-
Notifications
You must be signed in to change notification settings - Fork 3
/
unifi-controller-install.sh
158 lines (131 loc) · 7.23 KB
/
unifi-controller-install.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
# Complete script reference to installing UniFi Controller on Ubuntu 16.04.2
#
# The procedure sets up a UniFi Controller instance with default settings
# Protected by fail2ban, secured by Let's Encrypt, automated backups to Backblacze B2
# Add Linux user "user" with password "PASSWORD"
adduser user
# PASSWORD
# Y
adduser user sudo
exit
## ssh as user
# Disable root login
sudo nano /etc/ssh/sshd_config
# PermitRootLogin no
sudo service ssh restart
# Set TimeZone to Europe/Stockholm
# Fund yours with timedatectl list-timezones
sudo timedatectl set-timezone Europe/Stockholm
# Update apt-get source list and upgrade all packages.
sudo apt-get update -y && sudo apt-get upgrade -y
# Set up Automatic Security Updates
sudo apt-get install unattended-upgrades -y
touch /etc/apt/apt.conf.d/20auto-upgrades
echo -e 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";' | sudo tee -a /etc/apt/apt.conf.d/20auto-upgrades
/etc/init.d/unattended-upgrades restart
# Allow ports on UFW firewall.
# https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used
sudo ufw allow 22/tcp # SSH
sudo ufw allow 443/tcp # HTTPS
sudo ufw allow 8080/tcp # Inform
sudo ufw allow 8443/tcp # Web GUI
sudo ufw allow 8843/tcp # HTTPS Portal
sudo ufw allow 8880/tcp # HTTP Portal
sudo ufw allow 3478/udp # STUN
# Enable UFW firewall.
sudo ufw --force enable
# Add Ubiquiti UniFi repo to system source list.
# https://help.ubnt.com/hc/en-us/articles/220066768-UniFi-How-to-Install-Update-via-APT-on-Debian-or-Ubuntu
sudo echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee -a /etc/apt/sources.list.d/100-ubnt.list
# Add Ubiquiti GPG Keys
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50
# Update source list to include the UniFi repo then install Ubiquiti UniFi.
sudo apt-get update -y && sudo apt-get install unifi -y
# Install Fail2Ban
sudo apt-get install fail2ban -y
# Copy config Fail2ban config files to preserve overwriting changes during Fail2ban upgrades.
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Create ubiquiti Fail2ban definition and set fail regex.
sudo echo -e '# Fail2Ban filter for Ubiquiti UniFi\n#\n#\n\n[Definition]\nfailregex =^.*Failed .* login .* <HOST>*\s*$' | sudo tee -a /etc/fail2ban/filter.d/ubiquiti.conf
# Add ubiquiti JAIL to Fail2ban setting log path and blocking IPs after 3 failed logins within 15 minutes for 1 hour.
sudo echo -e '\n[ubiquiti]\nenabled = true\nfilter = ubiquiti\nlogpath = /usr/lib/unifi/logs/server.log\nmaxretry = 3\nbantime = 3600\nfindtime = 900\nport = 8443' | sudo tee -a /etc/fail2ban/jail.local
