[Guide] Online.net Dedibox manual secure seedbox install (rTorrent/ruTorrent)


    Introduction
    So here is my first shot at a tutorial. As I posted yesterday, I ordered a dedibox from Online.net and set up a seedbox on it. You can read my review on the setup process and my first thoughts after having run it the first day HERE

    I tried a couple of scripts, namely flizbox and lefteris' scripts. I'm not saying that there is anything wrong with those scripts, but with my server they just were not working. Everything would install fine, but then I'd have to go through all sorts of code to find out why things were breaking down when I tried to make things work. I figured rather than spending too much time on it I'd just do the installs myself and gain the experience myself. Another upside of installing things yourself is that you have a hands-on view of each step in the process, making it FAR easier to troubleshoot or modify things later because you know where everything is, and how everything is configured. Plus it helps you to learn and understand more about how everything in your server is working and operating. This also makes sure that you know and input every command along the way so you know what's happening. I rarely use someone else's scripts because, especially with the long ones, it's far too easy for someone to slip something in there with everything and you never notice.

    That said, here is what I did to get my server up and running. This guide assumes that you have at least a sudo user with root access via SSH. And while prior knowledge of Apache, general web server operation, setting up SSL, SFTP, and various seedbox programs are a plus, it is not required. Honestly, I have the rest of the server stuff on lock myself, but the seedbox part is completely new to me.

    My System
    I'm running a Dedicated Server on Online.net with Ubuntu Server 12.04 installed.
    Via Nano U2250 1.3+GHz processor
    2Gb RAM
    500Gb Storage
    1Gb/s network connection with guarantee for 150Mb/s
    1 IPv4 Static IP Address

    Process Overview
    - Install XMLrpc, LibTorrent, rTorrent, ruTorrent, ruTorrent Plugins, and proFTPD
    - Configure the installations for use on a secure connection
    - Secure our connection through use of SFTP for transfer of materials, and SSL for default browsing and use
    - Secure our browsing directories with basic pw authentication (this is safe enough because we are using HTTPS)
    - Set a default theme for ruTorrent and securely connect to it

    My Process
    Note 1: Like I said, this was done on an Online.net Dedicated Server with Ubuntu Server 12.04 installed. If you are using a different provider and distribution of Linux I cannot vouch for any of this working.
    Note 2: Anytime you come across something like this: <<GENERIC>> this means that you must put in whatever variable is specific to your system in that instance; this will mostly apply to UserName and IP.
    PAY ATTENTION TO THOSE DOUBLE CARETS!!!!!!
    If you are using Online.net and do not read French, I recommend you change your locale.
    Code:
    sudo nano /etc/default/locale
    Once opened you will see a LANG definition, change this to "en_US.UTF-8" or look up whatever country you want to use on Ubuntu's website. Since this is still in French, you will hit "O" for yes and save your changes. Reboot the machine:
    Code:
    sudo shutdown -r now
    We are now going to start our installation. Run the following two commands to make sure your system is up-to-date.
    Code:
    sudo apt-get update
    sudo apt-get upgrade
    Now it's time to install all the libraries and dependencies that we will need, for both the seedbox software and the webserver.
    Code:
    sudo apt-get install subversion build-essential automake libtool libcppunit-dev libcurl4-openssl-dev libsigc++-2.0-dev unzip unrar curl libncurses5-dev
    sudo apt-get install apache2 php5 php5-cli php5-curl
    sudo apt-get install libapache2-mod-scgi
    Let's enable SCGI MOD in Apache, while we are at it we can create our directory tree.
    Code:
    sudo ln -s /etc/apache2/mods-available/scgi.load /etc/apache2/mods-enabled/scgi.load
    sudo mkdir /install
    sudo mkdir /home/<<USERNAME>>/rtorrent
    sudo mkdir /home/<<USERNAME>>/rtorrent/.session
    sudo mkdir /home/<<USERNAME>>/rtorrent/downloads
    sudo mkdir /home/<<USERNAME>>/rtorrent/watch
    Now we are on to getting the install going for the seedbox itself. When you get to the "make" commands, be aware that those can take anywhere from 30 seconds to 4-5 minutes to complete.

