
Security

Firewall, isolation, and credential protection.

Firewall Configuration

Depnix configures ufw on every server during provisioning. Only your chosen SSH port, 80 (HTTP), and 443 (HTTPS) are open by default. Database ports are bound to localhost only and are never exposed to the public internet.

You can open additional ports from the Server Settings → Firewall tab if your application requires them.

SSH Key-only Authentication

Password-based SSH authentication is disabled during provisioning. Only key pairs added through the Depnix dashboard can connect. This eliminates brute-force password attacks against SSH entirely.

Isolated Application Environments

Every application runs under the depnix system user in its own dedicated directory. Applications cannot read each other's files or environment variables, preventing cross-application data leakage.

Encrypted Secrets

Environment variables stored in Depnix are encrypted at rest using AES-256. They are decrypted only at deployment time and injected into the process environment, never written to disk as plain text.

Automatic Security Updates

Depnix enables unattended-upgrades for security patches on every provisioned server, ensuring critical OS-level vulnerabilities are patched automatically without requiring manual intervention.

fail2ban Intrusion Prevention

fail2ban is installed and configured on every server to monitor auth logs and automatically ban IP addresses that show signs of brute-force activity, reducing exposure to automated attacks.

Audit Logs

All actions performed through the Depnix dashboard — deployments, environment changes, SSH key additions, database creation — are recorded in the audit log with a timestamp and user attribution.