UniFi

Total Time Required

20 minutes

Difficulty

Easy

Required Knowledge

Crowdsec, UniFi

Prerequisites

Crowdsec account
You have subscribed to atleast 1 block list
Your UniFi Firewall is on the supported list (may work with unsupported)
Your Crowdsec enrollment key

This stack monitors...

Syslog data from UniFi controller
Crowdsec blocklists
Crowdsec whitelists

... And changes

UniFi firewall

UniFi changes

Service account

You will need to generate a service account for the UniFi bouncer to log into and use

Navigate to https://unifi/network/default/admins/
Untick "Admin Permissions"
Create a new user and fill out the below
First name
Crowdsec
Last name
Bouncer
Admin
True
Restrict to local access
True
Username
<randomly generated>
Password
<randomly generated>
Use a predifined role
False
Unifi
Full managemen
OTHER ROLES
None
Save your username and password to your text editor
Click on Create

We are randomly generating the username and password as this account has full write access (although only LAN) to your UniFi controller - you do not want to use simple credentials for this level of access

Forward Logs

Navigate to https://unifi/network/default/settings/cybersecure/traffic-logging
Set Syslog to SIEM server or external
Set the server address to the IP of the machine that will run this stack
Click on Apply Changes

Enable Firewall zones

Navigate to https://unifi/network/default/settings/zones
Enable Firewall zones

this will import your existing firewall rules and port forwards to the new Firewall zones, but please test and ensure your critical infrastructure is still working

Deploy Compose stack

Fill out the below env file and deploy your stack

# --- CrowdSec Configuration ---
CROWDSEC_ENROLL_KEY=

# --- Syslog Configuration ---
# The port your UniFi equipment will send logs to
SYSLOG_PORT=514
TZ=UTC

# --- UniFi Controller Configuration ---
# The IP or Hostname of your UniFi Controller (UDM/Gateway)
UNIFI_HOST=https://unifi
SKIP_TLS_VERIFY=true
UNIFI_USER=
UNIFI_PASS=

https://github.com/trentnbauer/HomelabPublic/blob/main/docker-compose/crowdsec-unifi.yml

services:
  syslog:
    image: linuxserver/syslog-ng:4.10.2
    labels:
      - AH.CS.UniFi=true
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
    restart: unless-stopped
    ports:
      - ${SYSLOG_PORT:-514}:5514/udp
      - ${SYSLOG_PORT:-514}:6601/tcp 
    volumes:
      - syslog:/config
      - logs:/var/log
    networks:
      crowdsec:
        aliases:
          - syslog
          
  engine:
    image: crowdsecurity/crowdsec:v1.7.6@sha256:63b595fef92de1778573b375897a45dd226637ee9a3d3db9f57ac7355c369493
    restart: unless-stopped
    labels:
      - AH.CS.UniFi=true
    depends_on:
      init:
        condition: service_completed_successfully
      syslog:
        condition: service_started
    healthcheck:  
      test: ["CMD", "cscli", "version"]
    environment:
      - COLLECTIONS=crowdsecurity/unifi crowdsecurity/whitelist-good-actors
      - BOUNCER_KEY_unifi=${BOUNCER_KEY:-MandatoryUnsolvedSnippetMonetizeDrizzle8}
      - ENROLL_INSTANCE_NAME=UniFi
      - DISABLE_LOCAL_API=false
      - DISABLE_ONLINE_API=false
      - ENROLL_KEY=${CROWDSEC_ENROLL_KEY}
    healthcheck:  
      test: ["CMD", "cscli", "version"]
      interval: 30s
      timeout: 10s
      retries: 5
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
    volumes:
      - crowdsec:/etc/crowdsec
      - logs:/var/log/syslog:ro
      - db:/var/lib/crowdsec/data
    networks:
      crowdsec:
        aliases:
          - crowdsec
          
  bouncer:
    image: ghcr.io/teifun2/cs-unifi-bouncer:v1.2.2@sha256:16590b6fc7cb784fc2fc2fbd7fa3a2782f12823e2787dfb55f63fc8521bc4853
    restart: unless-stopped
    labels:
      - AH.CS.UniFi=true
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
    environment:
      - CROWDSEC_URL=http://crowdsec:8080/
      - CROWDSEC_BOUNCER_API_KEY=${BOUNCER_KEY:-MandatoryUnsolvedSnippetMonetizeDrizzle8}
      - UNIFI_HOST=${UNIFI_HOST:-https://unifi}
      - UNIFI_USER=${UNIFI_USER}
      - UNIFI_PASS=${UNIFI_PASS}
      - UNIFI_SKIP_TLS_VERIFY=${SKIP_TLS_VERIFY:-true}
    depends_on:
      engine:
        condition: service_healthy
    networks:
      crowdsec:
        aliases:
          - bouncer
          
  init:
    image: alpine:3.23.3
    volumes:
      - crowdsec:/etc/crowdsec
      - logs:/var/log/syslog
    command: >
      sh -c "apk add --no-cache wget ca-certificates &&
             mkdir -p /etc/crowdsec/acquisitions.d &&
             mkdir -p /var/log/syslog &&
             touch /var/log/syslog/messages &&
             chmod -R 777 /var/log/syslog &&
             wget -qO /etc/crowdsec/acquis.yaml https://raw.githubusercontent.com/trentnbauer/HomelabPublic/main/crowdsec/unifi.yaml"

  autoheal:
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 5
        window: 120s
    environment:
      AUTOHEAL_CONTAINER_LABEL: AH.CS.UniFi
      AUTOHEAL_INTERVAL: 60
      AUTOHEAL_START_PERIOD: 240
      AUTOHEAL_DEFAULT_STOP_TIMEOUT: 60
      WEBHOOK_URL: ${AUTOHEAL_WEBHOOK:-}
    image: willfarrell/autoheal@sha256:fce548c91cca681686ac8faace4d0fb035b09afc30b2a8cb3eac416f56fe23d9
    restart: always
    network_mode: none
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock

networks:
  crowdsec:

volumes:
  crowdsec:
  logs:
  syslog:
  db:

Confirm the bouncer has logged into the account

Navigate to https://unifi/network/default/admins/
Review the list and find Crowdsec Bouncer - the last activity should state "now"

If not, review the bouncer and engine container logs

Host Firewall

Allow your syslog port through the firewall (by default 514)

Enroll the engine

Navigate to https://app.crowdsec.net/security-engines
Locate the UniFi in the enrollment list
Enrol the engine
Wait 5 minutes

Check UniFi firewall rules exit

Navigate to https://unifi/network/default/settings/zones
You will have a stack of "cs-unifi-bouncer" rules

PreviousCrowdsec NextUbuntu

Last updated 9 days ago

hashtagPrerequisites

hashtagThis stack monitors...

hashtag... And changes

hashtagUniFi changes

hashtagService account

hashtagForward Logs

hashtagEnable Firewall zones

hashtagDeploy Compose stack

hashtagConfirm the bouncer has logged into the account

hashtagHost Firewall

hashtagEnroll the engine

hashtagCheck UniFi firewall rules exit

Prerequisites

This stack monitors...

... And changes

UniFi changes

Service account

Forward Logs

Enable Firewall zones

Deploy Compose stack

Confirm the bouncer has logged into the account

Host Firewall

Enroll the engine

Check UniFi firewall rules exit