ProxCP Software Security
From ProxCP Documentation
Security Overview
ProxCP does not make any guarantees as to the security of the Web software or Daemon software. It is impossible for us to guarantee 100% security coverage.
During the development and testing cycles, we do take appropriate steps in designing, implementing, and testing industry standard methods for software security.
Security Features
- User passwords are not stored in plaintext. All user passwords are salted and hashed with SHA256. In general, this scheme cannot be reversed to retrieve plaintext passwords.
- User accounts have an Access Control page to restrict account login to certain IP addresses.
- User accounts have a 2FA option in the Profile page to enable Google Authentication.
- All user account accesses are logged with IP address and geolocation information.
- Proxmox/VPS node credentials are saved in an encrypted format using AES-256-CBC. This is necessary because we must retrieve the original credentials to perform ProxCP tasks on Proxmox/VPS nodes.
- HTTPS/SSL communications are forced between ProxCP Web and Daemon.
Security Settings
- Be sure your core/init.php file has read permissions only.
- Delete the install.php file after ProxCP Web installation.
- Delete the upgrade.php file after ProxCP Web upgrades.
- Delete the sql/ directory after ProxCP Web installation.
- You can change the /admin location by editing the config/admin/base value in the core/init.php file.
Security Notes
Do not share the ProxCP secret key with anybody. This is used by the Web application and Daemon application for various security features. Take care in how you move this key around if you need to. If your ProxCP secret key has been exposed, assume all ProxCP encryption is compromised.