Lockdown mode is an emergency measure. It mass-suspends every hosting account on the server in a single action. Use it when the situation demands that all hosted sites and services stop immediately — during an active compromise, a DDoS incident requiring investigation, or a maintenance window where no customer traffic should be served.
When to use lockdown
- Active server compromise — you detect unusual activity, rootkits, or mass file modification and need to stop the spread immediately
- Active attack in progress — a hosted account is being used to send spam or host malicious content and you cannot identify which one quickly
- Emergency maintenance — you need to bring the server offline for disk work, a kernel update with reboot, or network reconfiguration and do not want customer sites serving stale content during the process
Do not use lockdown for suspending individual accounts — use the per-account suspend action in Server Mode → Accounts instead.
Enabling lockdown
Server Mode → Security → Lockdown Mode → Enable Lockdown.
Confirm the action in the modal by entering your admin password.
The agent executes `/security/lockdown-accounts`, which iterates over every hosting account and suspends each one. This happens within seconds on servers with up to a few hundred accounts.
What lockdown does
| Service | Effect |
|---|---|
| Web (HTTP/HTTPS) | All account vhosts return 503 Service Unavailable |
| SMTP (outbound) | Mail submission rejected for all account mailboxes |
| IMAP/POP3 | Account mailboxes inaccessible to mail clients |
| SSH (account users) | Jailkit shells disabled for all accounts |
| Opterius Panel | Remains accessible — admin can continue working |
| Agent | Remains accessible — agent continues accepting panel commands |
| DNS | Unaffected — DNS zones continue to resolve |
Lockdown does not touch the server's own SSH access, firewall rules, or the agent listener. The admin retains full control throughout.
What lockdown does NOT do
Lockdown suspends accounts — it does not:
- Terminate active SSH sessions already in progress (those connections persist until the user disconnects)
- Flush active SMTP connections already mid-delivery
- Block IPs at the firewall level — use Firewall Management or Fail2ban for IP blocking
If you suspect an active SSH session by an attacker, terminate it directly:
```bash
# Find the session
who
ss -tp | grep sshd
# Kill the specific session by PID
kill -9 <PID>
```
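An added example, not part of the Opterius documentation: `who` only lists sessions that have a terminal, so an SFTP, SCP or forwarding-only session that survived lockdown is easy to miss. This sketch reads `ps` output and lists every per-session sshd process that does not belong to an admin login; the function names, the admin allowlist and the sample data are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# List per-session sshd processes that persist after lockdown.
# Input : lines from `ps -eo pid=,user=,args=` on stdin.
# Output: "PID USER TTY" per session; TTY is "notty" for sftp/scp/forwarding.
residual_ssh_sessions() {
  # Space-separated logins to ignore (assumption: your own admin accounts).
  local admins="${1:-root}"
  awk -v admins="$admins" '
    BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    # Session processes are titled "sshd: user@pts/N" or "sshd: user@notty".
    # OpenSSH 9.8 and later title them "sshd-session: ..." instead.
    # The listener and the "[priv]" monitor have no "@" in field 4 and are skipped.
    $3 ~ /^sshd(-session)?:$/ && $4 ~ /@/ {
      split($4, p, "@")              # p[1] = login name, p[2] = tty or "notty"
      if (!(p[1] in skip)) print $1, p[1], p[2]
    }'
}

# Constructed sample of `ps -eo pid=,user=,args=` output (not from a real server).
sample_ps() {
  cat <<'EOF'
  812 root     sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
 2190 root     sshd: alice [priv]
 2211 alice    sshd: alice@pts/1
 2305 root     sshd: bob [priv]
 2320 bob      sshd: bob@notty
 2400 root     sshd: root@pts/0
 2450 root     sshd-session: carol [priv]
 2461 carol    sshd-session: carol@pts/2
 3001 alice    grep sshd
EOF
}

# Demo on the sample. On a live server, run instead:
#   ps -eo pid=,user=,args= | residual_ssh_sessions "root youradmin"
sample_ps | residual_ssh_sessions "root"
```

Review each listed PID before passing it to `kill` as shown above; the `notty` row is the kind of session `who` does not report.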
Disabling lockdown
Server Mode → Security → Lockdown Mode → Disable Lockdown.
All accounts are unsuspended automatically. There is no need to unsuspend them one by one. Account states that existed before lockdown (accounts that were already suspended individually) are restored correctly — lockdown tracks pre-existing suspensions so it does not accidentally re-enable accounts that were intentionally suspended.
During lockdown: what customers see
- Website visitors: HTTP 503 with a brief service unavailable message
- Email clients: authentication failure or connection refused depending on the mail client and how it handles rejected logins
- SSH users: connection refused or permission denied
Customers will contact you. Have a status page or support message ready before enabling lockdown if the situation allows.
> [!NOTE]
> Lockdown does not send any automatic notifications to account holders. If you want to inform customers, do so through your support channel before or immediately after enabling lockdown.