Thread: Debian/Ubuntu Dedicated Server Setup

I just wanted it for anonymous serving since mine is in france. what else is possible?

Edit. You can ignore this if its too much work, but would you know how to setup irssi? I know there is a tutorial here on t.i, but its for utorrent and not rtorrent.

Dont worry about it and its no problem for me to add irssi with rTorrent. Its very easy to do as well.

EDIT : I meant rtorrent and not uTorrent, sorry about that.

About the proxy > U guys dont want to use your seedbox as a proxy?? > meaning browse from home using your seedbox ip address? That is easy to do, but if i understand correctly, what u want to do is basically make yourself anonymous on your server correct?? meaning browse from your box anonymously?? Do u have root access, Desktop Enviroment, web browser or what do u have installed on your server?

did you mean rtorrent? and I wanted to browse from home anonymously, but i do have root access and gnome running

TUTORIAL # 5 - PROXY / IRSSI

NOTE : This tutorial is being done by request and is gonna be based on using your Server (seedbox) as a proxy and setting up IrssI with rTorrent.

** What you'll need for this tutorial > Putty for SSH access to your Server & Web browser on home computer preferably Firefox & WinScp**



PART 19 : USING SERVER AS A PROXY

INFO : There are several different ways u can go about achieving this. For example: installing a proxy server on server side or tunneling all connections through SSH are just some examples. What we're gonna be doing in this tutorial is tunneling through SSH.


--First we need to exit out of VNC or any Putty sessions u currently have open at the moment. U dont want to be connected to your Server in anyway till we're finished.

NOTE : This is basically the same way we tunneled VNC in Tutorial #4, but we need to configure a little different here.



--Next open up Putty, but dont connect to your server just yet. Make sure u are on the opening option page "Sessions". Its the category Putty opens up with by default. Now follow these STEPS to configure:

STEP 1 : On the "sessions" page enter your IP and Port # your SSH is configured on, but dont press open just yet.
STEP 2 : Now go to the left Putty options and navigate to this option > Connections > SSH > Tunnels. Niow u will be at the options we want.
STEP 3 : Next under "Add new forwarded Port" category u will see "Source Port" & "destinations"
STEP 4 : Put a Port # for the "Source Port" field. U can choose any Port # as long as its not taken by any other service. Im gonna chose 7567. U can leave "destination" blank.
STEP 5 : Now under "Destination" field u will see radio buttons. Check these circles and nothing else > "Auto" & "Dynamic". Then click add. U will now see "D7567" appear in the box above. Thats good and if u dont see re-do steps.
STEP 6 : After that go back to the left Putty options and navigate to the opening page where u put IP & Port # > "Sessions"
STEP 7 : Next u want to save this session for easy access and so u separate all different connections. Under the "Saved Sessions" field, put a name in the box and click "save". Your session will now be saved for easy connection.
STEP 8 : Finally, u can connect to your server through SSH with the new saved connection we just made. To do this just double click the session name and u will then connect to server. Proceed to login with normal user or if u didnt disable root then u can also login with root user.

NOTE : Thats it for configuring Putty, however dont close the Putty session as we need it open for this tunnel to work. Now its Web-Browser time.



--Open your Web-Browser on your home computer. I prefer Firefox and will be using it in this tutorial, but u can use any browser that supports using a "proxy"

STEP 1 : Once Firefox is open u need to open the Firefox "settings & options" and go to the Proxy settings page. To do this navigate to here > tools > options > advanced > network tab > click settings. Now u will be at the Proxy settings.
STEP 2 : Now in the "proxy settings" chose the radio button "Manual Proxy Configurations". U will now see all the fields alive.
STEP 3 : Next we need to fill in the fields. Look for "SOCKShosts" field and put 127.0.0.1 then for PORT# put 7567. Also, u need to check off radio button, either SOCKSv5 or SOCKSv4, it doesnt matter which one u chose. U can leave all other fields blank.
STEP 4 : Now close all windows by pressing "OK" and restart Firefox. Once Firefox restart u will be using your Seedbox as a proxy. To test this go to an "ip checker" website to see if it worked. A good website is utrace - locate IP addresses and domainnames or What's My IP Address? Networking Tools & More U should now see your Seedbox IP.

