Thread: Ubuntu Seedbox with rtorrent/rutorrent and security

Introduction:

This guide will walk you through a full install of a secure seedbox environment, running rtorrent with the rutorrent web front end and the pureftpd FTP server.
The guide also includes optional steps to configure for multiple users, each with their own web login and running instance of rtorrent.

Pre-requisites: An Ubuntu 9.10 or later server (should also work on some earlier versions, and on other Debian based distros, but this is untested) with root SSH access.


Basics:


Initial Login:

Login to your server as root via SSH

ssh root@<server IP>

(You can also use an SSH client if you prefer, eg PuTTY on Windows)
Type the password as requested


Create a new user that we’ll install everything with

For security purposes, we’re going to add a new user and disable SSH access for the root user.

adduser <username>

Replace <username> with a username of your choosing.
Fill in all the details when prompted (e.g. password)

Add your new user to the sudoers file. This allows this user to use elevated privileges when needed to do things that normally only the root user could do.

visudo

In recent versions of Ubuntu this opens the sudoers file for editing in a lightweight editor called nano.

Scroll down and find this line:

root ALL=(ALL) ALL

On the next line add:

<username> ALL=(ALL) ALL

Replace <username> with the username we created earlier.
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.


Lock down SSH

Now we will change some SSH settings.
We're going to use a different port, and prevent root access via SSH

nano /etc/ssh/sshd_config

Change the following lines as below.
Use a high port of your choosing. I recommend a port over 20000.

Port 21976
Protocol 2
PermitRootLogin no
X11Forwarding no

Then add these lines at the end of the file:

UseDNS no
AllowUsers <username>

(As usual, replace <username> with the name of the user you created)
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Now restart the SSH daemon

/etc/init.d/ssh reload

Log out of SSH and log back in as the new user you created earlier.

exit
ssh -p 21976 <username>@<server IP>

(Note the -p argument which specifies the new SSH port that you configured in the last step)
Type the password as requested


Update Packages

Ok, now we're going to make sure our Ubuntu installation is up to date.

sudo apt-get update

This will update the package database with all the latest packages available. Using the sudo command will temporarily elevate your privileges to be able to execute these commands that normally only a super user could execute.

sudo apt-get upgrade

This will upgrade any packages that are out of date on your install.


Install Necessary Basic Packages

Ok, now lets install some important packages that we're going to need throughout this guide:

sudo apt-get install apache2 apache2.2-common apache2-utils autoconf automake autotools-dev binutils build-essential bzip2 ca-certificates comerr-dev cpp cpp-4.1 dpkg-dev file g++ g++-4.1 gawk gcc gcc-4.1 libapache2-mod-php5 libapache2-mod-scgi libapr1 libaprutil1 libc6-dev libcppunit-dev libcurl3 libcurl4-openssl-dev libexpat1 libidn11 libidn11-dev libkdb5-4 libgssrpc4 libkrb5-dev libmagic1 libncurses5 libncurses5-dev libneon26 libpcre3 libpq5 libsigc++-2.0-dev libsqlite0 libsqlite3-0 libssl-dev libssp0-dev libstdc++6-4.1-dev libsvn1 libtool libxml2 linux-libc-dev lynx m4 make mime-support ntp ntpdate openssl patch perl perl-modules php5 php5-cgi php5-cli php5-common php5-curl php5-dev php5-geoip php5-sqlite php5-xmlrpc pkg-config python-scgi screen sqlite ssl-cert subversion ucf unrar zlib1g-dev pkg-config unzip htop screen irssi libwww-perl curl

Configure Apache:


Basic Configuration

We need to configure the Apache web server with some modules that we’ll need:

sudo a2enmod ssl
sudo a2enmod auth_digest
sudo a2enmod scgi

We want to edit our apache conf file for scgi support which is used to communicate with the rutorrent web front end.

sudo nano /etc/apache2/apache2.conf

Add these two lines at the end:

SCGIMount /RPC2 127.0.0.1:5000
servername localhost

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Reboot the server.

sudo reboot

After a few minutes, log back in via SSH:

ssh -p 21976 <username>@<server IP>

Lets just check apache is up and running:
Open a browser and go to:

http://<servername or IP>

You should see this message:

It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.

