I will give an example of resetting the settings of Ubiquiti (UBNT) devices via SSH.
For the test, I will update the firmware of a PowerBeam 5AC 500 (version 7.1.4) and a PowerBeam 5AC 620 (version 7.0.3).
Somehow our Ubiquiti (UBNT) antennas kept getting struck by thunderstorms, after which they had to be repaired, replaced and, naturally, configured again. Therefore, I decided to make an automatic copy of the configuration.
It was necessary to somehow set a licensed frequency on the airMAX PowerBeam M5 with firmware 5.6.2, but alas, it is not in the list! The country selected is Ukraine; after updating to the newest firmware 5.6.3 the frequencies still did not appear and cannot be selected, although the state sells them!
Once I updated a Nano Station M2 from firmware 5.5.6 to 5.6.5.
Version 5.6.5 could not be installed directly, as there was not enough memory on the device to download it, so I first had to upgrade to 5.6.2 and then to 5.6.5.
For the test, I will flash a Rocket M5 running XM firmware 5.6.5 to version 6.1.8.
I will describe the update procedure:
For the test, I'll take an airMAX Rocket M5 sector antenna in bridge mode and an airMAX NanoBeam M5 client antenna in router mode.
First, restrict access to the client.
Suppose it is connected to the sector antenna and has the IP address 192.168.110.40, which faces the Internet (obtained via DHCP).
The administrator who should have remote access has the IP 10.10.10.5; everyone else must be blocked.
So, go to the airMAX NanoBeam M5 web interface, open the “NETWORK” tab and, next to “Configuration Mode:”, select “Advanced”; more settings will then appear.
At the bottom, under “Firewall”, tick “Enable”.
Just below, add a rule specifying:
IP Type: TCP
Source: 10.10.10.5 (the IP from which connections are allowed; be sure to also tick the box in front of it, under the exclamation mark)
Port: leave empty
Destination: 192.168.110.40 (the antenna's outward-facing IP)
Port: 22 (the SSH port; other rules are created in the same way to restrict access to HTTP – TCP 80, HTTPS – TCP 443, Telnet – TCP 23, SNMP – UDP 161, Discovery – UDP 10001)
As you can see, this rule blocks all TCP connections to port 22 on the WLAN0 interface at IP 192.168.110.40, and the check mark set on ! before Source: 10.10.10.5 means that everything except this IP is blocked.
Click “Add”, then “Change” at the bottom, and then “Apply” at the top to apply the changes; the antenna will then restart.
To restrict access to the sector antenna configured as a bridge, add the same rules, only for Interface: specify ANY (ALL).
After adding the rules and connecting to the device via SSH, you can see the following in the configuration:
ebtables.status=enabled
ebtables.1.status=enabled
ebtables.1.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 22 -j DROP
ebtables.1.comment=
ebtables.2.status=enabled
ebtables.2.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 80 -j DROP
ebtables.2.comment=
ebtables.3.status=enabled
ebtables.3.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 443 -j DROP
ebtables.3.comment=
ebtables.4.status=enabled
ebtables.4.cmd=-A FIREWALL -p 0x0800 --ip-protocol 17 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 161 -j DROP
ebtables.4.comment=
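As an added example (not from the original article), the following Python check parses the ebtables.N.* lines of a dump like the one above and reports which of the management ports listed earlier still lack a rule restricting them to the admin IP, and which rules would lock the admin out because the ! negation was omitted. It assumes the key=value dump format shown and uses the article's addresses 10.10.10.5 and 192.168.110.40.

```python
"""Audit ebtables.N.* entries from an airOS config dump: each management port must be
DROPped for every source except the admin IP (the negated '--ip-src ! <admin>/32')."""
import re
import shlex
# Services and ports named in the article (ebtables protocol 6 = TCP, 17 = UDP).
MGMT_PORTS = {(6, 22): "SSH", (6, 80): "HTTP", (6, 443): "HTTPS",
              (6, 23): "Telnet", (17, 161): "SNMP", (17, 10001): "Discovery"}
# The ebtables.* lines the article shows after the rules were applied.
CONFIG_DUMP = """\
ebtables.status=enabled
ebtables.1.status=enabled
ebtables.1.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 22 -j DROP
ebtables.2.status=enabled
ebtables.2.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 80 -j DROP
ebtables.3.status=enabled
ebtables.3.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 443 -j DROP
ebtables.4.status=enabled
ebtables.4.cmd=-A FIREWALL -p 0x0800 --ip-protocol 17 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 161 -j DROP
"""

def parse_rules(config):
    """Return enabled rules as {option: (value, negated)}; ebtables writes '!' after the option."""
    kv = dict(line.split("=", 1) for line in config.splitlines() if "=" in line)
    rules = []
    for key, cmd in kv.items():
        m = re.fullmatch(r"ebtables\.(\d+)\.cmd", key)
        if m and kv.get(f"ebtables.{m[1]}.status") == "enabled":
            tok, rule = shlex.split(cmd), {}
            for opt in ("-j", "--ip-protocol", "--ip-dport", "--ip-src", "--ip-dst"):
                if opt in tok:
                    i = tok.index(opt) + 1
                    rule[opt] = (tok[i + 1], True) if tok[i] == "!" else (tok[i], False)
            rules.append(rule)
    return rules

def audit(config, admin_ip):
    """Return (still_open, locks_out_admin): services with no correct DROP rule, and
    services whose DROP rule hits the admin itself because the '!' was omitted."""
    still_open, locks_out_admin = dict(MGMT_PORTS), []
    for r in parse_rules(config):
        if r.get("-j") != ("DROP", False) or "--ip-protocol" not in r or "--ip-dport" not in r:
            continue
        key = (int(r["--ip-protocol"][0]), int(r["--ip-dport"][0]))
        src, negated = r.get("--ip-src", (None, False))
        if key in MGMT_PORTS and src and src.split("/")[0] == admin_ip:
            if negated:
                still_open.pop(key, None)
            else:
                locks_out_admin.append(MGMT_PORTS[key])
    return sorted(still_open.values()), sorted(locks_out_admin)
```

For the dump shown in the article, audit(CONFIG_DUMP, "10.10.10.5") reports Telnet and Discovery as still open, since the dump contains no rules for TCP 23 and UDP 10001.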
See also my article:
Ubiquiti SSH control
UNMS (Ubiquiti Network Management System) is a management system for EdgeMAX®, EdgeSwitch®, airMAX® and UFiber devices, which includes software updates, configuration backup, real-time performance graphs, notifications, device location maps, etc.
As an example, I will install UNMS on Ubuntu Server 18.04 64-bit.
First, install the necessary components:
sudo apt-get update
sudo apt-get install curl sudo bash netcat
Download the installation script from the official site to a temporary directory:
curl -fsSL https://unms.com/install > /tmp/unms_inst.sh
Run the downloaded script:
sudo bash /tmp/unms_inst.sh
If you need to change the web ports during installation:
sudo bash /tmp/unms_inst.sh --http-port 8080 --https-port 8443
By default, UNMS uses Let’s Encrypt to create SSL certificates for your domain and saves them in /home/unms/data/cert/live.
If you want to use your own SSL certificates, specify them during installation, for example as follows (UNMS must have read rights to ssl-cert-dir):
sudo bash /tmp/unms_inst.sh --http-port 8080 --https-port 8443 --ssl-cert-dir /etc/certificates --ssl-cert fullchain.pem --ssl-cert-key privkey.pem
It has happened that during a firmware update of RocketM, NanoBeam, NanoStation and other Ubiquiti devices the power was lost, or some other problem occurred, after which the device could not be reached via the web interface and did not work.
I will describe step by step how the firmware can be restored:
1) Download the firmware you need to flash onto the device from the official site https://www.ubnt.com/download/.
2) Start a TFTP server. I described how to start one in these articles:
Starting a TFTP server in Windows
Installing and Configuring a TFTP Server in Ubuntu.
3) The computer must be assigned exactly the IP address 192.168.1.254 with the subnet mask 255.255.255.0.
4) Power off the device whose firmware needs to be restored. With the device off, press and hold the RESET button, turn on the power while holding it, keep holding RESET for 8-10 seconds, and then release it. This activates recovery mode, and the LED indicators will flash alternately. The device's IP address 192.168.1.20 should start responding to ping; if it does not, recovery will unfortunately not be possible. To check the ping, run the following command on the command line:
5) Now we send the previously downloaded firmware file from the TFTP client directory to the device. From Windows, this can be done with the command:
tftp -i 192.168.1.20 put XM-v5.5.4.build16501.bin
From Linux, this is done with the following commands (you may have to put the firmware file in the user’s home directory):
tftp
connect 192.168.1.20
bin
trace
put XM-v5.5.4.build16501.bin
exit
When the firmware file has been sent to the device, wait for the firmware update process to complete and for the device to reboot automatically.
Once I noticed a virus/exploit spreading across the network among Ubiquiti devices. Using a vulnerability in older firmware versions, the exploit copied itself to other devices and attacked further devices from them.