Caution

This FAQ mixes general Linux server administration with panel-specific tips. The panel is now on the v3.x series; commands and panel paths below have been refreshed for it, but external tutorials and IP addresses linked here may age over time.

1. Server Update

Usually, the first step on a Linux server is to update and upgrade the server.

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get dist-upgrade -y

If your connection is interrupted during an update and you then get a lock error, the following commands will fix it:

sudo rm /var/lib/apt/lists/lock
sudo rm /var/cache/apt/archives/lock
sudo rm /var/lib/dpkg/lock*

sudo dpkg --configure -a

After running these, perform the update and upgrade again.

2. Changing Default SSH Port

The default SSH port is 22. Changing it can enhance server security by reducing automated attacks and unauthorized access attempts. Here's how to change it:

1. Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

2. Find the line that says #Port 22 and change it to your desired port number (e.g., Port 2222). Make sure to remove the # symbol.

3. Save the file (Ctrl+X, then Y, then Enter)

4. Restart the SSH service:

sudo systemctl restart sshd

5. Before closing your current SSH session, test the new port in a new terminal window to ensure it works:

ssh -p 2222 username@your_server_ip

6. If the new port works, update your firewall to allow it:

sudo ufw allow 2222/tcp

7. Optionally, you can remove the old port from the firewall:

sudo ufw deny 22/tcp

Important notes:

• Choose a port number between 1024 and 65535
• Remember to update your SSH client configurations to use the new port
• Keep the new port number secure and don't share it publicly
• Make sure to test the new connection before closing your current session

3. Root Access to Server

For some servers, login is done with a non-root user. You can switch to root with sudo -i or sudo su.

You can also allow root login and log in directly as root:

sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && sudo systemctl restart ssh && sudo passwd

4. Changing DNS Server

Changing the DNS server can improve server performance and bypass some restrictions.

a) Recommended DNS

nameserver 1.1.1.1
nameserver 1.0.0.1

For Iranian servers, you need to change DNS to Shecan to install sanctioned tools.

nameserver 178.22.122.100
nameserver 185.51.200.2

5. Enabling Server Firewall

Enabling the firewall is useful and effective for server security and preventing blocking. On some servers the firewall is open by default, and you need to enable the ports you need.

First, enable the ports you need (SSH port, panel port, config ports, etc.):

sudo ufw allow <port>/tcp

Then turn on the firewall:

sudo ufw enable

Check your firewall status with:

sudo ufw status

You can also easily enable the server firewall using Firewall Management in the x-ui menu.

6. What settings do you recommend for Reality?

According to the xray developer and experts, the TCP REALITY VISION combination is the best choice. You can also use gRPC and XHTTP, which have lower ping, but TCP has usually been more successful in speed tests. It is recommended to use RealiTLScanner to find SNIs with TLS 1.3 / H2 characteristics.

It is strongly recommended to put all configs on one inbound or port.

7. What should I do if someone is trying to log into my panel?

If you notice through the bot or server logs that your panel is being brute-forced, you have several solutions.

1. Change the panel port and path.
2. Block the attacker's IP (if the firewall is active):

sudo ufw deny from <ip-address> to any

3. Limit panel access to your IP. By not leaving the panel port open in the firewall, you can only log in from the same server. Or, if you have another IP, allow it (if the firewall is active):

sudo ufw allow from <ip-address> to any port <panel-port> proto tcp

Enabling HTTPS for the panel is also an important security point. You can also enable two-factor authentication in Panel Settings.

8. How do I disable IP table tunneling?

sysctl net.ipv4.ip_forward=0

First run the above command, then replace -A with -D in all the commands you used to enable IP table tunneling and execute them.

9. How do I make the bot send backups at a certain time?

Set the Notification Time (cron syntax) in Panel Settings → Telegram Bot and enable Database Backup. See the Telegram Bot guide for details, and to build a precise schedule you can use crontab.guru. (The bot also accepts shortcuts like @daily, @weekly, and @every 12h.)

10. Does the IP limit work? How do I use it with tunneling?

Yes. Install fail2ban from the x-ui menu (IP Limit Management → Install Fail2ban and configure IP Limit) and set the IP limit for each client. If a user connects with more than the allowed number of IPs, they are blocked for the duration you specified.

You also need to enable the access log. In the panel go to Xray Configs → Basics → Log → Access Log and set it to ./access.log, then save and restart Xray. (If you edit the template directly, the equivalent is:)

"log": {
    "access": "./access.log",
    "dnsLog": false,
    "error": "./error.log",
    "loglevel": "warning"
},

You cannot use the IP limit for direct tunneling, because only your domestic server's IP reaches the foreign server. A simple solution is panel-to-panel outbound tunneling and using the IP limit on the domestic server.