Configure Apache for HTTPS and Password Protection:

We are going to create an SSL certificate so that we can access the server via https.

openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

chmod 600 /etc/apache2/apache.pem

This will create a self-signed certificate for your server that lasts for 1 year. You'll be prompted for a lot of of information. Whenever you're asked for a name, use your domain name if you have one. The rest you can leave blank or fill in with whatever you like.

Now lets add password protection

sudo htdigest -c /etc/apache2/passwords gods <webusername>

Where <webusername> is the username you'll use to connect to the rutorrent web UI.
It can be the same as the system username you’ve created previously if you like.
After running this command, you'll be prompted for a password. This will be the password you enter to log into the rutorrent web UI.

sudo nano /etc/apache2/sites-available/default

Now copy the following and paste to replace the contents of the file we're editing.
Then replace all instances of <servername or IP> with your real servername or IP

<VirtualHost *:80>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

<Location /rutorrent>
AuthType Digest
AuthName "gods"
AuthDigestDomain /var/www/rutorrent/ http://<servername or IP>/rutorrent

AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www/rutorrent"
</Location>

</VirtualHost>

<VirtualHost *:443>
ServerAdmin webmaster@localhost

SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<Location /rutorrent>
AuthType Digest
AuthName "gods"
AuthDigestDomain /var/www/rutorrent/ http://<servername or IP>/rutorrent

AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www/rutorrent"
</Location>
</VirtualHost>

Now lets configure apache for HTTPS.

sudo a2ensite default-ssl

And now lets reload Apache.

sudo /etc/init.d/apache2 reload

Check that everything is working by opening a browser and going to:

https://<servername or IP>

You should see this message:

It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.

Webmin:


I like to use Webmin for web based administration of my servers. It offers a very convenient way to remotely administer your server from anywhere with a net connection and a web browser.

First lets add the webmin repository to our sources.list file so that we can use apt to install is easily

sudo nano /etc/apt/sources.list

Add this line to the end of the file:

deb Index of /download/repository sarge contrib

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.

Lets now fetch and install the PGP key for this new repository so we're not warned about it

wget http://www.webmin.com/jcameron-key.asc

sudo apt-key add jcameron-key.asc

Now we can install webmin

sudo apt-get update
sudo apt-get install webmin

Test webmin is working by opening a browser and going to:

https://<servername or IP>:10000

Login with the system user you created earlier

We will return to use Webmin later for an easy way to configure the Linux IPTables firewall

rtorrent:

Ok, now lets install rtorrent

Building rtorrent from source

You can install rtorrent using apt, but the package there isn’t compiled with xmlrpc-c, which we need to use with rutorrent.
So we're going to compile our own version of rtorrent using xmlrpc-c

Enter these commands one line at a time, and not the whole block at once.

cd ~/
mkdir source
cd source
svn co https://xmlrpc-c.svn.sourceforge.net...pc-c/advanced/ xmlrpc-c
wget http://libtorrent.rakshasa.no/downlo...-0.12.6.tar.gz
wget http://libtorrent.rakshasa.no/downlo...t-0.8.6.tar.gz
tar -xvzf libtorrent-0.12.6.tar.gz
tar -xvzf rtorrent-0.8.6.tar.gz
rm *.tar.gz

Now we’ll configure and make xmlrpc-c
Enter these commands one line at a time, and not the whole block at once.

cd xmlrpc-c
./configure --disable-cplusplus
make
sudo make install

Now time to do the same for libtorrent and rtorrent
Enter these commands one line at a time, and not the whole block at once.

cd ../libtorrent-0.12.6
./autogen.sh
./configure
make
sudo make install

cd ../rtorrent-0.8.6
./autogen.sh
./configure --with-xmlrpc-c
make
sudo make install

sudo ldconfig

Configuring rtorrent:

Ok, now we've got rtorrent installed, but we have to configure it.

rtorrent needs a config file to initialize it. Heres mine...you'll need to edit it for your own environment, and make sure that the paths all exist and are writable by the user you will run rtorrent with.

