Skip to Content
DocsDashboardSettingsSecuritySecurity Settings

Security Settings

The Security Settings page provides network-level and policy-level controls to protect your QuickBox Pro server. It is organized into five tabs: Settings for username and IP policies, Firewall Rules for viewing active firewall state, Geo-Lock for restricting streaming access by country, Geo-Block for blocking dashboard access from specific countries, and Fail2Ban for per-app brute-force protection, allowlist management, and manual ban/unban controls.

Admin only

Security Settings requires admin privileges (admin.settings.read to view, admin.settings.update to modify). Navigate to Settings > Security from the sidebar.

Overview

Disallowed Usernames

Maintain a list of usernames that cannot be registered — prevents impersonation of system or admin accounts

IP Ban Management

Block specific IP addresses with configurable durations. Bans are enforced at the network level via iptables

Quick Harden

Apply a curated security hardening profile in one click — closes known attack surfaces with iptables rules that survive reboot

Custom Rule Labels

Name any firewall rule with a plain-language label. Labeled rules group into their own filter chip so Unknown rules become organized

Firewall Viewer

View all active firewall rules organized by origin — QuickBox, Geo Policy, Fail2Ban, WireGuard, and system rules

Fail2Ban Jail Control

Per-app brute-force protection. Enable or disable individual jails, edit thresholds inline, manage the allowlist, and manually ban or unban IPs

Country-Based Access Control

Restrict or block access by country using Geo-Lock (allowlist) and Geo-Block (blocklist) policies

Settings tab

The Settings tab contains two sections for managing username restrictions and network enforcement.

Disallowed usernames

Maintain a list of usernames that are blocked from registration. This prevents users from registering with names that could be confused with system accounts or admin identities.

  • Add usernames to the disallowed list one at a time
  • Usernames are matched case-sensitively — add entries in lowercase for best coverage
  • Both the dashboard and the CLI enforce the disallowed list during user creation

Network enforcement

The network enforcement section lets you manually block IP addresses or CIDR ranges at the firewall level:

  • Add a block — Enter an IP address or CIDR range, provide a reason, and select a duration
  • Rollback safety — When you add a manual block, a 30-second countdown begins. You must click Confirm before the timer expires, or the block is automatically rolled back. This prevents accidental lockouts
  • Duration options — 30 minutes, 2 hours, 24 hours, or permanent
Block FieldDescription
IP / CIDR
The IP address or CIDR range to block (e.g., 192.168.1.100 or 10.0.0.0/24)
Reason
A text note explaining why this IP is being blocked
Duration
How long the block should last — 30 minutes, 2 hours, 24 hours, or permanent
Status
Pending (awaiting confirmation), active (enforced), expired (time elapsed), or rolled back (not confirmed in time)
Self-block protection

The system will warn you if you attempt to block your own IP address. Private and local network addresses are always allowed regardless of any block rules.

Firewall Rules tab

The Firewall Rules tab provides a view of all active iptables rules on your server, plus tools to harden your system and organize rules with plain-language labels. Rules are classified by origin so you can quickly identify where each rule came from:

OriginDescription
QuickBox
Manual blocks and hardening-profile rules managed by QuickBox
Geo Policy
Blocks created automatically by the Geo-Block enforcement system
Ban List
Blocks created when an IP is added to the banned IP list
Fail2Ban
Blocks created by the Fail2Ban intrusion detection service
WireGuard
FORWARD chain accepts for the wg0 interface, NAT MASQUERADE for traffic routing, and — when app-scoped routing is active — veth namespace rules and 10.200.x.y subnet entries. Created automatically when WireGuard is activated from VPN Control or via qb manage wireguard check
System
System-level firewall rules

You can filter rules by origin using the chip row, search across all rule fields, and delete individual QuickBox or Geo Policy rules. Bulk selection and deletion is also supported. Custom-labeled rules appear as their own filter chips between the QuickBox built-ins and the Unknown bucket.

Rules that have expired or been rolled back appear faded in the list to distinguish them from active rules.