# Restart Fail2ban to apply changes above.
sudo service fail2ban restart
# Prerequisites
sudo mkdir /usr/local/bin
sudo apt-get install wget openssl -y
# Make sure sudo has a Crontab
sudo crontab -e
# REMEBER TO CHANGE;
# UNIFI.CONTROLLER.NAME
# -password pass:PASSWORD
# -srcstorepass PASSWORD
# Make sure to change the same vaules at the Cron Job stage aswell.
# Open https (tcp:443) using UFW
sudo ufw allow 443/tcp
sudo ufw --force enable
# This can be done in other ways, for example sudo iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
# Set up LetsEncrypt with Certbot
# Navigate to system folder
cd /usr/local/bin
# Download certbot-auto
sudo wget https://dl.eff.org/certbot-auto
# Make Certbot-auto executable
sudo chmod a+x certbot-auto
# Install Certbot
yes | ./certbot-auto
# Generate a request for LetsEncrypt
./certbot-auto certonly --standalone --standalone-supported-challenges tls-sni-01 --register-unsafely-without-email --agree-tos -d UNIFI.CONTROLLER.NAME
# Convert cert to PKCS #12 format
sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/UNIFI.CONTROLLER.NAME/privkey.pem -in /etc/letsencrypt/live/UNIFI.CONTROLLER.NAME/fullchain.pem -out /usr/local/bin/lecert.p12 -name ubnt -password pass:PASSWORD
# Install certificate on UniFi Controller
sudo keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore /usr/local/bin/lecert.p12 -srcstoretype PKCS12 -srcstorepass PASSWORD -alias ubnt -noprompt
# Cleanup
sudo rm /usr/local/bin/lecert.p12
# Restart UniFi Service to enable the new certificate
sudo /etc/init.d/unifi restart
# Automated Cron Job for Renewal
# Create renew_lets_encrypt_cert.sh script
sudo touch /usr/local/bin/renew_lets_encrypt_cert.sh
sudo echo -e '#!/bin/bash\n# Get the certificate from LetsEncrypt\n/usr/local/bin/certbot-auto renew --quiet --no-self-upgrade\n# Convert cert to PKCS #12 format\n/usr/bin/openssl pkcs12 -export -inkey /etc/letsencrypt/live/UNIFI.CONTROLLER.NAME/privkey.pem -in /etc/letsencrypt/live/UNIFI.CONTROLLER.NAME/fullchain.pem -out /usr/local/bin/lecert.p12 -name ubnt -password pass:PASSWORD\n# Load it into the java keystore that UBNT understands\n/usr/bin/keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore /usr/local/bin/lecert.p12 -srcstoretype PKCS12 -srcstorepass PASSWORD -alias ubnt -noprompt\n# Clean up and use new cert\nrm /usr/local/bin/lecert.p12\n/etc/init.d/unifi restart' | sudo tee -a /usr/local/bin/renew_lets_encrypt_cert.sh
# Make renew_lets_encrypt_cert.sh script executable
sudo chmod +x /usr/local/bin/renew_lets_encrypt_cert.sh
# Schedule Cron Job to run renew_lets_encrypt_cert.sh every Monday
sudo crontab -l | { cat; echo "1 1 * * 1 /usr/local/bin/renew_lets_encrypt_cert.sh"; } | sudo crontab -
# Read access to UniFi backup directory
sudo chmod -R 705 /var/lib/unifi/backup/
# Set up rclone for use with Backblaze B2
# https://rclone.org/
# https://www.backblaze.com/b2/cloud-storage.html
cd /tmp
sudo apt-get install unzip -y
curl -O https://downloads.rclone.org/rclone-current-linux-amd64.zip
unzip rclone-current-linux-amd64.zip
cd rclone-*-linux-amd64
# Install rclone
# Binary
sudo cp rclone /usr/sbin/
sudo chown root:root /usr/sbin/rclone
sudo chmod 755 /usr/sbin/rclone
# Manpage
sudo mkdir -p /usr/local/share/man/man1
sudo cp rclone.1 /usr/local/share/man/man1/
sudo mandb
# Configure rclone for use with Backblaze B2
# Use your bucket settings
rclone config
n # New Config
B2_UNIFI.CONTROLLER.NAME # Select a Name
3 # 3 for Backblaze B2
123456abcdef # Provide Accound ID
123456abcdef123456abcdef123456abcdef123abc # Provide Application Key
# Blank Endpoint
y # Save
q
# Automate backups with rclone
touch /usr/local/bin/unifi_b2_backup.sh
sudo echo -e '#!/bin/bash\ncd /tmp\n# Backup /var/lib/unifi/backup\nTIMESTMP=$(date +'%Y%m%d_%H%M%S')\ntar -zcvf backup.$TIMESTMP.tar.gz /var/lib/unifi/backup\n/usr/sbin/rclone copy /tmp/backup.$TIMESTMP.tar.gz B2_UNIFI.CONTROLLER.NAME:BUCKETNAME\nrm backup.$TIMESTMP.tar.gz\n\n# Backup /var/lib/unifi/sites\nTIMESTMP=$(date +'%Y%m%d_%H%M%S')\ntar -zcvf sites.$TIMESTMP.tar.gz /var/lib/unifi/sites\n/usr/sbin/rclone copy /tmp/sites.$TIMESTMP.tar.gz B2_UNIFI.CONTROLLER.NAME:BUCKETNAME\nrm sites.$TIMESTMP.tar.gz' | sudo tee -a /usr/local/bin/unifi_b2_backup.sh
sudo chmod +x /usr/local/bin/unifi_b2_backup.sh
# Schedule Cron Job to run unifi_b2_backup.sh every Sunday, After UniFi Controller Automated Backups
sudo crontab -l | { cat; echo "45 21 * * 0 /usr/local/bin/unifi_b2_backup.sh"; } | crontab -