# This is an example resource file for rTorrent. Copy to
# ~/.rtorrent.rc and enable/modify the options as needed. Remember to
# uncomment the options you wish to enable.
#
# Based on original .rtorrent.rc file from The libTorrent and rTorrent Project
# Modified by Lemonberry for rtGui rtgui - Project Hosting on Google Code
#
# This assumes the following directory structure:
#
# /Torrents/Downloading - temporaray location for torrents while downloading (see "directory")
# /Torrents/Complete - Torrents are moved here when complete (see "on_finished")
# /Torrents/TorrentFiles/Auto - The 'autoload' directory for rtorrent to use. Place a file
# in here, and rtorrent loads it #automatically. (see "schedule = watch_directory")
# /Torrents/Downloading/rtorrent.session - for storing rtorrent session information
#

# Maximum and minimum number of peers to connect to per torrent.
#min_peers = 40
max_peers = 100

# Same as above but for seeding completed torrents (-1 = same as downloading)
min_peers_seed = -1
max_peers_seed = -1

# Maximum number of simultanious uploads per torrent.
max_uploads = 50

# Global upload and download rate in KiB. "0" for unlimited.
download_rate = 0
upload_rate = 0

# Default directory to save the downloaded torrents.
directory = /home/downloads/<username>

# Default session directory. Make sure you don't run multiple instance
# of rtorrent using the same session directory. Perhaps using a
# relative path?
session = /home/downloads/<username>/.session

# Watch a directory for new torrents, and stop those that have been
# deleted.
schedule = watch_directory,5,5,load_start=/home/downloads/<username>/watch/*.torrent
schedule = untied_directory,5,5,stop_untied=

# Close torrents when diskspace is low. */
schedule = low_diskspace,5,60,close_low_diskspace=100M

# Stop torrents when reaching upload ratio in percent,
# when also reaching total upload in bytes, or when
# reaching final upload ratio in percent.
# example: stop at ratio 2.0 with at least 200 MB uploaded, or else ratio 20.0
#schedule = ratio,60,60,stop_on_ratio=200,200M,2000


# When the torrent finishes, it executes "mv -n <base_path> ~/Download/"
# and then sets the destination directory to "~/Download/". (0.7.7+)
# on_finished = move_complete,"execute=mv,-u,$d.get_base_path=,/home/downloads/<username>/complete/ ;d.set_directory=/home/downloads/<username>/complete/"

# The ip address reported to the tracker.
#ip = 127.0.0.1
#ip = rakshasa.no

# The ip address the listening socket and outgoing connections is
# bound to.
#bind = 127.0.0.1
#bind = rakshasa.no

# Port range to use for listening.
port_range = 55995-56000

# Start opening ports at a random position within the port range.
#port_random = yes

scgi_port = 127.0.0.1:5000

# Check hash for finished torrents. Might be usefull until the bug is
# fixed that causes lack of diskspace not to be properly reported.
#check_hash = no

# Set whetever the client should try to connect to UDP trackers.
#use_udp_trackers = no

# Alternative calls to bind and ip that should handle dynamic ip's.
#schedule = ip_tick,0,1800,ip=rakshasa
#schedule = bind_tick,0,1800,bind=rakshasa

# Encryption options, set to none (default) or any combination of the following:
# allow_incoming, try_outgoing, require, require_RC4, enable_retry, prefer_plaintext
#
# The example value allows incoming encrypted connections, starts unencrypted
# outgoing connections but retries with encryption if they fail, preferring
# plaintext to RC4 encryption after the encrypted handshake
#
encryption = allow_incoming,enable_retry,prefer_plaintext