Inspecting WireGuard rules

Select the WireGuard filter chip to isolate all VPN-related firewall entries. This includes both the base tunnel rules (FORWARD and MASQUERADE on wg0) and any app-scoped routing rules for network namespaces. For details on what each rule does and how they are created, see the WireGuard application documentation and the VPN Control page.

Conflict resolver

If rules show as Unknown, or if a third-party VPN client is fighting QuickBox-managed firewall rules, the Firewall Conflict Resolver classifies every rule by provider and surfaces a Detected firewall conflicts list directly above the rules viewer. Each row opens a dry-run-gated, snapshot-backed resolution modal — including actionable chains for third-party kill-switches and a one-click dismissal for advisory-only rows.

Quick Harden

The Quick Harden dropdown sits in the top toolbar of the Firewall Rules tab, next to the Refresh button. It applies a curated hardening profile in a single click — no manual iptables commands required.

Available profiles

ProfileWhat it doesPorts / Protocols
Block RPC (`111`)
Closes the RPC portmapper. Servers that do not run NFS, NIS, or other RPC services gain nothing from having this open — it is a common scanning target
TCP 111, UDP 111
Block NetBIOS (`137`–`139`)
Closes legacy Windows file-sharing discovery ports. NetBIOS over IP is rarely needed on Linux servers and is a frequent reconnaissance target
UDP 137, UDP 138, TCP 139
Block SMB (`445`)
Closes the TCP port used for Windows file sharing (SMB/CIFS). If you are running Samba shares on this server, applying this profile will also block those shares from external access
TCP 445
Block MS-RPC (`135`)
Closes the Microsoft endpoint mapper. This port is associated with DCOM and WMI — services that are not relevant on Linux servers and are targeted by several known exploit families
TCP 135
Block Berkeley r-services (`512`–`514`)
Closes the BSD remote-shell ports (rsh, rlogin, rexec). These are deprecated, transmit credentials in plaintext, and have no place on a modern server
TCP 512, TCP 513, TCP 514
Block diagnostics (`7`, `9`, `13`, `19`)
Closes echo, discard, daytime, and chargen. These diagnostic ports are rarely needed and can be abused as DDoS amplification vectors (particularly chargen)
TCP + UDP 7, 9, 13, 19
Block Finger (`79`)
Closes the Finger protocol. Finger can disclose usernames and login activity to anyone who connects — this information aids targeted attacks
TCP 79
Block all common
Applies all of the above profiles in a single action. This is the recommended starting point for servers that do not use any of the services listed above
All ports from the profiles above

Each profile writes its DROP rules in the exact format the Firewall Rules classifier already knows — qbx:hardening:<profile> — so the rules appear labeled and organized immediately after you apply them.

How it works

  1. Open the Quick Harden dropdown in the toolbar
  2. Select a profile — for example, Block RPC (111)
  3. QuickBox writes the corresponding DROP rules into the QBX_ENFORCEMENT chain with a recognizable comment (qbx:hardening:rpc) and immediately persists them to disk so they survive a server reboot
  4. The rules appear in the Firewall Rules viewer classified as QuickBox origin and are ready for filtering, deletion, and labeling like any other QuickBox-managed rule
Why use Quick Harden instead of adding a manual block?

A manual block added through the Network Enforcement section works correctly, but rules you add manually show as Unknown origin until the classifier recognizes the comment format. Quick Harden writes rules in the exact format the classifier already knows — qbx:hardening:<profile> — so they appear labeled and organized immediately.

Reboot survival

Quick Harden rules are written into the QBX_ENFORCEMENT chain and persisted via iptables-save to /etc/iptables/rules.v4. They reload automatically on server restart along with all other QuickBox-managed rules.

Custom rule labels

Every rule in the Firewall Rules tab can be given a plain-language label. Labels serve two purposes: they help you remember what a rule is for, and they group rules into their own filter chip in the chip row so you can quickly isolate a named set.

