Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Easy UBNT: Install, Update and Secure the UniFi SDN Controller

All,

 

I've created a project for installing UBNT software, starting with a guided script to install the UniFi SDN Controller and secure the server that is running it. Feedback and collaboration from the community is welcome! You can find the project on GitHub:

 

https://github.com/sprockteam/easy-ubnt

 

Who would benefit from this project?

  • System administrators who are experienced with Linux but would prefer a "cheatsheet" so they don't have to learn or re-learn the recommended way to install UBNT software whenever they need to deploy or re-deploy servers
  • System administrators with limited Linux experience
  • End-users who want an easy way to install UBNT software

 

Please note:

If you are using a recommended version of Linux, then you don't need this or any other script to install UniFi SDN; you can just do something like this:

  

echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key C0A52C50
sudo apt-get update
sudo apt-get install unifi

 

 This will install the UniFi SDN Controller from UBNT sources along with Java 8 and Mongo <=3.4 (probably 3.2) from your distribution sources. If you have trouble getting this to work (i.e. you're using a Linux distribution that doesn't have Java 8 or Mongo <=3.4) then you'll need to follow some extra steps. This script tries to anticipate these extra steps for you!

 

Optionally, if you already have UniFi installed, you can still benefit from this script by using it to add a Let's Encrypt certificate to your controller and set up UFW to better protect your controller.

 

Script instructions:

The easiest way to obtain the UniFi Installer script is to use the following command:

  

wget https://github.com/sprockteam/easy-ubnt/raw/master/unifi-installer.sh -O unifi-installer.sh

 

If you have git installed, you could alternatively obtain the script this way:

 

git clone --depth 1 https://github.com/sprockteam/easy-ubnt.git

 

After you have downloaded the script you can run the script using bash, either logged in as root or using sudo:

  

sudo bash unifi-installer.sh

 

Alternatively, you can run the script and automatically accept the license and all the default prompts with the -a and -q switches, like this:

  

sudo bash unifi-installer.sh -aq

 

Please note:

This script adjusts firewall rules on the local machine only. Any firewall external to your machine (network firewalls, hosting provider security groups, etc.) must allow the following UniFi ports:

  • 8080/tcp
  • 8443/tcp
  • 8880/tcp
  • 8843/tcp
  • 6789/tcp
  • 3478/udp

In addition, if you will be using Let's Encrypt to obtain an SSL certificate, you'll also need to allow HTTP (80/tcp) through your external firewall in order for the challenge verification to come through. Please let me know if you have any questions about this. Also note that custom UniFi ports and DNS challenge support for Let's Encrypt are planned for a future version of this script.

 

Recommended specifications:

  • Dedicated server or VM with at least 2GB of RAM
  • Ubuntu 16.04 "Xenial" or Debian 9.x "Stretch" 64-bit

 

Current status for UniFi Installer:

  • Version 0.x is currently beta
  • Relies on BASH3 Boilerplate and ShellCheck for framework and guidance
  • Works with 32-bit and 64-bit
  • Works with Debian 7.x "Wheezy", 8.x "Jessie", 9.x "Stretch"
  • Works with Ubuntu 12.04 "Precise", 14.04 "Trusty", 16.04 "Xenial", 18.04 "Bionic"
  • Experimental support for non-LTS versions of Ubuntu
  • Experimental support for ARM architecture (i.e. Raspberry Pi)
  • Installs/upgrades Java 8, MongoDB 3.4 (if possible) and UniFi Controller (5.6, 5.8 or 5.9)
  • Installs/upgrades OpenSSH Server
  • Installs/upgrades UFW (Uncomplicated Firewall) and adds firewall rules
  • Installs and sets up certbot for Let's Encrypt and imports the certificate to the UniFi keystore
  • Sets HTTPS protocol to TLSv1.2
  • Optionally shows release notes for chosen UniFi SDN version
  • Checks if required ports are open to the Internet
  • Support to run the script without prompts
  • Sets up a swap file if none present and checks the time (per Crosstalk setup guide)

 

Next steps for UniFi Installer while in 0.x beta:

  • Add support for Let's Encrypt
  • Add swap file setup
  • Check the time/timezone
  • Add support for Raspberry Pi controllers
  • Check if required ports are open to the Internet
  • Add option to download basic Unix package for non-Debian based distros
  • Create a UniFi backup before upgrading if needed
  • Prune/repair database before upgrade if needed
  • Tweak the default UniFi settings for JVM and listening ports
  • Add options to remove/change security features that have already been setup
  • Add option to remove UniFi itself and related packages
  • Add support to run the script unattended using custom options
  • Add support for Cloud Key controllers
  • Add support for Docker using the project

 

Next steps for UniFi Installer after stable 1.x release:

  • Add options to limit access to the controller (i.e. via Duo and/or UFW Lockdown)
  • Add Let's Encrypt support for DNS challenge with Cloudflare
  • Add support for nginx as a reverse proxy for GUI access
  • Add support for JSON configuration templates for USGs
  • Add support for the DNS filter script project
  • Enhance OpenSSH security with fail2ban and Duo
  • Add support for your ideas!

 

Next steps for Easy UBNT:

  • Add support for UNMS (will post in the UNMS forum when ready)
  • Add support for UniFi Video
  • Add support for UCRM
  • Add support for your ideas!

 

Anyone who needs to install or upgrade UniFi Controller on a Debian or Ubuntu server, please use this script and post your experience in this thread. If anyone has a feature request or would like to contribute to the project, please also post back to this thread. And if you like this project then please help spread the word by kudoing this post!

 

Thanks all!

 

--

Klint

Primary Innovator at Sprocket Technology
Ubiquiti Enterprise Wireless Admin

Setup and secure your UniFi SDN Controller the easy way! Check out the Easy UBNT project and view the source on GitHub. Also, try Vultr for hosting your cloud controller!
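
An added example, not part of the original post or the Easy UBNT script: a shell check that compares `ufw status` output with the UniFi ports listed in the post above, reporting required ports with no allow rule and allowed ports outside the list. The sample status text is constructed, and treating 22/tcp as expected for SSH is an assumption.

```shell
#!/bin/sh
# Ports from the post above; 80/tcp only matters for the Let's Encrypt challenge.
UNIFI_PORTS="8080/tcp 8443/tcp 8880/tcp 8843/tcp 6789/tcp 3478/udp"
LE_PORT="80/tcp"
SSH_PORT="22/tcp"   # assumption: OpenSSH listens on its default port

# Constructed sample of `ufw status` output (not taken from a real host).
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
8080/tcp                   ALLOW       Anywhere
8443/tcp                   ALLOW       Anywhere
3478/udp                   ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8080/tcp (v6)              ALLOW       Anywhere (v6)'

# allowed_ports: read `ufw status` text on stdin and print one port/proto per
# IPv4 rule whose action is ALLOW or LIMIT. A rule with no protocol ("8080")
# opens both tcp and udp, so both are printed. App-profile names such as
# "OpenSSH" are printed unchanged because their ports are not shown here.
allowed_ports() {
    awk '
        $2 == "(v6)" { next }                      # IPv6 copy of an IPv4 rule
        $2 == "ALLOW" || $2 == "LIMIT" {
            if ($1 ~ /^[0-9]+$/) { print $1 "/tcp"; print $1 "/udp" }
            else print $1
        }' | sort -u
}

# missing_ports STATUS_TEXT [with_le]: required ports that have no allow rule.
missing_ports() {
    allowed=$(printf '%s\n' "$1" | allowed_ports)
    required=$UNIFI_PORTS
    [ "${2:-}" = "with_le" ] && required="$required $LE_PORT"
    for p in $required; do
        printf '%s\n' "$allowed" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

# unexpected_ports STATUS_TEXT: allowed entries outside the post's list (and SSH).
unexpected_ports() {
    printf '%s\n' "$1" | allowed_ports | while read -r p; do
        case " $UNIFI_PORTS $LE_PORT $SSH_PORT " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

printf 'missing: %s\n' "$(missing_ports "$SAMPLE_STATUS" with_le | xargs)"
printf 'not in list: %s\n' "$(unexpected_ports "$SAMPLE_STATUS" | xargs)"
```

On a live host, pass the real output instead of the sample, for example `missing_ports "$(sudo ufw status)" with_le`.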
Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer

Update: Enhancements were made to the OpenSSH and UFW setup. Check it out!

 

https://github.com/sprockteam/easy-ubnt/commit/5fc22b11f8380c815c6e178aba95705c899b3414

 

--

Klint

New Member
Posts: 29
Registered: ‎11-16-2017
Kudos: 1

Re: Easy UBNT: UniFi Installer

Thanks for your message.

 

I already finished my installation, but I will keep an eye on your project.

I will probably install some controllers soon.

I will give it a try.

 

thanks again for your message

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer

@ramius179

 

Thanks, glad to help!

 

Security is a priority with this project, so Let’s Encrypt support is on the way. You should be able to run this on an existing installation to get help with setting up the firewall.

 

Klint

New Member
Posts: 29
Registered: ‎11-16-2017
Kudos: 1

Re: Easy UBNT: UniFi Installer

What kind of settings are you talking about?

The firewall is set with the default ufw firewall (edit for unifi controller).

I just opened ports 80 and 443 for the renewal of Let's Encrypt,

but I would be happy to make it safer.

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer

Great, yes you want to use UFW with rules to allow the controller ports and ports for Let's Encrypt. Sounds like you have it right! :-) The script currently sets up UFW for the default UniFi controller ports.

 

Thanks!

 

--

Klint

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer

Update: Further enhancements to the OpenSSH/UFW setup, changed script to require sudo, removed support for Buster, and other housekeeping items. Check it out!

 

https://github.com/sprockteam/easy-ubnt/commits/master

 

--

Klint

Emerging Member
Posts: 83
Registered: ‎07-16-2016
Kudos: 5
Solutions: 2

Re: Easy UBNT: UniFi Installer

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer

Hey Jason,

 

Thanks for the question. Yes, I have seen his scripts and it's a great idea! He has clearly helped a lot of people and is doing great work in the community. I initially wanted to just make his scripts better, so I approached him about 10 days ago offering to contribute to his project... see here:

 

https://community.ubnt.com/t5/UniFi-Wireless/UniFi-Installation-Scripts-UniFi-Easy-Update-Scripts-Wo...

 

I think Glenn would rather just work on his own, which is his call. So, ironically, he told me to go start my own project and here we are! The major differences are:

 

  • This is just one script to download
  • Works on Debian and Ubuntu
  • Setting up security features on the controller is a priority
  • Feature ideas and contributions from the community are encouraged

 

The security features are the biggest sticking point for me. Setting up a firewall and obtaining an SSL certificate should be part of the script. Right now I've got some basic UFW rules, but I also have some ideas to help keep cloud-based controllers from just dangling out there, see here for starters:

 

https://community.ubnt.com/t5/UniFi-Wireless/Script-to-Limit-Access-to-UniFi-Controller-Ports-by-IP-...

 

Hope that helps clarify a bit!

 

--

Klint

 

P.S. Glenn is credited in the mentions of my script.

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer

Update: Let's Encrypt support has been added to the script. Check it out!

 

https://github.com/sprockteam/easy-ubnt/commits/master

 

Credit to this post: https://community.ubnt.com/t5/UniFi-Wireless/Lets-Encrypt-on-Hosted-Controller/m-p/2463220/highlight...

 

--

Klint

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer

Besides myself, @AmazedMender16, @Frankedinven and @ssawyer have made posts in the community that have contributed to making this script better. Thank you to them!

 

I think the idea for this project is to make the installer better by incorporating discoveries from others shared on the forums, that way everyone can benefit. In other words, instead of having to search through the community for "best practices" whenever installing UniFi, this script would consolidate the collective experience of the community in one place. Even if nobody else finds this useful, at least I would!

 

--

Klint

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer

Update: Bug fixes. Enhancements to setup functions for Mongo, Java, UFW and Let's Encrypt.

 

You should be able to safely run this script after you already have UniFi installed to setup Let's Encrypt and UFW.

 

Check it out!

 

https://github.com/sprockteam/easy-ubnt/commit/5beae874550d412296eafb54b9628490669d82c9

 

--

Klint

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

Update: Bug fixes, added install check to Java installer function, improved question prompt function.

 

https://github.com/sprockteam/easy-ubnt/commit/0905ca089625ae7d9e5f461edd748a226db3c39e

 

Check it out!

 

--

Klint

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

Update: Added option to skip Let's Encrypt setup if already in use, added disk and memory size checks, added option to setup swap file.

 

Check it out!

 

https://github.com/sprockteam/easy-ubnt/commit/6f69a2916d328acb431e8c42a266b7008843cf46

 

--

Klint

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

Update: Bug fixes, improved UniFi version selection, fixed UFW port detection, added error handler for swapfile creation.

 

https://github.com/sprockteam/easy-ubnt/commit/664f84777251acc77b257ac7271eb4df019740d6

 

Check out the source code and try it!

 

--

Klint

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

Major update! You can now skip the license screen using the -a switch and accept all the default prompts using the -q switch to run this script automatically. True unattended support to come! Check out the commit on GitHub here:

 

https://github.com/sprockteam/easy-ubnt/commit/77ae07678ec61497a52bdeb664da385e76b3c728

 

--

Klint

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller


@SprockTech wrote:

Major update! You can now skip the license screen using the -a switch and accept all the default prompts using the -q switch to run this script automatically. True unattended support to come! Check out the commit on GitHub here:

 

https://github.com/sprockteam/easy-ubnt/commit/77ae07678ec61497a52bdeb664da385e76b3c728

 

--

Klint


It will now also check if a reboot is needed after updating packages.

 

--

Klint

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

Update: Bug fixes, added time/timezone check.

 

https://github.com/sprockteam/easy-ubnt/commit/8f92cdd7a014b2a2b82ae2c27a750004c60f6cb9

 

--

Klint

Regular Member
Posts: 338
Registered: ‎01-28-2016
Kudos: 69
Solutions: 11

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller


@SprockTech wrote:

 

Next steps for UniFi Installer (not necessarily in order!):

  • ...
  • Add support for Duo 2FA during controller login (if possible)
  • ...

 @slooffmaster I've been doing some outside-the-box thinking... Do you know of a way to invalidate a login cookie (i.e. invoke the '/logout' API call) server-side?

 

--

Klint

Veteran Member
Posts: 4,671
Registered: ‎06-13-2015
Kudos: 1265
Solutions: 218

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

@SprockTech Interesting line of thought;-) AFAIK such aspects of the controller aren't exposed through the API, even if available, it would be tricky if you're able to influence the session of another user...

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
Our UniFi Device Search tool can be found here, and our Captive Portal solutions for UniFi can be found here.