Security Settings
The Security Settings page provides network-level and policy-level controls to protect your QuickBox Pro server. It is organized into four tabs: Settings for username and IP policies, Firewall Rules for viewing active firewall state, Geo-Lock for restricting streaming access by country, and Geo-Block for blocking dashboard access from specific countries.
Admin only
Security Settings requires admin privileges (admin.settings.read to view, admin.settings.update to modify). Navigate to Settings > Security from the sidebar.
Overview
🚫 Disallowed Usernames
Maintain a list of usernames that cannot be registered — prevents impersonation of system or admin accounts
🔒 IP Ban Management
Block specific IP addresses with configurable durations. Bans are enforced at the network level via iptables
🧱 Firewall Viewer
View all active firewall rules organized by origin — QuickBox, Geo Policy, Fail2Ban, WireGuard, and system rules
🌍 Country-Based Access Control
Restrict or block access by country using Geo-Lock (allowlist) and Geo-Block (blocklist) policies
Settings tab
The Settings tab contains two sections for managing username restrictions and network enforcement.
Disallowed usernames
Maintain a list of usernames that are blocked from registration. This prevents users from registering with names that could be confused with system accounts or admin identities.
- Add usernames to the disallowed list one at a time
- Usernames are matched case-sensitively — add entries in lowercase for best coverage
- Both the dashboard and the CLI enforce the disallowed list during user creation
Network enforcement
The network enforcement section lets you manually block IP addresses or CIDR ranges at the firewall level:
- Add a block — Enter an IP address or CIDR range, provide a reason, and select a duration
- Rollback safety — When you add a manual block, a 30-second countdown begins. You must click Confirm before the timer expires, or the block is automatically rolled back. This prevents accidental lockouts
- Duration options — 30 minutes, 2 hours, 24 hours, or permanent
| Block Field | Description |
|---|---|
| IP / CIDR | The IP address or CIDR range to block (e.g., 192.168.1.100 or 10.0.0.0/24) |
| Reason | A text note explaining why this IP is being blocked |
| Duration | How long the block should last — 30 minutes, 2 hours, 24 hours, or permanent |
| Status | Pending (awaiting confirmation), active (enforced), expired (time elapsed), or rolled back (not confirmed in time) |
Self-block protection
The system will warn you if you attempt to block your own IP address. Private and local network addresses are always allowed regardless of any block rules.
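A pre-flight check for a manual block entry, as an added example that is not QuickBox Pro code: it reports what an IP / CIDR entry covers, whether it includes an address you administer from, and whether it falls in private space. The function name, the 256-address threshold and the definition of private/local space (RFC 1918, loopback, link-local, IPv6 ULA) are assumptions; the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Assumption: "private and local" means RFC 1918, loopback, link-local and IPv6 ULA space.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def review_block(target, admin_ips, max_addresses=256):
    """Summarise what an IP / CIDR entry covers before the block is confirmed."""
    # strict=False normalises entries typed with host bits set, e.g. 10.0.0.5/24
    net = ipaddress.ip_network(target.strip(), strict=False)
    warnings = []
    # Addresses of the other IP version are never "in" the network
    covered = [ip for ip in admin_ips if ipaddress.ip_address(ip) in net]
    if covered:
        warnings.append("covers your own address(es): " + ", ".join(covered))
    if net.num_addresses > max_addresses:
        warnings.append(f"broad range: {net.num_addresses} addresses")
    # subnet_of() raises on mixed IP versions, so compare versions first
    if any(net.version == loc.version and net.subnet_of(loc) for loc in LOCAL_NETS):
        warnings.append("private/local range: always allowed, block has no effect")
    return {
        "network": str(net),
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,
        "warnings": warnings,
    }

if __name__ == "__main__":
    # Constructed inputs; public samples use documentation ranges (RFC 5737 / RFC 3849).
    admin = ["203.0.113.7"]
    for entry in ("198.51.100.23", "203.0.113.0/24", "2001:db8::/32", "10.0.0.5/24"):
        print(entry, review_block(entry, admin))
```
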
Firewall Rules tab
The Firewall Rules tab provides a read-only view of all active iptables rules on your server. Rules are classified by origin so you can quickly identify where each rule came from:
| Origin | Description |
|---|---|
| QuickBox | Manual blocks added through the Security Settings page |
| Geo Policy | Blocks created automatically by the Geo-Block enforcement system |
| Ban List | Blocks created when an IP is added to the banned IP list |
| Fail2Ban | Blocks created by the Fail2Ban intrusion detection service |
| WireGuard | Rules related to VPN routing and network namespaces |
| System | System-level firewall rules |
You can filter rules by origin using the tab bar, search across all rule fields, and delete individual QuickBox or Geo Policy rules. Bulk selection and deletion are also supported.
Rules that have expired or been rolled back appear faded in the list to distinguish them from active rules.
Geo-Lock tab
Geo-Lock restricts streaming sessions to specific countries. It operates as an allowlist — only sessions originating from countries you specify are permitted to continue. Sessions from other countries are terminated.
This feature is part of the Streaming Dashboard and applies to Emby and Jellyfin streaming sessions, not general dashboard access. Use Geo-Lock when you want to ensure media streaming only happens from expected locations.
Streaming sessions only
Geo-Lock applies to streaming sessions monitored by the Streaming Dashboard. It does not affect dashboard login or general server access. For blocking dashboard access by country, use Geo-Block instead.
Geo-Block tab
Geo-Block restricts dashboard access by country. It operates as a blocklist — requests from countries you specify are blocked at both the application level and the network level.
How Geo-Block works
- Select the countries you want to block
- Click Apply Rules to enable enforcement
- When a request arrives from a blocked country, it is rejected at the application level and the IP is added to the firewall automatically
- Subsequent requests from that IP are blocked at the network level (kernel-level iptables) before reaching the application
Managing Geo-Block
- Country selection — Choose countries from the list to add to the blocklist
- Exempt IPs — Add specific IP addresses or CIDR ranges that should bypass geo-blocking (useful for VPNs or trusted proxies)
- IP test tool — Test any IP address to see if it would be blocked by your current configuration
- Enable/disable — Toggle enforcement on or off. Disabling does not immediately remove existing firewall rules — they expire naturally
Check your own location
Before applying Geo-Block rules, the system checks whether your current IP would be blocked and warns you. Always verify that your own country and any VPN exit points are not in the blocklist.
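The same verification can be rehearsed offline for every address you administer from. This is an added example, not QuickBox Pro code and not its geolocation service: it evaluates a list of your own addresses against a blocklist and an exempt list. The lookup table, country codes, function names and the choice to allow unknown locations are assumptions.

```python
import ipaddress

# Assumption: "private and local" = RFC 1918, loopback and link-local (IPv4 only here).
LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed stand-in for a geolocation service: network -> country code.
# Networks are documentation ranges; XA/XB/XC are ISO 3166 user-assigned codes.
GEO_TABLE = {"198.51.100.0/24": "XA", "203.0.113.0/24": "XB", "192.0.2.0/24": "XC"}

def country_of(ip, table=GEO_TABLE):
    """Look up the country code for an address, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, code in table.items():
        if addr in ipaddress.ip_network(net):
            return code
    return None

def verdict(ip, blocked, exempt, table=GEO_TABLE):
    """Return (allowed, reason) for one address under a Geo-Block configuration."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL):
        return True, "private/local address"
    if any(addr in ipaddress.ip_network(e, strict=False) for e in exempt):
        return True, "exempt IP"
    code = country_of(ip, table)
    if code in blocked:
        return False, f"country {code} is on the blocklist"
    # Assumption: an address with no known location is allowed
    return True, f"country {code or 'unknown'} not blocked"

def preflight(my_ips, blocked, exempt, table=GEO_TABLE):
    """List the operator's own addresses that the configuration would lock out."""
    return [ip for ip in my_ips if not verdict(ip, blocked, exempt, table)[0]]

if __name__ == "__main__":
    mine = ["192.168.1.10", "203.0.113.7", "198.51.100.40"]  # LAN, home, VPN exit
    print(preflight(mine, blocked={"XA"}, exempt=[]))                 # VPN exit locked out
    print(preflight(mine, blocked={"XA"}, exempt=["198.51.100.40"]))  # exemption fixes it
```
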
Geo-Lock vs Geo-Block
Use Geo-Lock when
- You want to restrict where media can be streamed from
- You need to prevent account sharing across countries
- You only need to control Emby or Jellyfin streaming sessions
- You want per-session enforcement with automatic session termination
Use Geo-Block when
- You want to block all dashboard access from specific countries
- You need network-level protection against unauthorized access
- You want to block brute-force attempts from certain regions
- You want IP-level blocking that persists in the firewall
Both features use the same geolocation service to determine a visitor’s country based on their IP address. Private and local network addresses are always allowed regardless of either policy.
CLI equivalents
| Dashboard Feature | CLI Command |
|---|---|
| Fail2Ban toggle | qb manage fail2ban -o <enable\|disable> |
Dashboard advantage
Most Security Settings features — including disallowed usernames, manual IP blocking, firewall viewing, and geo-based access control — are available only through the dashboard. The CLI covers Fail2Ban management.
Best practices
Do
- Add common admin-like usernames (admin, root, administrator, system) to the disallowed list to prevent impersonation
- Use Geo-Block if you know your users are all in specific countries — blocking entire regions you do not serve reduces your attack surface
- Always add your VPN exit IPs to the Geo-Block exempt list before enabling enforcement
- Review the Firewall Rules tab periodically to understand what is being blocked and why
- Use the IP test tool on the Geo-Block tab to verify your configuration before applying rules
Don't
- Don't enable Geo-Block without checking that your own IP address and country are not in the blocklist
- Don't confuse Geo-Lock and Geo-Block — Geo-Lock controls streaming sessions, Geo-Block controls dashboard access
- Don't add overly broad CIDR ranges to manual blocks without understanding which IPs they cover
- Don't rely solely on Geo-Block for security — it should be one layer in a defense-in-depth approach alongside strong passwords, 2FA, and Fail2Ban