# Enable DHT support for trackerless torrents or when all trackers are down.
# May be set to "disable" (completely disable DHT), "off" (do not start DHT),
# "auto" (start and stop DHT as needed), or "on" (start DHT immediately).
# The default is "off". For DHT to work, a session directory must be defined.
#
dht = disable

# UDP port to use for DHT.
#
# dht_port = 6881

# Enable peer exchange (for torrents not marked private)
#
peer_exchange = no

#
# Do not modify the following parameters unless you know what you're doing.
#

# Hash read-ahead controls how many MB to request the kernel to read
# ahead. If the value is too low the disk may not be fully utilized,
# while if too high the kernel might not be able to keep the read
# pages in memory thus end up trashing.
#hash_read_ahead = 10

# Interval between attempts to check the hash, in milliseconds.
#hash_interval = 100

# Number of attempts to check the hash while using the mincore status,
# before forcing. Overworked systems might need lower values to get a
# decent hash checking rate.
#hash_max_tries = 10

# Max number of files to keep open simultaniously.
#max_open_files = 128

# Number of sockets to simultaneously keep open.
#max_open_sockets = <no default>


# Example of scheduling commands: Switch between two ip's every 5
# seconds.
#schedule = "ip_tick1,5,10,ip=torretta"
#schedule = "ip_tick2,10,10,ip=lampedusa"

# Remove a scheduled event.
#schedule_remove = "ip_tick1"

The file should be saved in the home directory of the user you will run rtorrent with. I use the same system user we created earlier

sudo nano ~/.rtorrent.rc

Paste your config into that file
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Ensure that the correct directories exist as you specified in the .rtorrent.rc file

sudo mkdir /home/downloads
sudo mkdir /home/downloads/<username>
sudo mkdir /home/downloads/<username>/watch
sudo mkdir /home/downloads/<username>/.session
sudo chown -R <username>:<username> /home

Now check your config file is ok by trying to start rtorrent

rtorrent

If rtorrent starts, you're good. Use CTRL-Q to quit it.
If rtorrent doesnt start and you get an error, then note the error and fix your config file as necessary.

rtorrent Startup Script:

Since we dont want to have to start rtorrent manually every time the server boots, we're going to start it automatically, and we'll run it in a screen session.
Now we'll create the startup script
Edit this example as necessary to change the username that you want rtorrent to run as.

sudo nano /etc/init.d/rtorrent

Paste your edited config into that file.
Replace anything that says <username> with the username you created before.

#!/bin/sh
#############
###<Notes>###
#############
# This script depends on screen.
# For the stop function to work, you must set an
# explicit session directory using ABSOLUTE paths (no, ~ is not absolute) in your rtorrent.rc.
# If you typically just start rtorrent with just "rtorrent" on the
# command line, all you need to change is the "user" option.
# Attach to the screen session as your user with
# "screen -dr rtorrent". Change "rtorrent" with srnname option.
# Licensed under the GPLv2 by lo***ihilist: lo***ihilist _at_ gmail _dot_ com
##############
###</Notes>###
##############

#######################
##Start Configuration##
#######################
# You can specify your configuration in a different file
# (so that it is saved with upgrades, saved in your home directory,
# or whateve reason you want to)
# by commenting out/deleting the configuration lines and placing them
# in a text file (say /home/user/.rtorrent.init.conf) exactly as you would
# have written them here (you can leave the comments if you desire
# and then uncommenting the following line correcting the path/filename
# for the one you used. note the space after the ".".
# . /etc/rtorrent.init.conf

#Do not put a space on either side of the equal signs e.g.
# user = user
# will not work
# system user to run as
user="<username>"

# the system group to run as, not implemented, see d_start for beginning implementation
# group=`id -ng "$user"`

# the full path to the filename where you store your rtorrent configuration
config="`su -c 'echo $HOME' $user`/.rtorrent.rc"

