Introduction:
First off let me say this guide is definitely open to suggestions on improvements. So please leave comments if a better way to do something in this guide is needed, and also if anything is outdated and in need of an update. Thank You. :)
This guide is for those who want their server with a GUI, rtorrent/rutorrent, SFTP, Webmin, Fail2ban, a firewall, and a permanent auto-connecting SSH tunnel and/or proxy from a home Windows machine to a remote Ubuntu server.
Every command with # next to it is to be performed as root
Every command with $ next to it is to be performed as your user
-Do not type these symbols into Putty when logged into your server. They are there only to show if you need to be root or your normal user.
-Do not enter multiple lines of code at once. Take your time and go one by one, line by line. This is a server setup, not a race...It is supposed to take a couple hours. :)
Pre-requisites:
An Ubuntu 9.10 - Ubuntu 11.04 server (x86 or x64) with root access via Putty
**NOTE**
Might work on some earlier versions, and on other Debian based distros, but this is untested
-and-
A windows home machine running Windows XP - Windows 7 (x86 - x64)
Basics
Initial Login:
Login to your server as root via SSH
Windows:
-Download Putty and run it
-Download Putty from here
-Once open enter the IP address of your server where Host is, and enter the port number where asked as well. (Usually 22)
-Set the Radio button to SSH
-In the box below type in the name you want to save this connection as. Such as OVH or LeaseWeb...or whatever you want.
-Click the Save button
**NOTE**
This will save the session so you do not need to enter this info every time you want to connect via SSH. All you will need to do is double click the saved connection in the box and Putty will connect.
-Click Open and when connected the server will ask for username. Enter it (Usually root) and do the same for the password when asked.
**OPTIONAL**
After connected and you are root, you may change the password to something you would remember a bit easier.
Make sure your new password:
-is NOT a dictionary word
-includes at least two numbers
-uses upper AND lowercase letters
-is at least 10 characters long
Change Password:
# passwd
-Set the new password (You will be asked twice for it)
Delete SSH Authorized Keys
This is for added protection: some hosting providers leave their own public key in root's account when they image the server, and anyone holding the matching private key can then log in as root without a password. Look at what is there and remove any key you did not put there yourself (sshd on these releases reads both authorized_keys and authorized_keys2).
# ls -l /root/.ssh/authorized_keys /root/.ssh/authorized_keys2
# rm /root/.ssh/authorized_keys2
Update Packages
Ok, now we're going to make sure our Ubuntu installation is up to date.
This will update the package database with all the latest packages available.
# apt-get update
This will upgrade any packages that are out of date on your install. When asked if you want to do the upgrades (if any) type y and press Enter.
# apt-get upgrade
**NOTE**
-To run both together and not have to enter a command twice you should use && like so
# apt-get update && apt-get upgrade
-To clear the package cache, use the following. clean removes every downloaded .deb file, autoclean only those that can no longer be downloaded; neither one repairs broken packages.
# apt-get clean && apt-get autoclean
Add two packages to be used
Before we add a user we need to make sure that the packages 'sudo' and 'nano' are installed. Use this command to install them.
# apt-get install sudo nano
Create a new user that we'll install everything with
For security purposes, we're going to add a new user and disable SSH access for the root user.
Replace <username> with a username of your choosing.
# adduser <username>
Fill in all the details when prompted (e.g. password)
Add your new user to the sudoers file. This allows this user to use elevated privileges when needed to do things that normally only the root user could do.
# visudo
In recent versions of Ubuntu this opens the sudoers file for editing in a lightweight editor called nano. Always go through visudo rather than editing /etc/sudoers directly: it checks the syntax before saving, and a syntax error in that file disables sudo for everyone. (On these Ubuntu releases the stock sudoers already grants full rights to the admin group, so "adduser <username> admin" is an equivalent shortcut that avoids editing the file at all.)
Scroll down and find this line:
root ALL=(ALL) ALL
On the next line add (replace <username> with the username we created earlier):
<username> ALL=(ALL) ALL
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Lock down SSH
Now we will change some SSH settings.
We're going to use a different port, and prevent root access via SSH
# nano /etc/ssh/sshd_config
Change the following lines as below. Edit the lines that already exist rather than appending fresh copies at the bottom: for these keywords sshd uses the first occurrence it finds, so a second PermitRootLogin at the end of the file is silently ignored (a second Port line is not ignored, it makes sshd listen on both ports).
Use a high port of your choosing. I recommend a port over 20000.
Port 32002
Protocol 2
PermitRootLogin no
X11Forwarding no
Then add these lines at the end of the file:
UseDNS no
AllowUsers <username>
**NOTE**
As usual, replace <username> with the name of the user you created. Any additional usernames to be added, such as nx (add this if you use NX Server or FreeNX), should be separated with a space. Once AllowUsers is set, every account not listed is refused by SSH, root included; if you later create another user that needs SSH you must add it here too. If you move to SSH keys at some point, PasswordAuthentication no is the next setting to change; the rest of this guide assumes password logins.
-Example-
AllowUsers heebyjeeby nx gnarkill sally
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
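The same edits, done by script instead of by hand, as an added example that is not part of the original guide. It rewrites the directives that are already in sshd_config (so nothing gets appended as an ignored duplicate) and gives you a validation step to run before the reload in the next step. The function names are mine, the stock Ubuntu sshd_config layout is assumed, and the port and user list are arguments so you can try it on a copy of the file first.

```sh
#!/bin/sh
# Added example (not part of the original guide): make the sshd_config edits
# from this section by rewriting the directives that are already in the file,
# so no duplicate lines are appended, and validate the result before sshd is
# ever reloaded. Assumes the stock Ubuntu sshd_config layout; the port and
# user list are arguments so it can be dry-run on a copy of the file first.
#
#   cp /etc/ssh/sshd_config /tmp/sshd_config.test
#   apply_sshd_hardening /tmp/sshd_config.test 32002 "heebyjeeby nx"
#   diff /etc/ssh/sshd_config /tmp/sshd_config.test
set -u

# set_directive FILE KEY VALUE
# Replace the first active or commented-out "KEY ..." line with "KEY VALUE",
# drop any later copies, and append the directive only if the keyword never
# appeared. sshd honours the first occurrence of most keywords, so a second
# PermitRootLogin at the end of the file would be silently ignored.
set_directive() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" key "([ \t]|$)" }
        # An active Match block makes everything after it conditional, so a
        # directive not seen yet has to go above the first Match line.
        !done && /^[ \t]*Match([ \t]|$)/ { print key " " value; done = 1 }
        $0 ~ re { if (!done) { print key " " value; done = 1 }; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_directive FILE KEY: print the value of the first active KEY line.
get_directive() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# count_directive FILE KEY: number of active KEY lines (should be 1 afterwards).
count_directive() {
    awk -v key="$2" '$1 == key { n++ } END { print n + 0 }' "$1"
}

# apply_sshd_hardening FILE PORT "USER [USER...]"
# The same settings the guide has you type into nano, applied in place after
# taking a backup copy next to the file.
apply_sshd_hardening() {
    cfg=$1; port=$2; users=$3
    cp -p "$cfg" "$cfg.bak" || return 1
    set_directive "$cfg" Port "$port"
    set_directive "$cfg" Protocol 2
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" X11Forwarding no
    set_directive "$cfg" UseDNS no
    set_directive "$cfg" AllowUsers "$users"
}

# validate_sshd_config FILE: sshd -t parses the file and exits non-zero on
# any error. Run this as root before "/etc/init.d/ssh reload"; a broken
# config followed by a reload is how people lock themselves out.
validate_sshd_config() {
    sshd -t -f "$1"
}
```

Run apply_sshd_hardening on a copy, diff it against the real file to see exactly what changed, then apply it to /etc/ssh/sshd_config as root and run validate_sshd_config on it before reloading sshd. The backup it leaves next to the file is what you restore from the session you kept open if the new login does not work.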
Now reload the SSH daemon so the new settings take effect
# /etc/init.d/ssh reload
Do not close this window yet. A reload keeps your current session alive, so open a second Putty window and confirm that you can log in on the new port as the new user and that sudo works there. If that login fails (wrong port in Putty, a typo in AllowUsers, or a firewall rule that still only allows port 22), fix it from the session you still have open; if you had already logged out you would be locked out.
Once the new login works, log out of the root session and log back in as the new user you created earlier.
# exit
Windows Putty Session with New Port
-To add your new port to your saved session in Putty, first open Putty back up. Click once on the name of your saved session from earlier so it is highlighted. Click Load, and at the top where port is, change the port to the new port you put in on the sshd_config file we just edited. Click save, and from now on you will be able to connect on the new port to your server by opening Putty and double clicking your saved session.
-Now login with the new user and password you created when asked to do so.
Login: <New User>
Password: <Users Password>
Install Necessary Basic Packages
**NOTE**
Now we use the $ symbol and the word sudo before a command. This means you are to be logged into the remote server as the new user we just created, and sudo is the command that temporarily grants root privileges to a normal user for that one command (it asks for your own password, not root's).
Ok, now lets install some important packages that we're going to need throughout this guide. This is one long line. The version-pinned names in it (cpp-4.1, gcc-4.1, g++-4.1, libstdc++6-4.1-dev) date from an older release; if apt reports that one of them cannot be found, drop it from the list, since the unversioned gcc, g++ and cpp entries pull in the release's current compiler anyway:
$ sudo apt-get install apache2 apache2.2-common apache2-utils aptitude autoconf automake autotools-dev binutils build-essential bzip2 ca-certificates comerr-dev cpp cpp-4.1 dpkg-dev file firestarter g++ g++-4.1 gawk gcc gcc-4.1 git-core libapache2-mod-php5 libapache2-mod-scgi libapr1 libaprutil1 libauthen-pam-perl libc6-dev libcppunit-dev libcurl3 libcurl4-openssl-dev libexpat1 libidn11 libidn11-dev libkdb5-4 libgssrpc4 libkrb5-dev libmagic1 libncurses5 libncurses5-dev libncursesw5-dev libneon26 libnet-ssleay-perl libpam-runtime libio-pty-perl libpcre3 libpq5 libsigc++-2.0-dev libsqlite0 libsqlite3-0 libssl-dev libssp0-dev libstdc++6-4.1-dev libsvn1 libtool libxml2 linux-libc-dev lynx m4 make mktorrent mime-support ntp ntpdate openssl patch perl perl-modules php5 php5-cgi php5-cli php5-common php5-curl php5-dev php5-geoip php5-sqlite php5-xmlrpc pkg-config python python-scgi rar screen sqlite ssl-cert subversion ucf unrar zlib1g-dev unzip htop irssi libwww-perl curl
Windows Auto Logon SSH Tunnel:
MyEnTunnel
On your Windows machine open your internet browser and go to
Scroll down and download the latest Stable version.
Plink
On your Windows machine open your internet browser and go to
Download the file when asked.
Create Permenant Tunnel
-Copy MyEnTunnel.exe and Plink.exe into the same folder on your C: drive.
-Open MyEnTunnel
-Click the settings tab
-Set your settings as if it were Putty:
SSH Server = <Server IP address>
SSH Port = <Server's SSH Port>
Username = <Your Normal User on the Server>
Passphrase = <Your Normal User's Password on the Server>
Port = <Whatever port you want your tunnel to be under. I set mine to the same as the SSH port on the server for less confusion>
-Check mark whatever boxes you'd like. Enable Dynamic Socks MUST be checked. Other notable ones would be:
Connect on Startup
Reconnect on Failure
Enable Slow Polling
Infinite Retry Attempts
Enable Compression
-Click Connect, and after it has connected click Save, and then Hide. Now it is down by your clock.
**NOTE**
MyEnTunnel keeps the password you typed on the Windows machine so that it can reconnect unattended, which means anyone who gets hold of that machine's profile has a working SSH login to your server. Treat the Windows box as part of the server's security boundary, and if the MyEnTunnel/Plink version you have lets you point it at a PuTTY private key file instead of a password, prefer that with a passphrase on the key.
-Any program you want to use this tunnel (Firefox, uTorrent, mIRC, etc...) must be set to use a SOCKS proxy with the IP address 127.0.0.1 and the port you chose for MyEnTunnel. The SOCKS listener should only ever be reachable at 127.0.0.1; if it were reachable from the rest of your LAN, any machine there could exit to the internet through your server under your account.
Proxy:
**NOTE**
If you are going to send all of your connections from your Windows machine to your server tunneled through SSH, you do not need this proxy setup on your server. Just continue to GUI below and skip this. If you are like me and only want your uTorrent (or whatever client you use) traffic to be sent through your tunnel, and all other traffic through an HTTP/HTTPS proxy, then continue setting up this proxy on your server.
Tinyproxy
Install Tinyproxy
$ sudo apt-get install tinyproxy
Enter your password if asked (sudo asks for your own user's password, not root's).
Now we need to edit the conf file of Tinyproxy.
$ sudo nano /etc/tinyproxy.conf
Find this line
# Port to listen on.
#
Port 8888
And change the port to whatever port you wish; I will use port 33002 in this tutorial. So now it should look like this
# Port to listen on.
#
Port 33002
Next step is to configure Tinyproxy to only accept connections from your IP address. This matters: the Tinyproxy shipped with these Ubuntu releases has no proxy authentication, so the Allow list is the only thing stopping anyone on the internet from using your server as an open proxy. So scroll down the config file until you see this
#
# The following is the authorization controls. If there are any access
# control keywords then the default action is to DENY. Otherwise, the
# default action is ALLOW.
#
# Also the order of the controls are important. The incoming connections
# are tested against the controls based on order.
#
Allow 127.0.0.1
And add this text under it
Allow <Your Public IP address>
This should look like this (203.0.113.5 stands in for your own address)
Allow 127.0.0.1
Allow 203.0.113.5
To check what your IP address is, go to whatismyip.com. Use the public address that site reports, not a LAN address such as 192.168.1.1: private addresses never reach the server, so an Allow line for one would let nobody in, not even you.
**NOTE**
If you have a dynamic (changing) IP you can also use a domain string instead of an IP address. For example, if you are connected to your ISP as something-adsl-sanfran-comcast.com, you could specify "Allow adsl-sanfran-comcast.com" (without the quotes), which would allow all Comcast ADSL users in San Francisco to connect. This is MUCH less secure, but a solution if you are not on a static (always the same) IP address. Remember also that the browser-to-proxy hop is plain HTTP, so whatever you send through it is readable in transit on the way to your server; the SSH tunnel above is the safer option whenever it can be used, and when you set up the firewall later, open port 33002 to your own address only.
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Configuration is completed. Now restart the service to apply the new configuration
$ sudo /etc/init.d/tinyproxy restart
Your proxy server is now ready. Open the Network settings of your browser and enable proxy. Put the server's IP address in the proxy hostname/address box and 33002 (or whatever port you set in the conf file) as proxy port. Now, your page requests will be served through your proxy.
**NOTE**
Tinyproxy is extremely lightweight; however, you may restart it occasionally to refresh memory usage. You may also set a cron job to do it automatically, but that is beyond the scope of this tutorial for now.
GUI Install:
Ubuntu Desktop with FreeNX
First we will install the Ubuntu Desktop Environment. There are several to choose from; this tutorial is for GNOME, but you could use any of them if you want to fiddle with them. Be warned though: not all Ubuntu desktop environments play nice with all programs. So install the one you think you would like to see and use for your server. Bear in mind that a full desktop metapackage pulls in hundreds of packages and some network-facing services a seedbox does not need; after the reboot at the end of this section, review which ports are listening (netstat -lntup as root) and remove or firewall anything you did not ask for.
First we will make sure all of your packages are up to date.
$ sudo apt-get update && sudo apt-get upgrade
Now install a desktop.
**GNOME**
$ sudo apt-get install ubuntu-desktop
**NOTE**
-If you want to install the GNOME desktop without some of the desktop add-ons like Evolution and OpenOffice, use this command to save on server resources:
$ sudo aptitude install --no-install-recommends ubuntu-desktop
**XFCE**
$ sudo apt-get install xubuntu-desktop
**KDE**
$ sudo apt-get install kubuntu-desktop
FreeNX
Add the FreeNX PPA
$ sudo add-apt-repository ppa:freenx-team
**NOTE**
If you do not have add-apt-repository installed, add the package that provides it first:
$ sudo apt-get install python-software-properties
-As of July 2011, there are no packages built for Maverick (10.10) or Natty (11.04), but the packages for Lucid seem to work. Update the sources list as follows:
Ubuntu Natty (11.04):
$ sudo sed -i 's/natty/lucid/g' /etc/apt/sources.list.d/freenx-team-ppa-natty.list
Ubuntu Maverick (10.10):
$ sudo sed -i 's/maverick/lucid/g' /etc/apt/sources.list.d/freenx-team-ppa-maverick.list
Update Apt
$ sudo apt-get update
Install FreeNX
$ sudo apt-get install freenx
Get the nxsetup script
-As of July 2011, the FreeNX PPA package is missing the nxsetup script. The script can be downloaded from here by issuing:
Unpack the nxsetup script:
$ tar -xvf nxsetup.tar.gz
Copy the setup script to /usr/lib/nx:
$ sudo cp nxsetup /usr/lib/nx/nxsetup
Run nxsetup. You are about to run a downloaded script as root, so fetch it only from the FreeNX project's own hosting and read through it first:
$ sudo /usr/lib/nx/nxsetup --install
**NOTE**
After installation, FreeNX will ask whether to use the default keys or a custom pair of keys. The default key pair is identical on every NX installation and its private half ships with every NX client, so with default keys anyone on the internet can complete the first (nx account) SSH stage of an NX login; only your own username and password inside the session stand between them and your desktop. If your IP address is static (never changes) you can get away with the default keys, because the firewall will only be allowing your IP to access SSH, but it should be noted that under any circumstances it is a security risk. Use custom keys if you prefer higher security or have a dynamic (changing) IP address, since then the firewall cannot restrict SSH to your address alone. Custom keys are beyond the scope of this tutorial at the moment, and will be added at a later date.
Now open up your NX Connection Wizard and fill in the options as it asks for them.
-Session can be named whatever you want
-Host is your server IP address
-Port is the same as your SSH port
-The environment should be Unix and Gnome, unless you used a different desktop, then select accordingly
....and connect.
If asked to import/replace a key, do so.
After connecting, close NX on your Windows machine, and connect through Putty. After connecting with your normal user, reboot the server.
$ sudo reboot
**NOTE**
You do not need to do the VNC section below if you chose to install this desktop. Skip it and continue on to Configure Apache.
VNC
Login through Putty as root on your server.
If you are already logged in under your user on your server type this
$ su root
Enter the root user password when asked and you will now be root on your server.
To exit out of the root user and return to your normal user you can type
# exit
after you are done doing what you need to do as root user.
Install the environment first
# apt-get install vnc4server xterm fluxbox firefox firestarter
# update-menus
# apt-get install xfonts-base xfonts-75dpi xfonts-100dpi
Return to your normal user
# exit
Configure VNC:
Make sure you are in your home directory:
$ cd ~
$ mkdir .vnc
Now we need to open the xstartup file and add fluxbox
$ nano .vnc/xstartup
Put this in the file:
#!/bin/sh
fluxbox
Save (ctrl + o) and exit (ctrl + x). This will start Fluxbox with VNC.
Make the xstartup file executable:
$ chmod +x .vnc/xstartup
Now start the vnc4server. The first time you start it, it will ask you to create a password no longer than 8 characters:
$ vnc4server :1
Password:
Verify:
**NOTE**
-To kill VNC use this command
$ vnc4server -kill :1
-Never run VNC as root user.
-The VNC password is at most 8 characters, the VNC protocol itself is not encrypted, and display :1 listens on TCP 5901 on every interface. Rather than exposing that, start it with "vnc4server :1 -localhost", forward local port 5901 to 127.0.0.1:5901 in your Putty session (Connection > SSH > Tunnels) and point the viewer at 127.0.0.1:1; then everything rides inside SSH and the firewall never needs to open 5901.
Now open VncViewer or TightVNC on your home computer and set the server to <Server IP Address>:1 (or 127.0.0.1:1 if you tunnelled it as above) and press connect. Then type in your password when asked and you will see your desktop.
After connecting, close the VNC viewer on your Windows machine, and connect through Putty. After connecting with your normal user, reboot the server.
$ sudo reboot
Configure Apache:
Basic Configuration
We need to configure the Apache web server with some modules that we'll need:
$ sudo a2enmod ssl
$ sudo a2enmod auth_digest
$ sudo a2enmod scgi
We want to edit our apache conf file for scgi support, which is used to communicate with the rutorrent web front end.
$ sudo nano /etc/apache2/apache2.conf
Add these two lines at the end:
SCGIMount /RPC2 127.0.0.1:5000
ServerName localhost
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
**NOTE**
SCGIMount in apache2.conf applies to every virtual host, so rtorrent's XML-RPC interface becomes reachable at /RPC2 on both the http and the https site, while the Digest authentication configured later in this section covers only /rutorrent. Anyone who can reach the web server can then send XML-RPC commands to rtorrent, and its command set includes running programs as the user rtorrent runs as. Before relying on this setup, put /RPC2 inside its own <Location /RPC2> block with the same AuthType Digest, AuthName, AuthUserFile and Require valid-user lines that /rutorrent uses. rutorrent does not go through /RPC2 (with its default config.php it speaks SCGI to 127.0.0.1:5000 directly), so the web UI keeps working.
Reboot the server.
$ sudo reboot
After a few minutes, log back in via Putty.
Lets just check apache is up and running:
Open a browser and go to:
http://<servername or IP>
You should see this message:
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
Configure Apache for HTTPS and Password Protection:
We are going to create an SSL certificate as root user so that we can access the server via https.
This will create a self-signed certificate for your server that lasts for 1 year. You'll be prompted for a lot of information. Whenever you're asked for a name, use your domain name if you have one. The rest you can leave blank or fill in with whatever you like. The -nodes option stores the private key unencrypted so Apache can start unattended, and because -keyout and -out name the same file, the key and the certificate end up together in apache.pem; that is why the file must be readable by root only.
# openssl req -new -x509 -newkey rsa:2048 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
# chmod 600 /etc/apache2/apache.pem
Your browser will warn that the certificate is self-signed the first time you connect; that is expected. Before accepting it, compare the fingerprint the browser shows with the one on the server ("openssl x509 -in /etc/apache2/apache.pem -noout -fingerprint" prints it), so you know nothing is sitting in between.
Now lets add password protection
$ sudo htdigest -c /etc/apache2/passwords gods <webusername>
Where <webusername> is the username you'll use to connect to the rutorrent web UI. "gods" is the Digest realm; it must match the AuthName in the site configuration below or the password file will never match. The -c flag creates the file from scratch, so leave it out when you add a second user later.
It can be the same as the system username you've created previously if you like.
After running this command, you'll be prompted for a password. This will be the password you enter to log into the rutorrent web UI.
Now lets configure apache for HTTPS.
$ sudo nano /etc/apache2/sites-available/default
Copy the following and paste it to replace the contents of the file we're editing.
Then replace all instances of <servername or IP> with your real servername or IP. Note that /rutorrent is served on plain http as well as https: Digest auth keeps the password itself off the wire, but everything else in the session is readable in transit, so always use the https:// URL (or add a Redirect from the :80 host's /rutorrent to the https one).
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<Location /rutorrent>
AuthType Digest
AuthName "gods"
AuthDigestDomain /rutorrent/ http://<servername or IP>/rutorrent/
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www/rutorrent"
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<Location /rutorrent>
AuthType Digest
AuthName "gods"
AuthDigestDomain /rutorrent/ https://<servername or IP>/rutorrent/
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www/rutorrent"
</Location>
</VirtualHost>
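Before reloading Apache it is worth checking what the SCGIMount line in apache2.conf has opened up: it applies to every virtual host, and only /rutorrent is inside an authenticated Location, so rtorrent's XML-RPC endpoint at /RPC2 would answer to anyone. The following script is an added example, not part of the original guide or of rutorrent: it scans an Apache 2.2 configuration tree for SCGIMount paths, reports any that are not covered by a <Location> block carrying a Require directive, and prints a Location block (same realm "gods" and password file as above) that can be dropped into /etc/apache2/conf.d/. The function names and the Ubuntu directory layout it walks are assumptions.

```sh
#!/bin/sh
# Added example (not part of the original guide or of rutorrent): find every
# SCGIMount in an Apache 2.2 configuration tree and report the ones that are
# not inside a <Location> block carrying a Require directive, then emit the
# block that closes the gap. The directory layout (apache2.conf, conf.d/,
# sites-enabled/) is the Ubuntu one this guide uses; realm "gods" and the
# password file match the /rutorrent setup above.
#
#   audit_scgi_mounts /etc/apache2 || rpc2_auth_block /RPC2 | sudo tee /etc/apache2/conf.d/rpc2-auth

# scgi_mount_paths DIR: URL paths mounted with SCGIMount anywhere under DIR
#   "SCGIMount /RPC2 127.0.0.1:5000"  ->  "/RPC2"
scgi_mount_paths() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        awk 'tolower($1) == "scgimount" && NF >= 2 { print $2 }' "$f"
    done | sort -u
}

# location_protected DIR PATH: true if some <Location PATH> block under DIR
# contains a Require line (Apache applies the auth directives in that block
# to every request for PATH, whichever virtual host serves it).
location_protected() {
    dir=$1; path=$2
    find "$dir" -type f 2>/dev/null | while read -r f; do
        awk -v p="$path" '
            tolower($1) == "<location"   { gsub(/[">]/, "", $2); inblock = ($2 == p); next }
            tolower($1) == "</location>" { inblock = 0; next }
            inblock && tolower($1) == "require" { found = 1 }
            END { exit (found ? 0 : 1) }
        ' "$f" && echo protected
    done | grep -q protected
}

# audit_scgi_mounts DIR: list each mount with its status; exit 1 if any mount
# is reachable without authentication.
audit_scgi_mounts() {
    dir=$1; open=0
    for p in $(scgi_mount_paths "$dir"); do
        if location_protected "$dir" "$p"; then
            echo "ok    $p is inside an authenticated <Location>"
        else
            echo "OPEN  $p answers XML-RPC to anyone who can reach the web server"
            open=1
        fi
    done
    return $open
}

# rpc2_auth_block PATH: the Location block to drop into conf.d/, using the
# same Digest realm and htdigest file as the /rutorrent block in the site file.
rpc2_auth_block() {
    cat <<EOF
<Location $1>
    AuthType Digest
    AuthName "gods"
    AuthDigestProvider file
    AuthUserFile /etc/apache2/passwords
    Require valid-user
</Location>
EOF
}
```

Run audit_scgi_mounts /etc/apache2; if it reports /RPC2 as OPEN, write the output of rpc2_auth_block /RPC2 into /etc/apache2/conf.d/rpc2-auth with sudo tee, run apache2ctl configtest and then reload. With rutorrent's default config.php (scgi_host/scgi_port pointing at 127.0.0.1:5000) the web UI talks to rtorrent over SCGI directly, so the password on /RPC2 only affects external XML-RPC clients, which then need the same Digest credentials.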
The *:443 VirtualHost is already in this file, so there is no need to enable the stock default-ssl site (that would add a second *:443 host using the snakeoil certificate); if you enabled it earlier, turn it off with a2dissite default-ssl.
And now lets reload Apache.
$ sudo /etc/init.d/apache2 reload
Check that everything is working by opening a browser and going to:
https://<servername or IP>
You should see this message:
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
Webmin:
I like to use Webmin for web based administration of my servers. It offers a very convenient way to remotely administer your server from anywhere with a net connection and a web browser. Remember that Webmin runs as root and accepts your system login, so whoever gets that password owns the server: keep port 10000 restricted to your own IP in the firewall, and treat its self-signed certificate warning the same way as Apache's.
First add some dependencies for Webmin
$ sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python python-minimal libapt-pkg-perl perl-base perl-modules
Ubuntu 11.04
For libmd5-perl install it manually
$ wget http://ftp.debian.org/pool/main/libm...2.03-1_all.deb
$ sudo dpkg -i libmd5-perl_2.03-1_all.deb
First lets add the webmin repository to our sources.list file so that we can use apt to install it easily
$ sudo nano /etc/apt/sources.list
Add the line(s) for your release to the end of the file:
Ubuntu 10.04
deb http://download.webmin.com/download/repository sarge contrib
Ubuntu 10.10
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsol....uk/repository sarge contrib
Ubuntu 11.04
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsol....uk/repository sarge contrib
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Lets now fetch and install the PGP key for this new repository so we're not warned about it. The key is fetched over plain http, and trusting it lets any package signed with it install as root, so check its fingerprint against the one published on webmin.com before adding it.
$ wget http://www.webmin.com/jcameron-key.asc
$ sudo apt-key add jcameron-key.asc
Now we can install webmin
$ sudo apt-get update
$ sudo apt-get install webmin
Test webmin is working by opening a browser and going to:
https://<servername or IP>:10000
Login with the system user you created earlier
rtorrent:
Building rtorrent from source
You can install rtorrent using apt, but the package there isn’t compiled with xmlrpc-c, which we need to use with rutorrent.
So we're going to compile our own version of rtorrent using xmlrpc-c
Enter these commands one line at a time, and not the whole block at once.
Create source directory
$ cd ~/
$ mkdir source
$ cd source
Install libtorrent
$ git clone https://github.com/rakshasa/libtorrent.git libtorrent-git
$ cd libtorrent-git
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
$ sudo ldconfig
$ cd ../
Install xmlrpc-c
$ svn co https://xmlrpc-c.svn.sourceforge.net...lrpc-c/stable/ xmlrpc-c-svn
$ cd xmlrpc-c-svn
$ ./configure --disable-cplusplus
$ make
$ sudo make install
$ cd ../
Install rtorrent with xmlrpc-c support
$ git clone https://github.com/rakshasa/rtorrent.git rtorrent-git
$ cd rtorrent-git
$ ./autogen.sh
$ ./configure --with-xmlrpc-c
$ make
$ sudo make install
$ sudo ldconfig
$ cd ../
**NOTE**
These clones take whatever is at the head of each repository on the day you run them, so libtorrent and rtorrent are only guaranteed to match each other if you build both in the same sitting. The ldconfig after installing libtorrent registers the freshly installed library in /usr/local/lib with the dynamic linker before rtorrent is built and run against it.
Configuring rtorrent:
rtorrent needs a config file to initialize it. Here's mine...you'll need to edit it for your own environment, and make sure that the paths all exist and are writable by the user you will run rtorrent with.
**NOTE**
This is a good configuration for a 100 Mbit/1 Gbit server
Create the empty rtorrent configuration file and paste this config into it.
$ nano ~/.rtorrent.rc
The file should be saved in the home directory of the user you will run rtorrent with. I use the same system user we created earlier, which is why there is no sudo here: running nano through sudo would leave the file owned by root.
# This is an example resource file for rTorrent. Copy to
# ~/.rtorrent.rc and enable/modify the options as needed. Remember to
# uncomment the options you wish to enable.
#
# Based on original .rtorrent.rc file from The libTorrent and rTorrent Project
# Modified by Lemonberry for rtGui rtgui - Project Hosting on Google Code
#
# This assumes the following directory structure:
#
# /Torrents/Downloading - temporary location for torrents while downloading (see "directory")
# /Torrents/Complete - Torrents are moved here when complete (see "on_finished")
# /Torrents/TorrentFiles/Auto - The 'autoload' directory for rtorrent to use. Place a file
# in here, and rtorrent loads it #automatically. (see "schedule = watch_directory")
# /Torrents/Downloading/rtorrent.session - for storing rtorrent session information
#
# Maximum and minimum number of peers to connect to per torrent.
min_peers = 100
max_peers = 500
# Same as above but for seeding completed torrents (-1 = same as downloading)
min_peers_seed = -1
max_peers_seed = -1
# Maximum number of simultaneous uploads per torrent.
max_uploads = 500
# Global upload and download rate in KiB. "0" for unlimited.
download_rate = 0
upload_rate = 0
# Default directory to save the downloaded torrents.
directory = /home/downloads/<username>
# Default session directory. Make sure you don't run multiple instance
# of rtorrent using the same session directory. Perhaps using a
# relative path?
session = /home/downloads/<username>/.session
# Watch a directory for new torrents, and stop those that have been
# deleted.
schedule = watch_directory,5,5,load_start=/home/downloads/<username>/watch/*.torrent
schedule = untied_directory,5,5,stop_untied=
# Close torrents when diskspace is low.
schedule = low_diskspace,5,60,close_low_diskspace=100M
# Stop torrents when reaching upload ratio in percent,
# when also reaching total upload in bytes, or when
# reaching final upload ratio in percent.
# example: stop at ratio 2.0 with at least 200 MB uploaded, or else ratio 20.0
#schedule = ratio,60,60,stop_on_ratio=200,200M,2000
# When the torrent finishes, it executes "mv -n <base_path> ~/Download/"
# and then sets the destination directory to "~/Download/". (0.7.7+)
# on_finished = move_complete,"execute=mv,-u,$d.get_base_path=,/home/downloads/<username>/complete/ ;d.set_directory=/home/downloads/<username>/complete/"
# The ip address reported to the tracker.
#ip = 127.0.0.1
#ip = rakshasa.no
# The ip address the listening socket and outgoing connections is
# bound to.
#bind = 127.0.0.1
#bind = rakshasa.no
# Port range to use for listening.
port_range = 57001-57001
# Start opening ports at a random position within the port range.
#port_random = yes
scgi_port = 127.0.0.1:5000
# Check hash for finished torrents. Might be useful until the bug is
# fixed that causes lack of diskspace not to be properly reported.
#check_hash = no
# Set whether the client should try to connect to UDP trackers.
use_udp_trackers = no
# Alternative calls to bind and ip that should handle dynamic ip's.
#schedule = ip_tick,0,1800,ip=rakshasa
#schedule = bind_tick,0,1800,bind=rakshasa
# Encryption options, set to none (default) or any combination of the following:
# allow_incoming, try_outgoing, require, require_RC4, enable_retry, prefer_plaintext
#
# The example value allows incoming encrypted connections, starts unencrypted
# outgoing connections but retries with encryption if they fail, preferring
# plaintext to RC4 encryption after the encrypted handshake
#
encryption = allow_incoming,enable_retry,prefer_plaintext
# Enable DHT support for trackerless torrents or when all trackers are down.
# May be set to "disable" (completely disable DHT), "off" (do not start DHT),
# "auto" (start and stop DHT as needed), or "on" (start DHT immediately).
# The default is "off". For DHT to work, a session directory must be defined.
#
dht = disable
# UDP port to use for DHT.
#
# dht_port = 6881
# Enable peer exchange (for torrents not marked private)
#
peer_exchange = no
#
# Do not modify the following parameters unless you know what you're doing.
#
# Hash read-ahead controls how many MB to request the kernel to read
# ahead. If the value is too low the disk may not be fully utilized,
# while if too high the kernel might not be able to keep the read
# pages in memory thus end up thrashing.
#hash_read_ahead = 10
# Interval between attempts to check the hash, in milliseconds.
#hash_interval = 100
# Number of attempts to check the hash while using the mincore status,
# before forcing. Overworked systems might need lower values to get a
# decent hash checking rate.
#hash_max_tries = 10
# Max number of files to keep open simultaneously.
#max_open_files = 512
# Number of sockets to simultaneously keep open.
#max_open_sockets = <no default>
# Example of scheduling commands: Switch between two ip's every 5
# seconds.
#schedule = "ip_tick1,5,10,ip=torretta"
#schedule = "ip_tick2,10,10,ip=lampedusa"
# Remove a scheduled event.
#schedule_remove = "ip_tick1"
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Ensure that the correct directories exist as you specified in the .rtorrent.rc file
$ sudo mkdir /home/downloads
$ sudo mkdir /home/downloads/<username>
$ sudo mkdir /home/downloads/<username>/watch
$ sudo mkdir /home/downloads/<username>/.session
$ sudo chown -R <username>:<username> /home/downloads/<username>
Chown only the download tree. A recursive chown of all of /home would hand this user every other account's home directory, including files under them that are meant to stay root-owned.
Now check your config file is ok by trying to start rtorrent
$ rtorrent
If rtorrent starts, you're good. Use CTRL-Q to quit it.
If rtorrent doesn't start and you get an error, then note the error and fix your config file as necessary.
Set Ubuntu To Have Unlimited Open Files
rtorrent keeps many files and sockets open at once, so raise the per-process open-file limit above the default of 1024. The startup script below launches rtorrent through su, which is why su's PAM stack has to load pam_limits for the new limit to apply to it.
If you are the normal user temporarily become root
$ su root
Enter root password when asked.
# nano /etc/pam.d/su
Uncomment the following line
#session required pam_limits.so
to
session required pam_limits.so
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Now in the terminal do
# nano /etc/security/limits.conf
Add the following lines to the end of the file (before the line # End of file)
* soft nofile 4084
* hard nofile 4084
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
rtorrent Startup Script:
Since we don't want to have to start rtorrent manually every time the server boots, we're going to start it automatically, and we'll run it in a screen session.
Now we'll create the startup script
$ sudo nano /etc/init.d/rtorrent
Paste the script below into that file, edited as necessary to change the username that you want rtorrent to run as. Replace anything that says <username> with the username you created before; the script drops to that user through su, so rtorrent never runs as root.
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
#!/bin/sh
#############
###<Notes>###
#############
# This script depends on screen.
# For the stop function to work, you must set an
# explicit session directory using ABSOLUTE paths (no, ~ is not absolute) in your rtorrent.rc.
# If you typically just start rtorrent with just "rtorrent" on the
# command line, all you need to change is the "user" option.
# Attach to the screen session as your user with
# "screen -dr rtorrent". Change "rtorrent" with srnname option.
# Licensed under the GPLv2 by lo***ihilist: lo***ihilist _at_ gmail _dot_ com
##############
###</Notes>###
##############
#######################
##Start Configuration##
#######################
# You can specify your configuration in a different file
# (so that it is saved with upgrades, saved in your home directory,
# or whatever reason you want to)
# by commenting out/deleting the configuration lines and placing them
# in a text file (say /home/user/.rtorrent.init.conf) exactly as you would
# have written them here (you can leave the comments if you desire
# and then uncommenting the following line correcting the path/filename
# for the one you used. note the space after the ".".
# . /etc/rtorrent.init.conf
#Do not put a space on either side of the equal signs e.g.
# user = user
# will not work
# system user to run as
user="<username>"
# the system group to run as, not implemented, see d_start for beginning implementation
# group=`id -ng "$user"`
# the full path to the filename where you store your rtorrent configuration
config="`su -c 'echo $HOME' $user`/.rtorrent.rc"
# set of options to run with
options=""
# default directory for screen, needs to be an absolute path
base="`su -c 'echo $HOME' $user`"
# name of screen session
srnname="rtorrent"
# file to log to (makes for easier debugging if something goes wrong)
logfile="/var/log/rtorrentInit.log"
#######################
###END CONFIGURATION###
#######################
PATH=/usr/bin:/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin
DESC="rtorrent"
NAME=rtorrent
DAEMON=$NAME
SCRIPTNAME=/etc/init.d/$NAME
checkcnfg() {
    exists=0
    for i in `echo "$PATH" | tr ':' '\n'` ; do
        if [ -f $i/$NAME ] ; then
            exists=1
            break
        fi
    done
    if [ $exists -eq 0 ] ; then
        echo "cannot find rtorrent binary in PATH $PATH" | tee -a "$logfile" >&2
        exit 3
    fi
    if ! [ -r "${config}" ] ; then
        echo "cannot find readable config ${config}. check that it is there and permissions are appropriate" | tee -a "$logfile" >&2
        exit 3
    fi
    session=`getsession "$config"`
    if ! [ -d "${session}" ] ; then
        echo "cannot find readable session directory ${session} from config ${config}. check permissions" | tee -a "$logfile" >&2
        exit 3
    fi
}
d_start() {
    [ -d "${base}" ] && cd "${base}"
    stty stop undef && stty start undef
    su -c "screen -ls | grep -sq "\.${srnname}[[:space:]]" " ${user} || su -c "screen -dm -S ${srnname} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
    # this works for the screen command, but starting rtorrent below adopts screen session gid
    # even if it is not the screen session we started (e.g. running under an undesirable gid
    #su -c "screen -ls | grep -sq "\.${srnname}[[:space:]]" " ${user} || su -c "sg \"$group\" -c \"screen -fn -dm -S ${srnname} 2>&1 1>/dev/null\"" ${user} | tee -a "$logfile" >&2
    su -c "screen -S "${srnname}" -X screen rtorrent ${options} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
}
d_stop() {
    session=`getsession "$config"`
    if ! [ -s ${session}/rtorrent.lock ] ; then
        return
    fi
    pid=`cat ${session}/rtorrent.lock | awk -F: '{print($2)}' | sed "s/[^0-9]//g"`
    if ps -A | grep -sq ${pid}.*rtorrent ; then # make sure the pid doesn't belong to another process
        kill -s INT ${pid}
    fi
}
getsession() {
    session=`cat "$1" | grep "^[[:space:]]*session[[:space:]]*=" | sed "s/^[[:space:]]*session[[:space:]]*=[[:space:]]*//" `
    echo $session
}
checkcnfg
case "$1" in
    start)
        echo -n "Starting $DESC: $NAME"
        d_start
        echo "."
        ;;
    stop)
        echo -n "Stopping $DESC: $NAME"
        d_stop
        echo "."
        ;;
    restart|force-reload)
        echo -n "Restarting $DESC: $NAME"
        d_stop
        sleep 1
        d_start
        echo "."
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac
exit 0
Now we need to change the user and group ownership of that file and make it executable
$ sudo chown root:root /etc/init.d/rtorrent
$ sudo chmod a+x /etc/init.d/rtorrent
Now let's tell Ubuntu to run this script at startup
$ cd /etc/init.d
$ sudo update-rc.d rtorrent defaults
Test the script:
$ sudo /etc/init.d/rtorrent start
Check that an rtorrent and a screen process are running using htop
$ htop
To exit htop, hit F10
rutorrent
ruTorrent is really just a set of php and html files, so we're going to install them to a folder under our web server root.
We're going to get the latest files from the subversion repository, and update them to the newest version.
$ cd /var/www
$ sudo svn co http://rutorrent.googlecode.com/svn/trunk/rutorrent
Update SVN Checkout
$ cd /var/www/rutorrent
$ sudo svn up
Now we'll download some useful rutorrent plugins
$ sudo wget http://rutorrent.googlecode.com/file...ins-3.3.tar.gz
$ sudo tar -xvf plugins-3.3.tar.gz
$ sudo rm plugins-3.3.tar.gz
Now let's change ownership of the rutorrent files to the web server user, and change the permissions on them
$ cd /var/www
$ sudo chown -R www-data:www-data rutorrent
$ sudo chmod -R 777 rutorrent
OK, now visit your rutorrent site to check it's all working:
https://<servername or IP>/rutorrent
You should be prompted for the username and password we set up earlier for password protection of our web server.
Now you should see the rutorrent web gui, and be able to add torrents.
FTPS / SFTP
**NOTE**
If you just want to use SFTP (FTP over SSH), you don't need to do anything more here.
Just connect with an FTP client via SFTP to your server on the SSH port you use.
If you want to set up FTPS (FTP using SSL encryption) then we'll set up Pure-FTPd.
Pure-FTPd
$ sudo apt-get install pure-ftpd
Now let's create another SSL certificate (you could use the ones you created earlier if you like - I prefer to keep them separate)
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
$ sudo chmod 600 /etc/ssl/private/pure-ftpd.pem
This will create a self-signed certificate for your server that lasts for 1 year (the -days option; without it openssl defaults to 30 days). You'll be prompted for a lot of information. Whenever you're asked for a name, use your domain name if you have one. The rest you can leave blank or fill in with whatever you like.
Now let's edit the Pure-ftpd config.
Pure-ftpd doesn't use a config file like other FTP daemons. Instead it starts with a set of command-line switches.
However, the init.d startup script that was installed with the pure-ftpd package can parse a directory of single-line 'config files' in order to dynamically build the correct set of command-line switches.
So all we need to do is create these single-line files in the right place:
Temporarily act as root user
$ su root
Enter the root password when asked
# cd /etc/pure-ftpd/conf/
# echo ,<port to be used for FTP> > Bind
# echo <server IP> > ForcePassiveIP
# echo <port range used for Passive Mode of FTP> > PassivePortRange
# echo 1 > TLS
The first 'echo' line above creates a file that tells Pure-ftpd to use a particular port, so change the number to the port you wish to use.
The second 'echo' line creates a file that tells Pure-ftpd to use the given static IP address for Passive mode. You need to set this to the IP of your server.
The third 'echo' line determines what port range to use for Passive mode.
If you want additional security, also do the following:
# echo yes > ProhibitDotFilesRead
# echo yes > ProhibitDotFilesWrite
# echo yes > NoChmod
# echo yes > BrokenClientsCompatibility
The first two 'echo' lines create files that stop users reading and writing system files that have a leading '.' in their filename (hidden files).
The third 'echo' line creates a file that stops users changing the permissions on files and folders.
The final 'echo' line creates a file that prevents clients that don't strictly adhere to the FTP/FTPS protocol from connecting.
Now let's configure how users will authenticate
# echo no > PAMAuthentication
# echo yes > UnixAuthentication
Here we are configuring it to use system usernames.
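To make the mechanism concrete, here is an added shell illustration of how a directory of one-line files like the ones above becomes a pure-ftpd switch list. It is my own example, not the guide's commands and not the Debian package's wrapper (which does this in Perl); the directory path is a parameter, the sample values are constructed, and the file-to-switch mapping assumes pure-ftpd's documented short options.

```shell
#!/bin/sh
# Added illustration (not the package's code): turn a directory of one-line
# files into pure-ftpd switches. Handles only the files the guide creates,
# mapped to the documented short options: -S bind, -P forcepassiveip,
# -p passiveportrange, -Y tls, -X/-x prohibit dot-file read/write, -R nochmod,
# -b brokenclientscompatibility, -l login backend.

# Print the first line of a one-line conf file, trimmed; fail if absent/empty.
conf_value() {
    [ -r "$1" ] || return 1
    val=$(tr -d '\r' < "$1" | sed -n '1s/^[[:space:]]*//;1s/[[:space:]]*$//;1p')
    [ -n "$val" ] && echo "$val"
}

# Emit the argument list for conf directory $1, one argument per line.
pureftpd_args() {
    dir=$1
    # Boolean files: "yes" passes the bare flag, anything else omits it.
    # Note that -b makes the daemon *tolerate* clients that bend the RFCs.
    for spec in ProhibitDotFilesRead:-X ProhibitDotFilesWrite:-x \
                NoChmod:-R BrokenClientsCompatibility:-b; do
        [ "$(conf_value "$dir/${spec%%:*}")" = yes ] && echo "${spec#*:}"
    done
    # Valued files: the file content becomes the switch's argument.
    v=$(conf_value "$dir/Bind")           && printf '%s\n' -S "$v"
    v=$(conf_value "$dir/ForcePassiveIP") && printf '%s\n' -P "$v"
    v=$(conf_value "$dir/TLS")            && printf '%s\n' -Y "$v"
    # The range may be written "first last"; pure-ftpd expects "first:last".
    v=$(conf_value "$dir/PassivePortRange") && printf '%s\n' -p "$(echo "$v" | tr ' ' ':')"
    # Authentication files select the -l login backend.
    [ "$(conf_value "$dir/PAMAuthentication")" = yes ]  && printf '%s\n' -l pam
    [ "$(conf_value "$dir/UnixAuthentication")" = yes ] && printf '%s\n' -l unix
    return 0
}

# Constructed sample directory mirroring the guide's "echo ... > File" steps.
write_sample_conf() {
    mkdir -p "$1"
    echo ,2121 > "$1/Bind";                     echo 203.0.113.5 > "$1/ForcePassiveIP"
    echo "30000 30100" > "$1/PassivePortRange"; echo 1 > "$1/TLS"
    for f in ProhibitDotFilesRead ProhibitDotFilesWrite NoChmod \
             BrokenClientsCompatibility UnixAuthentication; do echo yes > "$1/$f"; done
    echo no > "$1/PAMAuthentication"
}

d=$(mktemp -d); write_sample_conf "$d"
echo "pure-ftpd would be started as: pure-ftpd $(pureftpd_args "$d" | tr '\n' ' ')"
rm -rf "$d"
```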
Now just restart the FTP service
# /etc/init.d/pure-ftpd restart
Test everything is ok by connecting to the FTP service with an FTP client set to use the FTPS protocol, on the port you chose.
And return to the normal user
# exit
Linux Firewall
Now it is time to set up the Linux firewall to close all the ports other than the ones we need. This is where the GUI will come in handy for those who do not understand IPTables.
First we will restart our server to make sure everything is a go, and then we will update it afterward.
So connect with Putty and type
$ sudo reboot
After about 5 minutes reconnect with Putty as the normal user.
Now update
$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get clean && sudo apt-get autoclean
GUI with GNOME/NX
Connect with your NX client on your windows machine.
Now with firestarter installed we can set up the Linux Firewall. (This was previously installed at the beginning of the tutorial.)
Go to System > Administration > Firestarter
-When you launch the GUI for the first time, it will take you through a setup wizard.
-Click Forward, and you will be able to select the network device. You must choose this device correctly. There may be a list of them. On almost all setups you will choose eth0.
-Select eth0
-Do check the other boxes.
-Click Forward, and then click Forward again.
-Uncheck the option to start the firewall now. You must uncheck this or it will lock out all ports when you click Save.
-Click the Policy tab
-Make sure that Editing is set to Inbound Traffic Policy
-Right click under Allow Service, and you will do this individually for all your ports you need open.
Port = 32002, 80, 443, 10000, 57001 (33002 should only be set if you setup tinyproxy)
Anyone should be set for 57001
All others are to be set to your IP, unless you have a Dynamic IP address in which case you should set all of these ports to Anyone.
VNC
Connect to your VNC desktop on your Windows machine.
Now with firestarter installed we can set up the Linux Firewall. (This was previously installed at the beginning of the tutorial.)
-Right-click on the desktop and open an xterm window.
-When xterm opens type
$ sudo firestarter
Enter the password for root when asked. If an error appears select ok and ignore it.
-When you launch the GUI for the first time, it will take you through a setup wizard.
-Click Forward, and you will be able to select the network device. You must choose this device correctly. There may be a list of them. On almost all setups you will choose eth0.
-Select eth0
-Do check the other boxes.
-Click Forward, and then click Forward again.
-Uncheck the option to start the firewall now. You must uncheck this or it will lock out all ports when you click Save.
-Click the Policy tab
-Make sure that Editing is set to Inbound Traffic Policy
-Right click under Allow Service, and you will do this individually for all your ports you need open.
Port = 32002, 80, 443, 10000, 57001 (33002 should only be set if you setup tinyproxy)
Anyone should be set for 57001
All others are to be set to your IP, unless you have a Dynamic IP address in which case you should set all of these ports to Anyone.
You're encouraged to change the ports used as examples in this guide - just make sure you write them down, and double check them before implementing any firewall rules.
You should also check with your host in case that they use any automatic network monitoring tools.
If they do, you may need to leave some ports open to respond to pings and so on, otherwise their tools might think your server is down and try rebooting it or putting it into recovery mode. Best just to check with them.
Fail2Ban:
Login through Putty to your Server as your normal user, and then become root
$ su root
Enter root password when asked.
Install Fail2ban
# apt-get update && apt-get upgrade
# apt-get install fail2ban
Answer yes to all things asked.
Open the config file of Fail2Ban, called the jail, to be edited.
# nano /etc/fail2ban/jail.conf
After you open the jail.conf file look for the following line "ignoreip". This is where you are going to put your IP address at home so you don't get blocked. Make the following changes
ignoreip = 127.0.0.1 Your_Home_IP
EX : ignoreip = 127.0.0.1 24.127.*.* 192.168.1.*
**NOTE**
You can use as many IP's as you want. Just use a space in between each IP address. If you have a Dynamic IP, it would be a good idea to accept the whole range like I gave in the example above.
This next 'STEP' is not done in the 'jail.conf' file and is just to show you how to unban an IP using IPTables. To flush all SSH fail2ban rules:
# iptables -F fail2ban-ssh
To delete just 1 IP rule (the rule must be spelled out exactly as fail2ban inserted it, source address and DROP target):
# iptables -D fail2ban-ssh -s <host-name or IP> -j DROP
Now that's out of the way we can continue with the 'jail.conf' and make the following changes
[ssh]
enabled = true
port = ssh
maxretry = 5
**NOTE**
If you are using the standard port 22 for ssh then you can leave the above just as "port = ssh". If you are not using that port number then you need to put it like this: port = 33002
All lines for Apache should be set to true
Scroll to the bottom of jail.conf and add these lines to monitor Webmin and Pure-FTPd
[webmin-auth]
enabled = true
port = 10000
filter = webmin-auth
logpath = /var/log/auth.log
maxretry = 3
[pure-ftpd]
enabled = true
port = <Port used for FTP on Server>
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 3
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
All we need to do now is restart Fail2ban with this command:
# /etc/init.d/fail2ban restart
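Before that restart it is worth checking the file for the two mistakes this section warns about: your own address missing from ignoreip, and an [ssh] jail whose port does not match the port sshd really listens on (the ban rule then never matches the traffic). Here is an added shell check, not part of the guide or of fail2ban; the jail.conf and sshd_config paths are parameters and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added check (not from the guide): inspect jail.conf and sshd_config before
# restarting fail2ban. Catches a home IP missing from ignoreip (you ban yourself
# after a few typos) and an [ssh] jail port that differs from sshd's real port.
# Paths are parameters; the sample files written below are constructed.

# Print "jail port" for every [section] with "enabled = true" (DEFAULT skipped).
enabled_jails() {
    awk '
        function emit() { if (sec != "" && sec != "DEFAULT" && en) print sec, port }
        /^[ \t]*\[/ { emit(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); en = 0; port = "" }
        /^[ \t]*enabled[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v); en = (v == "true") }
        /^[ \t]*port[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v); port = v }
        END { emit() }
    ' "$1"
}

# Succeed if $2 is listed (exactly) on the ignoreip line of jail.conf $1.
ignoreip_has() {
    grep -E '^[[:space:]]*ignoreip[[:space:]]*=' "$1" | tr -s '[:blank:]' '\n' | grep -qxF "$2"
}

# Port sshd listens on according to sshd_config $1 ("Port N"), default 22.
sshd_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# Succeed if the [ssh] jail is enabled and its port matches sshd's ("ssh" = 22).
ssh_jail_ok() {
    jp=$(enabled_jails "$1" | awk '$1 == "ssh" { print $2 }')
    [ "$jp" = ssh ] && jp=22
    [ -n "$jp" ] && [ "$jp" = "$(sshd_port "$2")" ]
}

# Constructed sample configs in directory $1 (not real files from any host).
write_samples() {
    printf '%s\n' '[DEFAULT]' 'ignoreip = 127.0.0.1 203.0.113.7' \
        '[ssh]' 'enabled = true' 'port = 33002' 'maxretry = 5' \
        '[apache]' 'enabled = false' 'port = http,https' \
        '[webmin-auth]' 'enabled = true' 'port = 10000' 'maxretry = 3' > "$1/jail.conf"
    printf 'Port 33002\nPermitRootLogin no\n' > "$1/sshd_config"
}

d=$(mktemp -d); write_samples "$d"
echo "enabled jails:"; enabled_jails "$d/jail.conf"
ignoreip_has "$d/jail.conf" 203.0.113.7 && echo "home IP 203.0.113.7 is in ignoreip"
ssh_jail_ok "$d/jail.conf" "$d/sshd_config" && echo "[ssh] jail port matches sshd"
rm -rf "$d"
```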
**NOTE**
I have taken all of this information and compiled it into one setup because it's the way I set my servers up. Many sources and exhausting google searches have made this possible. Thank you to those that took the time to let me destroy some OVH and LeaseWeb servers with their great tutorials. The most notable person would be MikeD who, after I added a fail2ban snippet to his great tutorial, said I should write one of my own....and here it is.