Aether Panel Documentation

Security and Best Practices

Security Introduction

Security is a fundamental priority in Aether Panel. This document covers best practices, built-in security features, and recommendations to keep your installation secure.

Aether Panel includes multiple layers of security to protect your data and servers, including robust authentication, a granular permission system, encryption and more.

Authentication

Aether Panel implements a robust authentication system with multiple layers of security:

Authentication Methods

Session Authentication

The panel uses secure sessions based on HTTP-only cookies for web authentication. Sessions are validated on each request and expire automatically after a period of inactivity.

OAuth2 for API

For programmatic access, the panel supports OAuth2 with the Client Credentials flow. Tokens have specific scopes that limit what actions they can perform.

  • Tokens with automatic expiration
  • Granular scopes for access control
  • Secure regeneration of client secrets
  • Token revocation

Two-Factor Authentication (2FA/TOTP)

Aether Panel supports TOTP (Time-based One-Time Password) for two-factor authentication. It is compatible with authenticator applications such as Google Authenticator, Authy and Microsoft Authenticator.

Setup 2FA
  1. Go to your profile in the panel
  2. Click 'Setup 2FA'
  3. Scan the QR code with your authentication app
  4. Enter the verification code to confirm
  5. Save the recovery codes in a safe place

Recovery Codes

When you configure 2FA, unique recovery codes are generated. Save them in a safe place. If you lose access to your 2FA device, you can use these codes to disable 2FA and regain access to your account.

Password Security

Passwords in Aether Panel are protected with:

  • Bcrypt hashing: Passwords are never stored in plain text
  • Automatic salt: Each password has a unique salt
  • Strength validation: It is recommended to use passwords of at least 12 characters
  • Password policy: Configure minimum requirements for your users

Password Recommendations
  • Minimum 12 characters (recommended 16+)
  • Combination of uppercase, lowercase, numbers and symbols
  • Do not reuse passwords from other services
  • Use a password manager (like Bitwarden, 1Password, etc.)
  • Change passwords regularly, especially administrator ones

Authorization and Permissions

Aether Panel uses a granular permission system based on scopes that allows precise control over what each user can do.

Scopes System

Scopes are specific permissions that control access to different functionalities. Examples include:

  • server.view: View server information
  • server.edit: Modify server configuration
  • server.start: Start servers
  • server.files.edit: Edit server files
  • users.edit: Manage users
  • admin: Full administrative access

Principle of Least Privilege

Always grant only the minimum necessary permissions. A user who only needs to view servers should not have permissions to edit or delete them.

Roles and Groups

Roles allow grouping multiple permissions and assigning them to users. This simplifies permission management for groups of users with similar needs.

  • Create specific roles for different types of users (moderators, developers, etc.)
  • Regularly review the permissions assigned to each role
  • Do not grant the 'admin' role unless absolutely necessary

Security Best Practices

Follow these recommendations to keep your Aether Panel installation secure:

Updates and Maintenance
  • Keep your panel updated: Always run the latest version of Aether Panel to ensure you have the latest security patches.
  • Update the operating system regularly: Apply operating system security patches.
  • Review logs regularly: Monitor panel logs to detect suspicious activity.
  • Make regular backups: Keep updated backups of your database and configuration.

Passwords and Authentication
  • Use strong passwords: Enforce robust password policies for all user accounts.
  • Enable 2FA for administrators: All administrators must have 2FA enabled.
  • Enable 2FA for users: Encourage all users to enable 2FA.
  • Rotate passwords regularly: Especially for administrative accounts.
  • Do not share credentials: Each user must have their own account.

Permissions and Access
  • Limit user permissions: Grant users only the permissions they absolutely need.
  • Review permissions regularly: Periodically audit user permissions.
  • Use roles instead of individual permissions: Simplifies management and reduces errors.
  • Deactivate unused accounts: Delete or deactivate user accounts that no longer need access.

Network and Communication
  • Use HTTPS: Always access your panel through a secure HTTPS connection.
  • Configure SSL/TLS correctly: Use valid certificates (preferably Let's Encrypt).
  • Restrict access by IP: If possible, limit administrative access to specific IPs.
  • Use VPN for remote access: For remote administrative access, use a VPN instead of exposing the panel directly.

Server and System
  • Configure the firewall correctly: Only open necessary ports.
  • Disable SSH with password: Use SSH key authentication.
  • Change the default SSH port: Reduces exposure to automated attacks.
  • Monitor system resources: Configure alerts for abnormal CPU, RAM or disk usage.
  • Isolate servers: Each server must run in its own isolated environment.

API and Automation
  • Protect your client secrets: Never share client secrets publicly.
  • Rotate client secrets regularly: Generate new secrets periodically.
  • Use minimal scopes: Only grant the necessary scopes for each OAuth2 client.
  • Monitor API usage: Review API logs to detect abnormal activity.
  • Implement rate limiting: If you create integrations, respect rate limits.

Firewall Configuration

Make sure your server's firewall is configured correctly. The panel uses the following ports; open only those marked as required or that your installation actually needs:

8080/TCP

Default port for the web panel (HTTP/HTTPS). Required.

In production, consider restricting this port to specific IPs or using a reverse proxy.

8081/TCP

Port for Gatus (uptime monitoring). Optional but recommended.

It can be restricted to internal access if external access is not needed.

5657/TCP

SFTP port for file transfer. Required if you use SFTP.

Should only be accessible to users who need to transfer files.

22/TCP

SSH port for server administration. It is recommended to change it to a non-standard port (e.g., 2022).

Should only be accessible to administrators. Consider using fail2ban.

UFW Configuration (Ubuntu/Debian)

To configure the firewall with UFW:

# Allow the required ports
sudo ufw allow 8080/tcp
sudo ufw allow 5657/tcp
sudo ufw allow 8081/tcp

# Change the SSH port (optional but recommended)
# Only deny port 22 after setting "Port 2022" in /etc/ssh/sshd_config, restarting
# sshd and confirming from a second session that you can log in on the new port
sudo ufw allow 2022/tcp
sudo ufw deny 22/tcp

# Enable the firewall
sudo ufw enable

# Check the status
sudo ufw status

firewalld Configuration (Fedora/RHEL/CentOS)

To configure the firewall with firewalld:

# Allow the required ports
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --permanent --add-port=5657/tcp
sudo firewall-cmd --permanent --add-port=8081/tcp

# Change the SSH port (optional but recommended)
# Only remove the ssh service after setting "Port 2022" in /etc/ssh/sshd_config,
# restarting sshd and confirming you can log in on the new port. On SELinux
# systems also allow the port: sudo semanage port -a -t ssh_port_t -p tcp 2022
sudo firewall-cmd --permanent --add-port=2022/tcp
sudo firewall-cmd --permanent --remove-service=ssh

# Apply the changes
sudo firewall-cmd --reload

# Check the rules
sudo firewall-cmd --list-ports

SSL/TLS Configuration

Using HTTPS is essential to protect credentials and data transmitted between client and server.

Let's Encrypt Certificates

Let's Encrypt provides free SSL certificates and automatic renewal. To configure it:

  1. Install Certbot: sudo apt install certbot (Ubuntu/Debian) or sudo dnf install certbot (Fedora)
  2. Get certificate: sudo certbot certonly --standalone -d your-domain.com
  3. Configure automatic renewal: sudo certbot renew --dry-run
  4. Configure Nginx to use the certificate (see Nginx documentation)

Let's Encrypt certificates expire every 90 days, but Certbot can renew them automatically.

Self-Signed Certificates (Development Only)

Self-signed certificates should only be used in development environments. Never use them in production.

Browsers will show security warnings with self-signed certificates.

Monitoring and Intrusion Detection

Monitoring your installation helps detect security issues before they become serious incidents.

Log Review

Regularly review panel logs to detect:

  • Failed login attempts
  • Access from unknown IPs
  • Abnormal API activity
  • Unusual errors or suspicious patterns

Log Location

Native installations: /var/log/skypanel/

Docker installations: docker-compose logs -f skypanel
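As an added example of the log review described above (not a script from Aether Panel), the following POSIX shell script flags IPs with repeated failed logins and successful logins from addresses outside an allowlist. The log line format, the sample lines and the allowlist are constructed for the example; adapt the login_failed/login_ok markers and the ip= field to the real format of the panel's logs.

```shell
#!/bin/sh
# Added example, not part of Aether Panel: find repeated failed logins and
# successful logins from IPs outside an allowlist. The log line format and the
# sample lines below are constructed; adapt the login_failed/login_ok markers
# and the ip= field to the real format of the logs in /var/log/skypanel/.

SAMPLE_LOG=$(mktemp)
ALLOWLIST=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01T10:00:01Z INFO  auth login_ok     user=admin ip=203.0.113.10
2024-05-01T10:00:05Z WARN  auth login_failed user=admin ip=198.51.100.7
2024-05-01T10:00:09Z WARN  auth login_failed user=admin ip=198.51.100.7
2024-05-01T10:00:14Z WARN  auth login_failed user=root  ip=198.51.100.7
2024-05-01T10:00:20Z WARN  auth login_failed user=admin ip=198.51.100.7
2024-05-01T10:01:02Z WARN  auth login_failed user=dev   ip=203.0.113.10
2024-05-01T10:02:30Z INFO  auth login_ok     user=dev   ip=192.0.2.55
EOF
# Constructed allowlist of addresses logins are expected from, one per line
printf '203.0.113.10\n' > "$ALLOWLIST"

# Print "count ip" for each IP with at least $2 failed logins in log file $1
failed_logins_by_ip() {
  awk -v t="${2:-5}" '
    /login_failed/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^ip=/) { sub(/^ip=/, "", $i); fails[$i]++ }
    }
    END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
  ' "$1" | sort -rn
}

# Print IPs with a successful login that are not listed in allowlist file $2
logins_from_unknown_ips() {
  awk -v allow="$2" '
    BEGIN { while ((getline line < allow) > 0) known[line] = 1 }
    /login_ok/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^ip=/) { sub(/^ip=/, "", $i); if (!($i in known)) seen[$i] = 1 }
    }
    END { for (ip in seen) print ip }
  ' "$1" | sort
}

echo "IPs with 3 or more failed logins:"; failed_logins_by_ip "$SAMPLE_LOG" 3
echo "Successful logins from IPs not in the allowlist:"; logins_from_unknown_ips "$SAMPLE_LOG" "$ALLOWLIST"
```

Run it against the real log by replacing SAMPLE_LOG with the panel's log file and lowering or raising the threshold to match your traffic.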

Fail2ban (Brute Force Protection)

Fail2ban can protect your server against brute force attacks by blocking IPs after multiple failed attempts.

Installation and Configuration

# Ubuntu/Debian
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Fedora/RHEL/CentOS
sudo dnf install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Basic Configuration

Create a custom configuration file in /etc/fail2ban/jail.local to protect SSH and other services.
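An added example of such a jail.local, protecting SSH on the non-standard port 2022 used in the firewall section (this is not a file shipped by Aether Panel; the ignoreip address is a placeholder to replace with your own management IP):

```ini
# /etc/fail2ban/jail.local (added example, not shipped with Aether Panel)
[DEFAULT]
# Ban for 1 hour (3600 s) after 5 failures within 10 minutes (600 s)
bantime  = 3600
findtime = 600
maxretry = 5
# Never ban localhost or your own management address (placeholder, replace it)
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

[sshd]
enabled = true
# Match the SSH port opened in the UFW/firewalld examples above
port    = 2022
```

After saving the file, run sudo systemctl restart fail2ban and verify the jail with sudo fail2ban-client status sshd.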

Backups and Recovery

Regular backups are essential for security and business continuity.

What to Backup
  • Panel database (database.db or MySQL)
  • Configuration file (config.json)
  • Important server files
  • SSL certificates
  • Nginx/Apache configuration

Backup Frequency

It is recommended to make daily backups of the database and weekly backups of server files. Adjust according to your needs.

Backup Storage
  • Store backups in a location separate from the main server
  • Use encryption for sensitive backups
  • Test backup restoration regularly
  • Keep multiple versions of backups (last 7 days, monthly, etc.)

Incident Response

If you suspect your installation has been compromised:

  1. Disconnect the server from the network immediately if possible
  2. Change all passwords (panel, database, SSH, etc.)
  3. Review logs to identify the attack vector
  4. Revoke all OAuth2 tokens and regenerate client secrets
  5. Review and remove any suspicious users or permissions
  6. Restore from a known safe backup if necessary
  7. Update the panel and all dependencies
  8. Notify affected users if appropriate

Prevention

The best response to incidents is to prevent them. Follow all security best practices and keep your installation updated.

Security Checklist

Use this checklist to ensure your installation is configured securely:

  • Panel updated to the latest version
  • Operating system updated
  • HTTPS configured with valid certificate
  • 2FA enabled for all administrators
  • Firewall configured correctly
  • SSH port changed from port 22
  • Strong passwords for all accounts
  • User permissions reviewed and limited
  • Backups configured and tested
  • Logs being monitored
  • Fail2ban configured (recommended)
  • Administrative access restricted by IP (if possible)
  • OAuth2 client secrets protected
  • SSL certificates with automatic renewal configured

Remember that Aether Panel is an open source project under development. If you have any questions or problems during installation, or the installer command does not work, you can contact us on the Aether Panel Discord.

    Aether Panel | Open Source Game Server & Cloud Hosting Platform