Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

@slooffmaster Ok, thanks. Based on that, my "plan B" solution would be this:

 

  • Use fail2ban to monitor the server log for failed auths, block those IPs (probably after 3-5 fails, with a certain timeout period)
  • Use fail2ban similarly to monitor the server log for successful auths, then send a Duo push to the logged in user's phone
  • If the response from the user is to block the login, then block the admin port (default 8443) via the firewall for that IP (probably with a timeout period as well)
  • If the above happens, the user will definitely want to change their password!
  • Probably also incorporate a blacklist/whitelist for repeat offenders/known good IPs

 

Thoughts? Can you think of a better way to do this?

 

--

Klint

Primary Innovator at Sprocket Technology
Ubiquiti Enterprise Wireless Admin

Setup and secure your UniFi SDN Controller the easy way! Check out the Easy UBNT project and view the source on GitHub. Also, try Vultr for hosting your cloud controller!
Veteran Member
Posts: 4,648
Registered: ‎06-13-2015
Kudos: 1261
Solutions: 218

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

@SprockTech Makes sense, not sure I would go this far though myself. But you never know ;-)

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
Details on our UniFi Device Search tool can be found here.
Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

@slooffmaster Yeah, I understand. TBH most people would probably be served best to use the Cloud Access and limit direct access to 8443 to certain IPs. This will be another option I'll add to the firewall portion of the script in the future. I'm still not using Cloud Access myself, though this might change for me in the future. I'm currently just limiting 8443 access to certain IPs, see here for another project which I'll eventually fold into this project.

 

Different people and scenarios will have different needs, so I'd like to offer easy options to all and let them choose how tight to make the security.

 

Thanks again!

 

--

Klint

Primary Innovator at Sprocket Technology
Ubiquiti Enterprise Wireless Admin

Setup and secure your UniFi SDN Controller the easy way! Check out the Easy UBNT project and view the source on GitHub. Also, try Vultr for hosting your cloud controller!
Veteran Member
Posts: 4,648
Registered: ‎06-13-2015
Kudos: 1261
Solutions: 218

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

@SprockTech Looks good.

I agree, as long as you provide the option to enable/disable a feature during the install/update process or even post-install, that would improve the usability of your script.

Member
Posts: 191
Registered: ‎10-07-2017
Kudos: 46
Solutions: 1

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

[ Edited ]

@SprockTech wrote:

@slooffmaster Ok, thanks. Based on that, my "plan B" solution would be this:

 

  • Use fail2ban to monitor the server log for failed auths, block those IPs (probably after 3-5 fails, with a certain timeout period)
  • Use fail2ban similarly to monitor the server log for successful auths, then send a Duo push to the logged in user's phone
  • If the response from the user is to block the login, then block the admin port (default 8443) via the firewall for that IP (probably with a timeout period as well)
  • If the above happens, the user will definitely want to change their password!
  • Probably also incorporate a blacklist/whitelist for repeat offenders/known good IPs

 

Thoughts? Can you think of a better way to do this?

 

--

Klint



 

Not sure exactly what you're trying to achieve (it's early morning here and I'm about to hit the bed)

 

But I've had a Ubiquiti filter in place for fail2ban for 11 months now, and while I've got no end of jailed fools for sshd and sshd-dos, I've never had a single idiot hit the ubiquiti filter as yet

 

/etc/fail2ban/filter.d/unifi.conf

 

# Fail2Ban filter for Ubiquiti UniFi
#
#

[Definition]
failregex = ^(.*)Failed admin login for (.*) from <HOST>$

And the lines added to /etc/fail2ban/jail.local:

 

[ubiquiti]
enabled  = true
port = 8080,8443
filter   = unifi
logpath = /var/log/unifi/server.log
bantime = 3600
findtime = 900
maxretry = 4


Believe me, I thought about limiting access to ssh and the controller via IP, and I've yet to see any reason not to just let fail2ban handle it... sure it's nice to lock down access to source IP, but at some point it can come back to haunt you, especially if, like most people here, you're on dynamic IP ranges that can vary quite a bit...

 

Note: updated some lines above for better uniformity
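Added example, not adrianmmiller's configuration or the Easy UBNT project's code: a small Python replay of the [ubiquiti] jail above. It applies the failregex from unifi.conf, with the jail's maxretry/findtime/bantime values, to constructed server.log lines. The host pattern standing in for fail2ban's <HOST> and the timestamp layout of the sample lines are assumptions; what it shows is when the ban would fire, and why findtime matters (retries spread out over more than 15 minutes never accumulate to maxretry).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the unifi.conf filter above. fail2ban substitutes its own host
# pattern for <HOST>; this simplified stand-in (an assumption) accepts IPv4/IPv6 literals.
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+)"
FAILREGEX = re.compile(r"^(.*)Failed admin login for (.*) from " + HOST_RE + r"$")

# Jail parameters from the [ubiquiti] section of jail.local.
MAXRETRY = 4
FINDTIME = timedelta(seconds=900)
BANTIME = timedelta(seconds=3600)

# Constructed sample lines. Only the "Failed admin login for <user> from <ip>" part
# is what the filter keys on; the leading timestamp layout is assumed.
SAMPLE_LOG = """\
2018-11-02 06:00:01 Failed admin login for admin from 203.0.113.7
2018-11-02 06:00:05 Failed admin login for admin from 203.0.113.7
2018-11-02 06:00:09 Failed admin login for root from 203.0.113.7
2018-11-02 06:00:15 Successful admin login for klint from 198.51.100.4
2018-11-02 06:00:20 Failed admin login for admin from 203.0.113.7
2018-11-02 06:03:00 Failed admin login for admin from 198.51.100.4
2018-11-02 06:40:00 Failed admin login for admin from 198.51.100.4
2018-11-02 06:50:00 Failed admin login for admin from 198.51.100.4
2018-11-02 07:10:00 Failed admin login for admin from 198.51.100.4
"""


def parse_line(line):
    """Return (timestamp, host) for a line the filter matches, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return ts, m.group("host")


def run_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines through the jail logic.

    Returns a list of (ban_time, host, unban_time) tuples, one per ban issued.
    """
    failures = defaultdict(deque)  # host -> timestamps of recent failures
    banned_until = {}              # host -> expiry of the current ban
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        # A host that is currently banned is dropped by the firewall, so its
        # lines would not reach the log; ignore any that do.
        if host in banned_until and ts < banned_until[host]:
            continue
        recent = failures[host]
        recent.append(ts)
        # Keep only failures inside the findtime window ending at this line.
        while recent and ts - recent[0] > findtime:
            recent.popleft()
        if len(recent) >= maxretry:
            banned_until[host] = ts + bantime
            bans.append((ts, host, ts + bantime))
            recent.clear()
    return bans


if __name__ == "__main__":
    for ban_at, host, unban_at in run_jail(SAMPLE_LOG.splitlines()):
        print(f"Ban {host} at {ban_at} until {unban_at}")
```

Run against the sample, 203.0.113.7 is banned at 06:00:20 for an hour after four failures in twenty seconds, while 198.51.100.4 never is: each of its retries is more than fifteen minutes from the previous one, so the window never holds more than one failure.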

 

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

@adrianmmiller Thanks for that contribution! Sharing collective knowledge and compiling it into one script is what this project is all about! I think this is a great start and I'll work on incorporating it along with a fail2ban entry for SSH.

 

@slooffmaster Thanks for your perspective as well! I'll add "Option to remove features, such as Let's Encrypt, UFW or even UniFi itself" to the feature list.

 

--

Klint

Member
Posts: 191
Registered: ‎10-07-2017
Kudos: 46
Solutions: 1

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

[ Edited ]

FWIW, I recommend also enabling sshd-dos

 

Relevant lines from my /etc/fail2ban/jail.local

 

Universal ban/find time setting from the head of the file:

# "bantime" is the number of seconds that a host is banned.
bantime  = 604800

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

For a long time while I monitored it I had it emailing me when people hit the jail (literally within minutes of spinning up an instance on any VPS service the Russians and the Chinese will be trying to be your friend - I was shocked when I first ran fail2ban), then I got bored and turned email reporting off, and set a longer bantime. Email alerts are an option, but that's more work to get going.

 

Anyway, back to sshd & sshd-dos from the jails section further down...

 

#
# JAILS
#

#
# SSH servers
#

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
maxretry = 3

[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
enabled = true
port = ssh
filter = sshd-ddos
logpath = %(sshd_log)s
maxretry = 2

And if I want to check in on the bans, since I don't have email reporting set up any longer (you will get bored with them arriving in your inbox)... once I learned to trust fail2ban, I switched to just checking in on the bans via an alias...

 

For ease of checking up on currently banned IPs I use the following alias in my /home/.bash_aliases file

 

alias banned='cat /var/log/fail2ban.log | grep "$(date +"%Y-%m-%d").*NOTICE.*Ban*"'

Whenever I log in and I'm bored enough I'll just type in banned, hit enter and I'll get output thusly:

 

[screenshot of the banned alias output]
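Added example, not from the post above: the same check the banned alias performs, done in Python over constructed fail2ban.log lines in fail2ban's "NOTICE [jail] Ban/Unban host" layout. Unlike the grep, it groups today's bans per jail and applies the Unban lines, so the second value it returns is the set of hosts still banned at the end of the log rather than every ban ever logged. The sample lines and the function name are constructed for this example.

```python
import re
from collections import defaultdict

# A fail2ban.log action line: date, time, logger, pid, level, [jail], action, host.
BAN_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<action>Ban|Unban) (?P<host>\S+)$"
)

# Constructed sample log, chronological, spanning two days.
SAMPLE_FAIL2BAN_LOG = """\
2018-11-01 23:59:59,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.99
2018-11-02 05:58:10,001 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10
2018-11-02 06:00:20,442 fail2ban.actions        [812]: NOTICE  [ubiquiti] Ban 203.0.113.7
2018-11-02 06:02:03,009 fail2ban.actions        [812]: NOTICE  [sshd-ddos] Ban 192.0.2.11
2018-11-02 06:31:44,120 fail2ban.actions        [812]: NOTICE  [sshd] Unban 192.0.2.10
2018-11-02 06:45:00,777 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.12
"""


def ban_report(lines, day):
    """Summarise fail2ban actions.

    Returns (bans_per_jail, still_banned): the hosts banned on `day`
    (YYYY-MM-DD) keyed by jail, and the set of (jail, host) pairs whose
    most recent action in the whole log is a Ban.
    """
    per_jail = defaultdict(list)
    still_banned = set()
    for line in lines:
        m = BAN_LINE.match(line)
        if not m:
            continue  # startup, filter and other non-action lines
        key = (m["jail"], m["host"])
        if m["action"] == "Ban":
            still_banned.add(key)
            if m["date"] == day:
                per_jail[m["jail"]].append(m["host"])
        else:
            still_banned.discard(key)
    return dict(per_jail), still_banned


if __name__ == "__main__":
    from datetime import date
    report, active = ban_report(SAMPLE_FAIL2BAN_LOG.splitlines(), "2018-11-02")
    for jail, hosts in sorted(report.items()):
        print(f"{jail}: {len(hosts)} ban(s) today: {', '.join(hosts)}")
    print(f"{len(active)} host(s) still banned")
    # On a real box, replace the sample with open('/var/log/fail2ban.log') and
    # date.today().isoformat() to get what the alias shows, grouped by jail.
```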

 

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

@adrianmmiller Thanks for the additional sshd-dos suggestion!

 

 

--

Klint

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

All,

 

I've posted a new commit to this project, here are the comments:

 

Major update, initial 0.5.x version, added wrapper functions for running commands to get better control over screen output and logging, added pre-install/update fixes including fix for full boot volume, enhanced Let's Encryption setup, enhanced error handling and script cleanup, fixed issue where Mongo could be removed leaving UniFi broken

 

https://github.com/sprockteam/easy-ubnt/commit/71951b39ce41955e0fc95b15dae0e08b5ad28da2

 

Check it out!

 

--

Klint

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

[ Edited ]

@SprockTech wrote:

All,

 

I've posted a new commit to this project, here are the comments:

 

Major update, initial 0.5.x version, added wrapper functions for running commands to get better control over screen output and logging, added pre-install/update fixes including fix for full boot volume, enhanced Let's Encryption setup, enhanced error handling and script cleanup, fixed issue where Mongo could be removed leaving UniFi broken

 

https://github.com/sprockteam/easy-ubnt/commit/71951b39ce41955e0fc95b15dae0e08b5ad28da2

 

Check it out!

 

--

Klint


 

As a follow up... I had an opportunity to run this script on a client's in-house UniFi Controller running on an Ubuntu 16.04 64-bit VM. During the script run it couldn't upgrade any packages because the /boot volume was full and one of the packages that needed upgrading was a kernel package. So I added a fix for this issue, and while I was at it I revamped the output to make the screen output cleaner while also logging to file. Since this ended up being such a large code change, I went ahead and bumped to 0.5.0, and I'll include some of the enhancements suggested by @adrianmmiller and @slooffmaster as a minor 0.5.x release.

 

Comments and feedback are welcome. Thanks!

 

--

Klint

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

All,

 

I've released a minor update, now at 0.5.1. Here is a summary:

 

  • Fixed bug with email input in __eubnt_setup_certbot function
  • Fixed issue with Ubuntu repository source lists not being loaded before packages need to be installed in the script
  • Fixed issue where keys with spaces weren't detected in __eubnt_add_key function
  • Added tweaks for virtual memory (thanks @adrianmmiller)
  • Enhanced logging

 

Check it out and try it! You can see the details of the commit here:

 

https://github.com/sprockteam/easy-ubnt/commit/bfdc034e88eacbbff70d2374e014d5800510bc5e

 

--

Klint

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

All,

 

After getting some feedback from @victorhooi in another thread, I've added experimental support for versions of Ubuntu higher than 18.04 (i.e. 18.10). In addition, the 0.5.2 update includes:

 

  • Enhanced UFW setup - now gives the option to bypass adding the UFW allow rules for UniFi if desired
  • Added fix for Mongo 3.4 install
  • Enhanced post-script summary output - now shows the web address at the end along with a short status of the UniFi service

 

Check it out!

 

--

Klint

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller


@SprockTech wrote:

All,

 

After getting some feedback from @victorhooi in another thread, I've added experimental support for versions of Ubuntu higher than 18.04 (i.e. 18.10). In addition, the 0.5.2 update includes:

 

  • Enhanced UFW setup - now gives the option to bypass adding the UFW allow rules for UniFi if desired
  • Added fix for Mongo 3.4 install
  • Enhanced post-script summary output - now shows the web address at the end along with a short status of the UniFi service

 

Check it out!

 

--

Klint


 

I should also mention that I added the option to bypass the UFW rules for UniFi to the script after I ran it on a controller that is using the UFW Lockdown script. Automatically adding the allow-to-UniFi-from-any rules kind of defeated the purpose of the lockdown script.

 

--

Klint

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

All,

 

I've been thinking more about the support for "unsupported" Linux OSes for this project. After getting some great feedback from @chrismc, I think the solution for running UniFi in a situation that this script isn't built to expect is to offer the option to use Docker. Chris also liked the Docker project from @goofball better than the one I had chosen previously. I took a closer look at both and I agree, this one seems to have a better structure and is lighter-weight (based on Debian/Alpine instead of Ubuntu). Check out the project and let me know any thoughts. Thanks!

 

https://github.com/goofball222/unifi

 

--

Klint

 

P.S. Bash and Docker are available for macOS and Windows now too.

New Member
Posts: 23
Registered: ‎09-16-2014
Kudos: 4

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

[ Edited ]

I went to try out your script today on a brand new EC2 t2.micro instance. Got through all the way to certbot, and then it ended.

 

Do you want to setup or re-setup Let's Encrypt? (y/n, default n) y

Running apt-get update [✓]
Running apt-get install --fix-broken --yes [✓]
##############################################################################

ERROR! Unable to install package certbot at 823 unifi-installer.sh
Setting up Let's Encrypt...

Do you want to setup or re-setup Let's Encrypt? y
Skipping add source for http://archive.ubuntu.com/ubuntu xenial main universe
Skipping add source for http://security.ubuntu.com/ubuntu xenial-security main universe
Skipping add source for http://mirrors.kernel.org/ubuntu xenial main universe
apt-get update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu xenial-security InRelease
Ign:5 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 InRelease
Hit:6 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 Release
Hit:7 http://mirrors.edge.kernel.org/ubuntu xenial InRelease
Hit:8 http://dl.ubnt.com/unifi/debian unifi-5.9 InRelease
Reading package lists...
Running apt-get update [✓]
apt-get install --fix-broken --yes
Reading package lists...
Building dependency tree...
Reading state information...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Running apt-get install --fix-broken --yes [✓]
ERROR! Unable to install package certbot at 823 unifi-installer.sh
service ssh restart
Running service ssh restart [✓]
apt-get clean --yes
Running apt-get clean --yes [✓]
apt-get autoremove --yes
Reading package lists...
Building dependency tree...
Reading state information...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Running apt-get autoremove --yes [✓]

Thoughts? Wanting to get a new controller setup to migrate my small installation to a secured controller. I do have a FQDN for this controller setup and ready.

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

[ Edited ]

Hey @srmorris2,

 

Thanks for the feedback! Can you share the latest log file? You should be able to find it at /var/log/easy-ubnt/unifi-installer-latest.log, and either post it as an attachment in this thread or send it to me via a PM if you're more comfortable with that. Please don't copy and paste the whole log into the thread because it could be pretty long.

 

--

Klint

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

@srmorris2,

 

Thanks for sharing a portion of the log, that helps, I might have missed that before my previous reply.

 

Please run this command then try again:

 

sudo add-apt-repository ppa:certbot/certbot

 

Let me know how it goes. Thanks!

 

--

Klint

New Member
Posts: 23
Registered: ‎09-16-2014
Kudos: 4

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

[ Edited ]

I had updated my original post with that log info. I also PM'd you the entire log. Will try that now.



Waiting for DNS to propagate, will check it again later. I noticed that when I put in the FQDN into the LE setup, it mentioned that "WARNING: The domain X does not resolve to 172.(internal ip)." That's when I checked to see that my DNS hasn't updated yet, so I stopped it for now and will fix once I see it has propagated.

 

Another thing I noticed: when your script ended, it gave me the IP to the server using my private IP, not the public IP. Is there something unique with Amazon EC2 that may need to be configured?

Member
Posts: 299
Registered: ‎01-28-2016
Kudos: 64
Solutions: 10

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

[ Edited ]

@srmorris2,

 

Thanks again for the feedback. In addition to the previous command I gave, if the script still doesn't work then you'll need to run this as well:

 

sudo apt-get install certbot

Looks like I introduced a bug in 0.5.0, so thanks for helping me find and fix that for the next release.

 

Regarding the local machine IP address, yes I need to find a better way to handle this when multiple IP addresses/interfaces are present. Let me know if you don't see your public IP address listed when you issue this command:

 

hostname -I

--

Klint

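Added example, not the Easy UBNT project's code: the address selection the post above is asking about. hostname -I prints every address on every interface; this helper keeps only globally routable ones (Python's ipaddress module classes RFC 1918, link-local, loopback and the RFC 5737 documentation ranges as non-global, so the sample addresses are constructed outside those ranges), prefers IPv4, and returns None when there is nothing to show. That None case is exactly the EC2 situation: the instance's public IPv4 is NAT'd by the VPC and never appears on an interface, so a script that wants to print the public address there has to fall back to the instance metadata service or ask the user rather than trust hostname -I. Function names are assumptions.

```python
import ipaddress
import subprocess


def pick_public_ip(addresses):
    """Return the first globally routable address from `addresses`, IPv4 first.

    Returns None when every address is private, link-local, loopback or
    otherwise non-global, which is what a NAT'd cloud instance looks like.
    """
    candidates = []
    for raw in addresses:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # skip empty tokens or anything that is not an address
        if ip.is_global:
            candidates.append(ip)
    # Stable sort by version keeps IPv4 (4) ahead of IPv6 (6), original order otherwise.
    candidates.sort(key=lambda ip: ip.version)
    return str(candidates[0]) if candidates else None


def local_addresses():
    """Addresses as `hostname -I` reports them on this Linux host."""
    return subprocess.check_output(["hostname", "-I"], text=True).split()


if __name__ == "__main__":
    # Constructed samples: a NAT'd instance with only a VPC address, and a VPS
    # with a public address alongside link-local and private ones.
    print(pick_public_ip(["172.31.5.7"]))                                  # None
    print(pick_public_ip(["192.0.3.10", "fe80::5054:ff:fe12:3456", "10.0.0.5"]))  # 192.0.3.10
    chosen = pick_public_ip(local_addresses())
    print(chosen or "no public address on any interface; ask the metadata service or the user")
```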
Established Member
Posts: 1,287
Registered: ‎05-25-2016
Kudos: 230
Solutions: 11

Re: Easy UBNT: UniFi Installer | Setup and Secure Your Controller

Add support for ucrm maybe?
