Dashboard

Total Servers
0
Online
0
Offline
0

Database Connection

ServerClient IDRoleDatabaseDB StatusAgent Status
Loading database status...

Query Executor

Audit Trail

Query Audit
Command Audit
File Deploy Audit
FDB Deploy Audit
Remote Storage Audit
Role Assignment Audit
Query IDSQLExecuted ByServersDate
No audit entries yet
Per page:

Server Monitor

Loading server monitoring data...

Remote Command

Select a predefined command above to see what will be executed.

File Deployment

Drag & drop files here or click to browse
Browse Files
ServerClient IDTypeStatusResult / BackupDate

FDB Deploy

Drag & Drop FDB.zip here or click to browse

Supports up to 2 GB zip files

0%

Server Selection 0

Loading servers...

Deployment Results

ServerClient IDStatusFDB DatePROGNOCIS DateErrorCompleted
No deployment results yet.

Deployment History

Page 1 / 1
DateDeployed ByTotal ServersSuccessFailed
No history yet.

Remote Storage

Loading connections...

Server Logs

Select a server and click Load to view logs.

Admin Panel

Users
Settings
IP Whitelist
Feedback
Agent Update

User Management

NameUsernameEmailRoleStatusSQL PermsActions
Loading users...

Dashboard Settings

Favicon

Accepted: .ico, .png, .jpg, .svg, .gif (max 512KB)

Storage Type:
💡 Tip: If timeout occurs, leave empty and use the instance's actual port
Not connected

SQL Server SSMS provides enterprise-grade data storage with encryption. All data is encrypted before storage. JSON mode stores data in encrypted local files.

Email / SMTP Settings

Auto-detect chooses encryption based on port. Use "None" for custom email servers with non-standard ports.

Alert Configuration

How often alert emails can repeat for the same server & metric. Lower = more emails.

OTP codes for unlocking protected fields (like FDB DB Name) will be sent to this email.

Alerts trigger automatically via agent heartbeat when resource usage exceeds 90%. No need to keep the dashboard open. FDB Deploy alerts send email on deploy start and completion.

Two-Factor Authentication (2FA)

Enable Two-Factor Authentication

When enabled, users will receive a 6-digit OTP via email during login. OTP expires in 10 minutes. Users without a registered email cannot login when 2FA is enabled.

Agent Interval Management

Heartbeat sends server health data to the dashboard (in seconds). Poll interval controls how often agents check for new commands (in seconds). Changes are pushed to all agents on next heartbeat.

Enable Production Hour Logic

Forgot Password

Enable Forgot Password on Login Page

When enabled, a "Forgot Password?" link will appear on the login page. Users can reset their password by verifying their identity via a 6-digit OTP sent to their registered email. Ensure SMTP email settings are configured correctly.

DevTools / Inspect Lock

Allow Admin DevTools Access

Right-click, F12, Ctrl+Shift+I/J/C, and Ctrl+U are always blocked for regular users. When this toggle is enabled, admin and super admin users are exempted and can use browser DevTools normally.

FDB Deploy Settings

Current Server Time: --  |  Today: --  |  Timezone: --

Protected field. Click Unlock & verify OTP to edit.

FDB.zip will be deployed to the target path on all selected servers at the scheduled cron time. Environment variables like %TOMCAT% are supported.

FDB deploy uses the same SQL credentials as the connected PROGNOCIS database. Ensure Database is connected before deploying.

IP Whitelist

IP AddressLabelAddedActions
Loading IP whitelist...

User Feedback

No feedback yet.
Loading agent update status...

Documentation

Download Agent

Loading agent info...

Architecture Overview

System Components

PHP Dashboard (SPA) Single-page app served by Apache/IIS. Handles authentication, routing, and renders all UI sections from a single layout.
HTTPS Polling
C++ Agent (Windows Service) Runs on each target server. Sends heartbeats, executes commands, deploys files/FDB updates, and reports results back to the dashboard.