# set of options to run with
options=""

# default directory for screen, needs to be an absolute path
base="`su -c 'echo $HOME' $user`"

# name of screen session
srnname="rtorrent"

# file to log to (makes for easier debugging if something goes wrong)
logfile="/var/log/rtorrentInit.log"
#######################
###END CONFIGURATION###
#######################
PATH=/usr/bin:/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin
DESC="rtorrent"
NAME=rtorrent
DAEMON=$NAME
SCRIPTNAME=/etc/init.d/$NAME

checkcnfg() {
exists=0
for i in `echo "$PATH" | tr ':' '\n'` ; do
if [ -f $i/$NAME ] ; then
exists=1
break
fi
done
if [ $exists -eq 0 ] ; then
echo "cannot find rtorrent binary in PATH $PATH" | tee -a "$logfile" >&2
exit 3
fi
if ! [ -r "${config}" ] ; then
echo "cannot find readable config ${config}. check that it is there and permissions are appropriate" | tee -a "$logfile" >&2
exit 3
fi
session=`getsession "$config"`
if ! [ -d "${session}" ] ; then
echo "cannot find readable session directory ${session} from config ${config}. check permissions" | tee -a "$logfile" >&2
exit 3
fi
}

d_start() {
[ -d "${base}" ] && cd "${base}"
stty stop undef && stty start undef
su -c "screen -ls | grep -sq "\.${srnname}[[:space:]]" " ${user} || su -c "screen -dm -S ${srnname} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
# this works for the screen command, but starting rtorrent below adopts screen session gid
# even if it is not the screen session we started (e.g. running under an undesirable gid
#su -c "screen -ls | grep -sq "\.${srnname}[[:space:]]" " ${user} || su -c "sg \"$group\" -c \"screen -fn -dm -S ${srnname} 2>&1 1>/dev/null\"" ${user} | tee -a "$logfile" >&2
su -c "screen -S "${srnname}" -X screen rtorrent ${options} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
}

d_stop() {
session=`getsession "$config"`
if ! [ -s ${session}/rtorrent.lock ] ; then
return
fi
pid=`cat ${session}/rtorrent.lock | awk -F: '{print($2)}' | sed "s/[^0-9]//g"`
if ps -A | grep -sq ${pid}.*rtorrent ; then # make sure the pid doesn't belong to another process
kill -s INT ${pid}
fi
}

getsession() {
session=`cat "$1" | grep "^[[:space:]]*session[[:space:]]*=" | sed "s/^[[:space:]]*session[[:space:]]*=[[:space:]]*//" `
echo $session
}

checkcnfg

case "$1" in
start)
echo -n "Starting $DESC: $NAME"
d_start
echo "."
;;
stop)
echo -n "Stopping $DESC: $NAME"
d_stop
echo "."
;;
restart|force-reload)
echo -n "Restarting $DESC: $NAME"
d_stop
sleep 1
d_start
echo "."
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
exit 1
;;
esac

exit 0

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Now we need to change the user and group ownership of that file and make it executable

sudo chown root:root /etc/init.d/rtorrent
sudo chmod a+x /etc/init.d/rtorrent

Now lets tell ubuntu to run this script at startup

cd /etc/init.d
sudo update-rc.d rtorrent defaults

Test the script:

sudo /etc/init.d/rtorrent start

Check that an rtorrent and a screen process are running using htop

htop

To exit htop, hit F10


rutorrent


Ok, now to install rutorrent

ruTorrent is really just a set of php and html files, so we're going to install them to a folder under our web server root.
We’re going to get the latest 3.0 files from the subversion repository.

cd /var/www
sudo svn checkout rutorrent - Revision 1461: /trunk/rutorrent

Now we'll download some useful rutorrent plugins

cd rutorrent/plugins
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/erasedata
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/create
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/trafic
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/edit
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/retrackers
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/cookies
sudo svn checkout http://rutorrent.googlecode.com/svn/...plugins/search
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/scheduler
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/autotools
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/datadir
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/tracklabels
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/geoip
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/ratio
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/seedingtime
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/diskspace
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/data
sudo svn checkout rutorrent - Revision 1461: /trunk/plugins/rss

Now lets change ownership of the rutorrent files to the web server user, and change the permissions on them

cd /var/www
sudo chown -R www-data:www-data rutorrent
sudo chmod -R 777 rutorrent

OK, now visit your rutorrent site to check its all working:

https://<servername or IP>/rutorrent

You should be prompted for the username and password we set up earlier for password protection of our web server

Now you should see the rutorrent web gui, and be able to add torrents.


