Molixa Forge

VPS Security Panel with Free SSL and Auto Patching

Every server you connect gets a firewall, fail2ban, malware and rootkit scans, nightly security patches, and a fresh Let’s Encrypt certificate within the first minute. One dashboard, one security score, and fixes you can apply in a click. No scripts to copy. No surprise bills.

Why a security panel

Security is mostly the boring stuff, done on time

Patch the kernel on Tuesday. Rotate keys when a teammate leaves. Keep port 22 off the open internet. Molixa makes the consistent part easy, so you can spend your week shipping features instead of reading syslog.

Free SSL with auto-renewal

Let’s Encrypt issues a certificate within 30 seconds of DNS resolving. Renewals run 30 days before expiry and alert you if one fails. Wildcard via DNS-01 works with Cloudflare, Route 53, DigitalOcean, and Hetzner DNS.

UFW firewall with sane defaults

Default deny inbound, explicit allow for 22, 80, and 443. Add application rules like “MySQL from VPN only” from a dropdown. Generated UFW rules are readable and editable straight from the panel.

fail2ban on SSH and Nginx

Five failed SSH attempts from one IP, 24 hour ban. WordPress login brute-force pattern matched, one hour ban. Active bans are visible in the dashboard so you can unban yourself in a click if you lock yourself out.
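The five-failures threshold above, sketched as a log check. This is an added example, not Molixa's or fail2ban's own code. It assumes standard OpenSSH auth.log wording and applies no time window, whereas fail2ban also limits the count to a findtime window. The function name and sample lines are constructed.

```shell
#!/bin/sh
# Added example: list source IPs with at least N failed SSH password attempts.
# Assumption: counts over the whole input; fail2ban also applies a findtime window.

# Constructed sample auth.log lines; addresses are documentation ranges.
SAMPLE_AUTH_LOG='Apr 17 02:10:01 web sshd[811]: Failed password for root from 203.0.113.9 port 40112 ssh2
Apr 17 02:10:03 web sshd[811]: Failed password for root from 203.0.113.9 port 40114 ssh2
Apr 17 02:10:06 web sshd[815]: Failed password for invalid user admin from 203.0.113.9 port 40120 ssh2
Apr 17 02:10:09 web sshd[815]: Failed password for invalid user from from 203.0.113.9 port 40122 ssh2
Apr 17 02:10:12 web sshd[819]: Failed password for root from 203.0.113.9 port 40130 ssh2
Apr 17 02:11:40 web sshd[830]: Failed password for deploy from 198.51.100.7 port 51000 ssh2
Apr 17 02:11:44 web sshd[830]: Failed password for deploy from 198.51.100.7 port 51002 ssh2
Apr 17 02:12:00 web sshd[840]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2'

# over_threshold N   (auth.log on stdin) -> "ip count" lines, sorted by ip
over_threshold() {
  awk -v max="$1" '
    / sshd\[[0-9]+\]: Failed password for / {
      # Scan from the end of the line: the attempted username is chosen by
      # the client and may itself be "from", so only the last "from" is trusted.
      for (i = NF; i > 1; i--)
        if ($(i - 1) == "from") { hits[$i]++; break }
    }
    END { for (ip in hits) if (hits[ip] >= max) print ip, hits[ip] }
  ' | sort
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | over_threshold 5
```

On a live Ubuntu or Debian host the input would be /var/log/auth.log instead of the sample.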

ClamAV malware scans

Scheduled ClamAV sweeps of your web directories catch compromised plugin payloads, backdoored uploads, and web shells. Suspect files go to a locked quarantine folder and trigger an alert on your chosen channel.

AIDE file integrity tracking

AIDE fingerprints every file in /etc, /bin, and your web roots on install. Nightly diffs flag unexpected changes to sshd config, sudoers, or wp-admin files. Perfect for catching post-compromise tampering before it spreads.

rkhunter rootkit checks

rkhunter looks for known rootkits, suspicious kernel modules, and modified system binaries every night. Findings ride the same severity queue as ClamAV so you have one inbox for all server threats.

Lynis CIS benchmark

Run the bundled Lynis scan for about 200 CIS Level 1 checks on Ubuntu and Debian. Every failing check ships with the remediation command. Schedule weekly runs and get alerts on score drift. A must-have step if you are chasing SOC 2 readiness.

Auto-patching with unattended-upgrades

unattended-upgrades is installed and scoped to the security channel only, scheduled at 03:00 server time. You get a summary email of what was patched. Non-security upgrades stay manual so you decide when a kernel change happens.

Security score and findings inbox

Every scan contributes to a single 0 to 100 security score. Open the findings inbox, sort by severity, and apply the fix in one click. History is kept so you can show auditors how the score has trended over months.

SSL automation

Free Let’s Encrypt SSL on every domain

Add a site, point DNS, and a valid HTTPS certificate appears before you refresh the tab. Auto-renewal runs 30 days out, so you never wake up to a browser warning.

  • HTTP-01 and DNS-01 challenges supported
  • Wildcard certs for Cloudflare, Route 53, DigitalOcean, Hetzner DNS
  • Email and webhook alerts when renewal needs your attention
  • HSTS header on by default, preload opt-in
  • One-click upgrade to custom CA or paid EV cert

# molixa ssl issue app.example.com
ok DNS A record resolves to this server
ok HTTP-01 challenge passed in 3.1s
ok Certificate issued, valid 89 days
ok Nginx reloaded, HSTS header set
# next renewal scheduled 2026-07-17 03:12 UTC

# UFW rules on web-prod-01
22/tcp ALLOW Anywhere (rate 3/min)
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
3306/tcp ALLOW 10.0.0.0/24 (VPN only)
Everything else DENY

# fail2ban active jails
sshd: 3 IPs banned (last 24h)
wordpress-login: 11 IPs banned
nginx-botsearch: 42 IPs banned

Firewall and fail2ban

Block the noise before it hits your app

UFW closes every port you did not open. fail2ban watches auth.log and Nginx error.log and bans brute-force IPs automatically. You get a live list of blocks so you can unban yourself if a rule catches your office.

  • Cloud firewall aware (Hetzner, DigitalOcean)
  • Per-IP rate limits on SSH to slow password sprays
  • WordPress login and xmlrpc jails built in
  • Nginx bot-search and 404 flood jails
  • Unban any IP with one click, with reason logged

Malware and intrusion scans

Catch compromises before your users do

Three scans run every night, each built for a different class of attack. Findings land in one inbox with severity, file path, and a recommended fix.

ClamAV

Signature-based malware scanner. Catches web shells, encoded payloads in WordPress plugin files, and known backdoors in upload directories. Quarantines flagged files.

rkhunter

Rootkit hunter. Looks for kernel-level rootkits, suspicious loadable modules, and binary tampering in /bin, /sbin, and /usr/bin. Great for catching post-breach persistence.

AIDE

File integrity monitor. Fingerprints /etc, web roots, and system binaries on install, then diffs nightly. Any change to sshd_config or sudoers shows up before attackers dig deeper.

Auto patching

Security updates every night, without the pager

unattended-upgrades is already the right answer for keeping Ubuntu and Debian patched. We just make sure it is installed, scoped to the security channel, and reports back to you.

  • Security pocket only, never a surprise kernel change
  • Runs at 03:00 server time, randomized by 30 minutes
  • Morning summary email of every package patched
  • Auto-reboot window opt-in for kernel updates
  • One click to pin a package or roll back an upgrade

# unattended-upgrades run: 2026-04-17 03:14
openssh-server 1:8.9p1-3ubuntu0.7 -> .8
libssl3 3.0.2-0ubuntu1.15 -> .16
curl 7.81.0-1ubuntu1.17 -> .18
3 packages patched, 0 errors, 0 held back
# next run 2026-04-18 03:22

DDoS protection

Application layer defense, honest about the rest

Volumetric network attacks belong to your provider or a proxy like Cloudflare. Inside that perimeter, our Nginx rate limits, port scanner, and fail2ban rules take care of the slow, targeted traffic that gets through.

Nginx rate limits on sensitive routes

Per-IP limit_req zones on login pages, admin paths, and API routes. The panel writes the config for wp-login.php, /wp-json, Laravel’s /login, and your custom paths. Tunable per site, logged on every block.

Port scanner and drift detection

An outside-in port scan runs weekly to confirm only 22, 80, and 443 are reachable. Any drift, like a database port accidentally exposed after a deploy, alerts the security channel within minutes.

87/100 security score
  • SSH keys only, root login disabled
  • UFW active, 3 rules allowed inbound
  • Auditd not installed (Lynis recommendation)
  • SSH MaxAuthTries is 6, CIS suggests 4
  • wp-content/uploads writeable by web user (1 finding)

Security score

One number, a real action list

Every scan contributes to a single 0 to 100 score per server. Open the findings inbox, apply the fix from the attached command, and watch the number move in real time. Share the score with a stakeholder or export it for your next audit.

  • Severity ranked findings with remediation commands
  • Ignore list with reason field for audit trail
  • Weekly score report by email, CSV export anytime
  • Webhook to Slack or Discord when score drops

Works with the AI assistant

Ask a question, apply the fix

Pair the security panel with the Molixa AI assistant and you can ask “why is fail2ban banning my office” or “show me the Lynis remediation for this finding” and run the fix with one approval. Curious how we stack up elsewhere? See the RunCloud alternative comparison.

FAQ

Questions about the security panel

How often do the security scans run?

ClamAV, rkhunter, and AIDE file-integrity checks run nightly by default, with the first pass scheduled within 60 seconds of connecting a server. Lynis runs the CIS benchmark weekly and after any package upgrade. You can change the cadence per server, or trigger any scan on demand from the dashboard. Results land in your findings inbox with a severity score.

What happens when a scan reports a false positive?

Every finding has a one-click ignore action that adds the file or rule to a per-server allowlist, with a reason field you can fill in for your audit trail. Future scans respect the allowlist so you do not see the same noise twice. You can review or revoke any ignored finding later from the security history view.

Does the VPS security panel replace Cloudflare for DDoS protection?

No, and we are honest about that. Network-level DDoS mitigation belongs to your provider or a proxy like Cloudflare. What the panel does is add an application-layer defense: Nginx rate-limit rules on login, admin, and API routes, plus fail2ban bans for brute-force patterns. If you run Cloudflare in front, we show you which rules are already covered upstream.

How does Let’s Encrypt SSL renewal work in the panel?

Every domain you point at a site on the server gets a free Let’s Encrypt certificate issued within 30 seconds of DNS resolving. Renewals run 30 days before expiry via certbot, and you get an email alert if a renewal fails so you can fix the DNS or webroot before the cert expires. Wildcard certs via DNS-01 work with Cloudflare, Route 53, DigitalOcean, and Hetzner DNS.

Should I keep password auth on SSH or switch to keys only?

Switch to keys only. Password auth is the single biggest source of brute-force attempts on any public VPS, and fail2ban alone cannot stop a slow distributed attack. The panel imports your SSH key on first connect, verifies a successful key login, then disables PasswordAuthentication in sshd_config. You keep a time-limited emergency key if you want a fallback.
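One way to verify the end state described above, as an added example that is not Molixa's code. It audits the effective settings printed by `sshd -T` against the targets this page names: password authentication off, root login disabled, MaxAuthTries at most 4. The keyboard-interactive check goes beyond the page and is included because that method can still prompt for a password through PAM. The function name and sample output are constructed.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output (effective config, lowercase keys).

# Constructed sample of `sshd -T` output from a partly hardened host.
SAMPLE_SSHD_T='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
maxauthtries 6'

# audit_sshd   (sshd -T output on stdin) -> one "FAIL ..." line per finding
audit_sshd() {
  awk '
    { v[$1] = $2 }
    END {
      if (v["passwordauthentication"] != "no")
        print "FAIL passwordauthentication=" show(v["passwordauthentication"]) " want no"
      if (v["permitrootlogin"] != "no")
        print "FAIL permitrootlogin=" show(v["permitrootlogin"]) " want no"
      if (v["maxauthtries"] == "" || v["maxauthtries"] + 0 > 4)
        print "FAIL maxauthtries=" show(v["maxauthtries"]) " want <=4"
      # Beyond the page: keyboard-interactive can still ask for a password.
      if (v["kbdinteractiveauthentication"] == "yes")
        print "FAIL kbdinteractiveauthentication=yes want no"
    }
    function show(x) { return (x == "" ? "unset" : x) }
  '
}

printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd
```

Run as root, `sshd -T | audit_sshd` checks the live daemon configuration, including values pulled in from sshd_config.d drop-ins.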

What is the CIS benchmark and why should I care?

The CIS benchmark is a set of about 200 hardening checks for Ubuntu and Debian, published by the Center for Internet Security. We run it through Lynis and score your server from 0 to 100, with remediation commands attached to every failing check. It is the fastest way to find misconfigurations like world-readable cron files, weak sshd ciphers, or missing audit logging.

Secure your VPS in minutes