Data Storage

The dashboard supports two storage backends: local AES-256-CBC encrypted JSON files (default) or an external SQL Server (SSMS) database. In JSON mode, JsonStore.php provides CRUD operations with file locking. In SQL mode, SqlStore.php stores all data as encrypted JSON blobs in SQL Server tables via PDO (pdo_sqlsrv). Both modes encrypt all data at rest using the same Encryption.php engine. The storage backend can be switched at any time from Admin Panel → Settings → Data Storage Configuration with built-in migration tools.

Communication Flow

  1. Agent sends a heartbeat to api/agent/heartbeat every 30 seconds, reporting CPU, memory, disk, and services status.
  2. Dashboard responds with any pending commands (SQL queries, remote commands, file deployments, FDB deployments).
  3. Agent executes the command and reports results back via api/agent/result.
  4. Dashboard renders the results in real-time and optionally sends email alerts via SMTP.
Data Storage Configuration

Dual Storage Architecture

The dashboard provides two fully interchangeable storage backends. You can switch between them at any time without losing data, thanks to built-in migration utilities.

JSON File Storage (Default) Data is stored as AES-256-CBC encrypted files inside the data/ directory. Each data store (servers, users, settings, audit_log, etc.) maps to a separate .dat file. File locking via flock() prevents concurrent write conflicts. No external database or driver required.
SQL Server (SSMS) Storage Data is stored as AES-256-CBC encrypted JSON blobs inside SQL Server tables. The pdo_sqlsrv PHP driver connects via PDO. Row-level locking prevents concurrent write conflicts. Supports SQL Server 2016+ with TLS-encrypted connections. All data remains encrypted even inside the database — a database admin cannot read raw data without the master encryption key.

How to Configure SQL Server Storage

  1. Navigate to Admin Panel → Settings → Data Storage Configuration.
  2. Enter the SQL Server connection details: Host, Port (default 1433), Database Name, Username, and Password.
  3. Click "Test Connection" to verify connectivity. The system tests the network connection, authenticates, and validates driver compatibility.
  4. Click "Save & Connect" to persist the configuration. The dashboard encrypts and stores credentials in data/.db_config.
  5. Click "Initialize Schema" to create the required tables (cssanket_data_store, cssanket_data_archive, cssanket_store_locks) automatically.
  6. Switch the storage type to "SQL Server". The system will prompt you to migrate existing JSON data to SQL.
  7. Optionally use "Migrate JSON → SQL" or "Migrate SQL → JSON" buttons to transfer all data between backends.

Encryption & Decryption Pipeline

Every piece of data — whether stored in JSON files or SQL Server — passes through the same encryption pipeline powered by Encryption.php. The process is identical for both storage backends:

Write Operation: PHP array data (e.g., servers list, settings, audit log)
Step 1 — Serialize: json_encode() converts the PHP array to a JSON string
Step 2 — Generate IV: A cryptographically random 16-byte Initialization Vector (IV) is generated using random_bytes()
Step 3 — Encrypt: openssl_encrypt() with AES-256-CBC cipher encrypts the JSON string using the master key + IV
Step 4 — HMAC Sign: hash_hmac('sha256') generates a 32-byte authentication tag over IV + ciphertext to prevent tampering
Step 5 — Encode: Final output = base64_encode(HMAC + IV + ciphertext)
Store: Written to .dat file (JSON mode) or encrypted_data column in SQL Server (SQL mode)
Read Operation: Fetch encrypted blob from file or SQL Server
Step 1 — Decode: base64_decode() extracts the binary payload
Step 2 — Split: Separate HMAC (32 bytes) + IV (16 bytes) + ciphertext from the payload
Step 3 — Verify HMAC: Recompute hash_hmac('sha256') and compare using hash_equals()rejects tampered data
Step 4 — Decrypt: openssl_decrypt() with AES-256-CBC + master key + IV recovers the JSON string
Step 5 — Deserialize: json_decode() converts back to a PHP array for use by the application

