Security & isolation
BOA's foundational threat model: multiple Octopus tenants share one host but
cannot affect each other or escape their boundaries. This area is the operator
reference for every layer that enforces that model — the trust hierarchy, the
per-tenant restricted shell, the network edge (SYNPROXY → CSF/LFD → Nginx),
per-binary AppArmor confinement, SSH/SFTP hardening, password policy, the
default /admin* and mailing restrictions, and the backend Drush extension
deny-filter.
The defence is layered. A request crosses, in order: kernel SYNPROXY → CSF/LFD → the Nginx Abuse Guard → PHP-FPM (function-restricted, AppArmor-confined) → Drupal. Each layer filters more, so by the time traffic reaches application code it has already survived several independent gates.
Pages in this topic
- Security model — multi-Ægir architecture — the trust
hierarchy, the built-in protections,
_PHP_FPM_DENY, strict binary permissions, hidepid, the 5.9.5 audit and 5.10.1 edge hardening,edgetest. - lshell +
manage_ltd_users— the per-tenant restricted-shell boundary, the two-account model, what breaks lshell. - CSF + LFD firewall lifecycle — the host firewall, its ban-loop integration with the Abuse Guard, migration-proxy trust, recovery.
- SYNPROXY DDoS protection — the kernel-level SYN-flood layer beneath CSF.
- AppArmor confinement profiles — the 46 shipped MAC profiles.
- SSH server + SFTP hardening —
sshd_configenforcement, the strip-and-append upgrade reconciliation, the MySecureShell/Pure-FTPd chroot. - Password hashing — SHA512 → Bcrypt — the optional
pam_unix2Blowfish migration and its failure mode. - Extra SSH/SFTP/FTPS accounts — per-Aegir-Client subaccounts.
/admin*URL protection +ip_access— the default anonymous-/adminblock, the per-site opt-out, and whole-site IP allow-listing.- Mailing policy — no bulk mail; SMTP relay configuration.
- Drush extension deny-filter — the backend
*.drush.incloading restriction that closes the #762138 tenant-code privilege escalation, its backend-identity gate, the per-instance CiviCRM/Elysia opt-ins, and the single-tenant kill switch.
Adjacent operating topics
- Abuse Guard (nginx IDS) — the deep scan_nginx scoring, ban pipeline and request guards that CSF and the security model reference.
- Nginx internals — the vhost generator and the
config-template maps that emit the
/admin*block, AI policy and realip. - Migration & cloning — the
xmass/xoctflow that the migration-proxy trust on the CSF page supports. - Troubleshooting — blocked-IP recovery and SSH host-key-changed recovery.