Ajenti is a modular server administration panel that provides web-based management for services like Nginx, MySQL, PostgreSQL, FTP, and more. A panel that can rewrite the configuration of those services and restart them is effectively root on the host, so a compromised panel is a compromised server; as a centralized administration interface it therefore requires strict security controls to prevent unauthorized access to critical infrastructure.
Ajenti includes built-in user management with role-based access control (RBAC). Create a dedicated, named account for each administrator:

```text
# Ajenti users are managed through the web UI
# Navigate to Configuration → Users in the panel
```

Best practices:

- Change the default admin password immediately after installation; default credentials are the first thing a scanner tries against a panel on port 8000.
- One named account per person and no shared logins, so that every log entry can be attributed to an individual.
- Grant each account only the modules it needs (least privilege) and reserve the full-access role for the people who actually administer the host.
- Keep sessions short (30 minutes or less) and log out when finished; an idle admin session in an open browser is a ready-made foothold.

Ajenti supports granular permissions through roles (the role names below are illustrative; check the role model your installed version actually offers):
| Role Type | Permissions | Use Case |
|---|---|---|
| Administrator | Full access to all modules | Senior admins, automation |
| Web Manager | Nginx/Apache configuration only | Web developers |
| Database Admin | MySQL/PostgreSQL management | DBAs |
| Read-Only | View-only access | Auditors, monitoring |
Configure roles in the Ajenti UI. Session handling is set in /etc/ajenti/config.json. The key names below are the ones used on this page; the configuration format differs between Ajenti 1 and Ajenti 2, so compare them with the config.json your package installed before editing rather than pasting verbatim:

```json
{
  "session_max_age": 1800,
  "session_cookie_secure": true,
  "session_cookie_httponly": true
}
```

`session_cookie_secure` only has an effect once the panel is served over HTTPS: with it set, the browser refuses to send the session cookie over plain HTTP, which is what stops a session from leaking on a downgraded connection. `session_cookie_httponly` keeps the cookie out of reach of script in the page, so an injected script cannot simply read and exfiltrate it.
Ajenti supports HTTPS natively. Always use valid certificates in production: a self-signed certificate trains administrators to click through browser warnings, which is exactly the habit a man-in-the-middle attacker relies on.

Option 1: Self-signed certificate (testing only)

```bash
sudo mkdir -p /etc/ajenti/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -subj "/CN=ajenti.example.com" \
  -keyout /etc/ajenti/ssl/ajenti.key \
  -out /etc/ajenti/ssl/ajenti.crt
# The private key must not be readable by other local users
sudo chmod 600 /etc/ajenti/ssl/ajenti.key
```
Option 2: Let's Encrypt certificate (recommended)

```bash
# Install certbot
sudo apt install certbot   # Debian/Ubuntu
sudo dnf install certbot   # RHEL/Fedora

# Generate certificate. --standalone binds port 80 itself, so port 80 must be
# free and reachable from the internet during issuance and at every renewal.
# The deploy hook restarts the panel so it picks up the renewed certificate;
# certbot stores the hook and re-runs it on each automatic renewal.
sudo certbot certonly --standalone -d ajenti.example.com \
  --deploy-hook "systemctl restart ajenti"

# Link to Ajenti config (certbot updates the files under live/ in place,
# so the symlinks keep pointing at the current certificate)
sudo mkdir -p /etc/ajenti/ssl
sudo ln -s /etc/letsencrypt/live/ajenti.example.com/fullchain.pem /etc/ajenti/ssl/ajenti.crt
sudo ln -s /etc/letsencrypt/live/ajenti.example.com/privkey.pem /etc/ajenti/ssl/ajenti.key

# Confirm renewal works before the certificate is actually due
sudo certbot renew --dry-run
```
Configure HTTPS in /etc/ajenti/config.json. As with the session keys, verify these key names against your installed version, and check whether it expects separate certificate and key files or a single combined PEM:

```json
{
  "https": {
    "enabled": true,
    "ssl_certificate": "/etc/ajenti/ssl/ajenti.crt",
    "ssl_key": "/etc/ajenti/ssl/ajenti.key"
  }
}
```

Restart the service afterwards and confirm from another host, with `openssl s_client` or a browser, that the listener presents the expected certificate and that plain HTTP on the same port is refused.
Firewall rules (firewalld):

```bash
# Default Ajenti port is 8000.
# Do NOT run "firewall-cmd --permanent --add-port=8000/tcp" on its own: that
# opens the panel to every source address and makes the source restriction
# in the rich rule below meaningless.
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="8000" protocol="tcp" accept'
sudo firewall-cmd --reload
# Verify: 8000/tcp must appear only inside the rich rule, not under "ports:"
sudo firewall-cmd --list-all
```

Firewall rules (ufw):

```bash
sudo ufw default deny incoming
sudo ufw allow from 10.0.0.0/24 to any port 8000 proto tcp
sudo ufw enable
sudo ufw status verbose
```

If the panel is published through a reverse proxy (next option), do not open port 8000 on the firewall at all: the proxy on the same host reaches it over loopback.
Option: Reverse proxy with additional security. When the panel sits behind nginx, bind Ajenti to 127.0.0.1 so it can be reached only through the proxy, and leave port 8000 closed on the firewall; otherwise the TLS policy, source restriction and rate limit below are bypassed by connecting to the backend directly.

```nginx
# http {} context: limit_req_zone and map are not valid inside server {}
limit_req_zone $binary_remote_addr zone=ajenti:10m rate=10r/s;

# Send "Connection: upgrade" only when the client is actually upgrading (WebSocket)
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name ajenti.example.com;

    ssl_certificate     /etc/letsencrypt/live/ajenti.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ajenti.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    # Management network only, enforced at the proxy as well as the firewall
    allow 10.0.0.0/24;
    deny  all;

    # Rate limiting (zone declared above)
    limit_req zone=ajenti burst=20 nodelay;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Run `nginx -t` before reloading, then confirm from outside the management network that port 443 answers with 403 from the proxy and that port 8000 does not accept a connection at all.
Edit /etc/ajenti/config.json (key names as used on this page; verify them against your version's config.json):

```json
{
  "authentication": {
    "enable_password_reset": false,
    "min_password_length": 12,
    "require_special_chars": true
  },
  "security": {
    "disable_shell_access": true,
    "allowed_shell_commands": [],
    "max_login_attempts": 5,
    "lockout_duration": 300
  },
  "logging": {
    "level": "info",
    "file": "/var/log/ajenti/ajenti.log"
  }
}
```

Disable shell access unless a specific workflow needs it. A command allowlist such as `["ls", "cat", "systemctl status"]` is not a meaningful restriction when the panel runs with root privileges: `cat` alone reads /etc/shadow, private keys and every other file on the host, so the allowlist limits what an attacker has to type, not what they can reach. Lockout after repeated failures slows brute force but can also be used to lock out legitimate administrators, so pair it with the source-address restrictions above rather than relying on it alone.
Ajenti's modular design means you should only enable the plugins you need:

```bash
# List installed plugins. With a pip-based Ajenti 2 install each plugin is a
# separate Python package, so the installed set is visible to pip; with a
# distribution package, ask the package manager instead.
pip list 2>/dev/null | grep -i ajenti
dpkg -l | grep -i ajenti      # Debian/Ubuntu
rpm -qa | grep -i ajenti      # RHEL/Fedora
# Disable unused plugins to reduce attack surface:
# edit /etc/ajenti/plugins.json or use the web UI, then restart the service
sudo systemctl restart ajenti
```

A minimal install is the core panel plus the plugins for the services this host actually runs (no database plugin on a pure web node, no FTP plugin where nothing serves FTP). Every enabled plugin is reachable through an authenticated panel session, so an unused plugin adds attack surface without adding anything else.
```bash
# Ensure Ajenti config is protected. The ajenti user/group used here is an
# assumption: substitute the account the service actually runs as
# ("systemctl show -p User ajenti" prints it; an empty value means root).
sudo chown -R root:ajenti /etc/ajenti
sudo chmod 750 /etc/ajenti
sudo chmod 640 /etc/ajenti/config.json
# Protect logs
sudo chown -R ajenti:ajenti /var/log/ajenti
sudo chmod 750 /var/log/ajenti
# Secure plugin data directories
sudo chmod 700 /var/lib/ajenti
# Verify the result rather than assuming it
sudo stat -c '%a %U:%G %n' /etc/ajenti /etc/ajenti/config.json /var/log/ajenti /var/lib/ajenti
```
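A one-off chmod is only as good as the next package upgrade or restore from backup that silently resets it, so the hardening above is worth re-checking on a schedule. The script below is an added example written for this page, not an Ajenti tool: it compares the live modes (and, on the real system, ownership) of the paths above against the values the commands set and returns non-zero on any drift, so it can run from cron or a compliance job. It assumes GNU coreutils (`stat -c`) and, for the ownership checks, the same assumed `ajenti` service account as the commands above; the optional prefix argument lets it run against a staging tree, where ownership is skipped because the account may not exist there.

```bash
#!/usr/bin/env bash
# Added example (not Ajenti's own tooling): audit the ownership and mode
# hardening applied above. Requires GNU stat. Usage after sourcing:
#   audit_ajenti            # live system (run as root)
#   audit_ajenti /tmp/stage # a staging tree with the same layout

check_mode() {
    # check_mode <path> <expected-octal-mode>: 0 on match, 1 on mismatch, 2 if missing
    local path=$1 want=$2 have
    if [ ! -e "$path" ]; then
        printf 'MISSING %s\n' "$path"
        return 2
    fi
    have=$(stat -c '%a' "$path")
    if [ "$have" = "$want" ]; then
        printf 'OK      %s (%s)\n' "$path" "$have"
        return 0
    fi
    printf 'FAIL    %s mode %s, expected %s\n' "$path" "$have" "$want"
    return 1
}

check_owner() {
    # check_owner <path> <user:group>: 0 on match, 1 on mismatch, 2 if missing
    local path=$1 want=$2 have
    if [ ! -e "$path" ]; then
        printf 'MISSING %s\n' "$path"
        return 2
    fi
    have=$(stat -c '%U:%G' "$path")
    if [ "$have" = "$want" ]; then
        printf 'OK      %s (%s)\n' "$path" "$have"
        return 0
    fi
    printf 'FAIL    %s owned by %s, expected %s\n' "$path" "$have" "$want"
    return 1
}

audit_ajenti() {
    # audit_ajenti [prefix]: 0 only if every check passes; every finding is printed
    local root=${1:-} rc=0
    check_mode "$root/etc/ajenti"             750 || rc=1
    check_mode "$root/etc/ajenti/config.json" 640 || rc=1
    check_mode "$root/var/log/ajenti"         750 || rc=1
    check_mode "$root/var/lib/ajenti"         700 || rc=1
    # Ownership is only meaningful on the live system, where the assumed
    # ajenti account exists; a staging prefix is checked for modes only.
    if [ -z "$root" ]; then
        check_owner "$root/etc/ajenti"             root:ajenti   || rc=1
        check_owner "$root/etc/ajenti/config.json" root:ajenti   || rc=1
        check_owner "$root/var/log/ajenti"         ajenti:ajenti || rc=1
    fi
    return "$rc"
}
```

Because every check is a separate function with a conventional exit status, the same pieces can be reused for other sensitive paths (the TLS private key, plugin directories) by adding one line per path to `audit_ajenti`.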
```bash
# Enable automatic security updates (Debian/Ubuntu)
sudo apt install unattended-upgrades
# Check for Ajenti updates regularly
sudo pip install --upgrade ajenti-core   # pip-based install only; the package
                                         # name depends on how Ajenti was installed,
                                         # so confirm it with "pip list" first
# Or use package manager
sudo apt update && sudo apt upgrade ajenti   # Debian/Ubuntu
sudo dnf update ajenti                       # RHEL/Fedora
```

unattended-upgrades only covers the distribution's repositories; a pip-installed Ajenti is not touched by it and needs its own scheduled check. Test panel updates on a staging host first: it is a root-privileged service, and a broken upgrade takes the management path down together with everything it manages.
Ajenti logs to both file and system journal:

```bash
# View Ajenti logs
sudo tail -f /var/log/ajenti/ajenti.log
# Journalctl access
journalctl -u ajenti -f
# Filter for authentication events
grep -iE "auth|login" /var/log/ajenti/ajenti.log
# Same filter over the journal since the last boot
journalctl -u ajenti -b | grep -iE "auth|login"
```

Set up alerts for:

- Repeated failed logins from one source address (the `max_login_attempts` lockout fires locally, but the attempt pattern should also reach the SIEM).
- Any successful login from outside the management network, or from an address that had failures shortly before.
- Logins by the default admin account, which should be unused once named accounts exist.
- Configuration changes, plugin enable/disable events and service restarts made through the panel.
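The alert conditions above can be checked mechanically before the logs reach a SIEM, or as the SIEM rule's reference implementation. The script below is an added example written for this page, not part of Ajenti: it walks panel log lines, flags source addresses with five or more failed logins inside a five-minute sliding window, and separately flags any successful login from an address that had recent failures (the guess that eventually worked, which a lockout counter never reports). Ajenti's real log line format is not given on this page, so the `auth: login failed for user '...' from ...` format matched by `LOG_RE`, and the sample lines in `SAMPLE_LOG`, are constructed assumptions; adjust the regex to the lines your version writes.

```python
"""Brute-force and success-after-failure detection over Ajenti panel logs.

Added example for this guide, not Ajenti code. The log line format below is
an assumption constructed for the example; adapt LOG_RE to the real lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format (constructed):
#   2024-05-01 12:00:01 INFO  auth: login failed for user 'admin' from 203.0.113.5
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+\s+auth: "
    r"login (?P<result>failed|succeeded) for user '(?P<user>[^']*)' "
    r"from (?P<ip>[0-9A-Fa-f.:]+)$"
)

# Constructed sample: one address spraying the admin account, one address with
# two failures (below threshold), one clean login, and one non-auth line.
SAMPLE_LOG = """\
2024-05-01 12:00:01 INFO  auth: login failed for user 'admin' from 203.0.113.5
2024-05-01 12:00:09 INFO  auth: login failed for user 'admin' from 203.0.113.5
2024-05-01 12:00:15 INFO  auth: login failed for user 'root' from 198.51.100.7
2024-05-01 12:00:20 INFO  auth: login failed for user 'admin' from 203.0.113.5
2024-05-01 12:00:31 INFO  auth: login succeeded for user 'ops' from 10.0.0.12
2024-05-01 12:00:42 INFO  auth: login failed for user 'administrator' from 203.0.113.5
2024-05-01 12:00:55 INFO  auth: login failed for user 'admin' from 203.0.113.5
2024-05-01 12:01:03 INFO  auth: login failed for user 'root' from 198.51.100.7
2024-05-01 12:01:10 INFO  auth: login failed for user 'admin' from 203.0.113.5
2024-05-01 12:01:30 INFO  auth: login succeeded for user 'admin' from 203.0.113.5
2024-05-01 12:02:00 WARN  core: plugin nginx reloaded configuration
"""


def parse_auth_events(lines):
    """Yield (timestamp, result, user, ip) for each auth line; skip everything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Map ip -> (failures_in_window, first_ts, last_ts), recorded at the moment
    the sliding-window failure count first reaches `threshold`.

    One deque per source keeps only the failures inside `window`, so a slow
    attacker who spaces attempts beyond the window never accumulates a count.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, result, _user, ip in parse_auth_events(lines):
        if result != "failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (len(q), q[0], ts)
    return alerts


def success_after_failures(lines, lookback=timedelta(minutes=10), min_failures=3):
    """Return [(ip, user, prior_failures)] for successful logins preceded by at
    least `min_failures` failures from the same address within `lookback`.

    This is the signature of a guess that worked; a lockout counter resets on
    success and therefore never reports it.
    """
    failures = defaultdict(list)
    hits = []
    for ts, result, user, ip in parse_auth_events(lines):
        if result == "failed":
            failures[ip].append(ts)
            continue
        prior = sum(1 for t in failures[ip] if ts - t <= lookback)
        if prior >= min_failures:
            hits.append((ip, user, prior))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, (n, first, last) in detect_bruteforce(lines).items():
        print(f"ALERT brute force: {ip} {n} failures between {first} and {last}")
    for ip, user, prior in success_after_failures(lines):
        print(f"ALERT success after {prior} failures: {user} from {ip}")
```

For production use, feed `parse_auth_events` from `tail -F` or the journal instead of a string, and tune `threshold` and `window` to the lockout values configured in config.json so the alert fires at or before the point where the panel itself starts refusing logins.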
Example logrotate configuration:

```
# /etc/logrotate.d/ajenti
/var/log/ajenti/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 640 ajenti ajenti
}
```
Rsyslog forwarding (covers what Ajenti sends to syslog/journal; the file log is picked up by Filebeat below):

```
# /etc/rsyslog.d/ajenti.conf
# Keep a local copy
:programname, isequal, "ajenti" /var/log/ajenti/forward.log
# Forward to the central collector. A single @ means UDP: unreliable and
# unencrypted, so authentication events can be silently dropped or read in
# transit. Use @@ (TCP) at a minimum, and rsyslog's gtls stream driver for
# anything that crosses a network you do not control.
:programname, isequal, "ajenti" @@syslog.example.com:514
```
Filebeat configuration for an ELK stack. Filebeat ships no Ajenti-specific module, so use a plain file input and tag the events with the service name:

```yaml
# /etc/filebeat/filebeat.yml (inputs section)
filebeat.inputs:
  - type: filestream
    id: ajenti-panel
    enabled: true
    paths:
      - /var/log/ajenti/*.log
    fields:
      service: ajenti
    fields_under_root: true
```
Ajenti provides a REST API for automation. Secure it properly (the block below follows this page's key names; confirm them against your version before relying on them):

```json
{
  "api": {
    "enabled": true,
    "require_auth": true,
    "allowed_ips": ["10.0.0.0/24"],
    "rate_limit": 100,
    "api_keys": {
      "automation-key": ["read", "write:config"]
    }
  }
}
```

API security best practices:

- Issue one key per automation consumer, scoped to the minimum it needs (`read` for monitoring, `write:config` only for the deployer that actually changes configuration), so a leaked key is easy to attribute and revoke.
- Keep the IP allowlist as tight as the firewall rules: the API should not be reachable from anywhere the UI is not.
- Treat keys as secrets: store them in the caller's secret store, never in repositories or shell history, and rotate them when a consumer is decommissioned.
- Log every API call with the key identifier and forward it with the rest of the panel logs, so `write:config` activity can be reviewed.
- Leave the API disabled (`"enabled": false`) on hosts where nothing uses it.
| Control | Status | Notes |
|---|---|---|
| HTTPS enabled with valid certificate | ☐ | Use Let’s Encrypt |
| Default admin password changed | ☐ | Immediately after install |
| RBAC configured for all users | ☐ | Least privilege principle |
| Firewall rules restrict access | ☐ | Management network only |
| Session timeout configured | ☐ | 30 minutes or less |
| Unused plugins disabled | ☐ | Reduce attack surface |
| Logging enabled and forwarded | ☐ | To SIEM or log server |
| Regular backup of config | ☐ | Encrypt and store off-server |
| API secured with keys | ☐ | If API is used |
| File permissions hardened | ☐ | Config and logs protected |
If you suspect a security breach, preserve /var/log/ajenti/ and the journal entries (`journalctl -u ajenti`) before making any change to the host: they are the only record of which panel accounts and source addresses were involved, and a rotation or reinstall will overwrite them.