Most IPTV server compromises don't come from sophisticated 0-days — they come from boring, well-documented misconfigurations. SSH on port 22 with password auth. Default panel admin credentials. No firewall. No fail2ban. This guide walks through hardening your IPTV server using the same checklist we apply to every server we deploy.

1. SSH hardening

SSH is the #1 attack surface. Lock it down first.

Generate a key pair on your local machine:

ssh-keygen -t ed25519 -C "iptv-server"

Copy your public key to the server:

ssh-copy-id root@your-server-ip

Edit /etc/ssh/sshd_config. On Ubuntu and Debian, also look in /etc/ssh/sshd_config.d/: cloud images ship a drop-in such as 50-cloud-init.conf that sets PasswordAuthentication yes, and because the Include line sits at the top of the file and sshd keeps the first value it sees, that drop-in wins over anything you write below it. Delete or edit it.

Port 2222                       # Move off port 22
PermitRootLogin prohibit-password  # Allow root via key only
PasswordAuthentication no       # Disable password auth entirely
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers root

Run sshd -t to syntax-check the file, then restart:

systemctl restart sshd

Two caveats. On Ubuntu 22.10 and later sshd is socket-activated, so the Port line is ignored until you also change ListenStream in an override for ssh.socket (systemctl edit ssh.socket, then daemon-reload and restart the socket). And AllowUsers root works, but a dedicated sudo user with PermitRootLogin no gives you a per-person audit trail; if you keep root, make sure only your key is in /root/.ssh/authorized_keys.

Don't close your current session. Open a new SSH session on the new port and check that sshd -T | grep -i passwordauthentication prints no before disconnecting. If you lock yourself out, you'll need console access from your VPS provider to recover.
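A check for the drop-in problem, added here as an example and not part of the original guide: drop-ins under /etc/ssh/sshd_config.d/ can silently override what you wrote, and `sshd -T` prints the settings sshd actually uses after every Include and Match is applied. The script compares that output with the baseline above; the accepted-value table, the script name and the extra port handling are assumptions.

```python
"""Compare sshd's effective configuration with the hardening baseline.

Added example, not part of the original guide. `sshd -T` prints the
settings sshd will really use after every Include and Match block is
applied, so it catches a drop-in under /etc/ssh/sshd_config.d/ (cloud
images often ship one) silently turning PasswordAuthentication back on.
Run as root on the server: python3 sshd_audit.py  (filename is an assumption)
"""
import subprocess
import sys

# Keyword -> accepted values, using the lowercase names `sshd -T` prints.
# Older OpenSSH prints prohibit-password under its synonym without-password.
BASELINE = {
    "port": ("2222",),
    "passwordauthentication": ("no",),
    "pubkeyauthentication": ("yes",),
    "permitrootlogin": ("prohibit-password", "without-password"),
    "maxauthtries": ("3",),
}

def parse_sshd_t(output):
    """Turn `sshd -T` output into {keyword: value}. A keyword printed more
    than once (several Port lines, for instance) keeps every value,
    comma-joined, so the conflict is visible instead of hidden."""
    settings = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        settings[key] = f"{settings[key]},{value}" if key in settings else value
    return settings

def audit(settings, baseline=BASELINE):
    """Return (keyword, accepted, effective) for every deviation from the baseline."""
    findings = []
    for key, accepted in baseline.items():
        effective = settings.get(key, "<unset>")
        if effective not in accepted:
            findings.append((key, "/".join(accepted), effective))
    return findings

def main():
    try:
        result = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        sys.exit(f"could not run sshd -T (run as root on the server): {exc}")
    findings = audit(parse_sshd_t(result.stdout))
    for key, accepted, effective in findings:
        print(f"MISMATCH {key}: expected {accepted}, effective {effective}")
    print("ok: effective sshd config matches the baseline" if not findings
          else f"{len(findings)} deviation(s) from the baseline")
    sys.exit(1 if findings else 0)

if __name__ == "__main__":
    main()
```

Run it from the new session before you close the old one; a non-zero exit means a drop-in, a duplicate Port line or a typo is still in effect, whatever sshd_config itself says.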

2. UFW firewall

apt install -y ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp           # Your new SSH port
ufw allow 80/tcp             # HTTP
ufw allow 443/tcp            # HTTPS
ufw allow 25461/tcp          # Xtream/XUI client port
ufw allow 1935/tcp           # RTMP if applicable
ufw --force enable

Confirm with ufw status verbose before you log out. Nothing else gets opened: the panel's admin port (25500 in the NGINX example further down) and MariaDB should stay bound to 127.0.0.1 and be reached only through the reverse proxy or an SSH tunnel. Using ufw limit 2222/tcp instead of allow adds a coarse rate limit (six new connections per 30 seconds from one IP) on top of fail2ban. UFW writes matching IPv6 rules as long as IPV6=yes in /etc/default/ufw (the default), so check ufw status shows the v6 entries too.

3. fail2ban for brute-force protection

apt install -y fail2ban

Don't copy jail.conf over jail.local: the copy gets stale on upgrade and buries your changes among hundreds of defaults. Put only the overrides in /etc/fail2ban/jail.local:

nano /etc/fail2ban/jail.local

[DEFAULT]
# Debian 12 ships without rsyslog, so /var/log/auth.log may not exist;
# reading the journal works on every systemd host.
backend = systemd
# Never ban your own management IP (203.0.113.10 is a placeholder)
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

[sshd]
enabled = true
port = 2222
maxretry = 3
findtime = 600
bantime = 3600

Two NGINX jails are cheap to add, but be clear about what they catch: nginx-http-auth fires only on HTTP basic-auth failures written to error.log, and nginx-botsearch bans clients probing for well-known scanner paths. Neither sees a failed login on the panel's own login form; for that you need a filter on whatever log your panel writes failed logins to, which differs per panel. Still worth enabling:

[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 5

[nginx-botsearch]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 2

Restart and confirm the jails are running:

systemctl restart fail2ban
fail2ban-client status

If the sshd jail is missing from the list, run journalctl -u fail2ban: the usual cause is a logpath that doesn't exist.
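To see what the [sshd] jail numbers above actually do, here is a small simulation, added for this guide and not taken from fail2ban itself: a simplified stand-in for fail2ban's sshd failregex, the maxretry/findtime/bantime logic (3 failures within 600 s bans for 3600 s), and a constructed auth.log excerpt. The log lines, hostnames, PIDs and IPs are made up.

```python
"""Simulate fail2ban's sshd jail over a handful of auth.log lines.

Added example, not part of the original guide or of fail2ban: the regex
is a simplified stand-in for fail2ban's sshd filter, and Jail mirrors
the maxretry/findtime/bantime semantics of the [sshd] jail above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified failregex covering OpenSSH "Failed password" and "Invalid user" lines.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S*) from (?P<ip>[\d.]+)"
)

def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one (fail2ban assumes the current year)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()

class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps inside the findtime window
        self.banned = {}                     # ip -> unban time

    def is_banned(self, ip, now):
        return ip in self.banned and self.banned[ip] > now

    def observe(self, ip, ts):
        """Record one failure; return True if it triggers a ban."""
        if self.is_banned(ip, ts):
            return False                     # already blocked at the firewall
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()                 # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            window.clear()
            return True
        return False

def run(lines, jail=None):
    """Feed log lines through the filter and jail; return (ip, timestamp) per ban."""
    jail = jail or Jail()
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                         # non-matching lines never count
        if jail.observe(m.group("ip"), parse_ts(m.group("ts"))):
            bans.append((m.group("ip"), m.group("ts")))
    return bans

# Constructed auth.log excerpt: 203.0.113.9 fails 3x inside two minutes (banned);
# 198.51.100.7 fails 3x spread over 21 minutes (never 3 inside one findtime).
SAMPLE_LOG = """\
Mar 12 04:00:01 iptv sshd[1201]: Failed password for root from 203.0.113.9 port 51012 ssh2
Mar 12 04:00:40 iptv sshd[1203]: Invalid user admin from 198.51.100.7 port 40111
Mar 12 04:01:10 iptv sshd[1205]: Failed password for invalid user admin from 203.0.113.9 port 51020 ssh2
Mar 12 04:01:55 iptv sshd[1209]: Accepted publickey for root from 192.0.2.44 port 50122 ssh2
Mar 12 04:02:03 iptv sshd[1211]: Failed password for root from 203.0.113.9 port 51031 ssh2
Mar 12 04:12:00 iptv sshd[1250]: Failed password for invalid user test from 198.51.100.7 port 40200 ssh2
Mar 12 04:21:30 iptv sshd[1301]: Invalid user oracle from 198.51.100.7 port 40310
""".splitlines()

if __name__ == "__main__":
    for ip, when in run(SAMPLE_LOG):
        print(f"BAN {ip} at {when}")
```

The second attacker shows the limit of a 600 s findtime against slow, patient scanners; raise findtime (or use fail2ban's recidive jail) if you see that pattern in your own logs.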

4. Automatic security updates

apt install -y unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades

Edit /etc/apt/apt.conf.d/50unattended-upgrades. The -security origin is enabled by default on Debian and Ubuntu; what usually needs changing is Unattended-Upgrade::Mail (an address that is actually read) and Unattended-Upgrade::Automatic-Reboot, which you want to leave "false" on a streaming server. Kernel and libc updates still need a reboot to take effect, so check for a pending one (Ubuntu writes /var/run/reboot-required) and schedule it in a maintenance window.

5. Sysctl kernel hardening

Put the settings in a drop-in, /etc/sysctl.d/99-iptv.conf, rather than editing /etc/sysctl.conf; drop-ins survive package upgrades and are applied in order:

# Disable IP forwarding (unless this server is a router)
net.ipv4.ip_forward = 0

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable SYN cookies (SYN-flood protection)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 2

# Ignore ICMP echo broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log martian packets
net.ipv4.conf.all.log_martians = 1

# Increase connection tracking for IPTV traffic
net.netfilter.nf_conntrack_max = 524288
net.core.somaxconn = 65535
net.ipv4.tcp_max_tw_buckets = 1440000

# IPTV-specific network tuning
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

Apply every drop-in (sysctl -p only reads /etc/sysctl.conf) and read the output for errors:

sysctl --system

Three caveats. ip_forward = 0 is right for a bare server, but Docker sets it back to 1 on start and needs it, so leave that line out if your panel runs in containers. net.netfilter.nf_conntrack_max only exists once the nf_conntrack module is loaded (UFW's stateful rules load it), so apply the file after enabling UFW or that key fails with "No such file or directory". The buffer and backlog values are starting points for a few hundred concurrent streams; compare /proc/sys/net/netfilter/nf_conntrack_count against the max and watch ss -s before raising them further.

6. Panel admin protection

Beyond OS-level hardening, your IPTV panel itself needs attention:

  • Change all default passwords immediately — admin, MariaDB root, panel API keys
  • Move admin URL off the default path — change /admin to /yourrandomstring-admin via NGINX rewrite
  • IP-whitelist admin access if you only manage from a few static IPs
  • Enable 2FA if your panel supports it (XUI.ONE does)
  • Monitor login attempts via panel audit log + ship to remote syslog

NGINX admin path obfuscation example

location /xc-admin-7f3k9p2/ {
    proxy_pass http://127.0.0.1:25500/admin/;   # panel admin port bound to localhost only
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}

location /admin/ {
    return 444;  # Close the connection on default-path attempts, no response at all
}

Treat the random path as noise reduction, not as access control: anyone who sees it in a browser history, a screenshot or a support ticket can use it. The real controls go in the same location block (allow/deny for your management IPs, per the whitelist bullet above, plus the panel's own 2FA). Make sure port 25500 listens on 127.0.0.1 and is not opened in UFW, and test the panel after the change: any absolute links or redirects it emits to /admin/ will land on the 444 block.

7. Anti-credential-sharing (most overlooked)

Your customers will share their credentials. Mitigations:

  • Max connections per credential: Set realistic limits — usually 1–2 per line for residential, 5+ for family plans
  • Geo-restriction: Lock credentials to a country or region; flag/block when same credentials connect from multiple countries within minutes
  • IP rotation alerts: Alert on credentials seen from 5+ unique IPs within 24h
  • User-Agent fingerprinting: Same credentials suddenly appearing across IPTV Smarters + TiviMate + STB simultaneously usually means account sharing
  • Token-based stream URLs: Generate ephemeral, time-limited stream URLs server-side; never expose raw m3u8 URLs to apps
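The detection bullets above, as an added example that is not from the original guide or any panel: it runs the unique-IP, country-hop and mixed-client heuristics over a constructed session list. The record layout, the country column (assume a GeoIP lookup done when the record was written), the client-app names and the thresholds are all assumptions; swap the loader for whatever your panel's connection log actually exports.

```python
"""Flag shared IPTV credentials from connection records.

Added example, not taken from the guide or any panel. It encodes the
heuristics listed above: unique IPs per 24 h, country hops within
minutes, and mixed client apps on one line. Record layout, country
column (GeoIP lookup assumed to have happened already) and thresholds
are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (username, client IP, country, User-Agent, session start).
# fam01 looks like one household; share77 looks like a line that was sold on.
SESSIONS = [
    ("fam01",   "198.51.100.10",  "DE", "TiviMate/4.7",      "2024-03-12 19:00"),
    ("fam01",   "198.51.100.11",  "DE", "IPTV Smarters/3.1", "2024-03-12 19:05"),
    ("share77", "203.0.113.5",    "DE", "IPTV Smarters/3.1", "2024-03-12 18:00"),
    ("share77", "192.0.2.77",     "FR", "TiviMate/4.7",      "2024-03-12 18:04"),
    ("share77", "203.0.113.60",   "GB", "MAG254 stb",        "2024-03-12 18:07"),
    ("share77", "198.51.100.200", "DE", "IPTV Smarters/3.1", "2024-03-12 21:30"),
    ("share77", "192.0.2.12",     "DE", "IPTV Smarters/3.1", "2024-03-13 08:10"),
    ("share77", "203.0.113.99",   "ES", "TiviMate/4.7",      "2024-03-13 12:00"),
]

def app_family(user_agent):
    """Collapse a User-Agent to a coarse client family ('tivimate', 'iptv', 'mag254')."""
    return user_agent.split("/")[0].split(" ")[0].lower()

def _window(recs, start, span):
    """Records (sorted by time) whose start lies in [start, start + span]."""
    return [r for r in recs if r[0] >= start and r[0] - start <= span]

def analyze(sessions, ip_threshold=5, ip_window=timedelta(hours=24),
            geo_window=timedelta(minutes=10), app_threshold=3):
    """Return {username: [reason, ...]} for every credential that trips a rule."""
    by_user = defaultdict(list)
    for user, ip, country, ua, ts in sessions:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), ip, country, ua))

    flags = {}
    for user, recs in by_user.items():
        recs.sort()
        reasons = []
        # Rule 1: most unique IPs in any 24 h window anchored on a session start.
        max_ips = max(len({r[1] for r in _window(recs, t, ip_window)}) for t, *_ in recs)
        if max_ips >= ip_threshold:
            reasons.append(f"{max_ips} unique IPs within 24h")
        # Rule 2: more than one country inside a short window (impossible travel).
        hops = max(({r[2] for r in _window(recs, t, geo_window)} for t, *_ in recs), key=len)
        if len(hops) > 1:
            reasons.append(f"{len(hops)} countries within {geo_window.seconds // 60} min: {sorted(hops)}")
        # Rule 3: several different client apps on one line.
        apps = {app_family(r[3]) for r in recs}
        if len(apps) >= app_threshold:
            reasons.append(f"{len(apps)} client apps: {sorted(apps)}")
        if reasons:
            flags[user] = reasons
    return flags

if __name__ == "__main__":
    for user, reasons in analyze(SESSIONS).items():
        print(user, "->", "; ".join(reasons))
```

Run it from cron against the previous day's records and feed the output to the same alert channel as fail2ban. Start with alerts only: CGNAT, mobile users and VPNs will trip the IP rule for honest customers, so tune the thresholds on real data before you auto-disable anything.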

Our credential protection deep-dive covers exact NGINX rules and panel configurations for each.
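The token-based stream URL bullet, as an added example (not the guide's or any panel's code): it mints links in the format nginx's ngx_http_secure_link_module checks with secure_link_md5 "$secure_link_expires$uri$secret", so nginx can reject expired or tampered links before they reach the panel, and it shows the matching application-side verification. SECRET, the stream path and the 600-second TTL are placeholders.

```python
"""Mint and verify expiring stream URLs (the token-based URL bullet above).

Added example, not from the original guide or any panel. Links have the
form nginx's ngx_http_secure_link_module verifies with
    secure_link $arg_md5,$arg_expires;
    secure_link_md5 "$secure_link_expires$uri$secret";
so nginx can reject stale or tampered links before they reach the
panel. SECRET and the stream path are placeholders.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = "replace-with-openssl-rand-hex-32-output"   # placeholder; must equal nginx's $secret

def sign(uri, expires, secret=SECRET):
    """Unpadded base64url MD5 of expires+uri+secret, as secure_link_md5 computes it."""
    digest = hashlib.md5(f"{expires}{uri}{secret}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def mint_url(uri, ttl_seconds=600, now=None, secret=SECRET):
    """Return uri?md5=...&expires=... that stops validating after ttl_seconds."""
    expires = int(time.time() if now is None else now) + ttl_seconds
    return f"{uri}?{urlencode({'md5': sign(uri, expires, secret), 'expires': expires})}"

def verify_url(url, now=None, secret=SECRET):
    """Application-side check mirroring nginx: signature must match and the
    link must not be expired (nginx rejects when expires < current time)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        md5, expires = query["md5"][0], int(query["expires"][0])
    except (KeyError, ValueError):
        return False                         # missing or malformed parameters
    if expires < (time.time() if now is None else now):
        return False                         # expired
    return hmac.compare_digest(sign(parts.path, expires, secret), md5)

if __name__ == "__main__":
    link = mint_url("/live/sports1.m3u8", ttl_seconds=600)
    print(link, verify_url(link))
```

On the nginx side, the /live/ location sets $secret, declares the two secure_link directives shown in the docstring, returns 403 when $secure_link is empty and 410 when it is "0" (expired), and only then proxies to the streamer. MD5 is what that module supports; if your own application does the check instead, use HMAC-SHA256 rather than the secret-suffix MD5 construction. Keep the TTL to a small multiple of the segment length so a leaked link dies quickly, and keep the secret out of version control.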

8. Backups (the disaster recovery you'll thank yourself for)

apt install -y rclone
rclone config  # Set up your remote (Backblaze B2, Wasabi, S3, etc.)

Daily DB + config backup script at /usr/local/bin/iptv-backup.sh. mysqldump reads its credentials from /root/.my.cnf (mode 600), so no password appears in the process list. The dumps contain every panel and customer credential, so the local directory is root-only and the rclone remote should be a crypt remote (rclone config can wrap B2, S3 or Wasabi in one) rather than a plaintext bucket:

#!/bin/bash
set -euo pipefail          # abort on any failure, including mysqldump failing inside the pipe
umask 077                  # dumps contain credentials: create files root-only
DATE=$(date +%Y%m%d-%H%M)
BACKUP_DIR=/var/backups/iptv

mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"

# Database (credentials from /root/.my.cnf)
mysqldump --all-databases --single-transaction --routines --events | \
  gzip > "$BACKUP_DIR/db-$DATE.sql.gz"

# Config; a missing path is reported on stderr (and in cron mail) instead of aborting
tar -czf "$BACKUP_DIR/config-$DATE.tar.gz" \
  /etc/nginx /etc/mysql /home/xtreamcodes/iptv_xtream_codes/config \
  || echo "warning: tar exited $? (missing path?)" >&2

# Upload offsite (remote should be a crypt remote)
rclone copy "$BACKUP_DIR" remote:iptv-backups --max-age 30d

# Local retention 7 days (files only, never the directory itself)
find "$BACKUP_DIR" -type f -mtime +7 -delete

Make it root-only executable and schedule it for 04:00 daily:

chmod 700 /usr/local/bin/iptv-backup.sh
crontab -e
# Add:
0 4 * * * /usr/local/bin/iptv-backup.sh

Retention on the remote is a separate step (--max-age only limits what gets uploaded): use rclone delete --min-age 90d remote:iptv-backups or the bucket's lifecycle rules. And a backup you have never restored is a guess, so restore a dump into a scratch MariaDB instance at least once.

9. Monitoring & alerts

You can't fix what you can't see. Bare minimum:

  • Uptime monitor: UptimeRobot, BetterStack, or self-hosted Uptime Kuma — alert on panel down
  • Disk space alerts: Catch-up TV fills disks fast; alert at 80%
  • Bandwidth monitoring: vnStat or ntopng to see traffic patterns and detect DDoS
  • Failed login monitoring: Ship fail2ban logs to a SIEM or even just a Telegram bot

10. Hardening checklist

  • ☐ SSH on non-default port, key-only auth
  • ☐ UFW firewall enabled, only required ports open
  • ☐ fail2ban active for SSH + web
  • ☐ Automatic security updates enabled
  • ☐ Sysctl kernel hardening applied
  • ☐ All default passwords changed
  • ☐ Panel admin URL randomized
  • ☐ Per-credential connection limits set
  • ☐ Geo-blocking configured (if relevant)
  • ☐ Daily offsite backups running
  • ☐ Uptime monitoring active
  • ☐ Disk space alerts configured
Hardening service
We apply this entire checklist (plus 20 more items) to your server for $35 one-time. Includes a written report of what we changed and a 30-day check-in. Order security hardening →