FTPS / SFTP


If you just want to use SFTP (FTP over SSH), you dont need to do anything more here.
Just connect with an FTP client via SFTP to your server on the SSH port you use.

If you want to setup FTPS (FTP using SSL encryption) then we'll setup Pure-FTPd.
I usually use proftpd on my servers but a bug in the current versions (1.3.2 in the Ubuntu karmic package repo, and 1.3.3 current stable) mean that a 550 error is thrown when browsing directories with '[' in their name.

Pure-FTPd

sudo apt-get install pure-ftpd

Now lets create another SSL certificate (you could use the ones you created earlier if you like - I prefer to keep them separate)

sudo openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
sudo chmod 600 /etc/ssl/private/pure-ftpd.pem

This will create a self-signed certificate for your server that lasts for 1 year. You'll be prompted for a lot of of information. Whenever you're asked for a name, use your domain name if you have one. The rest you can leave blank or fill in with whatever you like.

Now lets edit the Pure-ftpd config.
Pure-ftpd doesn't use a config file like other FTP daemons. Instead it starts with a set of command like switches.
However, the init.d startup script that is installed when you installed the pureftpd package can parse a directory of single line 'config files' in order to dynamically build the correct set of command line switches.
So all we need to do is create these single line files in the right place:

Temporarily act as root user

sudo su

Enter the root password when asked

cd /etc/pure-ftpd/conf/
echo ,22005 > Bind
echo 12.34.56.78 > ForcePassiveIP
echo 27200 27210 > PassivePortRange
echo 1 > TLS

The first 'echo' line above creates a file that tells Pure-ftpd to use a particular port, so change the number to the port you wish to use.
The second 'echo' line creates a file that tells Pure-ftpd to use the given static IP address for Passive mode. You need to set this to the IP of your server.
The third 'echo' line determines what port range to use for Passive mode.

If you want additional security, also do the following:

echo yes > ProhibitDotFilesRead
echo yes > ProhibitDotFilesWrite
echo yes > NoChmod
echo yes > BrokenClientsCompatibility

The first two 'echo' lines create files that stop users reading and writing system files that have a leading '.' in their filename (for example the '.rtorrent.rc' config file.
The third 'echo' line creates a file that stops users changing the permissions on files and folders.
The final 'echo' line creates a file that prevents clients that dont strictly adhere to the FTP/FTPS protocol from connecting.

Now lets configure how users will authenticate

echo no > PAMAuthentication
echo yes > UnixAuthentication

Here we are configuring to use system usernames.

Now just restart the FTP service

/etc/init.d/pure-ftpd restart

Test everything is ok by connecting to the FTP service with an FTP client set to use the FTPS protocol, on the port you chose.

And return to the normal user

exit

OPTIONAL: Multi-user Setup


This section is OPTIONAL. If you want a multi-user setup, follow these steps.
This will show you how to add one additional user, but just use the same steps to add more as needed.
Each user will be set up as a system user, with only basic priveleges, without shell access.
They would use their system credentials to access FTP.
They will use a separate username/password combination to access the rutorrent web GUI.

Create New System Users:

Lets add our new user to the system

sudo adduser <second_username>

Replace <second_username> with a username of your choosing.
Fill in all the details when prompted (e.g. password)

Apache Config:

Now we want to edit our apache conf file to ensure that each user has their own SCGI mount point and port.

sudo nano /etc/apache2/apache2.conf

Find this line at the end:

SCGIMount /RPC2 127.0.0.1:5000

And add a new line for the new user:

SCGIMount /RPC3 127.0.0.1:5001

Note that the first user uses an SCGI mount point at /RPC2, on port 5000.
The second user uses an SCGI mount point at /RPC3, on port 5001

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.

