I have a Postfix mail server, and I regularly check its logs to identify junk IP addresses. On my UniFi Ubiquiti gateway, I created a blacklist to block this suspicious activity. For me, it’s a good idea to block unwanted IPs directly on the router, using its filtering power.
Over time, the list has grown to more than 200 IP addresses. When I tried to copy and paste this IP list from the UniFi web interface, I noticed that only the visible IPs were copied – all others, hidden by scrolling, were ignored. Since I didn’t want to manually copy the list six entries at a time, I decided to extract the IPs in another way.
After upgrading the UniFi Network Application to version 9.5.21, the Network Objects were renamed to Network Lists.
The UI uses lazy loading, meaning only visible elements are loaded in the browser window. Therefore, when copying manually, I can only get the IPs that are currently displayed.
To view IP Network Lists in the UniFi Cloud Network Application or a self-hosted UniFi instance, do the following:

I know that the UniFi gateway runs on a Linux-based OS, which means it uses iptables and ipset to manage network rules.
The name of my Network List is Postfix Blacklist, which helps me locate the corresponding rule quickly. To find this list, I need to connect to the gateway via SSH.
Before connecting, I need to make sure that SSH access is enabled. For cloud-based gateways such as UCG Max, this option is found in:
Settings → Control Plane → Console tab
If SSH is disabled, enable it and set a password. Once it’s active, connect using the root account:
ssh root@<gateway-ip>
After connecting, I can list all ipset entries using the following command:
sudo ipset list
I found my blacklist under the section named:
UBIOS46894dcc581515d0a7d85e9ba
Example output:
Name: UBIOS46894dcc581515d0a7d85e9ba
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 10000
Size in memory: 6976
References: 1
Number of entries: 312
Members:
162.142.125.216
204.76.203.231
23.185.120.116
...
128.14.236.41
147.185.133.191
20.163.60.142
The corresponding configuration file is located at:
/data/udapi-config/udapi-net-cfg.json
Now I can manage this list directly from the console — copy, export, or edit the data as I need.
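One way to do that export from a saved copy of the `ipset list` output, as an added example that is not part of the original article: because the set names are opaque, it first finds the set that contains an address known to be on the blacklist, then prints that set's members. The set names and addresses in the sample are constructed, and the function names `sets_containing` and `set_members` are hypothetical.

```shell
# Constructed sample of saved `ipset list` output (made-up set names,
# documentation-range addresses); not data from the article.
SAMPLE_DUMP='Name: UBIOS_EXAMPLE_A
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 10000
Size in memory: 6976
References: 1
Number of entries: 3
Members:
203.0.113.7
198.51.100.0/24
192.0.2.15

Name: UBIOS_EXAMPLE_B
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 10000
Size in memory: 512
References: 1
Number of entries: 1
Members:
192.0.2.99'

# Print the name of every set whose Members section contains exactly $1.
sets_containing() {
    awk -v ip="$1" '
        /^Name: /   { name = $2; in_members = 0; next }
        /^Members:/ { in_members = 1; next }
        in_members && $1 == ip { print name }
    '
}

# Print the members of set $1, sorted and de-duplicated. Only IPv4
# addresses and IPv4 CIDR ranges are kept; anything else is dropped.
set_members() {
    awk -v want="$1" '
        /^Name: /   { in_set = ($2 == want); in_members = 0; next }
        /^Members:/ { in_members = in_set; next }
        in_members && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print $1 }
    ' | sort -u
}

# Demo on the constructed dump: locate the set by a known address, then export it.
printf '%s\n' "$SAMPLE_DUMP" | sets_containing 192.0.2.15
printf '%s\n' "$SAMPLE_DUMP" | set_members UBIOS_EXAMPLE_A
```

On real data, save the output of `ipset list` to a file and redirect that file into either function instead of the sample.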
By exploring how UniFi gateways manage firewall and network lists internally, I found that it’s possible to bypass the visual limitation of the UniFi interface and access the complete blacklist directly from the system.
This approach is especially useful for administrators who regularly monitor and block spam or malicious IPs at the network level.
Managing lists through SSH provides more control, easier backup options, and the ability to automate updates – something that the web UI currently limits.
Blocking suspicious IPs directly at the gateway remains one of the most efficient ways to protect the network and reduce unwanted traffic to the mail server.
Ubiquiti’s UniFi Network Controller provides a user-friendly interface for network management, but for deeper diagnostics and configuration, command line access via SSH is sometimes required. For security and convenience, you should use an SSH key instead of a password. This article explains how to create an SSH key, add it to the UniFi Controller, and use it to log in to the device.
I have an Ubuntu operating system installed, so I’ll be using that for all setups. In the terminal, you need to execute the command to generate private and public SSH keys.
ssh-keygen -t ed25519 -C "unifi-access"
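You will be asked to specify the path to save the key and its name. Keys are usually stored in the .ssh directory under the user’s home directory. Give the name unifi_key, or press Enter for the default path (~/.ssh/id_ed25519). A bare file name is saved in the current directory, so run the command from ~/.ssh or enter the full path ~/.ssh/unifi_key, which is where the later commands expect the key.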
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/UserName/.ssh/id_ed25519): unifi_key
After that, you will be asked to create a passphrase for the private key. This passphrase is requested every time the key is used; however, I will add the key to the SSH agent so that I do not have to enter the passphrase all the time while still keeping the system secure.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
As a result, two files will be generated: the private key unifi_key and the public key unifi_key.pub.
Keep your private key in a safe place and do not share it with anyone!
In the new Unifi Network interface, the remote control settings section has been moved to the devices section:
Unifi Devices -> Device Updates and Settings -> Device Settings -> SSH Keys

To do this, you will need to enter the name of the public key and its content.

To view the contents of the newly created public key, open it:
cat ~/.ssh/unifi_key.pub
ssh-ed25519 AAA.....cpoM unifi-access
Copy this line into the corresponding field and add it to the controller. Click the Apply Changes button and the key is in place; it remains to add it to the agent and check the connection.

To avoid specifying the path to the private key each time, you can add the key to the SSH agent. If a passphrase was previously created for the private key, it must be entered.
ssh-add ~/.ssh/unifi_key
Enter passphrase for /home/home/.ssh/unifi_key:
Identity added: /home/home/.ssh/unifi_key (unifi-access)
Now from this PC, you can connect to any device that is added to the UniFi controller without specifying a password, but you must log in as root.
ssh root@<device-ip>
Linux UXGLite 5.4.213-ui-qcom #5.4.213 SMP PREEMPT Wed Apr 30 13:12:54 CST 2025 aarch64
Firmware version: v4.1.13
Using SSH keys to access UniFi devices is a more secure and convenient approach compared to passwords. Keys are harder to intercept and, if used correctly, can be easily updated and revoked. UniFi Controller allows you to centrally distribute keys to all devices, which simplifies the administration of a large network.