Adding a label to a rule

Each rule row has a small tag icon to the right of the rule details (alongside the delete and exemptions buttons):

  • If the rule has no label, the icon is neutral — click it to open the label input
  • If the rule already has a label, the icon switches to a pencil to signal that a label exists and is editable
  • Type your label and press Enter to save. Leave the input empty and press Enter to remove an existing label
  • Labels can contain letters, numbers, spaces, and common punctuation. Maximum 80 characters

Once saved, the label appears as a badge on the rule row and the rule is grouped under its own chip in the chip row. Clicking the chip filters the view to only rules sharing that label.

Label durability — QuickBox rules vs foreign rules

How a label is stored depends on which chain owns the rule:

Rule typeHow the label is storedSurvives reboot?
QuickBox rules (QBX_ENFORCEMENT chain)
Written as an iptables comment on the rule itself (qbx:user:<label>). The label travels with the rule in iptables-save output
Yes — persisted to /etc/iptables/rules.v4 automatically
Foreign rules (Docker, third-party VPN, system, etc.)
Stored in the QuickBox database only. The rule itself is not modified
Across reboots: yes. Across third-party provider restarts: depends — see note below
Labels on foreign rules

When you label a rule that QuickBox does not own — for example, a Docker FORWARD rule or a rule installed by a VPN daemon — QuickBox stores your label locally in its database. Your label will appear in the Firewall Rules viewer as long as QuickBox can match the rule by its fingerprint. However, if the foreign provider removes and re-creates the rule (which some daemons do on restart), the rule fingerprint changes and QuickBox loses the match. Your label is stored safely but will not display until the rule reappears with the same fingerprint. A one-time notice appears the first time you label a foreign rule each session to remind you of this behavior.

Manage Labels panel

When you have labeled at least one rule, a Manage Labels button appears to the right of the chip row. Clicking it expands an inline panel below the chip row with a list of every label you have created:

  • Rename — click the pencil icon next to a label to rename it. The new name is applied to every rule sharing that label at once
  • Remove — click the trash icon to strip the label from all rules in that group. For QuickBox rules, this reverts the iptables comment back to the original; for foreign rules, the database entry is deleted

The panel stays open while you work. Close it with the X button in the panel header when you are done.

Use custom labels when

  • You added a port-block rule but it shows as Unknown in the viewer
  • You want to group a set of DROP rules under a project name (e.g. 'homelab-isolation')
  • You need to find all rules related to a specific service quickly without scrolling
  • You inherited firewall rules from a previous admin and want to annotate them

Use Quick Harden when

  • You want to apply a well-known security hardening recommendation quickly
  • You need the rule to survive reboots with its label intact
  • The port you want to close is covered by an available Quick Harden profile
  • You do not want to memorize iptables syntax for a common DROP rule

Fail2Ban tab

The Fail2Ban tab is the dashboard control center for brute-force protection. It is visible once the Fail2Ban package is installed (see the Fail2Ban application docs for install steps). Everything on this tab takes effect immediately — no command-line work needed.

Service status header

The top of the tab shows whether Fail2Ban is running, the total jail count, and how many IPs are currently banned. A Reload Config button hot-reloads the service after bulk changes without a full restart.

Permanent record strip

A short two-tile strip at the top of the tab summarizes the all-time picture from QuickBox’s durable security event ledger:

  • Offending IPs ever seen — distinct attacker IPs ever recorded by Fail2Ban on this server. Sourced from a forever-retention store, so this number only ever goes up — it never drops when bans expire or the Fail2Ban service restarts.
  • Permanent bans — IPs that currently carry a forever ban (ban time -1). These stay counted until you explicitly unban them.

Recommendations

The Recommendations panel surfaces per-install suggestions grouped by severity (Urgent, Recommended, Info). Each suggestion has a one-click apply action — for example, “enable the jail for this app” or “raise the bantime on SSH.” The engine looks at three things:

  • Which apps are installed and whether their associated jails are enabled
  • How many users are active on the server (multi-user hardening)
  • Observed ban patterns in your ban history (behavioral analysis)

Dismissed recommendations stay dismissed across page loads. The recommendations engine is conservative: it only suggests changes that improve protection, never weaken it.

