Tutorial: UniFi 3.2.1 on Digital Ocean, Ubuntu 14.04 LTS

Update: 10-18-2015:

This is obsolete due to no further development on the version 3 UniFi controller. An updated installer for version is available for 4.7.5 here.

In a previous article, I shown you how to install UniFi on Ubuntu 12.04 LTS but since then we’ve had a new version of Ubuntu and the long-awaited UniFi version 3.x released that allows you to have multiple sites on a single controller.

If you don’t have a Digital Ocean account, please consider signing up through my affiliate link and you’ll also get a $10 credit towards your account (this pays for the basic controller for two months!)

Create your first droplet by naming it, choosing a data center close to you, and choosing the 1 CPU / 512MB size with Ubuntu 14.04 for the operating system. You will be emailed the IP address and the root password. For some reason Gmail always tosses this in the Spam folder, check in there if you don’t see it. Connect to the server controller using the credentials that were emailed to you.

If you don’t already have a SSH client, download PuTTy here.

Many of these commands require root access so either use ‘root’ for your user or if you’re running a local copy of Ubuntu use sudo (or su to elevate).

First let’s update the OS issuing the following commands to get Ubuntu up to date:

sudo apt-get update
sudo apt-get dist-upgrade

Let’s enable swap space so you don’t end up with funky results if you outgrow your droplet faster than you think. We’ll create a 1GB swap file, change file permissions so that only root can read/write, enable the swap file, and then set the swap file to survive an OS restart.

fallocate -l 1G /swapfile
chmod 600 /swapfile
nano /etc/fstab

Paste this into the end of the file:

/swapfile none swap sw 0 0

Control+O, Enter, and then Control+X to save and exit the text editor

To optimize the swap file, we want to set Swappiness. Skipping this step will cause poor performance. Swappiness basically tells the server the allowable tendency to utilize the swap file.

echo 10 | sudo tee /proc/sys/vm/swappiness
echo vm.swappiness = 10 | sudo tee -a /etc/sysctl.conf

Next let’s add some basic security to our server by configuring iptables and installing fail2ban to provide additional protection against brute force login attacks.

Enable already established connections through the firewall:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Enable SSH (you should use a different port for SSH than the default but that’s another article altogether):

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Enable loopback:

sudo iptables -I INPUT 1 -i lo -j ACCEPT

Add ports for UniFi:

sudo iptables -A INPUT -p tcp --dport 8081 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8880 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8843 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 27117 -j ACCEPT

Finally we add a drop rule so that the incoming request doesn’t match the criteria set above, it’s dropped:

sudo iptables -A INPUT -j DROP

Configuration of iptables also doesn’t survive an OS restart, so we’ll install a simple package to take care of that

sudo apt-get install iptables-persistent

Hit Enter twice to confirm settings changes.

Now let’s install fail2ban to prevent someone trying to brute force their way into SSH.

sudo apt-get install fail2ban

Copy the configuration since package updates can modify the original configuration on updates:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the file for editing:

sudo nano /etc/fail2ban/jail.local

These settings are the ones that I use but you can use your own judgement:
bantime = 3600
findtime = 600
maxretry = 3

Control+O, Enter, and then Control+X to save and exit the text editor

bantime – amount of time in seconds the client is banned (3600 = 1 hour)
findtime – period of time in which someone can attempt to login before being banned
maxretry – number of failed attempts in the timeframe specified in findtime

So to translate, if you try to SSH into my server using the wrong credential 3 times in a time frame of 10 minutes, you’ll be banned for 1 hour.

Restart fail2ban to apply the changes in the configuration

sudo service fail2ban restart

Since the whole reason you’re here is to install UniFi 3.2.1, let’s move on to that

Edit the package sources file:

sudo nano /etc/apt/sources.list

Scroll to the end of the file and paste:

deb http://www.ubnt.com/downloads/unifi/distros/deb/ubuntu ubuntu ubiquiti

Control+O, Enter, and then Control+X to save and exit the text editor

Add GPG keys:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10

Update sources since we’ve added the UniFi source to the list

sudo apt-get update

Finally, the installation

sudo apt-get install unifi-rapid

After about a minute, you’ll get your message that it’s completed. Open your browser and navigate to https://YOUR_DROPLET_IP:8443 (replacing YOUR_DROPLET_IP with the actual IP of your droplet). If all is well, your browser will show a security warning due to the self- signed SSL certificate and then prompt you with the setup wizard.

There is one final thing to do to make your UniFi devices to see your controller and that’s layer 3 adoption. Since the devices are on a different network, they cannot resolve the default hostname “unifi”.

The knowledgebase article at Ubiquiti’s site covers this nicely and I don’t see a reason to copy it here since everyone might want to do something a bit different. If you are on the same LAN as the devices, I use the Unifi-Discover utility to manually set the controller address. Other options are DNS, DHCP option 43, or manually through SSH.

http://community.ubnt.com/t5/UniFi-Controller-Installation/UniFi-Layer-3-methods-for-UAP- adoption-and-management/ta-p/455643

For most people’s needs, this is as far as you will need to go as far as server configuration. Routinely monitor your server to ensure it stays updated (apt-get update,
apt-get dist-update)