NOTE : U now successfully tunneled your SSH server for your browser at home. Do not close Putty while u are using your Server as a proxy or Firefox will drop connection. U need to leave it open and close and revert options when finished. Anytime u want to do this just follow the same steps. To do this with any program like uTorrent or FTP client then follow the same steps for Firefox, but open that programs proxy options page.

**If u had any problems or it didnt work then please re-do all steps. If it still doesnt work then post here and i'll help u. Also, if u want me to make a tutorial for a server side install of a Proxy Server instead then i can. Just ask here**




PART 20 : IRSSI WITH SCRIPTS

NOTE : This part of the tutorial is gonna be based on setting up IRSSI, so u can auto-download, using scripts.

--If u followed the tutorial to setup rTorrent then u already have screen + irssi installed, but just in case u didnt, u need to install irssi. Login through Putty as normal user:

$ sudo apt-get install screen irssi

--Now we need to start irssi in screen so we can keep irssi active if we closed the session:

$ screen -S irc irssi

NOTE : To re-attach screen session > "$ screen -x irc" List running screen sessions "$ screen -list". "irc" used in the command to start irssi is just the name for the current session. U can change that to anything u want.


--Next we need to setup irssi with nick's, etc....irssi is now started and u should see the terminal opened with irssi running. Please replace with your own names / nick's :

/set nick MikeD
/set alternate_nick Mike
/set user_name Mike
/set real_name Mike

NOTE: U could also add networks, servers, channels, etc... Also to connect to your irc server u want to issue either the command "/server" or "/connect" - Using "/connect" will keep u connected to multiple servers - Using "/server" will drop current server for new server.


--U can now close irssi and we will re-attach in a minute.

crtl a + d

--Now that irssi is detached we need to create a scripts dir for irssi to use

$ cd ~/.irssi
$ mkdir scripts
$ chmod 755 ~/.irssi -R

NOTE : Please make sure that a watch folder actually exists & is enabled in your torrent client. Also, make sure both paths & folder names match up as well. If u followed my rtorrent tutorial then u already have a watch folder located at '~/rtorrent/torrents/'. If your using other clients then make sure everything is correct.


--Next we need to get a script from a tracker and download it to your computer. Then follow the steps to configure it. One thing u will need to do is put the path to your rTorrent or uTorrent watch folder in the script.

NOTE : After u do that u need to follow the rest of the scripts instructions. If u need help doing this just post here and ill help u.


--After your done configuring it we need to put the script in the right dir so irssi can load it. This is simple and u can use WinScp to achieve this. Ok, open up winscp then:

STEP 1 : Browse to the '~/.irssi' dir and open it.
STEP 2 : Then upload the script, from the that u downloaded to your computer, into the scripts folder.
STEP 3 : Close winscp


--Now that irssi and script is all setup, lets go ahead and load the script and connect to our irc server. Remember to re-attach screen irssi session and register your nick on there server.

$ screen -x irc

--Then load the script & connect to the irc server:

/script load ~/.irssi/scripts/name_of_script
/server irc.miked.org
/join #mike

NOTE : Now just wait for a release and the script should work, if u set it up correctly. Also remember to follow the scripts instructions to set it up and so on. The instructions for the script will usually tell u everything from where to put the script and how to load it. Again, this is just the basic way on how setup IRSSI to use a script cause im not going to post a specific script and instructions here.

**Thats it for this tutorial and i hope this helps. If u found any mistakes, need any help or have a question, please post here and ill do my best to answer u on time. Thanks and again this was soley written by me (MikeD)**

TUTORIAL # 6 : LIGHTTPD WITH HTTPS / FAIL2BAN

NOTE : This tutorial is going to show u how to setup Lighttpd with SSL, so rutorrent can use HTTPS, and setup 'fail2ban' so it can ban IP address' who incorrectly try and login to your server through certain protocols.

INFO : For those who dont know 'fail2ban' works with iptables and monitors log files for important protocols liks SSH, FTP, Web-Server. When someone trys to access one of these protocols and fails at the login attempt, 'fail2ban' will ban there IP from trying again.





PART 21 : SETTING UP SSL ( HTTPS )

NOTE : This part is going to walk u through setting up Lighttpd with SSL. We will also setup a re-direct for HTTP so that anytime u try to access your website or rutorrent using HTTP u will be re-directed to HTTPS. I will also show u how to use both HTTP & HTTPS.

