Security Settings

Hardening controls for the host and panel: root password, unattended updates, SSH policy, Two-Factor Authentication, and IP allowlists. Changes are immediate and system-wide.

Access: root only.

Sections at a glance

| Section | What it does |
| --- | --- |
| Password | Change the server’s root password. Includes a secure generator and show/hide toggle before saving. |
| System Update | Enable daily auto-updates, optionally exclude kernel packages, or run an on-demand update with live output. |
| SSH | Change SSH port and enforce AllowUsers (user / user@host / wildcards) to restrict who can log in. |
| Two-Factor Authentication | Protect panel sign-in with TOTP (Google Authenticator, etc.). Scan QR or use the secret key to enroll. |
| IP Access Control | Limit panel access to trusted IPs or CIDR ranges (IPv4/IPv6). Add comments for audit clarity. |

Password (root)

  • Enter the new password twice and save. The generator creates a strong 20-character password, which you can reveal in order to copy it.
  • Effect: updates the operating system’s root credential used across SSH and panel auth.

System Update

  • Daily Auto Update: toggle unattended updates; optionally exclude kernel packages.
  • Update now: runs an immediate update and streams progress in a live log area.
  • Tip: for production systems, test kernel updates during a maintenance window, or keep them excluded if you have a separate process for them.

SSH

  • Port: set a custom SSH port (22–65535). The service is validated and restarted after a successful change.
  • AllowUsers: restrict SSH login to specific users or patterns such as root, deploy, or admin@10.10.*. Deleting all entries removes the restriction; adding the first entry enables the policy.
  • Safety: open the new port in your firewall and keep an existing session active until you confirm access on the new port.

Two-Factor Authentication (2FA)

  • When no 2FA is set, the page shows a QR code and secret key. Scan with a TOTP app (Google Authenticator, etc.), then enter the 6-digit code to enable.
  • When 2FA is enabled, you can disable it with a single action (requires current access).
  • Scope: protects panel login with a one-time code in addition to your password.

IP Access Control

  • Allowlist specific IPs or networks (supports IPv4/IPv6 and CIDR, e.g., 203.0.113.5, 203.0.113.0/24, 2001:db8::/64).
  • Only sources matching at least one entry can reach the panel once the list is populated.
  • Use the table to add/remove entries and annotate each with a comment (e.g., “office”, “VPN”).
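
A pre-check you can run before populating the list, to confirm that the address you are connecting from will still match an entry. This is an added example, not the panel's own code: the function names, the sample entries and comments, the rejection of entries with host bits set, and the handling of IPv4-mapped IPv6 sources are assumptions made for illustration.

```python
import ipaddress

# Constructed sample allowlist: (entry, comment) pairs built from the page's example values.
ALLOWLIST = [
    ("203.0.113.5", "office"),
    ("203.0.113.0/24", "VPN"),
    ("2001:db8::/64", "IPv6 lab"),
]

def parse_entries(entries):
    """Return (networks, errors); a bare IP becomes a /32 or /128 network."""
    networks, errors = [], []
    for text, comment in entries:
        try:
            # strict=True rejects host bits set (e.g. 203.0.113.5/24), a common typo.
            networks.append((ipaddress.ip_network(text.strip(), strict=True), comment))
        except ValueError as exc:
            errors.append((text, str(exc)))
    return networks, errors

def check_source(source, entries):
    """Decide whether `source` could reach the panel under `entries`.

    Returns (allowed, reason). An empty list means no restriction, as the page states.
    """
    networks, errors = parse_entries(entries)
    if errors:
        return False, "invalid entries: " + ", ".join(t for t, _ in errors)
    if not networks:
        return True, "list empty: no restriction"
    addr = ipaddress.ip_address(source)
    # Assumption: an IPv4-mapped IPv6 source (::ffff:a.b.c.d) is compared as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net, comment in networks:
        if addr.version == net.version and addr in net:
            return True, f"matched {net} ({comment})"
    return False, "no entry matches: this source would be locked out"

if __name__ == "__main__":
    for src in ("203.0.113.77", "198.51.100.9", "2001:db8::1", "::ffff:203.0.113.5"):
        print(src, check_source(src, ALLOWLIST))
```

Run it with your current public address as `source` before saving the first entry, since that is the moment the restriction starts to apply.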
