UniFi SDN Controller

by jshayden
9 deployments · 8 still active · last rev. 22 days ago

Installs the Ubiquiti UniFi SDN Controller.
Configures LetsEncrypt certificates for HTTPS.
Creates and saves firewall rules to allow only necessary traffic, including a pre-routing redirect of 443 to 8443 for standard HTTPS.
Creates an Nginx redirect from port 80 to 443 to force unencrypted HTTP to HTTPS.
Installs fail2ban to prevent brute force SSH attacks.

Runs great on a Nanode.

LetsEncrypt expects your hostname to resolve to your IP before creating certificates. Have your DNS configuration pulled up and ready, and add the relevant entry as soon as the Linode deployment shows your your IP address. The software updates/installs happening in the script before the certificate creation will give you enough time to save your DNS settings.

(Based on https://www.linode.com/stackscripts/view/335530 ; Thanks, eseelke !)

Compatible with: Debian 9
#<UDF name="email" label="The email address used for LetsEncrypt:">
#<UDF name="hostname" label="The hostname for the new Linode:">

# update debian
echo "Updating Debian"
apt-get update
apt-get upgrade -y

# Setup the hostname
echo "Setting the hostname"
hostname $HOSTNAME
hostnamectl set-hostname $HOSTNAME

# Install Unifi
echo "Installing UniFi"
wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg 
echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | tee /etc/apt/sources.list.d/100-ubnt-unifi.list
apt-get update
apt-get install unifi -y

# Install LetsEncrypt
echo "Installing LetsEncrypt"
apt-get install letsencrypt -y

# Setup LetsEncrypt certificate
echo "Setting up LetsEncrypt Certificate"
wget -O /opt/gen-unifi-cert.sh https://source.sosdg.org/brielle/lets-encrypt-scripts/raw/master/gen-unifi-cert.sh
sed -i 's/--agree-tos --standalone --preferred-challenges tls-sni/--agree-tos --standalone/g' /opt/gen-unifi-cert.sh
chmod +x /opt/gen-unifi-cert.sh
/opt/gen-unifi-cert.sh -e $EMAIL -d $HOSTNAME

# Create crontab for LetsEncrypt
echo "Update LetsEncrypt Certificate on a schedule"
crontab -l > /tmp/letsencryptcron
echo "23 1,13 * * * /opt/gen-unifi-cert.sh -r -d $HOSTNAME" >> /tmp/letsencryptcron
crontab /tmp/letsencryptcron
rm /tmp/letsencryptcron

# Create firewall rules
echo "Creating FW Rules"
iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8843 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 3478 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o eth0 -j ACCEPT

# Install FW persistence 
echo "Installing other Software"
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
apt-get install iptables-persistent netfilter-persistent -y

# Save firewall rules
echo "Saving FW Rules"
netfilter-persistent save

# Install Nginx
echo "Installing Nginx"
apt-get install nginx-light -y

# Configure Nginx to forward 80 to 443
echo "Configuring Nginx to forward HTTP to HTTPS"
echo "server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 301 https://\$host\$request_uri;
}" > /etc/nginx/sites-available/redirect
ln -s /etc/nginx/sites-available/redirect /etc/nginx/sites-enabled/
rm /etc/nginx/sites-enabled/default

# Install fail2ban
echo "Installing fail2ban"
apt-get install fail2ban -y

# Restart services
echo "Restarting Services"
systemctl restart nginx
systemctl restart unifi