--First login to your server and "su" to root user.

$ su
password :

--Now we need to create a self-signed certificate for Lighttpd and make a dir to keep this cert in :

# cd /etc/lighttpd
# mkdir certs
# cd certs
# openssl req -new -x509 -keyout lighttpd.pem -out lighttpd.pem -days 365 -nodes
# chmod 400 lighttpd.pem

NOTE : U will need to fill in important info when asked. U can put any info u like for your certificate, but please fill in the info when asked.



--Next we want to open the Lighttpd config file and add some lines :

# cd ..
# nano lighttpd.conf

--Then add these lines to the file directly on top of the "scgi.server = (" part we added from 'TUTORIAL #3' :

PHP Code:

$SERVER["socket"] == ":80" {
  $HTTP["host"] =~ "(.*)" {
    url.redirect = ( "^/(.*)" => "https://%1/$1" )
  }
}

$SERVER["socket"] == "Your_Server_IP_address:443" {
  ssl.engine = "enable" 
  ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem" 
}

ssl.use-sslv2 = "disable" 


NOTE : ^^^ This will enable HTTPS. Make sure u put your server IP address into the field above.



--Only do this next step if u want to use HTTPS only..... Scroll back up and look for the line "server.modules". Once u find this line, proceed to un-comment the following "mod"

"mod_redirect"

NOTE : This will make all HTTP traffic redirect to HTTPS.




--This next step is 'OPTIONAL' and should only be done if your the only one with access to rutorrent, have no website & a static IP. Adding these lines will block all other access to your web-server except your own IP. Again its optional and does not need to be done.

PHP Code:

$HTTP["host"] == "Server_IP" {
  $HTTP["remoteip"] != "Home_IP" {
    url.access-deny = ( "" )
  }   
} 


NOTE : Please edit above with your server-IP/home-IP. Its also a good idea to put a range in for your "Home-IP" > 24.127.0.0/255



--Thats it and u are done setting up Lighttpd to use SSL ( HTTPS ). Now to finish u need to restart Lighttpd for this to take effect:

# /etc/init.d/lighttpd restart

NOTE : Now u can reach rutorrent by using HTTPS. If u used the redirect, then test it out and point your web-browser to HTTP and it should redirect itself to HTTPS. If not then please look over all steps.






PART 22 : SETTING UP FAIL2BAN

INFO : U can use Fail2ban to monitor SSH, FTP, & your Web-Server (Lighttpd). I usually get a lot of failed attempts on these protocols so this is where Fail2ban comes in handy.



--First we need to install Fail2ban. Still logged in as "root user" u need to install Fail2ban

# apt-get update && apt-get upgrade
# apt-get install fail2ban

NOTE : Say yes to all ^^^



--Now that Fail2ban is installed we need to setup our own Lighttpd filter because unfortunately Fail2ban does not monitor Lighttpd by default. This is very easy to do:

# cd /etc/fail2ban/filter.d
# nano lighttpd-fastcgi.conf

--Now copy & paste this file into "nano" & save (ctrl + o) and exit (ctrl + x)

http://pastebin.com/f45933e93



--Next we need to open the "jail config" file, so that we can make the necessary changes to it :

# nano /etc/fail2ban/jail.conf

EDIT : Credit goes to s2cuts & TIME. Thanks again for the help & insight. These first steps will make sure u dont get accidently locked out of your server. However, just continue to follow the tutorial as normal.



--After u open the "jail.conf" file look for the following line "ignoreIP". This is where u are going to put your IP address at home so u dont get blocked. Make the following changes :

ignoreip = 127.0.0.1 Your_Home_IP

EX : ignoreip = 127.0.0.1 24.127.*.* 192.168.1.*

NOTE : U can use as many IP's as u want. Just use a space in between each IP address. If u have a Dynamic IP, it would be a good idea to accept the whole range like i gave in the example above.



