Ubuntu 12.04 Server w/ GUI, Permanent Auto Connecting SSH Tunnel, Fail2Ban, etc....


Results 1 to 2 of 2
  1. #1

    Join Date
    Oct 2010
    Location
    St Louis, Missouri
    Posts
    57

    Ubuntu 12.04 Server w/ GUI, Permanent Auto Connecting SSH Tunnel, Fail2Ban, etc....

    Introduction:

    This is just an updated version of the guide I made a while back for Ubuntu 10.04, and this includes Lighttpd instead of Apache for the webserver as it is lighter. So, on with the show.

    First off let me say this guide is definitely open to suggestion on improvements. So please leave comments if a better way to do something in this guide is needed, also if anything is outdated and is in need of an update. Thank You. :)


    This guide is for those who want their server with GUI, rtorrent/rutorrent, Lighttpd, SFTP, Webmin, Fail2ban, Firewall, and permanent auto connecting SSH Tunnel, and/or Proxy from a home Windows machine to a remote Ubuntu server.

    Every command with # next to it is to be performed as root
    Every command with $ next to it is to be performed as your user
    -Do not type these symbols into Putty when logged into your server. They are there only to show if you need to be root or your normal user.
    -Do not enter multiple lines of code at once. Take your time and go one by one, line by line. This is a server setup, not a race...It is supposed to take a couple hours. :)

    Pre-requisites:

    An Ubuntu 12.04 LTS (x86 or x64) with root access via Putty
    **NOTE**
    Might work on some earlier/later versions, and on other Debian based distros, but this is untested

    -and-

    A Windows home machine running Windows XP - Windows 7 (x86 - x64)

    Basics

    Initial Login:

    Login to your server as root via SSH

    Windows:
    -Download Putty and run it
    -Download Putty from here
    -Once open enter the IP address of your server where Host is, and enter the port number where asked as well. (Usually 22)
    -Set the Radio button to SSH
    -In the box below type in the name you want to save this connection as. Such as OVH or LeaseWeb...or whatever you want.
    -Click the Save button
    **NOTE**
    This will save the session so you do not need to enter this info in every time you want to connect via SSH. All you will need to do is double click the saved connection in the box and Putty will connect.
    -Click Open and when connected the server will ask for username. Enter it (Usually root) and do the same for the password when asked.

    **OPTIONAL**
    After connected and you are root, you may change the password to something you would remember a bit easier.
    Make sure your new password:
    -is NOT a dictionary word
    -includes AT LEAST two numbers
    -uses upper AND lowercase letters
    -is AT LEAST 10 characters long

    Change Password:
    # passwd
    -Press Enter
    -Set the new password (You will be asked twice for it)

    Delete SSH Authorized Keys

    This is for added protection to keep people from logging into your server unauthorized.
    # ls .ssh/authorized_keys2
    # rm .ssh/authorized_keys2
    Update Packages

    Ok, now we're going to make sure our Ubuntu installation is up to date.
    # apt-get update
    This will update the package database with all the latest packages available.
    # apt-get upgrade
    This will upgrade any packages that are out of date on your install. When asked if you want to do the upgrades (if any) type y and press Enter.

    **NOTE**
    -To run both together and not have to enter a command twice you should use && like so
    # apt-get update && apt-get upgrade
    -To clean the system of old packages and/or broken packages enter the following command.
    # apt-get clean && apt-get autoclean
    Add two packages to be used

    Before we add a user to use we need to make sure that packages 'sudo' and 'nano' are installed. Use this command to install them.
    # apt-get install sudo nano
    Create a new user that we’ll install everything with



    For security purposes, we’re going to add a new user and disable SSH access for the root user.
    # adduser <username>
    Replace <username> with a username of your choosing.
    Fill in all the details when prompted (e.g. password)
    Add your new user to the sudoers file. This allows this user to use elevated privileges when needed to do things that normally only the root user could do.
    # visudo
    In recent versions of Ubuntu this opens the sudoers file for editing in a lightweight editor called nano.
    Scroll down and find this line:
    root ALL=(ALL) ALL
    On the next line add:
    <username> ALL=(ALL) ALL
    Replace <username> with the username we created earlier.
    Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.

    Lock down SSH

    Now we will change some SSH settings.
    We're going to use a different port, and prevent root access via SSH
    # nano /etc/ssh/sshd_config
    Change the following lines as below.
    Use a high port of your choosing. I recommend a port over 20000.
    Port 32002
    Protocol 2
    PermitRootLogin no
    X11Forwarding no
    Then add these lines at the end of the file:
    UseDNS no
    AllowUsers <username>
    **NOTE**
    As usual, replace <username> with the name of the user you created. Any additional usernames to be added such as nx (Add this if you use NX Server or FreeNX) should be separated with a space.
    -Example-
    AllowUsers heebyjeeby nx gnarkill sally
    Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
    Now restart the SSH daemon
    # /etc/init.d/ssh reload
    Log out of SSH and log back in as the new user you created earlier.
    # exit
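A small check for the sshd_config edits above, added here as an example and not part of the original post. It assumes Python 3 and a copy of the config text; the keyword names and values are the ones the post sets, and the parser follows sshd's rule that the first value of a keyword wins.

```python
"""Audit an sshd_config against the hardening the guide applies.

Constructed example: this is not code from the original post. It parses
the sshd_config keywords the guide edits (Port, Protocol, PermitRootLogin,
X11Forwarding, UseDNS, AllowUsers) and reports anything that deviates.
OpenSSH uses the FIRST value it finds for most keywords, so the parser
does the same; AllowUsers lines accumulate instead.
"""

# Values the guide sets; AllowUsers only needs to be present and non-empty.
EXPECTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "x11forwarding": "no",
    "usedns": "no",
}


def parse_sshd_config(text):
    """Return ({keyword: first value}, [allowed users]) from sshd_config text."""
    first = {}
    allow_users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value; sshd would reject it, skip here
        key, value = parts[0].lower(), parts[1].strip()
        if key == "allowusers":
            allow_users.extend(value.split())
        elif key not in first:
            first[key] = value  # first occurrence wins, as in sshd
    return first, allow_users


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config matches the guide."""
    cfg, allow_users = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            findings.append("%s is not set (guide sets it to %s)" % (key, want))
        elif got.lower() != want:
            findings.append("%s is %s, guide sets it to %s" % (key, got, want))
    port = cfg.get("port", "22")  # sshd default when the keyword is absent
    if not port.isdigit():
        findings.append("Port value %r is not a number" % port)
    elif int(port) == 22:
        findings.append("Port is still the default 22; guide recommends a port over 20000")
    if not allow_users:
        findings.append("AllowUsers is missing; any account with a password can log in")
    return findings


# Constructed sample: a config edited as the guide describes.
HARDENED = """\
# Package generated configuration file
#Port 22
Port 32002
Protocol 2
PermitRootLogin no
X11Forwarding no
UseDNS no
AllowUsers heebyjeeby nx
"""

# Constructed sample: the stock file, where only the comment was changed.
STOCK = """\
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
X11Forwarding yes
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("stock", STOCK)):
        print(name, audit_sshd_config(text) or ["ok"])
```

Run it against `/etc/ssh/sshd_config` (read as root) before reloading sshd; an empty result means the file matches what the post describes.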
    Windows Putty Session with New Port

    -To add your new port to your saved session in Putty, first open Putty back up. Click once on the name of your saved session from earlier so it is highlighted. Click Load, and at the top where port is, change the port to the new port you put in on the sshd_config file we just edited. Click save, and from now on you will be able to connect on the new port to your server by opening Putty and double clicking your saved session.
    -Now login with the new user and password you created when asked to do so.
    Login: <New User>
    Password: <Users Password>
    Install Necessary Basic Packages

    **NOTE**
    Now we use the $ symbol and the word sudo before a command. This means you are to be logged into the remote server as the new user we just created, and sudo is the command to temporarily retain root privileges when you are a normal user on your server.

    Ok, now let's install some important packages that we're going to need throughout this guide:
    12.04 LTS
    $ sudo apt-get install aptitude firestarter tinyproxy mktorrent subversion libncurses5 libncurses5-dev libsigc++-2.0-dev libcurl4-openssl-dev build-essential screen curl lighttpd lighttpd-doc php5-cgi php5-cli php5-common php5-curl libwww-perl libwww-curl-perl irssi screen fail2ban perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python python-minimal libapt-pkg-perl perl-base perl-modules apache2-utils htop unrar
    Windows Auto Logon SSH Tunnel:

    MyEnTunnel

    On your Windows machine open your internet browser and go to
    Scroll down and download the latest Stable version, and install it as a Windows service when given the option.

    Create Permanent Tunnel

    -Copy MyEnTunnel.exe and Plink.exe to your C: drive, keeping them together.
    -Open MyEnTunnel
    -Click the settings tab
    -Set your settings as if it were Putty
    SSH Server = <Server IP address>
    SSH Port = <Servers SSH Port>
    Username = <Your Normal User on the Server>
    Passphrase = <Your Normal User's Password on the Server>
    Port = <Whatever port you want your tunnel to be under. I set mine to the same as the SSH Port on the server for less confusion>
    -Check mark whatever boxes you'd like. Enable Dynamic Socks MUST be checked. Other notable ones would be
    Connect on Startup
    Reconnect on Failure
    Enable Slow Polling
    Infinite Retry Attempts
    Enable Compression
    -Click Connect, and after it has connected click Save, and then Hide. Now it is down by your clock.
    -Any program you want to use this tunnel (Firefox, uTorrent, mIRC, etc...) you must set it to use a SOCKS proxy with the IP address of 127.0.0.1 and the Port for whatever you chose MyEnTunnel to use.

    Proxy:

    **NOTE**
    If you are going to use all of your connections from your Windows machine to your server tunneled through SSH, you do not need this Proxy setup on your server. Just continue to GUI below and skip this. If you are like me and only want your uTorrent (or whatever client you use) traffic to be sent through your tunnel, and all others through an HTTP/HTTPS proxy, then continue setting up this Proxy on your server.

    Tinyproxy

    Edit the conf file of Tinyproxy.
    $ sudo nano /etc/tinyproxy.conf
    Changes noted in [square brackets]:
    ##
    ## tinyproxy.conf -- tinyproxy daemon configuration file
    ##
    ## This example tinyproxy.conf file contains example settings
    ## with explanations in comments. For descriptions of all
    ## parameters, see the tinyproxy.conf(5) manual page.
    ##

    #
    # User/Group: This allows you to set the user and group that will be
    # used for tinyproxy after the initial binding to the port has been done
    # as the root user. Either the user or group name or the UID or GID
    # number may be used.
    #
    User nobody [You can change these to your user and group, but it's optional, and don't make them root user or group.]
    Group nogroup

    #
    # Port: Specify the port which tinyproxy will listen on. Please note
    # that should you choose to run on a port lower than 1024 you will need
    # to start tinyproxy using root.
    #
    Port 8080 [my preference, you can set it to any other port of your choice, but don't go for a port below 1024]

    #
    # Listen: If you have multiple interfaces this allows you to bind to
    # only one. If this is commented out, tinyproxy will bind to all
    # interfaces present.
    #
    #Listen 192.168.0.1

    #
    # Bind: This allows you to specify which interface will be used for
    # outgoing connections. This is useful for multi-home'd machines where
    # you want all traffic to appear outgoing from one particular interface.
    #
    #Bind 192.168.0.1

    #
    # BindSame: If enabled, tinyproxy will bind the outgoing connection to the
    # ip address of the incoming connection.
    #
    BindSame yes [important to set to yes, easier management of multi IP proxies]

    #
    # Timeout: The maximum number of seconds of inactivity a connection is
    # allowed to have before it is closed by tinyproxy.
    #
    Timeout 600

    #
    # ErrorFile: Defines the HTML file to send when a given HTTP error
    # occurs. You will probably need to customize the location to your
    # particular install. The usual locations to check are:
    # /usr/local/share/tinyproxy
    # /usr/share/tinyproxy
    # /etc/tinyproxy
    #
    #ErrorFile 404 "/usr/share/tinyproxy/404.html"
    #ErrorFile 400 "/usr/share/tinyproxy/400.html"
    #ErrorFile 503 "/usr/share/tinyproxy/503.html"
    #ErrorFile 403 "/usr/share/tinyproxy/403.html"
    #ErrorFile 408 "/usr/share/tinyproxy/408.html"

    #
    # DefaultErrorFile: The HTML file that gets sent if there is no
    # HTML file defined with an ErrorFile keyword for the HTTP error
    # that has occured.
    #
    DefaultErrorFile "/usr/share/tinyproxy/default.html"

    #
    # StatHost: This configures the host name or IP address that is treated
    # as the stat host: Whenever a request for this host is received,
    # Tinyproxy will return an internal statistics page instead of
    # forwarding the request to that host. The default value of StatHost is
    # tinyproxy.stats.
    #
    #StatHost "tinyproxy.stats"
    #

    #
    # StatFile: The HTML file that gets sent when a request is made
    # for the stathost. If this file doesn't exist a basic page is
    # hardcoded in tinyproxy.
    #
    StatFile "/usr/share/tinyproxy/stats.html"

    #
    # Logfile: Allows you to specify the location where information should
    # be logged to. If you would prefer to log to syslog, then disable this
    # and enable the Syslog directive. These directives are mutually
    # exclusive.
    #
    Logfile "/var/log/tinyproxy/tinyproxy.log"

    #
    # Syslog: Tell tinyproxy to use syslog instead of a logfile. This
    # option must not be enabled if the Logfile directive is being used.
    # These two directives are mutually exclusive.
    #
    #Syslog On

    #
    # LogLevel:
    #
    # Set the logging level. Allowed settings are:
    # Critical (least verbose)
    # Error
    # Warning
    # Notice
    # Connect (to log connections without Info's noise)
    # Info (most verbose)
    #
    # The LogLevel logs from the set level and above. For example, if the
    # LogLevel was set to Warning, then all log messages from Warning to
    # Critical would be output, but Notice and below would be suppressed.
    #
    LogLevel Warning [might want to set this to Info at the beginning to see all the connections, but remember to change back to warning level, otherwise your log files will be cluttered up]

    #
    # PidFile: Write the PID of the main tinyproxy thread to this file so it
    # can be used for signalling purposes.
    #
    PidFile "/var/run/tinyproxy/tinyproxy.pid"

    #
    # XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which
    # contains the client's IP address.
    #
    XTinyproxy No [make this No]

    #
    # Upstream:
    #
    # Turns on upstream proxy support.
    #
    # The upstream rules allow you to selectively route upstream connections
    # based on the host/domain of the site being accessed.
    #
    # For example:
    # # connection to test domain goes through testproxy
    # upstream testproxy:8008 ".test.domain.invalid"
    # upstream testproxy:8008 ".our_testbed.example.com"
    # upstream testproxy:8008 "192.168.128.0/255.255.254.0"
    #
    # # no upstream proxy for internal websites and unqualified hosts
    # no upstream ".internal.example.com"
    # no upstream "www.example.com"
    # no upstream "10.0.0.0/8"
    # no upstream "192.168.0.0/255.255.254.0"
    # no upstream "."
    #
    # # connection to these boxes go through their DMZ firewalls
    # upstream cust1_firewall:8008 "testbed_for_cust1"
    # upstream cust2_firewall:8008 "testbed_for_cust2"
    #
    # # default upstream is internet firewall
    # upstream firewall.internal.example.com:80
    #
    # The LAST matching rule wins the route decision. As you can see, you
    # can use a host, or a domain:
    # name matches host exactly
    # .name matches any host in domain "name"
    # . matches any host with no domain (in 'empty' domain)
    # IP/bits matches network/mask
    # IP/mask matches network/mask
    #
    #Upstream some.remote.proxy:port

    #
    # MaxClients: This is the absolute highest number of threads which will
    # be created. In other words, only MaxClients number of clients can be
    # connected at the same time.
    #
    MaxClients 100

    #
    # MinSpareServers/MaxSpareServers: These settings set the upper and
    # lower limit for the number of spare servers which should be available.
    #
    # If the number of spare servers falls below MinSpareServers then new
    # server processes will be spawned. If the number of servers exceeds
    # MaxSpareServers then the extras will be killed off.
    #
    MinSpareServers 5
    MaxSpareServers 20

    #
    # StartServers: The number of servers to start initially.
    #
    StartServers 10

    #
    # MaxRequestsPerChild: The number of connections a thread will handle
    # before it is killed. In practise this should be set to 0, which
    # disables thread reaping. If you do notice problems with memory
    # leakage, then set this to something like 10000.
    #
    MaxRequestsPerChild 0

    #
    # Allow: Customization of authorization controls. If there are any
    # access control keywords then the default action is to DENY. Otherwise,
    # the default action is ALLOW.
    #
    # The order of the controls are important. All incoming connections are
    # tested against the controls based on order.
    #
    Allow 127.0.0.1
    Allow XXX.XXX.XXX.XXX [Important: set this to your home IP address; this will complement our firewall security measure. If your firewall does not block access to your proxy port AND you don't specify any IP address here, this will be an open proxy, i.e. anyone can get access to your not-so-private proxy. If you do not have a static IP and yours is dynamic, set it to a range such as 176.31.0.0/16. The XXX.XXX.0.0/16 allows the first two groups to be the same, and the last two groups to be any number.]
    #Allow 192.168.0.0/16
    #Allow 172.16.0.0/12
    #Allow 10.0.0.0/8

    #
    # AddHeader: Adds the specified headers to outgoing HTTP requests that
    # Tinyproxy makes. Note that this option will not work for HTTPS
    # traffic, as Tinyproxy has no control over what headers are exchanged.
    #
    #AddHeader "X-My-Header" "Powered by Tinyproxy"


    #
    # ViaProxyName: The "Via" header is required by the HTTP RFC, but using
    # the real host name is a security concern. If the following directive
    # is enabled, the string supplied will be used as the host name in the
    # Via header; otherwise, the server's host name will be used.
    #
    ViaProxyName "tinyproxy"
    #
    # DisableViaHeader: When this is set to yes, Tinyproxy does NOT add
    # the Via header to the requests. This virtually puts Tinyproxy into
    # stealth mode. Note that RFC 2616 requires proxies to set the Via
    # header, so by enabling this option, you break compliance.
    # Don't disable the Via header unless you know what you are doing...
    #
    DisableViaHeader Yes [This turns the proxy server into more anonymous mode allowing it to pass whatismyipaddress dot com proxy tests and others]

    #
    # Filter: This allows you to specify the location of the filter file.
    #
    #Filter "/etc/filter"

    #
    # FilterURLs: Filter based on URLs rather than domains.
    #
    #FilterURLs On

    #
    # FilterExtended: Use POSIX Extended regular expressions rather than
    # basic.
    #
    #FilterExtended On

    #
    # FilterCaseSensitive: Use case sensitive regular expressions.
    #
    #FilterCaseSensitive On

    #
    # FilterDefaultDeny: Change the default policy of the filtering system.
    # If this directive is commented out, or is set to "No" then the default
    # policy is to allow everything which is not specifically denied by the
    # filter file.
    #
    # However, by setting this directive to "Yes" the default policy becomes
    # to deny everything which is _not_ specifically allowed by the filter
    # file.
    #
    #FilterDefaultDeny Yes

    #
    # Anonymous: If an Anonymous keyword is present, then anonymous proxying
    # is enabled. The headers listed are allowed through, while all others
    # are denied. If no Anonymous keyword is present, then all headers are
    # allowed through. You must include quotes around the headers.
    #
    # Most sites require cookies to be enabled for them to work correctly, so
    # you will need to allow Cookies through if you access those sites.
    #
    #Anonymous "Host"
    #Anonymous "Authorization"
    #Anonymous "Cookie"
    [These are all OPTIONS, and DO NOT have to be added]
    Anonymous "Accept"
    Anonymous "Accept-Charset"
    Anonymous "Accept-Encoding"
    Anonymous "Accept-Language"
    Anonymous "Authorization"
    Anonymous "Cache-Control"
    Anonymous "Connection"
    Anonymous "Content-Length"
    Anonymous "Content-Type"
    Anonymous "Cookie"
    Anonymous "Date"
    Anonymous "Expect"
    Anonymous "Host"
    Anonymous "If-Match"
    Anonymous "If-Modified-Since"
    Anonymous "If-None-Match"
    Anonymous "If-Range"
    Anonymous "If-Unmodified-Since"
    Anonymous "Pragma"
    Anonymous "Range"
    Anonymous "TE"
    Anonymous "Upgrade"


    #
    # ConnectPort: This is a list of ports allowed by tinyproxy when the
    # CONNECT method is used. To disable the CONNECT method altogether, set
    # the value to 0. If no ConnectPort line is found, all ports are
    # allowed (which is not very secure.)
    #
    # The following two ports are used by SSL.
    #
    #ConnectPort 443 [Comment both of these lines out]
    #ConnectPort 563

    #
    # Configure one or more ReversePath directives to enable reverse proxy
    # support. With reverse proxying it's possible to make a number of
    # sites appear as if they were part of a single site.
    #
    # If you uncomment the following two directives and run tinyproxy
    # on your own computer at port 8888, you can access Google using
    # http://localhost:8888/google/ and Wired News using
    # http://localhost:8888/wired/news/. Neither will actually work
    # until you uncomment ReverseMagic as they use absolute linking.
    #
    #ReversePath "/google/" "http://www.google.com/"
    #ReversePath "/wired/" "http://www.wired.com/"

    #
    # When using tinyproxy as a reverse proxy, it is STRONGLY recommended
    # that the normal proxy is turned off by uncommenting the next directive.
    #
    #ReverseOnly Yes

    #
    # Use a cookie to track reverse proxy mappings. If you need to reverse
    # proxy sites which have absolute links you must uncomment this.
    #
    #ReverseMagic Yes

    #
    # The URL that's used to access this reverse proxy. The URL is used to
    # rewrite HTTP redirects so that they won't escape the proxy. If you
    # have a chain of reverse proxies, you'll need to put the outermost
    # URL here (the address which the end user types into his/her browser).
    #
    # If not set then no rewriting occurs.
    #
    #ReverseBaseURL "http://localhost:8888/"
    After making changes that suit your needs press Ctrl + X and press 'y' to save them.

    Restart the server:
    $ sudo service tinyproxy restart
    -Hopefully the proxy server is up and running now. After opening the port you chose to use in the firewall, go and point your browser proxy setting to the IP address and port of the VPS/proxy, and navigate to whatismyipaddress.com. It should show your proxy address instead of your home address. Also check their advanced proxy check page at whatismyipaddress.com/proxy-check , the results should be all False (no proxy detected).
    **NOTE**
    Tinyproxy is extremely lightweight; however, you may restart it occasionally to refresh memory usage. You may also set a cron job to do it automatically, but that is beyond the scope of this tutorial for now.
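An added example (not from the original post) that audits the Allow lines of a tinyproxy.conf before the port is opened in the firewall: it flags a config with no Allow at all as an open proxy, and expands each entry to the network it really covers, so an over-wide mask is visible. Assumes Python 3 only; the sample configs are constructed.

```python
"""Check the Allow rules of a tinyproxy.conf for an open or over-broad proxy.

Constructed example: this is not code from the original post. tinyproxy
denies everything once at least one Allow/Deny line exists and allows
everything when there are none, so a config with no Allow line is an open
proxy on any port the firewall lets through. The check also expands each
Allow entry to the network it actually covers, which shows how a /8 on an
address like 176.31.0.0 allows the whole 176.0.0.0/8 block, not just 176.31.x.x.
"""
import ipaddress

BROAD_PREFIX = 16  # an IPv4 Allow wider than a /16 is flagged as over-broad


def parse_acl_lines(text):
    """Return a list of (keyword, network) for Allow/Deny lines, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0].lower() not in ("allow", "deny"):
            continue
        # tinyproxy masks the address, so host bits set in the address are
        # ignored; strict=False gives the same result (176.31.0.0/8 -> 176.0.0.0/8).
        # Both "a.b.c.d/bits" and "a.b.c.d/m.m.m.m" forms are accepted here.
        try:
            net = ipaddress.ip_network(parts[1], strict=False)
        except ValueError:
            continue  # tinyproxy would refuse the line; skip it in the audit
        rules.append((parts[0].lower(), net))
    return rules


def audit_tinyproxy_acl(text):
    """Return a list of findings about who the proxy accepts connections from."""
    rules = parse_acl_lines(text)
    findings = []
    if not rules:
        findings.append("no Allow/Deny lines: every client can use this proxy (open proxy)")
        return findings
    for keyword, net in rules:
        if keyword != "allow" or net.num_addresses == 1:
            continue  # Deny lines and single home addresses are fine
        if net.prefixlen == 0:
            findings.append("Allow %s permits every address on the internet" % net)
        elif net.version == 4 and net.prefixlen < BROAD_PREFIX:
            findings.append("Allow %s covers %d addresses (wider than a /%d)"
                            % (net, net.num_addresses, BROAD_PREFIX))
    return findings


def covered_network(entry):
    """Return the network string an Allow entry really covers, e.g. '176.0.0.0/8'."""
    return str(ipaddress.ip_network(entry, strict=False))


# Constructed samples, not from the original post.
LOCAL_ONLY = "Port 8080\nAllow 127.0.0.1\nAllow 203.0.113.45\n"
NO_ACL = "Port 8080\n#Allow 127.0.0.1\n"
TOO_WIDE = "Allow 127.0.0.1\nAllow 176.31.0.0/8\n"
ONE_ISP = "Allow 127.0.0.1\nAllow 176.31.0.0/16\n"

if __name__ == "__main__":
    for name, text in (("local-only", LOCAL_ONLY), ("no-acl", NO_ACL),
                       ("too-wide", TOO_WIDE), ("one-isp", ONE_ISP)):
        print(name, audit_tinyproxy_acl(text) or ["ok"])
    print("176.31.0.0/8 really covers", covered_network("176.31.0.0/8"))
```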

    GUI Install:

    Ubuntu Desktop with FreeNX

    First we will install the Ubuntu Desktop Environment. There are several choices to choose from, this tutorial is for GNOME but you could use any of them if you wanted to fiddle with them. Be warned though - Not all Ubuntu desktop environments play nice with all programs. So install the one you think you would like to see and use for your server.
    First we will make sure all of your packages are up to date.
    $ sudo apt-get update && sudo apt-get upgrade
    Now install a desktop.
    **Unity**
    $ sudo apt-get install ubuntu-desktop
    **NOTE**
    -If you want to install GNOME desktop classic without some of the desktop addons like Evolution and OpenOffice ALSO DO these commands to save on server resources:
    $ sudo aptitude install --without-recommends ubuntu-desktop && sudo apt-get install gnome-session-fallback
    To make Gnome Classic your default desktop environment edit LightDM:
    $ sudo /usr/lib/lightdm/lightdm-set-defaults -s gnome-classic
    FreeNX

    Add the FreeNX PPA
    $ sudo add-apt-repository ppa:freenx-team
    **NOTE**
    If you do not have add-apt-repository installed add the following
    $ sudo apt-get install python-software-properties
    Update Apt
    $ sudo apt-get update
    Install FreeNX
    $ sudo apt-get install freenx
    Get the nxsetup script
    -As of July 2011, the FreeNX PPA package is missing the nxsetup script. The script can be downloaded from here by issuing:
    Unpack the nxsetup script:
    $ tar -xvf nxsetup.tar.gz
    Copy the setup script to /usr/lib/nx:
    $ sudo cp nxsetup /usr/lib/nx/nxsetup
    Run nxsetup:
    $ sudo /usr/lib/nx/nxsetup --install
    **NOTE**
    After installation, FreeNX will ask you to use the default keys or a custom pair of keys. If your IP address is static (never changes) then you can use the default keys, as the firewall will only be allowing your IP to access SSH, but it should be noted that under any circumstances it is a security risk. You can use custom keys if you prefer higher security or have a dynamic (changing) IP address, as the firewall will not be able to allow only your IP but all IPs. Custom keys are beyond the scope of this tutorial at the moment, and will be added at a later date.

    Now open up your NX Connection Wizard and fill in the options as it asks for them.
    -Session can be named whatever you want
    -Host is your server IP address
    -Port is the same as your SSH port
    -The environment should be Unix and Gnome, unless you used a different desktop then select accordingly
    ....and connect.
    If asked to import/replace a key, do so.
    Once connected, close NX on your Windows machine, and connect through Putty. Once connected with your normal user, reboot it.
    $ sudo reboot
    **NOTE**
    You do not need to install the VNC tutorial below if you have chosen to install this version of desktop. Skip it and continue on to Configuring Apache.

    Set Ubuntu To Have Unlimited Open Files

    If you are the normal user temporarily become root
    $ su root
    Enter root password when asked.
    # nano /etc/pam.d/su
    Uncomment the following line
    # session required pam_limits.so
    to
    session required pam_limits.so
    Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
    Now in the terminal do
    # nano /etc/security/limits.conf
    Add the following lines to the end of the file (before the line # End of file)
    * soft nofile 10000
    * hard nofile 10000
    Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.

    Lighttpd:

    Update your system
    $ sudo apt-get update && sudo apt-get upgrade
    $ sudo apt-get clean && sudo apt-get autoclean
    See if Lighttpd is started:
    $ sudo /etc/init.d/lighttpd start
    Configure the Lighttpd config file:
    $ sudo nano /etc/lighttpd/lighttpd.conf
    Look for line "server.modules" & add this to the file, exactly how I have it typed, right on top of the other "mod's":
    "mod_scgi",
    "mod_fastcgi",
    "mod_auth",
    Now scroll all the way down and paste this in:
    scgi.server = (
        "/var/www/rutorrent/RPC2" => # RT_DIR
        ( "127.0.0.1" =>
            (
                "host" => "127.0.0.1",
                "port" => 5000,
                "check-local" => "disable"
            )
        )
    )

    fastcgi.server = ( ".php" => ((
        "bin-path" => "/usr/bin/php-cgi",
        "socket" => "/tmp/php.socket"
    )))

    auth.backend = "htdigest"
    auth.backend.htdigest.userfile = "/etc/lighttpd/.passwd"
    auth.debug = 2

    auth.require = ( "/rutorrent" =>
        (
            "method" => "digest",
            "realm" => "Authenticated Users",
            "require" => "valid-user"
        ),
        "/rutorrent/RPC2" =>
        (
            "method" => "digest",
            "realm" => "Authenticated Users",
            "require" => "valid-user"
        )
    )
    Save and Exit the editor by Ctrl + O, then Ctrl + X

    https:

    First login to your server and "su" to root user.
    $ su root
    Enter the root password when asked.
    Create a self-signed certificate for Lighttpd and make a dir to keep this cert in :
    # cd /etc/lighttpd && mkdir certs && cd certs && openssl req -new -x509 -keyout lighttpd.pem -out lighttpd.pem -days 365 -nodes && chmod 400 lighttpd.pem
    **NOTE**
    You will need to fill in important info when asked. You can put any info you like for your certificate, but please fill in the info when asked.
    Open the Lighttpd config file and add some lines :
    # cd .. && nano lighttpd.conf
    Add these lines to the file directly on top of the "scgi.server ="
    $SERVER["socket"] == ":80" {
        $HTTP["host"] =~ "(.*)" {
            url.redirect = ( "^/(.*)" => "https://%1/$1" )
        }
    }

    $SERVER["socket"] == "Your_Server_IP_address:443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
    }

    ssl.use-sslv2 = "disable"
    **NOTE**
    Make sure you put your server IP address into the field above.
    For https ONLY. Scroll back up and look for the line "server.modules". Once you find this line, proceed to un-comment the following "mod"
    "mod_redirect"
    This next step is 'OPTIONAL' and should only be done if you're the only one with access to rutorrent, have no website & a static IP. Adding these lines will block all other access to your web-server except your own IP. Again it's optional and does not need to be done.
    $HTTP["host"] == "<Your-Server-IP>" {
        $HTTP["remoteip"] != "<Your-Home-IP>" {
            url.access-deny = ( "" )
        }
    }
    **NOTE**
    Please edit above with your server-IP/home-IP. It's also a good idea to put a range in for your "Home-IP" 24.127.0.0/8
    Now to finish you need to restart Lighttpd for this to take effect:
    # /etc/init.d/lighttpd restart
    rTorrent:

    Download

    First let's make a dir for our software:
    $ cd ~ && mkdir apps && cd apps
    Then download our software:
    Untar libtorrent and rtorrent:
    $ tar zxfv libtorrent-0.12.9.tar.gz && tar zxfv rtorrent-0.8.9.tar.gz
    Compile

    Xmlrpc-c
    $ cd xmlrpc-c && ./configure && make && sudo make install && cd ../libtorrent-0.12.9
    Libtorrent-0.12.9
    $ ./configure && make && sudo make install && cd ../rtorrent-0.8.9
    Rtorrent-0.8.9
    $ ./configure --with-xmlrpc-c && make && sudo make install && sudo ldconfig && cd ..

    Clean Up and Create Folders:


    $ rm *.tar.gz && cd ~ && mkdir rtorrent && cd rtorrent && mkdir .session downloads torrents && cd ..
    Configure rtorrent:
    $ nano .rtorrent.rc
    Paste this into the file:
    min_peers = 20
    max_peers = 200
    min_peers_seed = 20
    max_peers_seed = 100
    max_uploads = 100
    download_rate = 0
    upload_rate = 0
    directory = /home/<username>/rtorrent/downloads
    session = /home/<username>/rtorrent/.session
    schedule = watch_directory,5,5,load_start=/home/<username>/rtorrent/torrents/*.torrent
    port_range = 57001-57001
    scgi_port = localhost:5000
    port_random = no
    check_hash = no
    use_udp_trackers = no
    encryption = allow_incoming,enable_retry,prefer_plaintext
    hash_read_ahead = 8
    hash_interval = 10
    hash_max_tries = 5
    dht = disable
    peer_exchange = no
    Start rtorrent in screen

    $ screen -S rt rtorrent
    **NOTE**
    To detach session > ctrl a + d
    re-attach the screen session > "$ screen -x rt"
    To see a list of all running sessions > "$ screen -list"

    rtorrent Startup Script

    Since we don't want to have to start rtorrent manually every time the server boots, we're going to start it automatically, and we'll run it in a screen session.
    Now we'll create the startup script
    Edit this example as necessary and change the username that you want rtorrent to run as.
    $ sudo nano /etc/init.d/rtorrent
    Paste your edited config into that file.
    Replace anything that says <username> with the username you created before.
    #!/bin/sh
    #############
    ###<Notes>###
    #############
    # This script depends on screen.
    # For the stop function to work, you must set an
    # explicit session directory using ABSOLUTE paths (no, ~ is not absolute) in your rtorrent.rc.
    # If you typically just start rtorrent with just "rtorrent" on the
    # command line, all you need to change is the "user" option.
    # Attach to the screen session as your user with
    # "screen -dr rtorrent". Change "rtorrent" with srnname option.
    # Licensed under the GPLv2 by lo***ihilist: lo***ihilist _at_ gmail _dot_ com
    ##############
    ###</Notes>###
    ##############

    #######################
    ##Start Configuration##
    #######################
    # You can specify your configuration in a different file
    # (so that it is kept across upgrades, saved in your home directory,
    # or for whatever reason you want to)
    # by commenting out/deleting the configuration lines below and placing them
    # in a text file (say /home/user/.rtorrent.init.conf) exactly as you would
    # have written them here (you can leave the comments in if you desire),
    # and then uncommenting the following line, correcting the path/filename
    # to the one you used. Note the space after the ".".
    # . /etc/rtorrent.init.conf

    #Do not put a space on either side of the equal signs e.g.
    # user = user
    # will not work
    # system user to run as
    user="<username>"

    # the system group to run as, not implemented, see d_start for beginning implementation
    # group=`id -ng "$user"`

    # the full path to the filename where you store your rtorrent configuration
    config="`su -c 'echo $HOME' $user`/.rtorrent.rc"

    # set of options to run with
    options=""

    # default directory for screen, needs to be an absolute path
    base="`su -c 'echo $HOME' $user`"

    # name of screen session
    srnname="rtorrent"

    # file to log to (makes for easier debugging if something goes wrong)
    logfile="/var/log/rtorrentInit.log"
    #######################
    ###END CONFIGURATION###
    #######################
    PATH=/usr/bin:/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin
    DESC="rtorrent"
    NAME=rtorrent
    DAEMON=$NAME
    SCRIPTNAME=/etc/init.d/$NAME

    checkcnfg() {
        # make sure the rtorrent binary can be found somewhere in PATH
        exists=0
        for i in `echo "$PATH" | tr ':' '\n'` ; do
            if [ -f "$i/$NAME" ] ; then
                exists=1
                break
            fi
        done
        if [ $exists -eq 0 ] ; then
            echo "cannot find rtorrent binary in PATH $PATH" | tee -a "$logfile" >&2
            exit 3
        fi
        if ! [ -r "${config}" ] ; then
            echo "cannot find readable config ${config}. check that it is there and permissions are appropriate" | tee -a "$logfile" >&2
            exit 3
        fi
        # the session directory from .rtorrent.rc is also where rtorrent.lock lives (used by d_stop)
        session=`getsession "$config"`
        if ! [ -d "${session}" ] ; then
            echo "cannot find readable session directory ${session} from config ${config}. check permissions" | tee -a "$logfile" >&2
            exit 3
        fi
    }

    d_start() {
        [ -d "${base}" ] && cd "${base}"
        stty stop undef && stty start undef
        # start a detached screen session for the user unless one with our name already exists
        su -c "screen -ls | grep -sq '\.${srnname}[[:space:]]'" ${user} || su -c "screen -dm -S ${srnname} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
        # this works for the screen command, but starting rtorrent below adopts the screen session gid
        # even if it is not the screen session we started (e.g. running under an undesirable gid)
        #su -c "screen -ls | grep -sq '\.${srnname}[[:space:]]'" ${user} || su -c "sg \"$group\" -c \"screen -fn -dm -S ${srnname} 2>&1 1>/dev/null\"" ${user} | tee -a "$logfile" >&2
        # launch rtorrent as a new window inside that screen session
        su -c "screen -S '${srnname}' -X screen rtorrent ${options} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
    }

    d_stop() {
        session=`getsession "$config"`
        if ! [ -s ${session}/rtorrent.lock ] ; then
            return
        fi
        # the lock file contains "host:pid"; keep only the digits of the pid
        pid=`cat ${session}/rtorrent.lock | awk -F: '{print($2)}' | sed "s/[^0-9]//g"`
        if ps -A | grep -sq ${pid}.*rtorrent ; then # make sure the pid doesn't belong to another process
            kill -s INT ${pid}
        fi
    }

    getsession() {
        # read the "session = /path" line out of the rtorrent config given as $1
        session=`cat "$1" | grep "^[[:space:]]*session[[:space:]]*=" | sed "s/^[[:space:]]*session[[:space:]]*=[[:space:]]*//" `
        echo $session
    }

    checkcnfg

    case "$1" in
        start)
            echo -n "Starting $DESC: $NAME"
            d_start
            echo "."
            ;;
        stop)
            echo -n "Stopping $DESC: $NAME"
            d_stop
            echo "."
            ;;
        restart|force-reload)
            echo -n "Restarting $DESC: $NAME"
            d_stop
            sleep 1
            d_start
            echo "."
            ;;
        *)
            echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
            exit 1
            ;;
    esac

    exit 0
    Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
    Now we need to change the user and group ownership of that file and make it executable.
    $ sudo chown root:root /etc/init.d/rtorrent
    $ sudo chmod a+x /etc/init.d/rtorrent
    Now let's tell Ubuntu to run this script at startup.
    $ cd /etc/init.d
    $ sudo update-rc.d rtorrent defaults
    Set permissions
    $ sudo chown -R <username>:<username> /home/<username>
    $ sudo chmod 777 -R /home
    Test the script:
    $ sudo /etc/init.d/rtorrent start
    Check that an rtorrent and a screen process are running using htop
    $ htop
    To exit htop, hit F10

    rutorrent

    Download

    $ cd /var/www && sudo svn co rutorrent - Revision 2084: /trunk/rutorrent
    Plugins

    $ cd /var/www/rutorrent && sudo wget http://rutorrent.googlecode.com/file...ins-3.4.tar.gz
    $ sudo tar -xvf plugins-3.4.tar.gz && sudo rm plugins-3.4.tar.gz
    Set permissions
    $ cd /var/www && sudo chown -R www-data:www-data rutorrent && sudo chmod -R 777 rutorrent
    Authenticate ruTorrent

    We already added the authentication to the Lighttpd config file for ruTorrent and now we just need to make a password file.
    $ sudo htdigest -c /etc/lighttpd/.passwd 'Authenticated Users' <UserName>
    Password:
    Verify:
    **NOTE**
    Change <UserName> to the user you would like to login to ruTorrent with.

    Specify the RPC2 mount

    $ sudo nano /var/www/rutorrent/conf/config.php
    Look for the line "XMLRPCMountPoint" and add this:
    /var/www/rutorrent/RPC2
    It should look like this when finished:
    $XMLRPCMountPoint = "/var/www/rutorrent/RPC2";
    Restart Lighttpd and then we're finished:
    $ sudo /etc/init.d/lighttpd restart
    **NOTE**
    Now you can reach ruTorrent in your browser at https://<your-server-ip>/rutorrent

    Webmin:

    I like to use Webmin for web based administration of my servers. It offers a very convenient way to remotely administer your server from anywhere with a net connection and a web browser.

    First add some dependencies for Webmin

    $ sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python python-minimal libapt-pkg-perl perl-base perl-modules
    Setup Repository and Download

    $ sudo nano /etc/apt/sources.list
    Add this line to the end of the file:
    deb http://download.webmin.com/download/repository sarge contrib
    Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
    Let's now fetch and install the PGP key for this new repository so we're not warned about it.
    $ wget http://www.webmin.com/jcameron-key.asc && sudo apt-key add jcameron-key.asc
    Now we can install webmin
    $ sudo apt-get update && sudo apt-get install webmin
    Test webmin is working by opening a browser and going to:
    https://<servername or IP>:10000
    Login with root user

    FTPS / SFTP

    **NOTE**
    If you just want to use SFTP (the SSH file transfer protocol), you don't need to do anything more here.
    Just connect with an FTP client via SFTP to your server on the SSH port you use.

    If you want to setup FTPS (FTP using SSL encryption) then we'll setup Pure-FTPd.

    Pure-FTPd

    $ sudo apt-get install pure-ftpd
    Now let's create another SSL certificate (you could use the ones you created earlier if you like - I prefer to keep them separate).
    $ sudo openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
    $ sudo chmod 600 /etc/ssl/private/pure-ftpd.pem
    This will create a self-signed certificate for your server that lasts for 1 year. You'll be prompted for a lot of information. Whenever you're asked for a name, use your domain name if you have one. The rest you can leave blank or fill in with whatever you like.
    Now let's edit the Pure-ftpd config.
    Pure-ftpd doesn't use a config file like other FTP daemons. Instead it starts with a set of command-line switches.
    However, the init.d startup script that is installed with the pure-ftpd package can parse a directory of single-line 'config files' in order to dynamically build the correct set of command-line switches.
    So all we need to do is create these single-line files in the right place:
    Temporarily act as root user
    $ su root
    Enter the root password when asked
    # cd /etc/pure-ftpd/conf/
    # echo ,<port to be used for FTP> > Bind
    # echo <server IP> > ForcePassiveIP
    # echo <port used for Passive Mode of FTP> > PassivePortRange
    # echo 1 > TLS
    The first 'echo' line above creates a file that tells Pure-ftpd to use a particular port, so change the number to the port you wish to use.
    The second 'echo' line creates a file that tells Pure-ftpd to use the given static IP address for Passive mode. You need to set this to the IP of your server.
    The third 'echo' line determines what port range to use for Passive mode.
    If you want additional security, also do the following:
    # echo yes > ProhibitDotFilesRead
    # echo yes > ProhibitDotFilesWrite
    # echo yes > NoChmod
    # echo yes > BrokenClientsCompatibility
    The first two 'echo' lines create files that stop users reading and writing files that have a leading '.' in their filename (hidden files).
    The third 'echo' line creates a file that stops users changing the permissions on files and folders.
    The final 'echo' line creates a file that prevents clients that don't strictly adhere to the FTP/FTPS protocol from connecting.
    Now let's configure how users will authenticate:
    # echo no > PAMAuthentication
    # echo yes > UnixAuthentication
    Here we are configuring it to authenticate against the system user accounts.
    Now just restart the FTP service
    # /etc/init.d/pure-ftpd restart
    Test everything is ok by connecting to the FTP service with an FTP client set to use the FTPS protocol, on the port you chose.
    And return to the normal user
    # exit
    Linux Firewall

    Now it is time to set up the Linux firewall to close all the ports other than the ones we need.
    This is where the GUI will come in handy for those who do not understand IPTables.

    First we will restart our server to make sure everything is a go, and then we will update it afterward.
    So connect with Putty and type
    $ sudo reboot
    After about 5 minutes reconnect with Putty as the normal user.
    Now update
    $ sudo apt-get update && sudo apt-get upgrade
    $ sudo apt-get clean && sudo apt-get auto-clean
    GUI with GNOME/NX

    Connect with your NX client on your Windows machine.
    Now with Firestarter installed we can set up the Linux firewall. (This was previously installed at the beginning of the tutorial.)
    Go to System > Administration > Firestarter
    -When you launch the GUI for the first time, it will take you through a setup wizard.
    -Click Forward, and you will be able to select the network device. You must choose this device correctly. There may be a list of them. On almost all setups you will choose eth0.
    -Select eth0
    -Do check the other boxes.
    -Click Forward, and then click Forward again.
    -Uncheck to start the Firewall now. You must uncheck this or it will lock out all ports when you click Save.
    -Click the Policy tab
    -Make sure that Editing is set to Inbound Traffic Policy
    -Right click under Allow Service, and you will do this individually for all your ports you need open.
    Port = 32002, 80, 443, 10000, 57001
    Anyone should be set for 57001
    All others are to be set to your IP, unless you have a Dynamic IP address in which case you should set all of these ports to Anyone.
    You're encouraged to change the ports used as examples in this guide - just make sure you write them down, and double check them before implementing any firewall rules.
    You should also check with your host in case that they use any automatic network monitoring tools.
    If they do, you may need to leave some ports open to respond to pings and so on, otherwise their tools might think your server is down and try rebooting it or putting it into recovery mode. Best just to check with them.
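    Added example (not from the original post, and not Firestarter's own output): the inbound policy the wizard above builds, written out as the iptables commands it corresponds to, so those who want to see what the GUI is doing can read the ruleset before applying it. The functions only print the commands; 203.0.113.5 stands in for your home IP (a CIDR range works the same way if your address changes), and the ports are the ones listed above.

```shell
#!/bin/sh
# Added example, not from the original post: emit the iptables rules that mirror
# the Firestarter inbound policy from the guide. Nothing is applied here; the
# commands are printed so you can review them, then pipe them into sh once you
# are happy:   sh firewall_rules.sh 203.0.113.5 | sudo sh
# 203.0.113.5 is a constructed placeholder for your home IP or range.

# Ports from the guide: 32002 (SSH), 80/443 (Lighttpd), 10000 (Webmin) are
# limited to the home address; 57001 (rtorrent) is reachable by anyone.
HOME_ONLY_PORTS="32002 80 443 10000"
ANYONE_PORTS="57001"

gen_rules() {
    home="$1"
    if [ -z "$home" ]; then
        echo "usage: gen_rules <home-ip-or-cidr>" >&2
        return 1
    fi
    # ACCEPT rules first and the DROP policy last, so an SSH session that is
    # applying these rules is never cut off halfway through.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # replies to connections the server itself opened (apt, trackers, peers)
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # let your host's monitoring ping the box (see the note above about that)
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    for p in $HOME_ONLY_PORTS; do
        echo "iptables -A INPUT -p tcp -s $home --dport $p -j ACCEPT"
    done
    for p in $ANYONE_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -P FORWARD DROP"
    echo "iptables -P INPUT DROP"
}

# Number of rules restricted to the home address: a quick check that no
# admin port was accidentally opened to the world.
home_only_rule_count() {
    gen_rules "$1" | grep -cF -- "-s $1 "
}

# Number of TCP rules open to any source (should be just the rtorrent port).
anyone_rule_count() {
    gen_rules "$1" | grep -c -- "-p tcp --dport"
}

if [ -n "${1:-}" ]; then
    gen_rules "$1"
fi
```

    Run it with your own address and compare the printed lines with the Allow Service entries you made in Firestarter; the two counting helpers give the numbers to expect (four home-only rules, one open port).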


    Fail2Ban:

    Login through Putty to your Server as your normal user, and then become root
    $ su root
    Enter root password when asked.
    Install Fail2ban
    # apt-get update && apt-get upgrade
    Answer yes to all things asked.
    Open the config file of Fail2Ban called the jail to be edited.
    # nano /etc/fail2ban/jail.conf
    After you open the jail.conf file, look for the line "ignoreip". This is where you put your IP address at home so you don't get blocked. Make the following changes:
    ignoreip = 127.0.0.1 Your_Home_IP
    EX : ignoreip = 127.0.0.1 24.127.*.* 192.168.1.*
    **NOTE**
    You can use as many IPs as you want. Just use a space in between each IP address. If you have a dynamic IP, it would be a good idea to accept the whole range like I gave in the example above.
    This next 'STEP' is not done in the 'jail.conf' file and is just to show you how to unban an IP using IPTables. To flush all SSH fail2ban rules:
    # iptables -F fail2ban-ssh
    To delete just 1 IP rule:
    # iptables -D fail2ban-ssh host-name/ip DROP
    Now that's out of the way, we can continue with the 'jail.conf' and make the following changes:
    [ssh]
    enabled = true
    port = ssh
    maxretry = 5
    **NOTE**
    If you are using the standard port 22 for ssh then you can leave the above just as "port = ssh". If you are not using that port number then you need to put it like this: port = 33002

    --Next we need to add the below lines to the 'jail.conf' file, so Fail2ban monitors Lighttpd. Look for the section "HTTP Servers". Then add this to the file, in that section, exactly as I have it here:
    [lighttpd-fastcgi]

    enabled = true
    port = http,https
    filter = lighttpd-fastcgi
    logpath = /var/log/lighttpd/*.log
    maxretry = 5

    Finally, under the same section look for the line [apache], rename it and make the changes below. It should look like this when done:

    [Lighttpd]

    enabled = true
    port = http,https
    filter = apache-auth
    logpath = /var/log/lighttpd*/*error.log
    maxretry = 6


    Scroll to the bottom of jail.conf and add these lines to monitor Webmin and Pure-FTPd
    [webmin-auth]
    enabled = true
    port = 10000
    filter = webmin-auth
    logpath = /var/log/auth.log
    maxretry = 3

    [pure-ftpd]
    enabled = true
    port = <Port used for FTP on Server>
    filter = pure-ftpd
    logpath = /var/log/messages
    maxretry = 3
    Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
    All we need to do now is restart Fail2ban with this command:
    # /etc/init.d/fail2ban restart
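    Added example (not from the original post, and not fail2ban's own code): a dry run of the [Lighttpd] jail above over constructed log lines in the shape of lighttpd auth failures. It shows which client addresses reach maxretry and confirms that an address inside ignoreip is never banned, which is the thing to check before you lock yourself out. The "auth failed ... IP:" pattern, the 203.0.113.x addresses and the shell-glob handling of the 24.127.*.* style entries are assumptions of this example, so check how your fail2ban version expects ignoreip ranges to be written.

```shell
#!/bin/sh
# Added example, not from the original post and not fail2ban's code: a small
# dry run of the [Lighttpd] jail so you can see who would be banned.
# Log lines are constructed in the shape of lighttpd mod_auth failures; the
# match pattern and the wildcard handling for ignoreip are assumptions.

# Same values as the jail.conf edits above; 24.127.*.* mirrors the guide's
# ignoreip example, the 203.0.113.x addresses are constructed documentation IPs.
IGNOREIP="127.0.0.1 24.127.*.* 192.168.1.*"
MAXRETRY=6

# Return 0 when $1 matches any ignoreip entry. A shell "case" pattern gives us
# the guide's 24.127.*.* notation directly (assumption of this example).
is_ignored() {
    ip="$1"
    set -f                      # keep the * in the patterns away from the filesystem
    for pat in $IGNOREIP; do
        case "$ip" in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Emit $3 constructed auth-failure lines for client $1 logging in as $2.
fail_lines() {
    i=0
    while [ "$i" -lt "$3" ]; do
        i=$((i + 1))
        printf '2013-05-17 12:14:%02d: (http_auth.c.1067) digest: auth failed for %s: wrong password, IP: %s\n' "$i" "$2" "$1"
    done
}

# Constructed stand-in for /var/log/lighttpd/error.log.
sample_log() {
    fail_lines 203.0.113.7 alice 6   # outside ignoreip and reaches maxretry
    fail_lines 24.127.5.9  bob   9   # many failures, but inside ignoreip
    fail_lines 203.0.113.8 carol 2   # outside ignoreip, below maxretry
    echo "2013-05-17 12:15:00: (server.c.1512) WARNING: unrelated line"
}

# Read a log on stdin, count auth failures per client address and print
# "ip count" for every address that reached MAXRETRY and is not ignored.
find_offenders() {
    grep 'auth failed' | sed -n 's/.*IP: \([0-9.][0-9.]*\).*/\1/p' |
        sort | uniq -c |
        while read -r count ip; do
            if [ "$count" -ge "$MAXRETRY" ] && ! is_ignored "$ip"; then
                echo "$ip $count"
            fi
        done
}

# What the jail's default iptables action would insert (printed, not run).
ban_rule() {
    echo "iptables -I INPUT -s $1 -j DROP"
}

offenders() {
    sample_log | find_offenders
}

# Dry run: show who would be banned and the rule that would be inserted.
offenders | while read -r ip count; do
    echo "$ip failed $count times:"
    ban_rule "$ip"
done
```

    Replace sample_log with "cat /var/log/lighttpd/error.log" to run the same counting over a real log; an address of yours that shows up in the output is a sign that ignoreip needs widening before the jail is enabled.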

    **NOTE**
    I have taken all of this information and compiled it into one setup because it's the way I set my servers up. Many sources and exhausting Google searches have made this possible. Thank you to those that took the time to let me destroy some OVH and LeaseWeb servers with their great tutorials. The most notable person would be MikeD who, after I added a fail2ban snippet to his great tutorial, said I should write one of my own....and here it is.


  3. #2

    Join Date
    Aug 2010
    Posts
    1

    Default

    thanks man it's really helpful to me