    Install XMLrpc
    Code:
    cd /install
    sudo svn checkout http://svn.code.sf.net/p/xmlrpc-c/code/stable xmlrpc-c
    cd xmlrpc-c
    sudo ./configure --disable-cplusplus
    sudo make
    sudo make install
    Install LibTorrent
    Code:
    cd /install
    sudo wget http://libtorrent.rakshasa.no/downloads/libtorrent-0.13.2.tar.gz
    sudo tar xvf libtorrent-0.13.2.tar.gz
    cd libtorrent-0.13.2
    sudo ./autogen.sh
    sudo ./configure
    sudo make
    sudo make install
    Install rTorrent
    Code:
    cd /install
    sudo wget http://libtorrent.rakshasa.no/downloads/rtorrent-0.9.2.tar.gz
    sudo tar xvf rtorrent-0.9.2.tar.gz
    cd rtorrent-0.9.2
    sudo ./autogen.sh
    sudo ./configure --with-xmlrpc-c
    sudo make
    sudo make install
    sudo ldconfig
    sudo chmod 777 /home/<<USERNAME>>/rtorrent/.session/
    Now that we have rTorrent installed, we need to add a configuration for your user in rTorrent
    Code:
    cd /home/<<USERNAME>>
    sudo nano .rtorrent.rc
    This is a config I found elsewhere on the forums here, mixed with some other stuff I found on other sources. I've only been running this for a bit over a day, but it seems stable. If I make any major changes I'll come back and update it here:
    Code:
    # Directories
    directory = /home/<<USERNAME>>/rtorrent/downloads
    session = /home/<<USERNAME>>/rtorrent/.session
    
    
    # rTorrent
    encryption = allow_incoming,try_outgoing,enable_retry
    schedule = watch_directory,5,5,"load_start=/home/<<USERNAME>>/rtorrent/watch/*.torrent"
    max_downloads_global = 0
    max_uploads_global = 0
    min_peers = 100
    max_peers = 300
    min_peers_seed = 100
    max_peers_seed = 300
    max_uploads = 350
    download_rate = 0
    upload_rate = 0
    check_hash = no
    
    
    # Network
    scgi_port = 127.0.0.1:5000
    encoding_list = UTF-8
    system.umask.set = 022
    port_range = <<YOURPORTRANGE>>
    port_random = no
    use_udp_trackers = yes
    dht = disable
    peer_exchange = no
    Take note of that line with DHT, this is where you disable it to adhere to those sites that require you disable it. Change the appropriate ports and username lines. Something important to know about ruTorrent is that every time you start a new session, it imports these settings as the default values for the settings within ruTorrent. ANY CHANGES MADE IN THE RUTORRENT SETTINGS DIALOG WILL BE LOST with the new session. This includes your default theme, I'll show you how to change that later.

    Now that we have the backend of the seedbox set up, we are going to install our front end. Let's install ruTorrent
    Code:
    cd /install
    sudo wget http://dl.bintray.com/novik65/generic/rutorrent-3.6.tar.gz
    sudo tar xvf rutorrent-3.6.tar.gz
    sudo mv rutorrent /var/www
    sudo wget http://dl.bintray.com/novik65/generic/plugins-3.6.tar.gz
    sudo tar xvf plugins-3.6.tar.gz
    sudo mv plugins /var/www/rutorrent
    And there we go, now let's establish our permissions and start up rtorrent in a screen instance (so when you close putty it doesn't stop rtorrent)
    Code:
    sudo apt-get install screen
    sudo chown -R www-data:www-data /var/www/rutorrent
    sudo htpasswd -c /var/www/rutorrent/.htpasswd <<USERNAME>>
    sudo service apache2 restart
    screen -fa -d -m rtorrent
    Now that we got all that done, it's time to secure our connections to the server. We are going to start with setting up SFTP and making sure that it doesn't allow connection for SFTP over the SSH port.
    First let's generate the keys
    Code:
    cd /home/<<USERNAME>>
    sudo mkdir .ssh
    sudo chmod 700 .ssh
    ssh-keygen -t rsa
    Here you may leave file blank, even the password if you wish. But I always toss one in, make sure you keep this passphrase though, YOU WILL NEED IT FOR CONNECTING VIA SFTP!

    Now let's install and configure proFTPD
    Code:
    sudo apt-get install proftpd
    sudo nano /etc/proftpd/proftpd.conf
    In the configuration we are going to find the ServerName setting, and set that to the IP address of your box. While we are at it, go take a look for this line: (hint, use ctrl-w to search)
    Code:
    # DefaultRoot ~
    Remove that pound sign "#" to enable that line. Save the file and let's move on to configuring access.
    Code:
    sudo nano /etc/proftpd/conf.d/sftp.conf
    Now in here, you will need to copy the following snippet and save that file:
    Code:
    <IfModule mod_sftp.c>
            SFTPEngine on
            Port 2222
            SFTPLog /var/log/proftpd/sftp.log
    
            # Configure both the RSA and DSA host keys, using the same host key
            # files that OpenSSH uses.
            SFTPHostKey /etc/ssh/ssh_host_rsa_key
            SFTPHostKey /etc/ssh/ssh_host_dsa_key
    