SQL Server Database Schema

When using SQL Server storage, the system creates three tables (prefix: cssanket_):

Table Purpose Key Columns
cssanket_data_store Primary data storage — holds all active data stores (servers, users, settings, audit_log, etc.) id, store_name (unique), encrypted_data (NVARCHAR MAX), data_hash, version, created_at, updated_at
cssanket_data_archive Version history — automatically archives previous versions of data before each write (up to configurable limit) id, store_id (FK), store_name, encrypted_data, data_hash, version, archived_at
cssanket_store_locks Distributed locking — prevents concurrent write conflicts when multiple PHP processes access the same store store_name (PK), lock_id, locked_at, expires_at

What Data Gets Stored

Each logical data set is stored as a separate "store" (row in SQL, or file in JSON mode). All store data is encrypted — the database only contains opaque encrypted blobs:

servers — Registered agent servers & heartbeat data
users — User accounts, hashed passwords, permissions
settings — Dashboard configuration & alert thresholds
audit_log — All user actions & system events
commands — Pending & completed remote commands
ip_whitelist — Allowed IP addresses & CIDR ranges
deploy_results — File deployment history & status
fdb_state — FDB deployment state & schedule

Security Measures

Master Encryption Key
A 256-bit (64 hex character) master key is auto-generated on first run and stored in data/.encryption_key with chmod 0600 (owner-only read). This key is used for ALL encryption/decryption operations. Without this key, no data can be decrypted — not from JSON files, not from SQL Server. Back up this file securely.
Data encrypted inside SQL Server
Unlike typical applications that store plaintext in databases, all data in SQL Server is stored as encrypted blobs. Even a database administrator with full SQL Server access cannot read the raw data. The encrypted_data column contains base64(HMAC + IV + AES-256-CBC-ciphertext). Each row also stores a data_hash (SHA-256) for integrity verification.
Database credentials protection
SQL Server connection credentials (host, port, database, username, password) are encrypted using the same AES-256-CBC engine and stored in data/.db_config. The password is never stored in plaintext anywhere. The configuration file is also protected with chmod 0600.
Connection security
The pdo_sqlsrv driver supports TLS-encrypted connections to SQL Server. Connection parameters include configurable timeouts (connection: 5s, query: 30s). The lazy PDO pattern means connections are only established when the first actual query is needed, not on page load.
HMAC tamper detection
Every encrypted payload includes an HMAC-SHA256 authentication tag. If anyone modifies even a single byte of the encrypted data (in the database or in a file), the HMAC verification will fail and the system will throw a RuntimeException('Data integrity check failed - possible tampering'). This uses timing-safe hash_equals() comparison to prevent timing attacks.

Performance Optimization

When using SQL Server storage with high-latency connections, the dashboard employs several caching strategies to ensure the UI loads instantly:

  1. Connection Cache (5-min TTL): Successful SQL Server connection details are cached to data/.connection_cache. Subsequent page loads skip the connection test if the cache is fresh, using a lazy PDO that connects only when needed.
  2. Settings File Cache: Dashboard settings are cached to data/.settings_cache on write. Page loads read from cache instead of SQL, falling back to SQL on cache miss.
  3. IP Whitelist File Cache: IP whitelist data is cached locally, avoiding SQL reads on every page request.
  4. Admin Flag File: A data/.admin_created flag file prevents repeated SQL reads to check if the default admin account exists.
  5. Automatic Cache Invalidation: All caches are automatically invalidated when data is modified through the Admin Panel (settings save, IP whitelist update, etc.).

Data Migration

The dashboard provides one-click migration between storage backends:

JSON → SQL Migration Reads all encrypted .dat files, decrypts them, re-encrypts with the same key, and writes to SQL Server tables. Original JSON files are preserved as backup. Progress is reported for each store.
SQL → JSON Migration Reads all stores from SQL Server tables, decrypts, re-encrypts, and writes back to local .dat files. Useful for reverting to file-based storage or creating offline backups.