Application Jails

The Application Jails section lists every installed app that has a Fail2Ban jail template available, with an enable/disable switch per app. Toggling activates brute-force protection for that app immediately — no qb update <app> required.

Each row carries a verification badge:

BadgeMeaning
Verified
The filter for this jail has been verified to reliably catch brute-force attempts for this app without falsely banning legitimate users.
Experimental
Safe to enable — it will not ban legitimate users — but the filter is still being refined and may not yet catch every attack pattern. Enable it for extra coverage; review your ban log periodically.

Jails

Each configured jail — qbx-v4dashboard, sshd, nginx-http-auth, recidive (see below), and any per-app jails you have enabled — appears as a card with:

  • An enable/disable toggle
  • Live fail count and ban count
  • Inline editing for bantime, findtime, and maxretry
  • An expandable list of currently banned IPs with per-IP unban
qbx-v4dashboard is always on

The qbx-v4dashboard jail protects dashboard logins. It is always enabled and cannot be toggled off — dashboard login protection is a core safeguard.

Default ban duration

New installs default to a 1-hour ban duration (3600 s). Older installs that were originally provisioned with the legacy 600-second (10-minute) default keep that value until you change it — adjust the bantime field on any jail card to bring it up to the new default.

Recidive — repeat-offender escalation

The recidive jail watches Fail2Ban’s own log for IPs that keep coming back. If the same IP is banned five or more times within a day by other jails, recidive re-bans it for a full week across all ports — not just the port that triggered the original bans. It only ever escalates IPs that other jails have already banned, so it can never lock out a clean visitor.

Recidive is enabled by default. You can adjust its thresholds (findtime, maxretry, bantime) on the recidive jail card just like any other jail, or disable it from the toggle.

Allowlist (ignoreip)

The Allowlist section lists all IPs and CIDR ranges that are never banned by any jail. 127.0.0.1/8 and ::1 are permanently protected and cannot be removed.

To add an entry, type an IP address or CIDR (e.g. 203.0.113.42 or 10.0.0.0/8) and click Add.

Lockout-protection guard

When you try to remove an allowlist entry that covers your own connected IP address, the dashboard shows a targeted danger-tone warning before proceeding. Removing your own IP means Fail2Ban can ban the address you are managing the dashboard from if you exceed any jail threshold. Ensure you have an alternative way back in before confirming.

Manual Ban / Unban

The bottom of the tab has two cards for one-off IP actions:

  • Ban IP — enter an IP and choose a jail from the dropdown, then click Ban IP to immediately ban that address in the selected jail.
  • Unban IP — enter an IP and click Unban from All Jails to remove it from every jail at once.
Real attacker IPs are visible

The dashboard surfaces real banned IPs to admins by design (no masking). Seeing the actual address lets you investigate offender patterns, recognize known-bad networks, and confirm a ban is what you expected. If your operation prefers reduced incidental exposure of attacker addresses, a privacy-mask toggle is available in General Settings (Mask banned IP addresses) — it zeros the last IPv4 octet / IPv6 group on the top-IPs displays.

Auto-protect apps on install

A feature flag in General Settings → Feature Flags controls whether QuickBox automatically enables Fail2Ban protection for new app installs:

  • Off (default) — Installing a new app does not enable its Fail2Ban jail. You opt in per-app from the Application Jails section of the Fail2Ban tab.
  • On — Installing or reinstalling any supported app automatically enables its jail at install time, provided the app has a verified jail template.

The flag is labeled Auto-protect apps on install and lives directly under Mask banned IP addresses in the Feature Flags section. Per-app toggling from the Fail2Ban tab remains available regardless of this flag.

When to enable auto-protect

Turn this flag on if you regularly add new apps and want brute-force protection to be active from the moment they go live — without having to remember to enable the jail manually. Leave it off if you prefer opt-in protection for every app individually.