The IP limit doesn't work by default for CDN configs because the IPs of CDN edge servers reach our server. To send the user's real IP to Xray, create a reverse proxy with nginx by setting the X-Forwarded-For header for WS and X-Real-IP for gRPC, and enable acceptProxyProtocol in your inbound settings.

11. Some sites don't open for me. What is WARP and how do I use it?

WARP routes your server's traffic through Cloudflare's network using WireGuard, changing your server's IP to a Cloudflare IP. Since WARP IPs are whitelisted by most services, you can access sites that return Forbidden or 403 errors. However, your server's IP may not be fixed.

Enable WARP this way:

Xray Configs → Outbounds → WARP → Create → Add Outbound

In the WARP Routing section, you can toggle preset categories (e.g. Google, Spotify).

Or add your desired sites this way:

Xray Configs → Routing Rules → Add Rule

Select warp as the Outbound Tag and add your domains to the Domain field, for example:

bing.com,yahoo.com,geosite:instagram,geosite:meta

You can view existing geosites at this link.

To route all traffic through WARP, modify the WARP route in the Advanced template as follows:

{
    "type": "field",
    "outboundTag": "warp",
    "network": "tcp,udp"
},

If you encounter a 403 error on Google, WARP isn't mandatory — you can often solve it by enabling the Use IPv4 for host option in the Xray settings. For Spotify, sometimes besides WARP you also need to enable Fake DNS on the client side.

12. What should I do with Hetzner abuse?

Receiving abuse reports from datacenters is not related to the panel.

Routing all traffic through WARP (see question 11) can prevent some abuse reports. Not running or installing unknown scripts is also an effective security measure. Make sure Block BitTorrent Protocol is enabled and private IPs are blocked in the Xray settings, and use the Block IPs / Block Domains lists to block known-malicious destinations.

If the problem persists, monitor your users.

13. How does the panel subscription link work?

The advantage of the subscription link is that if there are changes to the inbound settings, you don't need to send a new link to the user — they receive the new config by updating from the client side.

To use this feature, enable the Subscription Service toggle under Panel Settings → Subscription. Then you can assign a subscription link to each client; the same link can be shared by multiple clients.

The remaining traffic and time are added to the config name. It's also recommended to enable HTTPS by selecting your domain's certificate files.

14. My server's disk is filling up. How do I stop logs from being saved?

If you're not using the IP limit, disable the access log: go to Xray Configs → Basics → Log → Access Log and set it to none (or, if editing the template directly, remove the access line):

"log": {
    "error": "./error.log",
    "loglevel": "warning"
},

To clear an existing access-log file:

echo "" > /usr/local/x-ui/access.log

15. How do I prevent continuous high CPU usage?

First, check which process is causing the spike with top and htop.

If it's from the panel or Xray:

• Update the panel.
• Install fail2ban from the x-ui menu.
• Get server resources appropriate for your bandwidth consumption.

16. Why is all users' consumption zero and the panel not calculating traffic?

This usually has these main causes:

• An error in the Xray config — press the Reset to Default button in the panel once and save.
• You (or the bot you're using) may not have entered complete user information such as the email.
• If you moved the database and then hit this problem, update the panel once.
• The api rule must be the first rule in the Routing Rules section.

17. How do I solve the "database is locked" error?

Usually this is due to a slow/weak server disk. To solve it, disable the access log (see question 14).

18. How do Direct Country Configs settings work?

This setting is only suitable for panel-to-panel outbound tunneling. By enabling it on your domestic server, you can open internal sites with the domestic server's IP.

19. GitHub won't download when installing or updating the panel

If it stops at Resolving raw.githubusercontent.com or you get a Connection timed out error, and the problem only affects GitHub, there are two fixes.

First method — download over IPv4:

bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh --ipv4)

Second method — override GitHub's domain IP:

sudo nano /etc/hosts

Add this line to the end of the file and save (note: GitHub's IPs can change over time):

185.199.110.133 raw.githubusercontent.com

20. Why doesn't the panel search show any results?

Search works fine in the latest updates, but note that no client's email should contain spaces.

21. Why does a user stay online and over-consume even after their traffic is used up?

Traffic is checked every 10 seconds, and if the quota is used up the panel tells Xray to disconnect the client. If the user is still shown as online, it may be due to the server's disk and changes being saved late. More importantly, if Xray doesn't disconnect the user, it's not an x-ui bug: according to community evaluations, when a user is downloading at high bandwidth it can take roughly two minutes for all of that user's Xray sessions to end, and consumption keeps being recorded during that window.

22. Why doesn't my panel open after updating or transferring?

This might be due to an error in Xray or a panel SSL issue. It's usually solved by Reset Settings in the x-ui menu.

23. How do I use a fragment for my config?

Fragment is easily configurable in the Freedom column of Outbounds for panel-to-panel tunneling.

For a direct config, a fragment cannot be delivered as a link and must be used as JSON. You can use this tool to easily create the fragment JSON.