And now lets reload Apache

sudo /etc/init.d/apache2 reload

We also need to add a second user to our passwords file that protects the rutorrent web directory

sudo htdigest /etc/apache2/passwords gods <second_webusername>

This <second_webusername> can be whatever you like, but I recommend using the same name as previously used for <second_username>
After running this command, you'll be prompted for a password. This will be the password you enter to log into the rutorrent web UI.

rtorrent Config and Startup:

Each user needs to run their own instance of rtorrent. Each instance of rtorrent needs its own config file.
So we need to copy our previously created .rtorrent.rc config file and edit it specifically for this user

sudo cp ~/.rtorrent.rc /home/<second_username>
sudo chown <second_username>:<second_username> /home/<second_username>

Replace <second_username> with the username you chose previously.
Now lets edit that file and make some key changes

sudo nano /home/<second_username>/.rtorrent.rc

Find the following lines:

# Port range to use for listening.
port_range = 55995-56000

# Start opening ports at a random position within the port range.
#port_random = yes

scgi_port = 127.0.0.1:5000

And change them for the new users config:

# Port range to use for listening.
port_range = 56001-56005

# Start opening ports at a random position within the port range.
#port_random = yes

scgi_port = 127.0.0.1:5001

The port range needs to be different to the current users, and the scgi port also needs to be different to the current users.
If adding more users, ensure that each user has their own scgi port and torrent port range.
IMPORTANT: THESE PORTS MUST CORRESPOND TO THE PORTS CONFIGURED IN THE PREVIOUS STEP WHEN EDITING THE 'apache2.conf' FILE

Also find the following lines

# Default directory to save the downloaded torrents.
directory = /home/downloads/<username>

# Default session directory. Make sure you don't run multiple instance
# of rtorrent using the same session directory. Perhaps using a
# relative path?
session = /home/downloads/<username>/.session

# Watch a directory for new torrents, and stop those that have been
# deleted.
schedule = watch_directory,5,5,load_start=/home/downloads/<username>/watch/*.torrent

And change them to:

# Default directory to save the downloaded torrents.
directory = /home/downloads/<second_username>

# Default session directory. Make sure you don't run multiple instance
# of rtorrent using the same session directory. Perhaps using a
# relative path?
session = /home/downloads/<second_username>/.session

# Watch a directory for new torrents, and stop those that have been
# deleted.
schedule = watch_directory,5,5,load_start=/home/downloads/<second_username>/watch/*.torrent

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.

We now need to make sure the relevant directories exist

sudo mkdir /home/downloads
sudo mkdir /home/downloads/<second_username>
sudo mkdir /home/downloads/<second_username>/watch
sudo mkdir /home/downloads/<second_username>/.session
sudo chown -R <second_username>:<second_username> <second_username>

We also need to make sure that the new users rtorrent starts up when the server is rebooted.
Lets copy our current users startup script and set it to run at boot.

sudo cp /etc/init.d/rtorrent /etc/init.d/rtorrent2
sudo chown root:root /etc/init.d/rtorrent2
sudo update-rc.d rtorrent2 defaults

Now lets make a change to the startup script to make sure that it runs as the corrent user

sudo nano /etc/init.d/rtorrent2

Find the line that configures which user to run the script as:

# system user to run as
user="<username>"

And change it to run as the new user we created:

# system user to run as
user="<second_username>"

If adding more users, ensure that each user has their own unique rtorrent startup script.

