Unifi cloud server security sanity check

Hi guys. Just want to sanity check what I am doing with Unifi controller for security and backups. I have the controller installed on a Vultr cloud managing 3 sites with switches and APs. I followed Chris’s guide here which was fantastic. Been operating for a little over a year now flaw-free.

  • CloudFlare DNS A-Record points to the cloud server IP
  • UFW firewall enabled and only the specified ports are open.
  • Root user disabled, my SSH user has a strong password and SSH keys
  • Ubuntu update/upgrade done regularly
  • Vultr control panel secured with MFA & strong PW
  • Vultr automatic backup weekly
  • Unifi controller on latest release
  • Unifi devices all regularly updated
  • Unifi controller auto-backup is on weekly
  • Unifi controller settings backup taken before/after changes

Anything I’m missing here? I would prefer to route my sites to the Vultr cloud with Wireguard. This would be fine for two sites with a pfSense firewall, but the third just has a consumer Acer router.
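As an added example (not from the thread, and not Ubiquiti's code), a small POSIX shell audit that checks a few of the items in the list: the UFW allow-list, the sshd PermitRootLogin setting, whether the root account is locked, and whether a UniFi autobackup landed recently. The file paths, the port allow-list (22/tcp for SSH plus the UniFi defaults 8443/tcp, 8080/tcp and 3478/udp) and the script name audit.sh are assumptions; adjust them to the host.

```shell
# Added example, not from the thread: audit helpers for the checklist above.
# Each check takes text (command output or file contents) as its argument, so
# it runs against a live host or against captured output. Assumed defaults:
# sshd config at /etc/ssh/sshd_config, UniFi autobackups (*.unf) under
# /var/lib/unifi/backup/autobackup, and the port allow-list in the --live block.

# ufw_only_allows "<ufw status output>" "<space-separated ports>"
# succeeds when ufw is active and every ALLOW rule targets a listed port.
ufw_only_allows() {
    allowed=" $2 "
    printf '%s\n' "$1" | grep -q '^Status: active' || return 1
    printf '%s\n' "$1" | awk '/[[:space:]]ALLOW[[:space:]]/ { print $1 }' | {
        while read -r port; do
            case "$allowed" in
                *" $port "*) ;;
                *) echo "unexpected allow rule: $port" >&2; exit 1 ;;
            esac
        done
    }
}

# sshd_root_disabled "<sshd_config contents>": first effective PermitRootLogin is "no"
sshd_root_disabled() {
    v=$(printf '%s\n' "$1" | awk '$1 == "PermitRootLogin" { print $2; exit }')
    [ "$v" = "no" ]
}

# root_account_locked "<passwd -S root output>": status field is L (locked)
root_account_locked() {
    [ "$(printf '%s\n' "$1" | awk '{ print $2 }')" = "L" ]
}

# backup_recent <dir> <days>: at least one *.unf modified within <days> days
backup_recent() {
    [ -d "$1" ] && find "$1" -name '*.unf' -mtime "-$2" | grep -q .
}

# Live run (needs root for ufw/passwd): sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    ufw_only_allows "$(ufw status)" "22/tcp 8443/tcp 8080/tcp 3478/udp" && echo "ufw: ok"
    sshd_root_disabled "$(cat /etc/ssh/sshd_config)" && echo "sshd PermitRootLogin: no"
    root_account_locked "$(passwd -S root)" && echo "root account: locked"
    backup_recent /var/lib/unifi/backup/autobackup 7 && echo "UniFi autobackup: fresh"
fi
```

Any check that fails prints nothing for that item (the ufw check also names the offending rule on stderr), so a silent --live run is the cue to look closer.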

Seems fine to me. If you didn’t want it publicly accessible you could put it behind a VPN. My controller hosts dozens of sites, I leave it publicly accessible.

Note that going forward with their UDM lineup that you’ll have to use Ubiquiti’s cloud controller. You can’t pull UDMs into legacy controllers. This is very lame and annoying. While I like the Unifi switches and APs I don’t care much for their firewalls anyways so I may drop Unifi for firewall duty and use something else.