--This next 'STEP' is not done in the 'jail.conf' file and is just to show u how to unban an IP using iptables. To flush all SSH fail2ban rules:

# iptables -F fail2ban-ssh

--To delete just 1 IP rule:

# iptables -D fail2ban-ssh host-name/ip DROP

--Now thats out of the way we can continue with the 'jail.conf' and make the following changes

[ssh]
enabled = true
port = ssh
maxretry = 5

NOTE : If u are using the standard port 22 for ssh then u can leave above just as "port = ssh". If u are not using that port # then u need to put it like this "port = 35678"



--Now for FTP. Choose whatever FTP server u have installed on your server. I use VSFTPD and did earlier in this tutorial, so this is what im going to use here. Do the same u did for SSH for FTP, if your using a non-standard port #.

[vsftpd]
enabled = true
port = ftp, ftps
maxretry = 5

--Next we need to add the below lines to the 'jail.conf' file, so Fail2ban monitors Lighttpd. Look for the section "HTTP Servers". Then add this to the file, in that section, exactly how i have it here

[lighttpd-fastcgi]

enabled = true
port = http,https
filter = lighttpd-fastcgi
logpath = /var/log/lighttpd/*.log
maxretry = 5

--Finally under the same section look for the line [Apache] and change it to and make the these changes below. It should look like this when done :

[Lighttpd]

enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/lighttpd*/*error.log
maxretry = 6

--Thats it for Fail2ban setup so u can save & exit the 'jail.conf' file. All we need to do now is restart Fail2ban with this command:

# /etc/init.d/fail2ban restart

NOTE : Thats it for this tutorial and now u have even more security for your server with Lighttpd using SSL and Fail2ban monitoring wrong login attempts on important protocols.

** This tutorial was written by me, but i learned this through different sources from the net. I just recently learned how to use Lighttpd with Fail2ban from this website and used there info for some of this tutorial > Fail2ban rules for lighttpd fastcgi alerts > Thank u & if u found any mistakes, have any questions or need help, then post here and ill do my best to answer in a timely matter. Hope this helps a few users out there.**

Originally Posted by MikeD

I usually get 50-100 failed attempts a day on these protocols so this is where Fail2ban comes in handy.

Mike buddy, I was getting the same until I took your advice and changed the default ports. Now I don't even get a sniff.

But still, Fail2ban looks like a dead simple solution for dealing with brute force attacks. The only thing missing is the section on how to remove an IP from the iptables after it's been banned. If I know people, someone will surely screw up their password 5 times in a row.

Originally Posted by s2cuts

Mike buddy, I was getting the same until I took your advice and changed the default ports. Now I don't even get a sniff.

But still, Fail2ban looks like a dead simple solution for dealing with brute force attacks. The only thing missing is the section on how to remove an IP from the iptables after it's been banned. If I know people, someone will surely screw up their password 5 times in a row.

Yeah me too, but someone or multiple users have been trying to log into my rutorrent lately. I think they see my IP in the connection info of there client and then try to reach it in there browser. Im not sure what there doing, but its funny cause my logs show them trying to get to all kinds of dir's like "phpmyadmin", which i dont even have. Also a bunch of other stuff.

Its weird, so i setup an html file with all there IP's on it. Now when they try and get dir's on my web-server, they will get the html with the IP's on it and then they will see there own. I just hope i dont piss off the wrong person, lol.

Anyway, i will do what u said and thank u cause i never thought about people getting locked out like that. I will add that now and give u credit for it. Thanks again s2cuts!

Hey Mike,

Thank you very much for putting this together, best guide I have seen yet. I really appreciate it, I had my server setup in one day. :D

But of course, since I am new at this, I'm having an issue. The redirect to https works perfect, but https will not load, it sits and thinks for a bit, then times out. Any ideas? I set this up exactly as you have it outlined, can't get any simpler, so how can one make a mistake I ask myself. Please help. :)

Edit: Ok, the step that I missed, I needed to add https to the firewall. It's all working now! Sweeet! Thanks again!!

Hey superbad09,

sorry it took me long to get back to u. I was busy the last couple of hours. Anyway so u are having trouble with HTTPS loading? Try commenting the "mod_redirect" by putting a # sign in front of the line in lighttpd config file and restart lighttpd. Then try to get to HTTPS manually by typing it your browser. Also, im guessing u followed the guide exactly how i have it? Did u leave out or skip anything? U could also take this line out > ssl.use-sslv2 = "disable" > Then restart lighttpd and try again. If u can, please post your lighttpd config file so i could look at it, but just upload to pastebin and edit out your IP or any other info that is a security risk.

EDIT : your welcome