System Dashboard — Fail2Ban Protection card

When Fail2Ban is installed, the System Dashboard (/system/dashboard) shows a Fail2Ban Protection card. The widget is hidden when Fail2Ban is not installed. The card splits into two groups so you can read the live picture and the historical record without confusing them.

Permanent record (all-time, never resets)

These two tiles come from QuickBox’s durable security event ledger. They count distinct IPs (not ban events) and never decrease — even when Fail2Ban purges old state or restarts.

TileWhat it measures
Offending IPs ever seen
Distinct attacker IPs ever recorded on this server, all-time. This is the trustworthy lifetime offender count.
Permanent bans
IPs that currently carry a forever ban (ban time -1). Counted until you explicitly unban them.

Live & recent activity (live count vs rolling window)

These four tiles mix a live point-in-time figure with three windowed figures. Use the 24h / 7d / 30d selector in the card header to change the window for the bottom three tiles. The live tile is always current; it does not change when you switch the window.

TileWhat it measures
Banned right now
Distinct IPs Fail2Ban is enforcing at this instant, across all jails. A point-in-time count — it rises and falls as bans are added and expire, so it is expected to differ from the window and all-time figures. An IP banned in two jails simultaneously counts once.
Bans (window)
Ban events recorded in the selected window from the durable event ledger. Counts events, not currently-active bans.
Unique IPs (window)
Distinct attacker IPs banned in the selected window. Answers "how many different attackers," not "how many ban events."
Busiest Jail
Jail with the most ban events in the selected window.
Two different lenses

The permanent record tiles answer “what is the overall threat history on this server?” The live & recent tiles answer “what is happening right now and over the last day or week?” They are intentionally different sources, so a smaller live number is not the all-time number dropping — it is a different measurement.

The widget also contains:

  • Active Bans (Live) — a paginated, searchable table of every IP currently blocked, with country, jail, and how long ago each was banned.
  • Bans by Country — a ranked horizontal bar chart of source countries for the selected window.
  • Top Blocked IPs — a ranked table of the IPs with the most bans in the window. Clicking a jail name jumps to the Fail2Ban tab for configuration.
  • Access-Vector Breakdown — a bar chart showing active vs total bans per jail. Click a bar to drill into that jail’s configuration.
  • Ban Events Timeline — an area chart of ban activity across the selected window.
Service stopped

If Fail2Ban is installed but the service is not running, the card shows a “fail2ban service is not running” notice and the metric panels are unavailable until the service is restored. The permanent-record tiles still display, since they read from the durable ledger rather than the live daemon.

Geo-Lock tab

Geo-Lock restricts streaming sessions to specific countries. It operates as an allowlist — only sessions originating from countries you specify are permitted to continue. Sessions from other countries are terminated.

This feature is part of the Streaming Dashboard and applies to Emby and Jellyfin streaming sessions, not general dashboard access. Use Geo-Lock when you want to ensure media streaming only happens from expected locations.

Streaming sessions only

Geo-Lock applies to streaming sessions monitored by the Streaming Dashboard. It does not affect dashboard login or general server access. For blocking dashboard access by country, use Geo-Block instead.

Geo-Block tab

Geo-Block restricts dashboard access by country. It operates as a blocklist — requests from countries you specify are blocked at both the application level and the network level.

How Geo-Block works

  1. Select the countries you want to block
  2. Click Apply Rules to enable enforcement
  3. When a request arrives from a blocked country, it is rejected at the application level and the IP is added to the firewall automatically
  4. Subsequent requests from that IP are blocked at the network level (kernel-level iptables) before reaching the application

Managing Geo-Block

  • Country selection — Choose countries from the list to add to the blocklist
  • Exempt IPs — Add specific IP addresses or CIDR ranges that should bypass geo-blocking (useful for VPNs or trusted proxies)
  • IP test tool — Test any IP address to see if it would be blocked by your current configuration
  • Enable/disable — Toggle enforcement on or off. Disabling does not immediately remove existing firewall rules — they expire naturally
Check your own location

Before applying Geo-Block rules, the system checks whether your current IP would be blocked and warns you. Always verify that your own country and any VPN exit points are not in the blocklist.

