Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Easy UBNT: Install, Update and Secure UBNT Software


This is a project designed to make it easy to install, configure, secure and maintain UBNT software. Feedback and collaboration from the community is welcome! I'm actively looking for folks who would like to contribute to the project by testing the script on their own VMs and systems.

 

UPDATE!

 

  • The 'unifi-installer.sh' script is now deprecated, use the 'easy-ubnt.sh' script instead
  • For issues using this project, please create an issue on GitHub
  • Please share this with the UBNT Community by kudoing this post and adding your comments to the thread
  • You can reach me more easily on Discord by tagging me in the #unifi-controller channel or via direct message

You can find more information about the project and how to use the script on GitHub:

 

https://github.com/sprockteam/easy-ubnt

 

Who would benefit from this project?

  • System administrators who are experienced with Linux but would prefer a "cheatsheet" so they don't have to learn or re-learn the recommended way to install UBNT software whenever they need to deploy or re-deploy servers
  • System administrators with limited Linux experience
  • End-users who want an easy way to install UBNT software

 

How to begin

You can run the script this way:

wget https://github.com/sprockteam/easy-ubnt/raw/master/easy-ubnt.sh -O easy-ubnt.sh && sudo bash easy-ubnt.sh

For convenience, the script is also available using a short link:

wget sprocket.link/eubnt -O easy-ubnt.sh && sudo bash easy-ubnt.sh

Dev branch

You can run the latest development version of the script this way:

wget sprocket.link/eubntdev -O easy-ubnt.sh && sudo bash easy-ubnt.sh

Quick mode

You can run the script to quickly deploy a server this way:

wget sprocket.link/eubnt -qO easy-ubnt.sh && sudo bash easy-ubnt.sh -aqd unifi.fqdn.com

 

Please note:

If you are using a recommended version of Linux, then you don't need this or any other script to install UniFi SDN; you can just do something like this:

  

echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key C0A52C50
sudo apt-get update
sudo apt-get install unifi

 

 This will install the UniFi SDN Controller from UBNT sources along with Java 8 and Mongo <=3.4 (probably 3.2) from your distribution sources. If you have trouble getting this to work (i.e. you're using a Linux distribution that doesn't have Java 8 or Mongo <=3.4) then you'll need to follow some extra steps. This project tries to anticipate these extra steps for you!

 

Optionally, if you already have UniFi installed, you can still benefit from this script by using it to add a Let's Encrypt certificate to your controller and set up UFW to better protect your controller.

 

Please note:

The script will adjust firewall rules on the local machine only. Any firewall external to your machine (network firewalls, hosting provider security groups, etc.) must allow the following UniFi ports:

  • 8080/tcp
  • 8443/tcp
  • 8880/tcp
  • 8843/tcp
  • 6789/tcp
  • 3478/udp

In addition, if you will be using Let's Encrypt to obtain an SSL certificate, you'll also need to allow HTTP (80/tcp) through your external firewall in order for the challenge verification to come through. Please let me know if you have any questions about this. Also note that customizing UniFi Controller ports and supporting DNS challenges for Let's Encrypt is planned for a future version of this script.

 

Recommended specifications:

  • Dedicated server or VM with at least 2GB of RAM
  • Ubuntu 16.04 "Xenial" or Debian 9.x "Stretch" 64-bit

 

Current status for UniFi Installer:

  • Version 0.x is currently beta
  • Relies on BASH3 Boilerplate and ShellCheck for framework and guidance
  • Should work on any 32-bit or 64-bit Intel, AMD or ARM processor (i386, amd64, armhf and arm64)
  • Should work on any Debian/Ubuntu-based OS, including Linux Mint
  • Installs/upgrades Java 8, MongoDB 3.4 (if needed)
  • Allows for selection of any UniFi Network Controller published by UBNT (currently goes back to 5.4)
  • Allows for entering Early Access URLs to install beta versions
  • Installs/upgrades OpenSSH Server
  • Installs/upgrades UFW (Uncomplicated Firewall) and adds firewall rules
  • Installs and sets up certbot for Let's Encrypt and imports the certificate to the UniFi Network keystore (per this solution)
  • Sets HTTPS protocols and ciphers to maximum supported
  • Optionally shows release notes for chosen software version
  • Checks if required ports are open to the Internet
  • Support to run the script quickly without prompts
  • Sets up a swap file if none present

 

Next steps for UniFi Installer while in 0.x beta:

  • Prune/repair database before upgrade if needed
  • Tweak the default UniFi settings for JVM and listening ports
  • Add options to remove/change security features that have already been setup
  • Add option to remove UniFi itself and related packages
  • Add support for Docker using the project
  • Enhance OpenSSH security with fail2ban and Duo
  • Add options to limit access to the controller (i.e. via Duo and/or UFW Lockdown)
  • Add Let's Encrypt support for DNS challenge with Cloudflare

 

Next steps for UniFi Installer after stable 1.x release:

  • Add support for nginx as a reverse proxy for GUI access
  • Add support for JSON configuration templates for USGs
  • Add support for the DNS filter script project
  • Add support for your ideas!

 

Next steps for Easy UBNT:

  • Add support for UNMS (will post in the UNMS forum when ready)
  • Add support for UniFi Video
  • Add support for UCRM
  • Add support for your ideas!

 

Anyone who needs to install or upgrade UniFi Controller on a Debian/Ubuntu-based OS and would like to use this script, please post your experience in this thread. If anyone has a feature request or would like to contribute to the project, please also post back to this thread. And if you like this project then please help spread the word by kudoing this post!

 

Thanks all!

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
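
The port list in the post above can be checked against a host's local UFW rules. The following is an added example, not part of the easy-ubnt script or the original post; the helper name `missing_ports` and the sample `ufw status` text are assumptions constructed for illustration, and it covers the local firewall only, not external firewalls or security groups.

```bash
#!/usr/bin/env bash
# Added example: audit local UFW rules against the ports listed in the post.
UNIFI_PORTS="8080/tcp 8443/tcp 8880/tcp 8843/tcp 6789/tcp 3478/udp"
LE_PORT="80/tcp"   # HTTP challenge port for Let's Encrypt

# missing_ports (hypothetical helper): reads `ufw status` text on stdin and
# prints every required port (given as arguments) that has no IPv4 ALLOW rule.
# A bare rule such as "3478" covers both tcp and udp. Prints "ufw-inactive"
# when UFW is disabled, since an empty rule list then means nothing is filtered.
# Not expanded: port ranges, comma lists, app profiles, per-interface rules.
missing_ports() {
  awk -v want="$*" '
    /^Status: inactive/ { inactive = 1 }
    $2 == "ALLOW" && $1 ~ /^[0-9]+(\/(tcp|udp))?$/ {
      if ($1 ~ /\//) allowed[$1] = 1
      else { allowed[$1 "/tcp"] = 1; allowed[$1 "/udp"] = 1 }
    }
    END {
      if (inactive) { print "ufw-inactive"; exit }
      n = split(want, w, " ")
      for (i = 1; i <= n; i++) if (!(w[i] in allowed)) print w[i]
    }'
}

# Constructed sample of `ufw status` output (not taken from a real host).
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
8443/tcp                   ALLOW       Anywhere
3478                       ALLOW       Anywhere
6789/tcp                   DENY        Anywhere
8880/tcp (v6)              ALLOW       Anywhere (v6)'

# Demo on the sample; on a real host pipe in the output of: sudo ufw status
printf '%s\n' "$SAMPLE_STATUS" | missing_ports $UNIFI_PORTS $LE_PORT
```

On the sample, the ports reported are the ones that are denied, allowed for IPv6 only, or absent from the rule list.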
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer

Update: Enhancements were made to the OpenSSH and UFW setup. Check it out!

 

https://github.com/sprockteam/easy-ubnt/commit/5fc22b11f8380c815c6e178aba95705c899b3414

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
New Member
Posts: 37
Registered: ‎11-16-2017
Kudos: 2

Re: Easy UBNT: UniFi Installer

Thanks for your message.

 

I already finished my installation but I will keep an eye on your project ;-)

I will probably install some controllers soon.

I will give it a try ;-)

Thanks again for your message

Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer

@ramius179

 

Thanks, glad to help! ;-)

 

Security is a priority with this project, so Let’s Encrypt support is on the way. You should be able to run this on an existing installation to get help with setting up the firewall.

 

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
New Member
Posts: 37
Registered: ‎11-16-2017
Kudos: 2

Re: Easy UBNT: UniFi Installer


What kind of settings are you talking about?

The firewall is set with the default ufw firewall (edit :-) for unifi controller)

I just open the ports 80 and 443 for the renewal of Let's Encrypt

but I would be happy to make it safer

Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer

Great, yes you want to use UFW with rules to allow the controller ports and ports for Let's Encrypt. Sounds like you have it right! :-) The script currently sets up UFW for the default UniFi controller ports.

 

Thanks!

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer

Update: Further enhancements to the OpenSSH/UFW setup, changed script to require sudo, removed support for Buster, and other housekeeping items. Check it out!

 

https://github.com/sprockteam/easy-ubnt/commits/master

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Emerging Member
Posts: 87
Registered: ‎07-16-2016
Kudos: 6
Solutions: 2

Re: Easy UBNT: UniFi Installer

Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer

Hey Jason,

 

Thanks for the question. Yes, I have seen his scripts and it's a great idea! He has clearly helped a lot of people and is doing great work in the community. I initially wanted to just make his scripts better, so I approached him about 10 days ago offering to contribute to his project... see here:

 

https://community.ubnt.com/t5/UniFi-Wireless/UniFi-Installation-Scripts-UniFi-Easy-Update-Scripts-Wo...

 

I think Glenn would rather just work on his own, which is his call. So, ironically, he told me to go start my own project and here we are! The major differences are:

 

  • This is just one script to download
  • Works on Debian and Ubuntu
  • Setting up security features on the controller is a priority
  • Feature ideas and contributions from the community are encouraged

 

The security features are the biggest sticking point for me. Setting up a firewall and obtaining an SSL certificate should be part of the script. Right now I've got some basic UFW rules, but I also have some ideas to help keep cloud-based controllers from just dangling out there, see here for starters:

 

https://community.ubnt.com/t5/UniFi-Wireless/Script-to-Limit-Access-to-UniFi-Controller-Ports-by-IP-...

 

Hope that helps clarify a bit! :-)

 

--

Klint

 

P.S. Glenn is credited in the mentions of my script.

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer


Update: Let's Encrypt support has been added to the script. Check it out!

 

https://github.com/sprockteam/easy-ubnt/commits/master

 

Credit to this post: https://community.ubnt.com/t5/UniFi-Wireless/Lets-Encrypt-on-Hosted-Controller/m-p/2463220/highlight...

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer

Besides myself, @AmazedMender16, @Frankedinven and @ssawyer have made posts in the community that have contributed to making this script better. Thank you to them!

I think the idea for this project is to make the installer better by incorporating discoveries from others shared on the forums, that way everyone can benefit. In other words, instead of having to search through the community for "best practices" whenever installing UniFi, this script would consolidate the collective experience of the community in one place. Even if nobody else finds this useful, at least I would! :-D

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer

Update: Bug fixes. Enhancements to setup functions for Mongo, Java, UFW and Let's Encrypt.

 

You should be able to safely run this script after you already have UniFi installed to setup Let's Encrypt and UFW.

 

Check it out!

 

https://github.com/sprockteam/easy-ubnt/commit/5beae874550d412296eafb54b9628490669d82c9

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

Update: Bug fixes, added install check to Java installer function, improved question prompt function.

 

https://github.com/sprockteam/easy-ubnt/commit/0905ca089625ae7d9e5f461edd748a226db3c39e

 

Check it out! :-)

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

Update: Added option to skip Let's Encrypt setup if already in use, added disk and memory size checks, added option to setup swap file.

 

Check it out!

 

https://github.com/sprockteam/easy-ubnt/commit/6f69a2916d328acb431e8c42a266b7008843cf46

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

Update: Bug fixes, improved UniFi version selection, fixed UFW port detection, added error handler for swapfile creation.

 

https://github.com/sprockteam/easy-ubnt/commit/664f84777251acc77b257ac7271eb4df019740d6

 

Check out the source code and try it!

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

Major update! You can now skip the license screen using the -a switch and accept all the default prompts using the -q switch to run this script automatically. True unattended support to come! Check out the commit on GitHub here:

 

https://github.com/sprockteam/easy-ubnt/commit/77ae07678ec61497a52bdeb664da385e76b3c728

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller


@SprockTech wrote:

Major update! You can now skip the license screen using the -a switch and accept all the default prompts using the -q switch to run this script automatically. True unattended support to come! Check out the commit on GitHub here:

 

https://github.com/sprockteam/easy-ubnt/commit/77ae07678ec61497a52bdeb664da385e76b3c728

 

--

Klint


It will now also check if a reboot is needed after updating packages. ;-)

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

Update: Bug fixes, added time/timezone check.

 

https://github.com/sprockteam/easy-ubnt/commit/8f92cdd7a014b2a2b82ae2c27a750004c60f6cb9

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Regular Member
Posts: 577
Registered: ‎01-28-2016
Kudos: 131
Solutions: 17

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller


@SprockTech wrote:

 

Next steps for UniFi Installer (not necessarily in order!):

  • ...
  • Add support for Duo 2FA during controller login (if possible)
  • ...

 @slooffmaster I've been doing some outside-the-box thinking... Do you know of a way to invalidate a login cookie (i.e. invoke the '/logout' API call) server-side?

 

--

Klint

UEWA | Primary Innovator at Sprocket Technology
UniFi Network Notes | Easy UBNT | UFW Lockdown | Companion API | Host on Vultr
Veteran Member
Posts: 5,052
Registered: ‎06-13-2015
Kudos: 1357
Solutions: 235

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

@SprockTech Interesting line of thought ;-) AFAIK such aspects of the controller aren't exposed through the API, even if available, it would be tricky if you're able to influence the session of another user...

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
The thread on our UniFi Device Search tool can be found here, also check out our Captive Portal solutions for UniFi.