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.

rutorrent Config:

Ok, now we need to configure rutorrent for multiple users.
To do this we need to create a configuration directory for each user that will hold that users config files.
Remember the SCGI mounts and ports weve configured? We'll need those details here.

user1 = <webusername> and his SCGI mount is on /RPC2 and port 5000
user2 = <second_webusername> and his SCGI mount is on /RPC3 and port 5001

Now we need to create the user conf directories and copy the config files to them

cd /var/www/rutorrent/conf/
mkdir user/<webusername>
mkdir user/<second_webusername>

Now, we need to copy a file from the current default conf directory to each users specific conf directory.

sudo cp config.php user/<webusername>
sudo cp config.php user/<second_webusername>

Lets edit the ownership and permissions on these files

sudo chown -R www-data:www-data user
sudo chmod -R 777 user

Now we need to edit each config file specific to each user.
In fact, we dont need to edit the config file for our first user (<webusername>) since that user is just going to use the config we had already setup for the single user system.
So we just need to edit the config file for the second user (<second_webusername>).

sudo nano user/<second_webusername>/config.php

Find the following lines:

$scgi_port = 5000;
$scgi_host = "127.0.0.1";
$XMLRPCMountPoint = "/RPC2";

And change them to:

$scgi_port = 5001;
$scgi_host = "127.0.0.1";
$XMLRPCMountPoint = "/RPC3";

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.

Remember, if you have more than 2 users you need to do this for each users unique config.php file and ensure the values for mount point and port match those set in previous steps when configuring rtorrent and apache

Now when you browse to

https://<servername or IP>/rutorrent/

you will be prompted with the login dialog.
Depending on what username and password you enter here, your rutorrent instance will connect to the relevant rtorrent session.

Pure-FTPd

Ok, lets make a couple of changes to our Pure-ftpd setup to support multiple users

Temporarily act as root user

sudo su

Enter the root password when asked

cd /etc/pure-ftpd/conf/
echo yes > ChrootEveryone
sudo echo 4 > MaxClientsPerIP
sudo echo 20 > MaxClientsNumber

The first 'echo' line creates a file that stops users from navigating outside of their home directory.
The second 'echo' line creates a file that dictates how many connections can be made per connecting IP. Change this to whatever you deem appropriate for your needs.
The third 'echo' line creates a file that dictates how many connections in total can be made. Change this to whatever you deem appropriate for your needs.

And return to the normal user

exit

We have each users torrent downloads being stored in /home/downloads/<the_username>.
But in the steps above we've jailed each FTP user to not be able to leave their home directory /home/<the_username/
So we want to create a link from the users home directory to their downloads directory.
However, a symbolic link wont work here as the chroot will prevent it.
Instead we need to create mount points.
We can do this using:

sudo mount --bind /home/downloads/<username> /home/<username>/downloads
sudo mount --bind /home/downloads/<second_username> /home/<second_username>/downloads

However we want these mounts to be permanent so we do the following:

sudo nano /etc/fstab

At the end of the file add these lines

/home/downloads/<username> /home/<username>/downloads none bind 0 0
/home/downloads/<second_username> /home/<second_username>/downloads none bind 0 0

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.

And thats the end of the multi-user setup!


Linux Firewall


Right, we’re almost done, but first its time to set up the linux firewall to close all the ports other than the ones we need.

Its easiest to use Webmin for this task

Open a browser window and go to:

https://<servername or IP>:10000

You'll need to login with the system username we created earlier

On the left hand navigation menu, go to Networking->Linux Firewall

Set up the firewall as you need..Remember that we need to open the following ports that we've configured in this guide:

SSH: 21976
FTPS: 22005
Passive Ports for FTP: 27200 to 27210
SSL: 443
Webmin: 10000
rtorrent: 55995 to 56000 for <username>, and 56001 to 56005 for <second_username>

And we can lock the rest down.

You're encouraged to change the ports used as examples in this guide - just make sure you write them down, and double check them before implementing any firewall rules.
You should also check with your host in case that they use any automatic network monitoring tools.
If they do, you may need to leave some ports open to respond to pings and so on, otherwise their tools might think your server is down and try rebooting it or putting it into recovery mode. Best just to check with them.


Summary


That’s it, we’re done !

The source for this tutorial is here:

Ubuntu Seedbox with rtorrent | rutorrent | pureftpd | multi-user (optional)

Rep added.

Excellent tutorial. And Webmin is the shizat. Thanks for that.