Geo-Lock vs Geo-Block

Use Geo-Lock when

  • You want to restrict where media can be streamed from
  • You need to prevent account sharing across countries
  • You only need to control Emby or Jellyfin streaming sessions
  • You want per-session enforcement with automatic session termination

Use Geo-Block when

  • You want to block all dashboard access from specific countries
  • You need network-level protection against unauthorized access
  • You want to block brute-force attempts from certain regions
  • You want IP-level blocking that persists in the firewall

Both features use the same geolocation service to determine a visitor’s country based on their IP address. Private and local network addresses are always allowed regardless of either policy.

CLI equivalents

Dashboard FeatureCLI Command
Fail2Ban service enable/disable
qb manage fail2ban -o <enable|disable>
Fail2Ban interactive config wizard
qb manage fail2ban -o config
Unban an IP from all jails
qb manage fail2ban -o unban <ip>
Dashboard advantage

Most Security Settings features — including disallowed usernames, manual IP blocking, firewall viewing, country-based access control, and per-app jail control with the Recommendations engine — are available only through the dashboard. The CLI covers basic Fail2Ban service management.

Best practices

Do

  • Add common admin-like usernames (admin, root, administrator, system) to the disallowed list to prevent impersonation
  • Use Quick Harden profiles to close known attack surfaces — they write rules in the correct comment format so the classifier recognizes them immediately
  • Use custom labels to annotate rules you add for specific projects or services — you will thank yourself six months later when auditing
  • Use Geo-Block if you know your users are all in specific countries — blocking entire regions you do not serve reduces your attack surface
  • Always add your VPN exit IPs to the Geo-Block exempt list before enabling enforcement
  • Review the Firewall Rules tab periodically to understand what is being blocked and why; use the Manage Labels panel to keep your own rules organized
  • Use the IP test tool on the Geo-Block tab to verify your configuration before applying rules
  • Add your admin workstation IP to the Fail2Ban allowlist before tightening any jail thresholds — the lockout-protection guard catches the obvious mistake but a fresh allowlist entry is the safer pattern
  • Review the Fail2Ban Recommendations panel after installing new apps — it surfaces jail gaps and tighter-threshold suggestions specific to your install
  • Leave the recidive jail enabled — it can only escalate IPs other jails have already banned, never a clean visitor

Don't

  • Don't label a foreign-chain rule (Docker, third-party VPN) and expect the label to survive if the provider's daemon restarts and re-creates the rule
  • Don't enable Geo-Block without checking that your own IP address and country are not in the blocklist
  • Don't confuse Geo-Lock and Geo-Block — Geo-Lock controls streaming sessions, Geo-Block controls dashboard access
  • Don't add overly broad CIDR ranges to manual blocks without understanding which IPs they cover
  • Don't rely solely on Geo-Block for security — it should be one layer in a defense-in-depth approach alongside strong passwords, 2FA, and Fail2Ban
  • Don't remove your own IP from the Fail2Ban allowlist without a confirmed fallback route back to your server
  • Don't read the System Dashboard's live Banned right now count as if it were the all-time figure — the Permanent record tiles above it are the trustworthy lifetime count