Auto-Fallback & Reliability

If the SQL Server connection fails during initialization (e.g., server is down, network issue), the dashboard automatically falls back to JSON file storage to ensure uninterrupted operation. An amber warning indicator appears in the UI showing the fallback state. Once the SQL Server becomes available again, the system reconnects automatically on the next page load.

Deployment Workflow

File Deploy Workflow

User selects servers & target path
Check: Verify file existence on each server
File Found?
Yes
Delete: Select files & batch-delete (with in-use warning)
No
Path clear; proceed to deploy
Upload: Upload file(s) from browser
Dashboard queues deploy command per server
Agent polls, receives & executes file write (old file backed up)
Result reported back; status table updated

FDB Deploy Workflow

Upload FDB.zip (supports chunked upload for large files)
Select target servers from the list
FDB Month auto-detected from server time
Confirm & Lock: Deployment locked with cron schedule
Started-alert email sent to configured recipients
Agents download zip, extract to target path, report result
Completion email sent; results & history updated
Workflow & Features
Server Monitor Real-time CPU, memory, disk usage, and Windows services monitoring with configurable alert thresholds.
Database Management Connect to SQL Server/ODBC databases on remote servers. Execute queries across multiple servers simultaneously.
Remote Command Execute CMD or PowerShell commands on any connected server. Output is streamed back in real-time.
File Deploy Upload and deploy files to specific paths on selected servers. Supports existence checks before deployment.
FDB Deploy Scheduled deployment of FDB.zip to target paths on selected servers. Supports chunked uploads for slow networks.
Security IP whitelisting, role-based permissions, AES-256-CBC encryption, session management, and audit logging.
Auto-Start Daemon Agent automatically registers itself silently on Windows boot without requiring admin privileges.
Security Analysis & Q&A
How is data stored and protected?
All backend data (servers, users, logs) is encrypted using AES-256-CBC and validated with HMAC-SHA256 (via Encryption.php). Data can be stored in local encrypted JSON files or in SQL Server as encrypted blobs — both use the same encryption pipeline. Even a database administrator with full SQL Server access cannot read the raw data without the master encryption key. File locking (JSON mode) and row-level locking (SQL mode) prevent race conditions during concurrent writes. See the Data Storage Configuration section above for full details.
How does authentication work?
User passwords are hashed using the industry-standard BCRYPT algorithm. Dashboard uses PHP session-based authentication with secure cookies (HttpOnly and Secure flags). Sessions have a configurable timeout to log out inactive users automatically.
What is IP Whitelisting?
The IpWhitelist.php middleware restricts dashboard access to specific IP addresses or CIDR ranges. When enabled, only whitelisted IPs can reach the dashboard. Agent API endpoints are exempt from this check.
How are agent communications secured against hackers?
1. Strict SSL/TLS Verification: The C++ Agent enforces strict HTTPS certificate validation (verify_ssl = true). This completely prevents Man-In-The-Middle (MITM) attacks, ensuring no hacker can intercept or inject malicious commands on the local network.

2. Token Authentication: Agents authenticate using a cryptographically secure 64-character Hex Token (bin2hex(random_bytes(32))) assigned during registration.

3. No Inbound Ports: Agents actively poll the dashboard. You do not need to open any inbound firewall ports on the agent's server, making it invisible to external port scanners.

4. Replay Protection: Every executed command has a unique cryptographic ID to prevent replay attacks.
What are role-based permissions?
Three roles exist: Super Admin (full access, manages admins), Admin (full section access by default, configurable by Super Admin), and User (configurable permissions). Super Admins and Admins can assign per-section and per-action permissions to users (e.g., allow query execution but not file deploy). SQL statement types (SELECT, UPDATE, DELETE, etc.) can be individually permitted. Super Admin users cannot be blocked or deleted — they must be demoted first.