For you Unifi guys

mastrmind11

@MSattler, etc

 

I wrote a little bash script that pings the Unifi controller API and sends alerts of devices going up/down.  My motivation was because my domotz subscription was set to expire, and while domotz is a fantastic product, I found I wasn't really using it for anything but notifications of devices joining/leaving my network.

 

Anyway, the goal was to write something small and light weight w/ no major dependencies on things like Java, etc.  While it has a dependency on a Pushover account for notifications, you can easily modify the code to use whatever notification mechanism fits in your ecosystem.

 

When I find some time, I also plan to add notifications for when an unrecognized MAC joins/leaves the network, though I'm not sure I can do it as a shell script and maintain my sanity, so it may have a dependency on Java.  

 

Feedback welcome.

 

https://github.com/bbrunner11/unifi_notifier

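As an added illustration of the join/leave and unrecognized-MAC logic the post describes (example code written for this thread, not the unifi_notifier script itself): it parses a constructed client-list snapshot in the shape assumed for the controller's active-client listing, diffs two polls, and flags any MAC that is not on an allowlist. The HTTP call to the controller is left out; whatever fetches each snapshot hands the JSON to `parse_clients`.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample snapshots (not real controller output): a "data" list of
# client objects carrying at least "mac" and "hostname", which is the shape
# assumed here for the controller's active-client listing.
SNAPSHOT_T0 = '''{"data": [
  {"mac": "aa:bb:cc:00:00:01", "hostname": "kids-tv"},
  {"mac": "AA:BB:CC:00:00:02", "hostname": "phone-alice"}]}'''
SNAPSHOT_T1 = '''{"data": [
  {"mac": "aa:bb:cc:00:00:02", "hostname": "phone-alice"},
  {"mac": "de:ad:be:ef:00:99", "hostname": ""}]}'''

# Allowlist of MACs we recognise; anything else that shows up is flagged.
KNOWN_MACS: Set[str] = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

def parse_clients(raw: str) -> Dict[str, str]:
    """Map lower-cased MAC -> hostname from a client-list JSON document."""
    clients: Dict[str, str] = {}
    for entry in json.loads(raw).get("data", []):
        clients[entry["mac"].lower()] = entry.get("hostname") or "unknown"
    return clients

def diff_clients(prev: Dict[str, str], curr: Dict[str, str],
                 known: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (event, mac, hostname) for each change between two polls.

    event is "joined", "unknown-joined" (MAC not in the allowlist) or "left".
    """
    events: List[Tuple[str, str, str]] = []
    for mac in sorted(set(curr) - set(prev)):
        kind = "joined" if mac in known else "unknown-joined"
        events.append((kind, mac, curr[mac]))
    for mac in sorted(set(prev) - set(curr)):
        events.append(("left", mac, prev[mac]))
    return events

def format_alerts(events: List[Tuple[str, str, str]]) -> List[str]:
    """One human-readable line per event, ready to hand to a notifier."""
    return [f"{kind.upper()}: {host} ({mac})" for kind, mac, host in events]

if __name__ == "__main__":
    changes = diff_clients(parse_clients(SNAPSHOT_T0),
                           parse_clients(SNAPSHOT_T1), KNOWN_MACS)
    for line in format_alerts(changes):
        print(line)  # e.g. send each line via Pushover or another notifier
```

Persist the previous snapshot between cron runs (a small JSON file is enough), or a device that stays connected will never produce an event.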

iamspartacus

What devices of yours are going up and down enough that you need notifications?


mastrmind11

I use it primarily for tracking who's in my house and when, what time the kid's tv goes on and off to gauge how lazy the nanny is being any given day, etc.


iamspartacus

Ah I see.


Guest asrequested

I live alone, could this be used for remote connections? Although, the unifi controller monitors that. I'm only glancing at what this does. I'll have to take a closer look, tonight.


mastrmind11

I'm not 100% but I'd think so.  I'm pretty sure the controller tracks all network activity, local or otherwise.  And since it's by MAC, it wouldn't matter if it were a remote connection w/ a dynamic IP or not.  Interesting thought.  


Swynol

Nice idea. I use PRTG for something similar. Unifi supports SNMP so you can get some useful stats out of it.

 

[attached screenshot: PRTG graphs]

 

The 2 graphs on the top left are monitoring the WAN and LAN port on my USG. Top right graph is basically my USG pinging a HTTP address to make sure my net is up.

 

At one point I had a few boxes which showed how many APs are up, how many clients are connected and how many guests; however, since upgrading to controller version 5.x.x it's stopped working.

 

You can also monitor the CPU and memory on the switch, VPN clients connected etc.


Tur0k

So I do a bit of monitoring and automating regular maintenance with my home automation system and the reverse proxy on my firewall.

 

My reverse proxy is able to do HTTP monitoring. My hope is to be able to eventually send a reboot command and a Pushover message on continued down.

 

I also do a bit of monitoring uptime from my home automation server. I use ICMP to detect up/down status and send remote shutdown, and WOL magic packets to systems that do not need to be up 100% of a day (ex: HTPC clients). I have it tied to my occupancy detection systems and sleep mode in my home automation system (which is also tied to automated lighting, holiday lighting, and HVAC events).

 

I also handle regular reboots on my servers and network infrastructure from my home automation server. I have events that run shell scripts and send pushover messages to my phone. Currently, I reboot my:

home automation server - 90 days uptime

Firewall - 180 days uptime

NAS - 180 days uptime

HTPC server - 7 days uptime

Unifi controller - 90 days uptime

Unifi access point - 90 days uptime.

 

The nice part is that if I take a server down for maintenance that requires a reboot, the uptime timer starts over.

 

I need to finish setting up a reboot on my new unifi switch for 180 days.

 

I want to figure out a way to control my work VoIP phone's PoE using my home automation system, and tie it to control PoE power on the PoE switch port either using Unifi or direct shell access to the switch. I would likely tie this to my existing automated occupancy detection (off when away) and house mode (always off in sleep mode), only available for on during my normal work hours.

 

I am planning on gaining control of my comcrap modem. My hope is to get power monitoring and control on my entire network and server rack. I can then tie a script to my firewall that, upon detecting a WAN down status, runs an event on my home automation server that power cycles the modem's power outlet.

 

Another thing that would be cool is to schedule RF scans on my Ubiquiti access point during my sleep mode (when everyone is asleep) to aid the controller in optimizing my wifi channel selection. Normally, I do this manually after I receive a Pushover notification that my access point was rebooted.

 

Getting notifications on unknown MAC addresses would be pretty cool. I wonder if I can offload some of these tasks to this tool.

 


mastrmind11

I've been thinking about how to do the unidentified MAC script and I think I have a good way to accomplish it. Now just need to find the time. As far as RF Scanning, I'm fairly certain the Unifi API exposes an endpoint for that as well, so it'd just be a matter of scripting the call and scheduling it w/ cron or whatever to run during your downtime. I'll probably have time to write an RF scan script today/tomorrow. TBH, I've never run one and never knew there was a real use for the info other than for informational purposes. In any case, I'll run one in a little bit in order to capture the API call. Stay tuned.


mastrmind11

FYI the controller doesn't expose the scan API, but from what I've been reading, it doesn't adapt but instead expects human intervention to pick viable channels. "Auto" doesn't do it. Just FYI. Regarding foreign MACs, I should be done with the script by sometime tomorrow (sick kids == free time). I'm going to incorporate the algo into the above script, either directly or via an external call to another script. I'll keep you posted.


Swynol

Rather than create a new thread: Unifi have released unstable 5.7.3; it includes a feature I have been waiting for, geo blocking or country blocking.

 

Currently in BETA, but something extra to add to security.


mastrmind11

Ooh nice. Thanks for the tip.


Swynol

Just a warning if you upgrade. I had an issue with my guest portal/hotspot; after about 2 hours troubleshooting I think it's working now. Also you will need Java 8 162. It's a public beta version; I had to google it to get a download link as it's not on their main website. Otherwise everything else is all good.

 

Country blocking only allows you to add either 15 allowed or 15 blocked countries. So I just blocked the known worst ones out there.


Swynol

Some more Unifi stuff.

 

Someone has created a nice guide to run a syslog server and pull logs from the unifi firewall.

 

Takes a little work to get it running, but it's interesting to see how many connections my firewall is dropping and what ports they are coming in on. It also shows allowed connections and I can set a rule to see what IP they are coming from on each port.

 

https://community.ubnt.com/t5/UniFi-Routing-Switching/Analyzing-USG-firewall-logs-for-attack-visibility/td-p/2136050/highlight/false

 

My setup is slightly different: I don't use a Linux box; instead I use PRTG for Windows to read the logs. Now to get it working with Sumologic so it can display geo-IP info.

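To make the syslog analysis concrete, here is an added example (written for this thread, not taken from the linked guide, PRTG or Sumologic) that parses a handful of constructed log lines in the iptables-style format an EdgeOS-based gateway such as the USG is assumed to emit, with the rule-set name, rule and action letter in brackets, and tallies dropped connections by destination port and by source IP, which is what a dashboard like the one described above charts.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed sample lines (not from a real device). The bracketed prefix is the
# Vyatta/EdgeOS style assumed here: [RULESET-RULE-ACTION], action A=accept, D=drop.
SAMPLE_LOG = """\
Nov 29 03:14:01 usg kernel: [WAN_IN-default-D]IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=23 SYN
Nov 29 03:14:05 usg kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Nov 29 03:14:09 usg kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
Nov 29 03:14:12 usg kernel: [WAN_IN-2000-A]IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53
Nov 29 03:14:20 usg kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=445 SYN
Nov 29 03:14:25 usg kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(
    r"\[(?P<ruleset>[A-Z_]+)-(?P<rule>\w+)-(?P<action>[ADR])\]"
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+)"
    r"(?:.*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

def parse_line(line: str) -> Optional[dict]:
    """Pull rule-set, action, addresses, protocol and ports out of one line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines: Iterable[str]) -> Tuple[Counter, Counter, Counter]:
    """Return (drops per proto/port, drops per source IP, accepts per proto/port)."""
    drops_by_port, drops_by_src, accepts_by_port = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                    # not a firewall log line
        key = f'{rec["proto"]}/{rec["dpt"] or "-"}'     # ICMP carries no ports
        if rec["action"] == "D":
            drops_by_port[key] += 1
            drops_by_src[rec["src"]] += 1
        elif rec["action"] == "A":
            accepts_by_port[key] += 1
    return drops_by_port, drops_by_src, accepts_by_port

def noisy_sources(drops_by_src: Counter, threshold: int = 3) -> List[str]:
    """Source IPs with at least `threshold` drops, most active first."""
    return [src for src, n in drops_by_src.most_common() if n >= threshold]

if __name__ == "__main__":
    by_port, by_src, accepts = summarize(SAMPLE_LOG.splitlines())
    print("drops by port:", dict(by_port), "accepts by port:", dict(accepts))
    print("sources worth a closer look:", noisy_sources(by_src))
```

Feed it the syslog file the linked guide has the USG write, and the per-port and per-source counters are the same numbers the PRTG or Sumologic dashboard would chart.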

mastrmind11

Pretty cool stuff.  I graph my fail2ban log.  It's crazy the number of bots trying to break in on any given day.


Swynol

With fail2ban, does it log it at your web server level or at router level?

 

Here is my dashboard. The results show a period of 24 hours, but it's more like 18 hours as it hasn't been running 24 yet.

 

[attached screenshot: firewall log dashboard]


mastrmind11

Yeah saw your post over at the unifi forum.  Very nice.

 

It logs at the server level, and only for the predefined ports I set up in fail2ban, which is good enough for me.  It's interesting info, but I'm not concerned enough or interested enough to get it logging from the router (though it is possible I've read).


Swynol

Ye, the above is what my router is blocking. Although, looking at some of the IPs, they are mostly DNS servers; guessing they are resolving my domain name to my WAN IP.


mastrmind11

Do you happen to have a client VPN set up in your controller? Not the remote VPN, the one that one can use to connect to an external VPN service? Trying to decide if I'm going to do it but would like some insight from someone that has actually done it.


Swynol

No, I haven't bothered with a VPN client. I have been tempted; there were some good prices around on 'Black' Friday.

 

As long as the client supports PPTP it should work. There's a few posts on the Unifi forum about it; some say speed decreases somewhat.


Guest asrequested

I've tried to get the client VPN to work on mine. I use Torguard. I haven't been successful. I just updated to 5.6.22 and haven't tried with that, yet.


mastrmind11

Alright, lemme know how it works out and any findings. Appreciate it.


Guest asrequested

@mastrmind11

 

Trying it today with 5.6.22... SUCCESS! It works and is easy to set up. Unfortunately, I'm having greatly diminished bandwidth. But I think that is for other reasons (which I'm presently exploring).


Guest asrequested

Torguard are trying to tell me that my gateway doesn't have enough juice for the encryption, and that's why my bandwidth is choking. I've tried to show them that I only get half my bandwidth even when I used their client on my PC.

 

But this might mean that I may have to build my own gateway, primarily to run the VPN client. I do have a spare Intel CPU, motherboard and Windows 8 lying around. I could add another layer of security. What a terrible thing that I have to build and play with more tech :rolleyes: :D