FAQ

Both result in network-level blocking via iptables. The banned IP list (managed in the Settings tab) is designed for known bad actors with permanent blocks. Manual firewall blocks (also in the Settings tab) support configurable durations and the 30-second rollback safety mechanism. Both are enforced at the kernel level.
Geo-Block uses a fail-open approach. If the geolocation lookup times out or the service is down, the request is allowed through. Successful lookups are cached for 24 hours in memory and indefinitely in the database, so most repeat visitors are resolved from cache.
Yes. They operate independently. Geo-Block controls dashboard access for all users, while Geo-Lock controls streaming session access for Emby and Jellyfin users. You can enable both with different country configurations.
Go to the Firewall Rules tab and filter by Geo Policy origin. Find the rule for the IP you want to unblock and click the delete icon. You can also add the IP to the exempt list on the Geo-Block tab to prevent it from being blocked again.
Manual blocks require confirmation within 30 seconds. This is a safety mechanism to prevent accidental lockouts. If you did not click Confirm before the timer expired, the block was automatically rolled back. Simply add the block again and confirm it promptly.
Block RPC (111) — drops TCP and UDP `111` (RPC portmapper). Relevant for servers that do not run NFS or NIS. Block NetBIOS (137–139) — drops UDP `137`/`138` and TCP `139` (legacy Windows file-sharing discovery). Block SMB (445) — drops TCP `445` (Windows file sharing / Samba). Note: if you run active Samba shares, this will also block external access to them. Block MS-RPC (135) — drops TCP `135` (Microsoft endpoint mapper / DCOM). Block Berkeley r-services (512–514) — drops TCP `512`, `513`, `514` (rsh, rlogin, rexec — deprecated plaintext remote-shell protocols). Block diagnostics (7, 9, 13, 19) — drops echo, discard, daytime, and chargen on both TCP and UDP — these ports can be abused as DDoS amplification vectors. Block Finger (79) — drops TCP `79`, which can expose usernames and login activity to anyone who connects. Block all common — applies all of the above in one action.
Block all common applies all seven individual profiles in a single action: RPC (`111`), NetBIOS (`137`–`139`), SMB (`445`), MS-RPC (`135`), Berkeley r-services (`512`–`514`), diagnostics (`7`, `9`, `13`, `19`), and Finger (`79`). For a seedbox running QuickBox Pro, this is safe in the vast majority of cases — none of these services are used by QuickBox applications. The one exception: if you have Samba shares configured on the same server, blocking SMB (`445`) will prevent external access to those shares. Review your server's services before applying Block all common if you are unsure.
Yes. When you apply a Quick Harden profile, QuickBox writes the rules into the QBX_ENFORCEMENT iptables chain and immediately persists the full ruleset to /etc/iptables/rules.v4 via iptables-save. The iptables-persistent service reloads that file on boot, so Quick Harden rules come back automatically along with all other QuickBox-managed rules.
Yes. Quick Harden rules appear in the Firewall Rules viewer under the QuickBox origin filter. Find the rule — it will show a role label like 'Hardening profile — rpc' — and click the delete icon to remove it. You can also delete it by label if you applied a custom label to the rule first.
There are two common causes. First, if you labeled a rule owned by a third-party provider (Docker, a VPN daemon, etc.), that provider may have removed and re-created the rule during a restart. QuickBox matches foreign-rule labels by a fingerprint of the rule. When the rule is re-created with different parameters, the fingerprint no longer matches and the label does not display — though it is still in the QuickBox database. Second, if you labeled a QuickBox-managed rule (QBX_ENFORCEMENT chain), the label is stored as an iptables comment and should survive reboots and restarts. If a QuickBox-managed rule lost its label, check whether another admin or a CLI command removed and re-added the rule without the comment.
This notice appears the first time you label a rule in a session that is not owned by the QBX_ENFORCEMENT chain — for example, a Docker FORWARD rule or a rule installed by a VPN daemon. It means QuickBox will store your label in its database rather than writing it as an iptables comment on the rule. The label will display correctly in the dashboard, but if the external provider removes and re-creates the rule, QuickBox will lose the match and the label will stop appearing for that rule. The notice appears once per session; subsequent foreign-rule labels in the same session are saved silently.
Yes. Open the Manage Labels panel by clicking the 'Manage Labels' button to the right of the chip row. Find the label in the list and click the pencil icon to rename it. The new name is applied to every rule in that group at once — QuickBox bulk-updates the iptables comment for all QBX_ENFORCEMENT rules in the group, and updates the database entry for any foreign rules.
