Security

Reqad hardens your server during installation and keeps it locked down by default — SSH access, the firewall and PHP are all configured for you, with sensible defaults you can still tune from the panel.

SSH access

The installer hardens SSH so your server isn't exposed to the usual automated attacks:

  • Non-default port — SSH is moved off port 22 to a non-standard port (you can choose it at install time with the SSH_PORT variable). This alone removes most brute-force noise.
  • Password authentication disabled — logging in with a password is turned off, so guessed or leaked passwords can't be used over SSH.
  • Key-based authentication — you log in with an SSH key instead. Add, remove and manage keys (including automatic SSH2 → OpenSSH conversion) from the SSH Keys section in the panel.
Don't lock yourself out. Add and test your SSH key from the SSH Keys section before relying on key-only access, and keep your private key safe — with passwords disabled, it's the only way in.

Firewall (CSF)

CSF (ConfigServer Security & Firewall) is installed and configured out of the box. It puts a stateful firewall around the services Reqad runs — web, mail, DNS and SSH on its custom port — and includes login-failure detection that automatically blocks repeat offenders. You get a sensible baseline without writing a single firewall rule.

PHP security

Every account runs in its own isolated PHP-FPM pool, and Reqad applies sensible PHP restrictions by default — all editable from PHP settings in the panel:

  • disable_functions — dangerous PHP functions such as shell_exec, system, exec, passthru, popen and proc_open are disabled, so a compromised script can't run arbitrary system commands. Reqad ships a recommended list and a one-click button to apply it.
  • open_basedir — each account's PHP is locked to its own home directory, so one site can't read or write another site's files or wander the filesystem.
  • Isolated pools — each account has its own PHP-FPM pool running as its own Linux user, with private temp and log directories.
  • Less fingerprintingexpose_php is turned off so PHP doesn't advertise its version.

You can tune all of these per PHP version from the panel, alongside OPcache and APCu settings.

Why this matters. Most hosting compromises start with weak SSH access or a single vulnerable script escaping its account. Reqad closes both doors by default — hardened SSH plus a firewall, and PHP boxed into each account.

Need a hand? Register for early access or contact us.