How to secure your UniFi Controller with 2FA, firewalls, and domain restrictions
If you’re running a UniFi Controller—whether in the cloud or on-prem—you need to take security seriously. These controllers are powerful, but they also sit at the center of your network. That means if someone gets in, they’ve got the keys to the whole shop.
Thankfully, UniFi gives you a few built-in tools to keep your controller locked down. In this post, we’ll walk you through setting up two-factor authentication (2FA), locking down access with firewalls, and adding domain restrictions so only allowed URLs can reach your login page.
Let’s dive in!
Before we dive in, please don't self-host your UniFi Controller if you take care of client networks. Sooner or later this will cause issues! It's fine for home users, but definitely not recommended for IT service businesses and MSPs. If you want secure, reliable and a scalable hosting solution check out UniHosted.
Why securing your UniFi Controller matters
UniFi Controllers manage Wi-Fi, switching, and even security cameras and phones in some cases. They store admin credentials, Wi-Fi keys, historical data, and sometimes even personal user info.
That makes them a prime target. Exposed UniFi instances have already been abused in the wild—especially those without basic protection like 2FA.
If your controller is online and not locked down, it’s not a matter of if someone tries to get in. It’s when.
Step 1: Enable two-factor authentication (2FA)
This is the easiest win, and it’s built right into UniFi’s platform.
How to enable it:
- Log into your UniFi Controller or go to unifi.ui.com.
- Click your profile icon (top-right corner), then select Account Settings.
- Find the Security tab.
- Turn on Two-Factor Authentication.
- Scan the QR code with an app like Google Authenticator, Authy, or 1Password.
- Enter the code to confirm.
That’s it. From now on, anyone logging into this account will need both the password and the code from their phone.
Note: Every admin should have 2FA enabled. If you’re using local-only credentials, make sure those are locked down too.
Step 2: Use firewalls to restrict access
If your controller is hosted online (cloud VM, public IP, etc.), it should not be open to the world.
You want to restrict access to only the IPs or locations that need it. If you’re using a VPS or cloud host, use your provider’s firewall or iptables to block everything except:
- TCP port 443 (HTTPS)
- TCP port 8443 (UniFi dashboard on older installs)
- Your trusted admin IPs
Example: Basic iptables setup
# Allow from your admin's IP (add the same pair of rules for 8443 if you still use the old dashboard port)
sudo iptables -A INPUT -p tcp -s YOUR.IP.ADDRESS.HERE --dport 443 -j ACCEPT
# Drop all other inbound traffic to port 443 (order matters: the DROP must come after the ACCEPT)
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
# iptables rules are lost on reboot; persist them with iptables-save or the iptables-persistent package
If you’re using UFW (on Ubuntu), it’s easier:
sudo ufw allow from YOUR.IP.ADDRESS.HERE to any port 443
sudo ufw deny 443
Pro tip: If you manage multiple sites, consider using a VPN so all traffic comes from your own static IP.
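The single-IP rules above generalise to a whole list of admin IPs on both UniFi ports, and the same script can audit an existing ruleset for ports left open to the world. This is an added example, not code from the original post; the script name unifi_fw.sh, the function names and the 203.0.113.x addresses in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): builds the Step 2 allowlist for a whole
# list of admin IPs on both UniFi ports, and audits an 'iptables -S INPUT' dump for
# ACCEPT rules that leave a dashboard port open to the whole internet.
# Usage: unifi_fw.sh print "IP1 IP2"  |  unifi_fw.sh apply "IP1 IP2"  |  unifi_fw.sh audit

PORTS="443 8443"   # HTTPS plus the legacy dashboard port

# Print the iptables commands for the given space-separated admin IPs.
# Order matters: replies to existing sessions and the admin ACCEPTs must come before the DROP.
gen_rules() {
    admins="$1"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $PORTS; do
        for ip in $admins; do
            echo "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Audit rules text in 'iptables -S INPUT' format. An ACCEPT on a UniFi port that has
# no source (-s) restriction means anyone on the internet can reach the login page.
# Prints each offending rule and returns 1 if any were found, 0 otherwise.
audit_rules() {
    rules="$1"
    bad=0
    for port in $PORTS; do
        hits=$(printf '%s\n' "$rules" | grep -- "--dport $port " | grep -- "-j ACCEPT" \
               | grep -v -- " -s " || true)
        if [ -n "$hits" ]; then
            echo "WORLD-OPEN port $port: $hits"
            bad=1
        fi
    done
    return $bad
}

case "${1:-}" in
    print) gen_rules "$2" ;;
    apply) gen_rules "$2" | while read -r cmd; do sudo sh -c "$cmd"; done ;;
    audit) audit_rules "$(sudo iptables -S INPUT)" ;;
esac
```

Run the audit after any firewall change and again after a reboot, since unsaved iptables rules disappear with it.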
Step 3: Domain restrictions and HTTPS only
You should never expose your controller on an IP address alone. Always use a domain name and secure it with HTTPS.
If you’re hosting your own controller, you can use Let’s Encrypt or a reverse proxy (like NGINX) to force HTTPS and add hostname checks.
Force HTTPS with NGINX
Here’s a quick example of an NGINX reverse proxy setup:
# Catch-all: requests that arrive by bare IP or an unexpected hostname are closed
# without a response (HTTP 444) instead of reaching the controller
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # needs nginx 1.19.4+; avoids presenting a certificate for the wrong name
    return 444;
}
# Redirect plain HTTP for the real hostname to HTTPS
server {
    listen 80;
    server_name yourcontroller.yourdomain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name yourcontroller.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    location / {
        proxy_pass https://localhost:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The UniFi UI keeps a WebSocket open for live updates; without these headers it breaks
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
This setup:
- Forces HTTPS
- Only allows access via the correct domain
- Prevents direct IP access
Step 4: Use UI Accounts instead of local logins
When you use a UniFi OS Console or official hosting (like UniHosted), your controller ties into UI Accounts. These accounts support:
- 2FA
- Role-based access
- Email verification
- Remote access logging
This is a big upgrade over “admin/admin” local logins on older installs.
If you’re still using a local-only login, create a UI Account and invite it as an admin. Then remove the old credentials.
Step 5: Lock down SSH
If you’re hosting your controller on your own Linux server, don’t forget SSH.
- Disable root login (PermitRootLogin no)
- Use key-based auth instead of passwords
- Change the default SSH port
- Use fail2ban to block brute-force attempts
This won’t directly stop someone from accessing the UniFi Controller dashboard—but it can stop someone from wiping your server altogether.
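A quick way to verify that the Step 5 settings actually took effect is to check the config the way sshd reads it: first uncommented match wins, and anything under a Match block is conditional. This is an added example, not code from the original post; sshd_value and sshd_audit are hypothetical helper names, and the sample configs in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): checks an sshd_config against the
# Step 5 baseline (no root login, key-based auth only, non-default port).
# sshd uses the first uncommented match for each keyword, so the first value wins,
# and anything after a 'Match' block is conditional and ignored here.
# Usage: sshd_audit "$(cat /etc/ssh/sshd_config)"   or   sshd_audit "$(sudo sshd -T)"

# Effective value of keyword $2 in the config text $1, lowercased; empty if unset.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/) }
        n >= 1 && tolower(f[1]) == "match" { exit }
        n >= 2 && tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }'
}

# Prints each gap and returns 1 if any; returns 0 when the config meets the baseline.
sshd_audit() {
    cfg="$1"; rc=0
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin is not 'no' (the sshd default still allows root with a key)"; rc=1; }
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not 'no' (default is yes)"; rc=1; }
    [ "$(sshd_value "$cfg" PubkeyAuthentication)" != "no" ] \
        || { echo "PubkeyAuthentication is disabled; with passwords off you would lock yourself out"; rc=1; }
    port=$(sshd_value "$cfg" Port)
    { [ -n "$port" ] && [ "$port" != "22" ]; } \
        || { echo "SSH still listens on the default port 22"; rc=1; }
    return $rc
}
```

Feeding in `sudo sshd -T` instead of the file catches settings overridden by drop-in files under sshd_config.d, which the file-based check does not see.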
Step 6: Keep UniFi OS and apps updated
Outdated versions are a huge risk. UniFi occasionally releases security patches silently.
Here’s how to check for updates:
- Go to UniFi OS > Settings > Updates
- Click “Check for Updates”
- Enable Auto-Updates if you haven’t already
You can also set specific update times (like 3 AM) to avoid downtime during work hours.
Step 7: Log out unused accounts
Go to Settings > Admins and remove any users who no longer need access. Old accounts are a liability—especially if they don’t have 2FA.
Also:
- Remove devices from the mobile app that are no longer in use
- Revoke Teleport or VPN sessions not in use
- Reset any shared credentials
Step 8: Enable remote access logging
This one’s easy. Remote access is enabled by default if you use UI Accounts, but you can also see who logged in and when.
Head to:
UniFi OS > Settings > Users > Activity
You’ll see a full list of logins, IP addresses, and times. If something looks off, you’ll know.
Real-world setup example
Let’s say you manage a UniFi setup for a client. Here’s how we’d lock it down:
- Host the controller on UniHosted
- Use a custom subdomain like client1.unihosted.network
- Enforce 2FA for all admins
- Use the UniFi firewall to restrict access to their office IP and ours
- Enable auto-updates and daily cloud backups
- Monitor activity weekly
With this setup, even if someone guesses the admin email, they’re blocked by firewalls, locked out by 2FA, and can’t even hit the login page without using the right domain.
Final thoughts
Security is one of those things that’s easy to push off until something goes wrong. But when it comes to UniFi Controllers—especially ones managing real networks—it’s better to be proactive.
Set up 2FA. Restrict access with firewalls. Only allow trusted domains. And keep everything updated.
We handle all this and more by default on our hosted controllers at UniHosted. It’s how we keep client sites secure without spending all day babysitting login pages. If you’re tired of patching and worrying, give us a look.