Removing a label strips it from every rule in that group. For QuickBox-managed rules (QBX_ENFORCEMENT chain), this rewrites the iptables comment back to the original rule format — the rule stays in place, only the user label is removed. For foreign rules, the database entry is deleted and the label no longer appears. The underlying firewall rules themselves are never deleted by removing a label.
Open the Fail2Ban tab and scroll to the Application Jails section. Each installed app that has a Fail2Ban jail template available appears as a row with an enable/disable switch. Toggling activates protection immediately — no qb update needed. The badge on each row tells you whether the filter is Verified (reliably catches brute-force attempts) or Experimental (safe to enable but still being refined). The Recommendations panel above will also suggest jails to enable based on what is installed.
It is an opt-in feature flag in General Settings → Feature Flags. Off by default. When turned on, installing or reinstalling any app with a verified Fail2Ban jail template automatically enables that jail at install time. Per-app toggling from the Fail2Ban tab remains available regardless of this flag — so leaving it off means protection is fully opt-in per app, and turning it on just removes the manual step for new installs.
The recidive jail is repeat-offender escalation. It watches Fail2Ban's own log and looks for IPs that get banned five or more times within a day by other jails. When it finds one, it re-bans that IP for a full week across all ports — not just the port that triggered the original bans. It can only ever escalate IPs that other jails have already banned, so it cannot lock out a clean visitor. Recidive is enabled by default, and its thresholds (findtime, maxretry, bantime) are editable on the recidive jail card just like any other jail.
QuickBox raised the default Fail2Ban ban duration from 600 seconds (10 minutes) to 3600 seconds (1 hour) so a new install is meaningfully protected out of the box — 10 minutes was too short to discourage even casual brute-force tooling. The old default still applies to servers that were originally provisioned with it; to bring them up to the new default, edit the bantime field on any jail card in the Fail2Ban tab and save.
They measure different things. Banned right now is a live count — distinct IPs Fail2Ban is enforcing at this instant — and it rises and falls as bans are added and expire. Offending IPs ever seen is a lifetime count from a durable security event ledger — every distinct attacker IP ever recorded on this server. It only ever goes up. The two tiles are intentionally separated into Live & recent activity and Permanent record sections so they cannot be misread as one number — a smaller live count is not the all-time number dropping, it is a different lens on the same protection.
By design. Showing real banned IPs to admins lets you investigate offender patterns, recognize known-bad networks, and confirm a ban is what you expected. If your operation prefers reduced incidental exposure of attacker addresses, enable Mask banned IP addresses in General Settings — that zeros the last IPv4 octet or IPv6 group on the top-IPs displays. Allowlist entries and your own admin IP are never displayed alongside attacker IPs.
The Fail2Ban Protection card only appears when the Fail2Ban package is installed. If it is installed but the card is missing, confirm the service is running (systemctl status fail2ban) and that the dashboard has fully loaded — the card hides itself during the summary fetch on first page load. If the service is stopped, the card still shows the Permanent record tiles (they read from the durable ledger) plus a 'service is not running' notice; the live and windowed panels reappear once the service is restored.
Firewall Conflict Resolver

Classify firewall rules by provider, detect conflicts, and apply guided resolutions safely

Session Settings

Configure session timeouts, concurrency, and bulk invalidation

Registration Settings

Username policies and registration controls

User Admin

Ban, delete, and manage individual user accounts

Fail2Ban

Install reference, directory layout, and CLI options for the Fail2Ban package

WireGuard VPN

WireGuard installation, app-scoped routing, and firewall rule details

VPN Control

Dashboard VPN management — peers, routing, and NordVPN generator

General Settings

Feature flags including auto-protect apps on install and mask banned IP addresses

Join the Community

Media server operators sharing configs, getting support, and shaping the future of QuickBox Pro.

Dedicated Support
Feature Previews
Community Configs
Active Discussions
Join Discord Server
Last updated on
Registration SettingsFirewall Conflict Resolver