Hardening Your Seedbox: A Practical Security Guide for QuickBox Pro

A thorough, practical guide to locking down your QuickBox Pro server — from Fail2Ban's per-application jail library and dashboard control center to WireGuard VPN app-scoped routing and the full suite of firewall tools built into the v4 dashboard.

JMSolo · 15 min read


A seedbox is productive because it is always on and always connected. Those same qualities make it a target. Automated scanners probe SSH ports every hour. Bots test media server login pages in bulk. Misconfigured firewall rules leave gaps that nobody noticed until something broke.

QuickBox Pro ships several overlapping layers of defense. This guide covers each one in depth — what it does, why it matters, and how to configure it through the v4 dashboard and CLI. The goal is not to make your server paranoid; it is to make sure that when an attack happens, something stops it before you even notice.


The Threat Model for a Seedbox

A seedbox running QuickBox Pro typically has:

  • An SSH port accessible from the internet
  • A dashboard on port 443 with a login page
  • Multiple application web UIs — Sonarr, Radarr, qBittorrent, Plex, Jellyfin, and more — each with their own authentication
  • nginx acting as a reverse proxy with basic-auth protection on some apps

Each of these is a potential attack surface. The goal is to close the obvious ones, raise the cost of the less obvious ones, and keep traffic private when it needs to be.


Layer 1: Fail2Ban — Automated Brute-Force Protection

What Fail2Ban Actually Does

Fail2Ban watches log files and the systemd journal for repeated failed authentication attempts. When an IP address accumulates too many failures within a configurable window, Fail2Ban inserts a firewall rule against that address (a REJECT rule in the stock iptables action; the exact action is configurable). Further packets from that address are discarded in the kernel, so your application never sees the request.

Without Fail2Ban, a bot can try thousands of passwords against your SSH server overnight. With it, that same bot gets cut off after five attempts and cannot try again for ten minutes. Most automated attacks move on immediately.

QuickBox's Per-Application Jail Library

Standard Fail2Ban configurations cover SSH and maybe nginx. QuickBox Pro goes further: it ships a purpose-built jail and filter library with stanzas and filters for 27+ applications alongside the three base jails.

The library lives in two files:

  • /etc/fail2ban/jail.d/qbx-base.conf — always-active jails for sshd, nginx-http-auth, and qbx-v4dashboard (the QuickBox dashboard login)
  • /etc/fail2ban/jail.d/qbx-apps.conf — disabled stanzas for 27+ supported apps including Plex, Sonarr, Radarr, Lidarr, Jellyfin, Emby, qBittorrent, Transmission, Nextcloud, and more

Each app jail stanza starts disabled. The install script for each application is responsible for enabling its corresponding jail — Sonarr, Radarr, and Lidarr are wired now, with coverage rolling out across the broader app catalog over the coming weeks. Install Sonarr, and the qbx-sonarr jail activates and begins watching Sonarr's authentication log. Remove the application, and the jail is cleanly disabled. For applications installed before their jail wiring is complete, the Recommendations panel surfaces a one-click enable suggestion.

The qbx-v4dashboard jail deserves special mention. It monitors the dashboard's systemd journal for login failures — covering not just username/password attempts but also two-factor authentication failures and password reset abuse. Attacks against any of these three authentication endpoints accumulate toward a single ban threshold.

Installing and Configuring Fail2Ban

Install from App Dashboard → Package Management. Before the install begins, an options form lets you set:

  Setting          What It Does                                Default
  Ban Duration     How long a banned IP is blocked             600 seconds
  Failure Window   The timeframe failures must occur in        600 seconds
  Max Attempts     Failed attempts before a ban                5
  Active Jails     Which base jails to enable (SSH, nginx)     Both
  Allowlist IPs    IPs that can never be banned                Empty

Important

Add your own workstation IP address to the allowlist before clicking Install. If you mistype a password five times, you will lock yourself out of the dashboard. The loopback address and your server's primary IP are always protected automatically — but your external IP is not.

From the CLI:

qb install fail2ban --f2b-bantime 900 --f2b-maxretry 3 --f2b-ignoreip "YOUR.IP.HERE"
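To make the sliding-window mechanics concrete, here is an added example, written for this guide and not code from QuickBox or Fail2Ban, that replays constructed journal lines through a small jail with the same knobs as the install form: maxretry, findtime, bantime and ignoreip. The log format and the three failure patterns are invented stand-ins for the dashboard's real filter, which this page does not show; the addresses come from documentation and private ranges. It shows three failure kinds accumulating toward one ban, a slow attacker who never puts five failures inside one window, and an allowlisted LAN address that is never counted.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed journal lines in a made-up format. QuickBox's real dashboard log
# format is not shown on this page, so the lines and the patterns below are
# illustrative, not the project's actual qbx-v4dashboard filter.
SAMPLE_JOURNAL = """\
2024-05-01T10:00:00Z qbx-dashboard: login failed for user root from 198.51.100.7
2024-05-01T10:00:01Z qbx-dashboard: login failed for user admin from 203.0.113.42
2024-05-01T10:00:05Z qbx-dashboard: login failed for user admin from 192.168.1.10
2024-05-01T10:00:09Z qbx-dashboard: login failed for user admin from 203.0.113.42
2024-05-01T10:00:12Z qbx-dashboard: login failed for user admin from 192.168.1.10
2024-05-01T10:00:20Z qbx-dashboard: login failed for user admin from 192.168.1.10
2024-05-01T10:00:31Z qbx-dashboard: login failed for user admin from 192.168.1.10
2024-05-01T10:00:44Z qbx-dashboard: login failed for user admin from 192.168.1.10
2024-05-01T10:01:15Z qbx-dashboard: 2fa verification failed for user jmsolo from 203.0.113.42
2024-05-01T10:02:40Z qbx-dashboard: 2fa verification failed for user jmsolo from 203.0.113.42
2024-05-01T10:04:30Z qbx-dashboard: password reset rate limit hit from 203.0.113.42
2024-05-01T10:05:00Z qbx-dashboard: login failed for user root from 198.51.100.7
2024-05-01T10:10:00Z qbx-dashboard: login failed for user root from 198.51.100.7
2024-05-01T10:15:00Z qbx-dashboard: login failed for user root from 198.51.100.7
2024-05-01T10:20:00Z qbx-dashboard: login failed for user root from 198.51.100.7
"""

# Three failure patterns feeding one jail, the way the article describes the
# dashboard jail counting password, 2FA and reset failures together. <HOST> is
# Fail2Ban's placeholder convention for the offending address.
FAILREGEX = [
    r"login failed for user \S+ from <HOST>",
    r"2fa verification failed for user \S+ from <HOST>",
    r"password reset rate limit hit from <HOST>",
]
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def parse_ts(stamp):
    """ISO-8601 timestamp with a trailing Z -> aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


class Jail:
    """Sliding-window failure counter with the same knobs as the install form."""

    def __init__(self, patterns, maxretry=5, findtime=600, bantime=600, ignoreip=()):
        self.regexes = [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside the window
        self.bans = {}                      # ip -> ban expiry
        self.ignored_hits = 0

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def observe(self, ts, line):
        """Feed one log line. Returns the IP if this line triggered a ban."""
        for rx in self.regexes:
            m = rx.search(line)
            if not m:
                continue
            ip = m.group("host")
            if self.is_ignored(ip):
                self.ignored_hits += 1      # allowlisted: never counted, never banned
                return None
            if ip in self.bans and self.bans[ip] <= ts:
                del self.bans[ip]           # earlier ban has expired
            window = self.failures[ip]
            window.append(ts)
            while ts - window[0] > self.findtime:
                window.popleft()            # forget failures older than findtime
            if len(window) >= self.maxretry and ip not in self.bans:
                self.bans[ip] = ts + self.bantime
                window.clear()
                return ip
            return None
        return None

    def active_bans(self, at):
        return sorted(ip for ip, expiry in self.bans.items() if expiry > at)


def run_jail(journal, **settings):
    """Replay a journal through a fresh Jail and return it for inspection."""
    jail = Jail(FAILREGEX, **settings)
    for line in journal.splitlines():
        stamp, _, message = line.partition(" ")
        jail.observe(parse_ts(stamp), message)
    return jail


if __name__ == "__main__":
    j = run_jail(SAMPLE_JOURNAL, ignoreip=["127.0.0.1/8", "192.168.1.0/24"])
    print("active bans at 10:10:", j.active_bans(parse_ts("2024-05-01T10:10:00Z")))
    print("allowlisted failures ignored:", j.ignored_hits)
```

Rerun it as `run_jail(SAMPLE_JOURNAL, maxretry=3, bantime=900)` with no allowlist, the settings from the CLI line above, and the LAN address 192.168.1.10 is banned alongside both attackers. That is exactly the lockout the Important box warns about, and why the allowlist goes in before the stricter thresholds.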

The Fail2Ban Dashboard Control Center

Once installed, the complete Fail2Ban management surface lives at Settings → Security → Fail2Ban in the v4 dashboard. See the Security Settings documentation for the full feature reference.

Jail control panel — Every configured jail appears as a card showing its current fail count, ban count, and the list of currently banned IPs. You can enable or disable any jail, and edit bantime, findtime, and maxretry inline without touching config files. Inline edits are applied as you save them; after a batch of changes, use Reload Config to re-read the jail configuration in one step.

Allowlist management — Add or remove IP addresses and CIDR ranges from the global allowlist. A lockout-protection guard warns you before removing an entry that covers your own connected IP. The loopback addresses are permanently protected and cannot be removed.

Manual ban / unban — Enter any IP address to immediately ban it into a specific jail, or unban it from all jails simultaneously. Useful when you spot a threat in logs before Fail2Ban's threshold fires, or when you need to release a legitimate IP that tripped a jail.

Intelligent recommendations — The Recommendations panel analyzes three things: which apps are installed and whether their corresponding jails are enabled, how many users are active on your server, and observed ban patterns from your history. Suggestions appear grouped by severity with one-click apply actions. After installing a new application, check this panel — it will tell you if that app's jail is not yet enabled.

Live Ban Analytics on the System Dashboard

When Fail2Ban is installed, the System Dashboard gains a Fail2Ban Protection widget with:

  • Current active ban count and new bans in the last 24 hours
  • Bans by country (top 10, visualized as a bar chart)
  • Top blocked IPs (ranked by ban frequency)
  • Access-vector breakdown by jail
  • Ban event timeline with 24h, 7d, and 30d windows

This gives you a real-time picture of who is attacking your server and which services they are targeting — without needing to read log files.

Reviewing Per-App Jail Coverage

After installing new applications, it is worth opening the Fail2Ban tab and checking the Recommendations panel. Per-app jails in qbx-apps.conf start disabled and are enabled by the app's own install script. If an app was installed before Fail2Ban, or if the jail needs to be manually enabled, the Recommendations panel surfaces an enable-jail suggestion with a one-click action.

You can also enable any jail directly from the jail card if you prefer not to wait for a recommendation.

From the CLI, check the current jail list:

fail2ban-client status
fail2ban-client status qbx-v4dashboard
fail2ban-client status sshd

Unban an IP from all jails:

qb manage fail2ban -o unban 203.0.113.42

Layer 2: WireGuard VPN and Per-Application Traffic Routing

Why Route Traffic Through a VPN?

There are two distinct reasons to run a VPN on your seedbox, and QuickBox Pro's WireGuard integration addresses both.

Privacy for download traffic — When qBittorrent fetches torrent data, your server's real IP is visible to other peers and, through them, to monitoring organizations. Routing qBittorrent's traffic through a WireGuard tunnel means the VPN exit IP is what peers see, not your server's IP. This is particularly useful in jurisdictions where BitTorrent traffic is monitored.

Account isolation for media servers — Services like Plex, Emby, and Jellyfin communicate with their parent APIs (plex.tv, emby accounts, etc.) over the internet. Routing those connections through a VPN keeps your server's real IP off those platforms' records and can help with geo-restriction requirements.

WireGuard vs the Main VPN

QuickBox's WireGuard integration operates in two distinct modes. Understanding the difference is important before you configure either one.

Main VPN (peer activation) — Toggling the Active switch on a peer in the VPN Control peer table starts a wg-quick@<peer> tunnel that routes all server traffic through that peer. Your dashboard, SSH session, and every running application exit through the VPN. This is a full-tunnel, server-wide configuration.

App-scoped routing — A separate feature that routes only one specific application's traffic through a WireGuard tunnel, while everything else on the server uses its normal route. Each routed app runs inside its own Linux network namespace with a dedicated WireGuard interface. There is complete traffic isolation.

Both modes can run at the same time. The critical rule: each active routing slot requires its own WireGuard peer config. A .conf file holds one private key, and the provider identifies your session by the matching public key. If the same key handshakes from two interfaces, the provider's endpoint for that key flips to whichever interface spoke last, and both tunnels break. You cannot share a .conf file between the main VPN and an app-scoped routing slot, or between two simultaneously routed apps.
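A quick check for that rule, as an added example rather than QuickBox code: parse each uploaded .conf and flag slots whose [Interface] PrivateKey is identical, plus a second check that every peer's AllowedIPs really covers all traffic, since an app-scoped tunnel with a narrower AllowedIPs would leave part of the app's traffic with no route. The three configs, the slot names and the keys are constructed placeholders, and the provider endpoints are documentation addresses.

```python
from collections import defaultdict

# Constructed wg-quick configs for three routing slots. The keys are placeholders,
# not real WireGuard keys; the endpoints are documentation address space.
SLOT_CONFIGS = {
    "main-vpn": """\
[Interface]
PrivateKey = PLACEHOLDER_KEY_A_not_a_real_wireguard_key=
Address = 10.64.0.2/32
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_PROVIDER_PUBKEY_1=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 198.51.100.10:51820
""",
    # The same provider file uploaded a second time for qBittorrent: the mistake
    # the article warns about.
    "qbittorrent": """\
[Interface]
PrivateKey = PLACEHOLDER_KEY_A_not_a_real_wireguard_key=
Address = 10.64.0.2/32

[Peer]
PublicKey = PLACEHOLDER_PROVIDER_PUBKEY_1=
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.10:51820
""",
    "jellyfin": """\
[Interface]
PrivateKey = PLACEHOLDER_KEY_B_not_a_real_wireguard_key=
Address = 10.64.0.9/32

[Peer]
PublicKey = PLACEHOLDER_PROVIDER_PUBKEY_2=
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.11:51820
PersistentKeepalive = 25
""",
}


def parse_wg_conf(text):
    """Parse a wg-quick .conf into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    conf = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section == "Interface":
                current = conf["Interface"]
            elif section == "Peer":
                current = {}
                conf["Peer"].append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")   # split on the first '=' only: base64 keys end in '='
        current[key.strip()] = value.strip()
    return conf


def find_key_reuse(slots):
    """Groups of slot names whose [Interface] PrivateKey is identical (sorted tuples)."""
    by_key = defaultdict(list)
    for slot, text in slots.items():
        by_key[parse_wg_conf(text)["Interface"]["PrivateKey"]].append(slot)
    return sorted(tuple(sorted(names)) for names in by_key.values() if len(names) > 1)


def routes_everything(text):
    """True if the config has at least one peer and every peer's AllowedIPs covers all IPv4."""
    peers = parse_wg_conf(text)["Peer"]
    return bool(peers) and all(
        "0.0.0.0/0" in p.get("AllowedIPs", "").replace(" ", "").split(",") for p in peers
    )


if __name__ == "__main__":
    print("slots sharing a private key:", find_key_reuse(SLOT_CONFIGS))
    for slot, text in SLOT_CONFIGS.items():
        print(f"{slot}: full tunnel = {routes_everything(text)}")
```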

Installing WireGuard

# Server mode (routes all traffic, generates client configs)
qb install wireguard -u username -o server -lp 51820 -noc 1 \
  -dns 1.1.1.1 -cidr 10.5.0.2/16 -cai "0.0.0.0/0,::/0" \
  -ep vpn.example.com

# Client mode (import a provider .conf file)
qb install wireguard -u username -o client

Or install from System → VPN Control in the dashboard (WireGuard must be installed first — if it is not, the page shows an install prompt).

See the full WireGuard documentation for the complete CLI reference including MTU tuning, NordVPN profile generation, and peer management.

App-Scoped Routing: Routing a Specific Application

App-scoped routing is the most powerful privacy tool in the QuickBox VPN stack. It supports four applications: Emby, Jellyfin, Plex, and qBittorrent.

To enable it from the dashboard:

  1. Navigate to System → VPN Control (VPN Control documentation)
  2. Upload one WireGuard .conf file for each app you want to route — plus a separate one if you also want the main VPN active
  3. Scroll to the App-Scoped Routing card
  4. Select the application and choose its dedicated peer config from the dropdown
  5. Click Enable Routing

The dashboard shows a live health indicator once routing is active. A background health monitor polls every 30 seconds to verify the namespace, WireGuard interface, and routing rules are all in place.

What Happens to Your Access

App-scoped routing tunnels the app's outbound traffic through the VPN. Your inbound access paths remain unchanged:

  • Reverse proxy — The app is still reachable at https://your-server/username/app/ on port 443. The dashboard's reverse proxy bridges into the namespace via an internal link.
  • Local network — Devices on the same LAN can still reach the app at its normal port on the server's LAN IP.

You do not need to change how you connect to Emby or Jellyfin after enabling routing.

Plex has additional handling: QuickBox wires Plex's inbound client connections (port 32400) to come in through your server's real public IP, while Plex's outbound API calls go through the VPN. This means Plex shows as Reachable in your plex.tv account and clients connect at full direct-connect speeds — no Plex Relay required. See VPN Control — App-Scoped Routing for the full explanation.

Kill Switch Protection

The kill switch prevents an application from sending traffic outside the VPN tunnel if the tunnel degrades. Without it, a tunnel drop causes the app to fall back to its normal route — your real IP leaks.

When the kill switch is enabled and the WireGuard handshake age exceeds a configurable threshold (default 10 minutes for media servers, 30 minutes for qBittorrent), the application service is fully stopped. No traffic leaks. Handshake age is a sound health signal because a WireGuard tunnel that is carrying traffic renegotiates roughly every two minutes; a handshake that is ten minutes old means the peer has stopped answering.

Auto-recovery can be enabled to let the system attempt automatic tunnel restoration after a kill switch event, using exponential backoff up to five attempts. If auto-recovery is disabled or exhausted, re-enable routing from VPN Control after confirming the VPN peer is reachable.

Configure the kill switch from the panel that appears after enabling routing for an app.
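As an added example, not QuickBox's own monitor, here is the decision the kill switch makes, driven by the real `wg show <interface> dump` format: parse the peer line, compute the handshake age, compare it with the per-app threshold from this page, and lay out the backoff schedule for auto-recovery. The dump text, the keys, the fixed clock and the 30-second first retry delay are assumptions made for the example.

```python
# Constructed `wg show <iface> dump` output. The real format is one interface line
# (private key, public key, listen port, fwmark) followed by one tab-separated
# peer line (public key, preshared key, endpoint, allowed IPs, latest handshake
# as Unix time, rx bytes, tx bytes, persistent keepalive). Keys are placeholders.
NOW = 1_714_560_000  # fixed "current time" so the example is deterministic


def make_dump(latest_handshake):
    return (
        "PLACEHOLDER_PRIVATE_KEY=\tPLACEHOLDER_PUBLIC_KEY=\t51820\toff\n"
        "PLACEHOLDER_PROVIDER_PUBKEY=\t(none)\t198.51.100.10:51820\t0.0.0.0/0"
        f"\t{latest_handshake}\t84120334\t6120933\t25\n"
    )


HEALTHY_DUMP = make_dump(NOW - 95)    # handshake a minute and a half ago
STALE_DUMP = make_dump(NOW - 1500)    # 25 minutes without a handshake
NEVER_DUMP = make_dump(0)             # 0 means the peer never completed a handshake

# Thresholds named on this page: 10 minutes for media servers, 30 for qBittorrent.
HANDSHAKE_THRESHOLDS = {"emby": 600, "jellyfin": 600, "plex": 600, "qbittorrent": 1800}


def parse_wg_dump(dump_text):
    """Peer records from a dump; the first line is the interface itself and is skipped."""
    peers = []
    for line in dump_text.strip().splitlines()[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": f[2],
            "allowed_ips": f[3],
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
        })
    return peers


def handshake_age(dump_text, now=NOW):
    """Seconds since the newest handshake on the interface; None if there has never been one."""
    latest = max((p["latest_handshake"] for p in parse_wg_dump(dump_text)), default=0)
    return None if latest == 0 else now - latest


def kill_switch_decision(app, dump_text, now=NOW):
    """'ok' while the tunnel is fresh enough for this app, else 'stop' (stop the service)."""
    age = handshake_age(dump_text, now)
    if age is None or age > HANDSHAKE_THRESHOLDS[app]:
        return "stop"
    return "ok"


def recovery_schedule(first_delay=30, attempts=5):
    """Delays between auto-recovery attempts: exponential backoff over five attempts as
    the article states; the 30-second starting delay is an assumption for illustration."""
    return [first_delay * 2 ** i for i in range(attempts)]


if __name__ == "__main__":
    for app in ("jellyfin", "qbittorrent"):
        print(f"{app}: stale tunnel -> {kill_switch_decision(app, STALE_DUMP)}")
    print("recovery delays (s):", recovery_schedule())
```

The same 25-minute-old handshake stops Jellyfin but leaves qBittorrent running, which is the practical effect of the two default thresholds: a torrent client tolerates a longer quiet period before the service is cut. A peer that has never handshaked is treated as down from the start rather than waiting out the threshold.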

Reviewing VPN Firewall Rules

When WireGuard is active, it adds FORWARD chain accepts, NAT MASQUERADE rules, and — when app-scoped routing is active — additional rules for the veth network namespaces on 10.200.x.y subnets. You can see all of these in the dashboard under Settings → Security → Firewall Rules, filtered to the WireGuard origin.


Layer 3: Firewall Rules, Quick Harden, and the Conflict Resolver

The Firewall Rules Tab

The Settings → Security → Firewall Rules tab gives you a complete view of all active iptables rules on your server, classified by origin. Rules from QuickBox, Geo Policy, Fail2Ban, WireGuard, and system sources all appear in one place with filter chips for each origin. See the Security Settings documentation for the full reference.

Quick Harden Profiles

The Quick Harden dropdown in the Firewall Rules toolbar lets you close known attack surfaces in a single click. Available profiles include:

  • Block RPC (111) — Closes the RPC portmapper, a common scanning target
  • Block NetBIOS (137–139) — Closes legacy Windows file-sharing discovery ports
  • Block SMB (445) — Closes Windows file sharing (note: disables external Samba access too)
  • Block MS-RPC (135) — Closes Microsoft endpoint mapper
  • Block Berkeley r-services (512–514) — Closes deprecated plaintext remote-shell protocols
  • Block diagnostics (7, 9, 13, 19) — Closes echo, discard, daytime, and chargen
  • Block Finger (79) — Prevents username enumeration
  • Block all common — Applies all of the above in one action

Quick Harden rules write to the QBX_ENFORCEMENT iptables chain with recognizable comment markers, persist to /etc/iptables/rules.v4 automatically, and survive server reboots. They appear in the Firewall Rules viewer organized as QuickBox origin immediately after you apply them.

For a typical seedbox running QuickBox Pro, Block all common is safe to apply: apart from Samba on 445, which the SMB profile cuts off for external clients, none of the covered services are used by QuickBox applications. If you serve Samba shares to remote clients, apply the other profiles individually instead of Block all common.

Manual IP Blocking

The Settings → Security → Settings tab lets you block specific IP addresses or CIDR ranges at the firewall level with configurable durations (30 minutes, 2 hours, 24 hours, or permanent). A 30-second rollback countdown protects against accidental lockouts — confirm before the timer expires, or the block is automatically reverted.

The Firewall Conflict Resolver

If you run a third-party VPN client (PIA, NordVPN daemon, Tailscale, Mullvad, etc.) alongside QuickBox's WireGuard, those two systems can install firewall rules that quietly cancel each other out. The Firewall Conflict Resolver detects exactly this class of conflict and offers guided resolutions.

Each conflict gets a severity badge (Critical, Warning, or Info) and a resolution chain — a coherent set of steps that addresses the conflict as a unit. A dry-run preview shows exactly what will run, flags any risk of locking yourself out, and gives you the chance to whitelist your IP before the change applies. A snapshot of the current firewall state is taken automatically before any apply, so you can restore in one click if something unexpected happens.
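How a viewer like the Firewall Rules tab can classify rules by origin, and how the resolver's core check (a catch-all REJECT placed ahead of the ACCEPTs it shadows in the same chain) can be expressed, as an added example that is not QuickBox's code: parse iptables-save output, tag each rule, and report ACCEPT rules that can never match. The rule listing, the comment marker and the classification heuristics are constructed assumptions; only the f2b- chain prefix (Fail2Ban's own convention), the QBX_ENFORCEMENT chain and the 10.200.0.0/16 namespace range come from this page or the tools themselves.

```python
import ipaddress
import shlex

# Constructed iptables-save excerpt: a Fail2Ban jail chain, the QBX_ENFORCEMENT
# chain described on this page, WireGuard forwarding and NAT rules, and a catch-all
# REJECT that some third-party VPN client put at the top of FORWARD. The comment
# text is invented; QuickBox's real markers are not shown on this page.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:QBX_ENFORCEMENT - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j QBX_ENFORCEMENT
-A INPUT -i wg0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
-A QBX_ENFORCEMENT -p tcp -m multiport --dports 135,137,138,139,445 -m comment --comment "qbx-harden:smb" -j DROP
-A f2b-sshd -s 203.0.113.42/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.200.0.0/16 -o wg0 -j MASQUERADE
COMMIT
"""

APP_NAMESPACE_NET = ipaddress.ip_network("10.200.0.0/16")  # namespace subnets named on this page


def parse_rules(text):
    """Turn every '-A' line of iptables-save output into a dict of its options.
    Negated matches ('!') are not handled; none appear in the sample."""
    rules, table = [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)            # shlex keeps quoted comment text together
        rule = {"table": table, "raw": line, "modules": []}
        i = 0
        while i < len(toks):
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            value = toks[i + 1] if has_value else True
            if toks[i] == "-m":
                rule["modules"].append(value)
            else:
                rule[toks[i]] = value
            i += 2 if has_value else 1
        rules.append(rule)
    return rules


def origin(rule):
    """Tag a rule with its likely source (the heuristics are this example's assumptions)."""
    chain, target = rule["-A"], rule.get("-j", "")
    if chain.startswith("f2b-") or target.startswith("f2b-"):
        return "Fail2Ban"
    if "QBX_ENFORCEMENT" in (chain, target) or str(rule.get("--comment", "")).startswith("qbx"):
        return "QuickBox"
    for key in ("-s", "-d"):
        if key in rule and ipaddress.ip_network(rule[key], strict=False).subnet_of(APP_NAMESPACE_NET):
            return "WireGuard"
    if any(str(rule.get(k, "")).startswith("wg") for k in ("-i", "-o")):
        return "WireGuard"
    return "system"


def origin_counts(text):
    counts = {}
    for r in parse_rules(text):
        counts[origin(r)] = counts.get(origin(r), 0) + 1
    return counts


def is_catch_all(rule):
    """A terminating DROP/REJECT with no match criteria at all (a comment is not a match)."""
    selective = set(rule) - {"table", "raw", "modules", "-A", "-j", "--comment", "--reject-with"}
    return not selective and rule["modules"] in ([], ["comment"]) and rule.get("-j") in ("DROP", "REJECT")


def find_shadowed_accepts(text):
    """(chain, shadowed ACCEPT, blocking rule) for ACCEPTs behind an earlier catch-all in the same chain."""
    blocker, findings = {}, []
    for r in parse_rules(text):
        key = (r["table"], r["-A"])
        if key in blocker and r.get("-j") == "ACCEPT":
            findings.append((r["-A"], r["raw"], blocker[key]))
        elif key not in blocker and is_catch_all(r):
            blocker[key] = r["raw"]
    return findings


if __name__ == "__main__":
    print(origin_counts(SAMPLE_RULES))
    for chain, shadowed, by in find_shadowed_accepts(SAMPLE_RULES):
        print(f"{chain}: '{shadowed}' never matches because of '{by}'")
```

Run against the sample, both WireGuard ACCEPTs in FORWARD are reported as dead rules behind the third-party REJECT, which is the "quietly cancel each other out" case the resolver exists for. A real resolution moves the WireGuard accepts above the catch-all (or scopes the catch-all), and the same check run afterwards should return nothing.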


Layer 4: Account and Geographic Access Controls

Disallowed Usernames

Under Settings → Security → Settings, you can maintain a list of usernames that cannot be registered on your QuickBox server. Reserving common system and privileged account names (admin, root, administrator) stops a regular user from registering a name that looks authoritative, which removes an easy impersonation lever in social-engineering attempts.

Geo-Block: Country-Level Dashboard Protection

Geo-Block restricts dashboard access by country. Requests from blocked countries are rejected at the application level, and their IPs are added to the firewall automatically. If you know your users are all in specific countries, blocking the rest cuts most of the untargeted scanning and credential-stuffing noise. It is not a substitute for the other layers: a targeted attacker can source traffic from a VPN or cloud host in an allowed country, and country lookups depend on GeoIP data that is never perfectly accurate.

Before applying Geo-Block rules, the dashboard checks whether your own country would be blocked and warns you. Always add VPN exit IPs to the exempt list before enabling enforcement.

Geo-Lock: Streaming Session Restriction

Geo-Lock operates on streaming sessions, not dashboard access. It applies to Emby and Jellyfin sessions monitored by the WSDashboard, terminating sessions that originate from countries not on your allowlist. Use it to enforce geographic restrictions on who can stream your media.

Both features are on the Security Settings page — see the documentation for full configuration details.


Putting It Together: A Hardening Checklist

Here is a practical sequence for a freshly installed QuickBox Pro server:

  1. Install Fail2Ban first — set a sensible allowlist, enable both base jails, and let the dashboard recommendations guide per-app jail activation as you install applications. See the Fail2Ban documentation.

  2. Apply Quick Harden — open Firewall Rules and apply "Block all common" to close the legacy ports that have no place on a modern seedbox.

  3. Review disallowed usernames — add common admin account names to the list before creating any non-admin users.

  4. Consider WireGuard for download privacy — if you use qBittorrent and want to keep torrent traffic off your server's real IP, enable app-scoped VPN routing. See the WireGuard documentation and VPN Control documentation.

  5. Enable Geo-Block if your user base is geographically concentrated — if everyone accessing your server is in two or three countries, blocking the rest of the world eliminates a large category of automated attacks.

  6. Check the Fail2Ban widget on the System Dashboard weekly — watch for unusual ban spikes by jail or country. A sudden spike in qBittorrent login failures, for example, means someone is attempting to access the web UI.

  7. Review the Firewall Conflict Resolver if you install any third-party VPN clients — PIA's Linux daemon and similar tools install catch-all REJECT rules that can silently break QuickBox's WireGuard underlay.


Frequently Asked Questions

Do I need all of these layers?

At minimum, install Fail2Ban. The brute-force protection it provides is the highest-value single change you can make to a freshly installed server. Everything else adds progressively more protection for more specific threat models.

Will Fail2Ban lock me out of my own server?

It can, which is why adding your admin workstation IP to the allowlist before install is important. If you do lock yourself out, remember that the ban is a firewall rule against your source IP, so if SSH is blocked too you need another way in: your provider's web console, or an SSH session from a different address. From there, unban on the server directly: qb manage fail2ban -o unban YOUR.IP.

Can I use a commercial VPN provider with QuickBox's WireGuard integration?

Yes. Most commercial VPN providers that support WireGuard (NordVPN, Mullvad, IVPN, and others) will give you downloadable .conf files for their servers. Upload them in VPN Control. For NordVPN specifically, QuickBox ships a built-in profile generator — see the VPN Control documentation.

What if my third-party VPN client is fighting with QuickBox's firewall rules?

Open the Firewall Conflict Resolver in Security Settings. It will detect the conflict, identify which rules are fighting each other, and offer a guided resolution with a full preview and rollback capability.

Does WireGuard app-scoped routing affect how I access Plex or Jellyfin?

No. Routing moves those apps' outbound traffic through the VPN tunnel. Your inbound connections — through the QuickBox reverse proxy or on your local network — work exactly the same as before. For Plex specifically, QuickBox also ensures that plex.tv can still reach your server directly, so Plex Remote Access shows as Reachable.
