Category Archives: Howto Tutorials (EN)

Knowledge Network for Tutorials, Howtos, Workarounds and DevOps Code for Professionals.

UniFi UAP Device Re-adoption

Ubiquiti UAP device adoption with the UniFi Network application and an SSH terminal

UniFi device adoption is the process of connecting a UniFi device to a UniFi Network application so that it can be managed by the UniFi Controller.

This tutorial explains how UniFi UAP device adoption works, how to adopt devices in the UniFi Network application, and how to troubleshoot issues that may arise.

The UniFi Network application scans for and displays all devices, whether unmanaged or managed by the UniFi Controller. A UniFi UAP that is not managed by any application shows a static white LED, which means the device is available for discovery and adoption.

If the adoption fails and the UAP can no longer be adopted because the UniFi Controller rejects it, for example after a failed provisioning, the first step is to remove the disconnected device from the UniFi Controller by clicking the Forget button.

UniFi Device adoption Disconnected click Forget

Manual set-inform via SSH

Now connect to the device over SSH, for example with the PuTTY terminal on Windows or the ssh command on Linux, and run info to see the current status of the UAP.

Open SSH Terminal to UniFi UAP with PuTTY
BusyBox v1.25.1 () built-in shell (ash)
 
 
  ___ ___      .__________.__
 |   |   |____ |__\_  ____/__|
 |   |   /    \|  ||  __) |  |   (c) 2010-2020
 |   |  |   |  \  ||  \   |  |   Ubiquiti Networks, Inc.
 |______|___|  /__||__/   |__|
            |_/                  https://www.ui.com/
 
      Welcome to UniFi UAP-AC-LR!
 
APBern-BZ.v4.3.28# info
 
Model:       UAP-AC-LR
Version:     4.3.28.11361
MAC Address: 18:e8:29:c0:b0:d6
IP Address:  192.168.1.20
Hostname:    APBern
Uptime:      104426 seconds
 
Status:      Server Reject (http://192.168.2.17:8080/inform)
APBern-BZ.v4.3.28#

If the UAP status shows Server Reject, reset the UAP with the following command from the SSH terminal.

sudo syswrapper.sh restore-default

During the reset the UAP reboots; after about 2 minutes the device is reachable again, possibly with a different IP address.

The UAP is now in the status Pending Adoption (static white LED) and can be adopted by the UniFi Controller application.

Unifi UAP Pending Adoption Status

Now open an SSH terminal again and execute the following commands; set-inform must be executed several times. After the reset the login is ubnt/ubnt or root/ubnt. Here the UniFi Controller runs on the server 192.168.2.17, but it can also be a UniFi Cloud Key.

set-inform http://192.168.2.17:8080/inform
set-inform

After about 2 minutes the device is ready for adoption; click Adopt in the UniFi Controller application. After another 2 minutes the device is adopted and provisioned, and its status LED lights up steady blue.

Advanced UniFi UAP adoption troubleshooting

If the UniFi UAP device doesn’t appear for adoption and the steps above didn’t help, try the following steps:

If the device status LED does not light up, check whether the device is powered; check the PoE and Ethernet cables. If the device is powered and the LED lights up, it may be managed by another UniFi Network application.

If the device status LED is steady blue, the UAP has either already been adopted by a UniFi Network application and can no longer connect to it, or it is managed by another UniFi Network application, which prevents it from being detected.

A reset can also be triggered with the reset button next to the RJ-45 LAN port: use a pen or a straightened paper clip to press and hold the button for at least 5 seconds, until the status LED starts flashing.

Add additional IP address on Windows

If the device has the IP address 192.168.1.20 rather than one from DHCP, it has been rejected by the UniFi Controller and provisioning no longer works. To reach the device via SSH, a second IP address must be assigned to the client computer. Under Windows, proceed as follows: press Win+R to open Run.


Enter ncpa.cpl and click OK

The Control Panel's Network Connections window opens; right-click the active network adapter and choose Properties.

Control Panel Ethernet Properties

Select the line Internet Protocol Version 4 (TCP/IPv4) and click Properties.

Add alternate IP-Address

On the Alternate Configuration tab, enter an IP address, e.g. 192.168.1.2, and the subnet mask 255.255.255.0. Confirm with OK to activate the alternate IP address.

Add second IP address on Linux

Under Linux, a second IP address can be temporarily assigned to the network interface as root with ifconfig (net-tools).

$ ifconfig eth0:0 192.168.1.2 netmask 255.255.255.0 up

On modern distributions such as Debian 10 (buster) or CentOS 7 and newer, use the ip command instead.

$ ip address add 192.168.1.2/24 dev eth0

On macOS, use ifconfig to add a second IP address to the interface en0.

$ sudo ifconfig en0 inet 192.168.1.2 netmask 255.255.255.0

The device can now be checked with ping and reached at 192.168.1.20 via an SSH terminal.

$ ssh ubnt@192.168.1.20

Linux has an SSH client built in that can be used directly from the shell. Once the SSH connection to the device is established, carry out the set-inform procedure described above.

If the UAP is still not accepted after several adoption attempts, assign an alternate IP address, e.g. 192.168.1.100, to the host on which the UniFi Controller runs. A UAP that gets no IP from DHCP falls back to 192.168.1.20 after restore-default, so with that alias the controller can reach it and initiate provisioning. After successful provisioning the UAP is back in its original subnet.

unifi UAP advanced adoption

It is also possible to use the ADVANCED ADOPT option: click the + on the UAP that appears with the status MANAGED BY OTHER.
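The whole re-adoption sequence from a Linux admin host, as an added example that is not part of the original post: it adds the alias address to the workstation, waits for the reset UAP at 192.168.1.20 to answer ping, drops the stale SSH host key (restore-default generates a new one) and sends set-inform twice. UAP_IP, UAP_USER, CONTROLLER, ALIAS_IP and IFACE are variables assumed for this example, defaulting to the post's values; inform_url and valid_ipv4 are hypothetical helpers.

```shell
#!/bin/bash
# Added example (not from the original post): automate the manual
# re-adoption steps from a Linux admin host. Defaults are the post's values.
UAP_IP="${UAP_IP:-192.168.1.20}"          # fallback address after restore-default
UAP_USER="${UAP_USER:-ubnt}"              # login after reset: ubnt/ubnt or root/ubnt
CONTROLLER="${CONTROLLER:-192.168.2.17}"  # host running the UniFi Network application
ALIAS_IP="${ALIAS_IP:-192.168.1.2/24}"    # second address for the admin host
IFACE="${IFACE:-eth0}"

# Build the inform URL exactly as the set-inform step expects it (hypothetical helper).
inform_url() { printf 'http://%s:8080/inform\n' "$1"; }

# True if the argument is a dotted-quad IPv4 address with octets 0-255 (hypothetical helper).
valid_ipv4() {
  local ip="$1" o
  case "$ip" in
    *[!0-9.]* | .* | *. | *..*) return 1 ;;   # non-digit, leading/trailing/double dot
  esac
  case "$ip" in
    *.*.*.*.*) return 1 ;;                    # more than three dots
    *.*.*.*) ;;                               # exactly three dots
    *) return 1 ;;
  esac
  for o in $(printf '%s' "$ip" | tr . ' '); do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Give the admin host a foothold in 192.168.1.0/24 (ip command, needs root).
add_alias_ip() {
  if ip address show dev "$IFACE" | grep -q " $ALIAS_IP "; then
    echo "$ALIAS_IP already configured on $IFACE"
  else
    sudo ip address add "$ALIAS_IP" dev "$IFACE"
  fi
}

# Wait until the UAP answers ping; the reboot after restore-default takes about 2 minutes.
wait_for_uap() {
  local tries="${1:-60}"
  while [ "$tries" -gt 0 ]; do
    ping -c 1 -W 1 "$UAP_IP" >/dev/null 2>&1 && return 0
    tries=$((tries - 1))
    sleep 2
  done
  return 1
}

# Send set-inform with the URL and then once more without it, as the post does.
send_set_inform() {
  local url
  url="$(inform_url "$CONTROLLER")"
  # restore-default generated a new host key; remove the stale known_hosts entry
  ssh-keygen -R "$UAP_IP" >/dev/null 2>&1 || true
  ssh -o StrictHostKeyChecking=accept-new "$UAP_USER@$UAP_IP" "set-inform $url; set-inform"
}

main() {
  if ! valid_ipv4 "$UAP_IP" || ! valid_ipv4 "$CONTROLLER"; then
    echo "UAP_IP and CONTROLLER must be IPv4 addresses" >&2
    return 2
  fi
  add_alias_ip
  echo "waiting for $UAP_IP to answer ping ..."
  wait_for_uap 60 || { echo "$UAP_IP is not reachable" >&2; return 1; }
  send_set_inform
  echo "set-inform sent; now click Adopt in the UniFi Network application"
}

# Only act when explicitly asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as ./uap-readopt.sh run once the UAP has been reset; after the two set-inform calls the device shows up as Pending Adoption and the remaining step is the Adopt click in the controller.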

Block suspicious IP with Linux firewall daemon

Block Brute-Force requests with Firewall Daemon from Bash Script

firewalld

The firewall daemon (firewalld) can help protect against ongoing brute-force attacks once attempts against the Linux host have been detected: suspicious sources can be blocked permanently. The following Bash script takes an IP address as argument and adds a reject rule for it using firewall-cmd.

#!/bin/bash
# permanently reject or remove suspicious sources by kernel firewall
# dependency: firewalld (fail2ban optional)
# usage: fw add|remove <source IPv4>
#        fw add6|remove6 <source IPv6>

ZONE=public
IPV4_RE='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
# hex groups and colons only; also accepts compressed forms such as ::1
IPV6_RE='^[0-9A-Fa-f:]{2,39}$'

if [[ $1 == "add" && $2 =~ $IPV4_RE ]]; then
  echo "$2 add to reject"
  firewall-cmd --permanent --zone=$ZONE --add-rich-rule="rule family=\"ipv4\" source address=\"$2\" reject"
elif [[ $1 == "remove" && $2 =~ $IPV4_RE ]]; then
  echo "$2 remove from reject"
  firewall-cmd --permanent --zone=$ZONE --remove-rich-rule="rule family=\"ipv4\" source address=\"$2\" reject"
elif [[ $1 == "add6" && $2 =~ $IPV6_RE ]]; then
  echo "$2 add to reject"
  firewall-cmd --permanent --zone=$ZONE --add-rich-rule="rule family=\"ipv6\" source address=\"$2\" reject"
elif [[ $1 == "remove6" && $2 =~ $IPV6_RE ]]; then
  echo "$2 remove from reject"
  firewall-cmd --permanent --zone=$ZONE --remove-rich-rule="rule family=\"ipv6\" source address=\"$2\" reject"
else
  echo "Usage: fw add|remove <source IPv4>"
  echo "       fw add6|remove6 <source IPv6>"
  exit 1
fi

# permanent rules only take effect after a reload
firewall-cmd --reload
sleep 1
# a reload drops the runtime rules fail2ban added, so restart it to restore its bans
if [[ -f /run/fail2ban/fail2ban.pid ]]; then
  systemctl restart fail2ban
else
  echo "fail2ban not running"
fi
sleep 2
firewall-cmd --list-all

The script was written on Debian 10 (buster). Debian has ufw installed by default, so you have to install firewalld and disable ufw; the same applies to Ubuntu 20. On the RHEL and CentOS 7+ family and on Fedora, firewalld is the default and the script can be used as is.

Save the script lines into a file, for instance fw, make it executable, then run the script with add to block an IP address.

chmod u+x fw
./fw add 192.168.89.56

Use remove to delete the IP address from the rule set again if desired.
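To feed fw with something better than a hand-picked address, here is an added example (not part of the original post) that finds sources with repeated failed SSH logins in an auth log and hands them to fw, skipping addresses the public zone already rejects. The log lines are constructed samples; suspicious_sources, block_suspicious, FW_SCRIPT and DRY_RUN are names assumed for this example, while firewall-cmd --query-rich-rule is firewalld's own query option.

```shell
#!/bin/bash
# Added example (not from the original post): detect brute-force sources in
# sshd log lines and block them with the fw script above.

# Constructed sample of sshd lines in Debian auth.log format (documentation addresses).
SAMPLE_AUTH_LOG='Jun  1 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.45 port 51034 ssh2
Jun  1 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.45 port 51035 ssh2
Jun  1 10:00:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.45 port 51036 ssh2
Jun  1 10:00:07 host sshd[1205]: Failed password for invalid user test from 203.0.113.45 port 51037 ssh2
Jun  1 10:01:00 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jun  1 10:01:30 host sshd[1211]: Accepted password for alice from 198.51.100.7 port 40023 ssh2
Jun  1 10:02:00 host sshd[1212]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Jun  1 10:02:01 host sshd[1212]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Jun  1 10:02:02 host sshd[1212]: Failed password for bob from 192.0.2.9 port 33002 ssh2'

# Read log lines from stdin and print "count ip" for every source with at
# least $1 failed sshd logins (default 3), most active first.
suspicious_sources() {
  local threshold="${1:-3}"
  awk -v t="$threshold" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # the source address is the word after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
  ' | sort -rn
}

# For each suspicious source, call the fw script unless the public zone
# already carries a permanent reject rule for it. FW_SCRIPT and DRY_RUN are
# assumed names; set DRY_RUN=1 to only print what would happen.
FW_SCRIPT="${FW_SCRIPT:-./fw}"
block_suspicious() {
  local threshold="${1:-3}" count ip
  suspicious_sources "$threshold" | while read -r count ip; do
    if firewall-cmd --permanent --zone=public \
         --query-rich-rule="rule family=\"ipv4\" source address=\"$ip\" reject" >/dev/null 2>&1; then
      echo "already rejected: $ip ($count failures)"
      continue
    fi
    echo "blocking $ip after $count failed logins"
    [ -n "${DRY_RUN:-}" ] || "$FW_SCRIPT" add "$ip"
  done
}

# Demo on the embedded sample; for a real host use
#   block_suspicious 5 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | suspicious_sources 3
```

Running the file as is prints the two sample sources that reached three failures (203.0.113.45 with four, 192.0.2.9 with three) and leaves the single failure from 198.51.100.7 alone. The threshold is deliberately a parameter: one wrong password from a known user is noise, a burst against root and invalid users is the pattern the reject rule is for.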

How to enable Firewalld on Debian

The firewalld package is available in the official Debian 10 repositories; installation takes only the commands shown below.

sudo apt update
sudo apt -y install firewalld

Install firewalld in the terminal as root or as a user with sudo privileges.

sudo ufw disable

If ufw, the Uncomplicated Firewall front-end for netfilter, is active, it must be disabled so that firewalld becomes the standard firewall.

$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld

Start the firewall daemon and enable it at system start.

$ sudo firewall-cmd --state
running

Check that the firewall daemon is running and the service is available.

$ sudo firewall-cmd --reload

Reload the firewall rules while keeping state information.

On Debian, after running firewall-cmd --reload, the following error may appear:

Error: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT

The solution is to run update-alternatives so that Debian uses the iptables legacy backend instead of the nf_tables backend.

$ sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
$ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

After switching from nftables to the legacy iptables backend, reboot the Linux machine.

Configuring firewalld

Firewalld is a firewall-management solution that acts as a front-end for the iptables packet filter system provided by the Linux kernel. firewall-cmd is the utility used to manage the firewall configuration. The firewalld daemon manages groups of rules using entities called “zones”. Zones are like sets of rules that determine what traffic to allow based on the known trust of the networks to which the computer is connected. A zone is assigned to the network interfaces in order to determine the behavior that the firewall should allow.

An interface is assigned to the zone public with the firewall-cmd tool; first check the zone and its interfaces with the following command.

$ sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.10.10.1" reject

If no network interface appears under interfaces, it still has to be assigned to the zone. To query the interface name, use ip or ifconfig (net-tools).

$ ip link
$ ip addr
$ ifconfig

On this virtual Debian (buster) host it is link 2, ens33.

Assign the interface ens33 to the default zone public.

$ sudo firewall-cmd --zone=public --change-interface=ens33

Check which interface is assigned to the zone with get-active-zones.

$ firewall-cmd --get-active-zones
public
  interfaces: ens33
$ sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.10.10.1" reject

The interface ens33 is assigned to zone public.

Interaction between Fail2ban and firewalld

Fail2ban (failure leads to ban) is an intrusion prevention framework written in Python. It runs on any Unix-like OS with a manageable packet filter or firewall, such as iptables or firewalld on Linux.

In the script above, if fail2ban is running, it is restarted after firewalld has been reloaded, so that the addresses banned by fail2ban are restored to their previously active state.

firewall-cmd add | remove source address

Use firewall-cmd to reject requests from suspicious sources.

$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.10.1" reject'

The blocked IP address can be removed again with the following command.

$ sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="10.10.10.1" reject'

Apply the entered rule by reloading the firewall daemon.

$ sudo firewall-cmd --reload

firewall-cmd quick reference

Check the entered and enabled rules of the public zone.

$ sudo firewall-cmd --zone=public --list-all

Show the current rules of the default zone.

$ sudo firewall-cmd --list-all

Use the iptables command to list current rules.

$ sudo iptables -vxnL

Show the default zone for connections and interfaces.

$ firewall-cmd --get-default-zone

Set a zone as the default zone.

$ sudo firewall-cmd --set-default-zone=zone_name

Output currently active zones.

$ firewall-cmd --get-active-zones

List the predefined zones.

$ firewall-cmd --get-zones

Get help and man page of firewall-cmd.

$ firewall-cmd --help
$ man firewall-cmd

The related post Block IP address using Linux Firewall might also be helpful.