            SFTPAuthMethods publickey
    
            SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
    
            # Enable compression
            SFTPCompression delayed
    </IfModule>
    Now that our connections are good, let's configure authentication and disable SFTP on port 22
    Code:
    sudo mkdir /etc/proftpd/authorized_keys
    sudo ssh-keygen -e -f /home/<<USERNAME>>/.ssh/id_rsa.pub | sudo tee /etc/proftpd/authorized_keys/<<USERNAME>>
    sudo service proftpd restart
    sudo nano /etc/ssh/sshd_config
    In this file you need to find the following line and remove the pound sign "#" to uncomment it.
    Code:
    #Subsystem sftp /usr/lib/openssh/sftp-server
    Now let's restart SSH so our changes take effect
    Code:
    sudo service ssh restart
    Now let's secure our ruTorrent directory. Username and password are case sensitive here.
    Code:
    sudo htpasswd -c /home/<<USERNAME>>/.htpasswd <<USERNAME>>
    Now let's set up SSL
    Code:
    sudo a2enmod ssl
    sudo service apache2 restart
    sudo mkdir /etc/apache2/ssl
    sudo openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
    Assuming you are using Online.net, these are the settings you want to use:
    Country: FR
    Province: Île-de-France
    City: Paris
    Common Name: the IP address of your server ! Important or when you add the cert to the trusted zones on your computer it will error out !

    Now open your vhost configuration for the SSL website
    Code:
    sudo nano /etc/apache2/sites-available/default-ssl
    You will have what looks like an XML structure. Go to the bottom, but make sure to stay within the VirtualHost tags and add this:
    Code:
        <Location /rutorrent>
            AuthName "Private"
            AuthType Basic
            AuthBasicProvider file
            AuthUserFile /home/<<USERNAME>>/.htpasswd
            Require valid-user
        </Location>
    While we are in here, let's go ahead and set up our certificate references. Make sure to find these lines and change them:
    Code:
     ServerName <<SERVERIP>>:443
     SSLEngine on
     SSLCertificateFile /etc/apache2/ssl/apache.crt
     SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    Now you can save and close this out and open the regular HTTP default config
    Code:
    sudo nano /etc/apache2/sites-available/default
    Change it so that it only says this (this is going to force HTTPS be used on your site)
    Code:
    <VirtualHost *:80>
       ServerName <<SERVERIP>>
       Redirect permanent / https://<<SERVERIP>>/
    </VirtualHost>
    Save and close that out and let's activate the SSL config within Apache and reload services
    Code:
    sudo a2ensite default-ssl
    sudo service apache2 reload
    So we are just about done! Remember how I said earlier I would show you how to change your default theme? Run these commands
    Code:
    sudo mkdir -p /var/www/rutorrent/conf/users/<<USERNAME>>/plugins/theme/
    sudo nano /var/www/rutorrent/conf/users/<<USERNAME>>/plugins/theme/conf.php
    Now in this file, we want to put in this PHP code
    Code:
     <?php
     $defaultTheme = "Oblivion";
     ?>
    I prefer Oblivion, but change that to whatever you want.

    And voila, we are up and running! Let's reboot the server for good measure and set up our FTP client and Trust the Site. First thing first though, let's go open the following file and copy the entire contents to a file on your local computer
    Code:
    nano /home/<<USERNAME>>/.ssh/id_rsa
    Copy the entirety of that file to your local computer, stick it in My Documents or somewhere where you know you won't delete it and name it seedbox.ppk. You will need this to set up your key within your FTP client.

    Configure Server for Socks Proxy
    First things first, let's back up our current configuration and then make the changes we need for our tunnel.
    Code:
    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bkup
    sudo nano /etc/ssh/sshd_config
    There are a lot of options in this config file. There are a few that I would recommend. TCP Forwarding is a must if you want to make your proxy work. Make sure to keep your authentication set to RSA, I know there have been some arguments over which is best, RSA or DSA, but I can tell you firsthand from experience that RSA is hands down the best to use. If you would like more information on this check out this link: http://security.stackexchange.com/qu...ntication-keys
    Code:
    Port 22 #Change this
    Protocol 2
    PermitRootLogin no
    RSAAuthentication yes
    PubkeyAuthentication yes
    TCPKeepAlive yes
    AllowUsers <<USERNAME>>
    AllowTcpForwarding yes
    Now that we made our changes, we need to restart the SSH daemon for them to take effect
    Code:
    sudo service ssh restart
    Voila, you can now use your server as a SOCKS Proxy to safely encrypt your web traffic.

    Using our Seedbox
    Since we have done all this with our server, let's reboot it for good measure.
    Code:
    sudo shutdown -r now

    SFTP Client (FileZilla)

    For the sake of demonstration, I'm going to use FileZilla for our FTP client, but you can google whatever client you use if you need instructions on something else.
    1: Open FileZilla and go into site manager.
    2: Create a new site, name it what you want, and put in the following for your connection information:
    Host: Server IP
    Port: 2222
    Protocol: SFTP - SSH File Transfer Protocol
    Logon Type: Normal
    User: USERNAME
    Password: PASSWORD
    3: Click on the Advanced Tab and set up default local and remote directories if you like. On my system I have a folder in my downloads called Seedbox, and on the server I set /rtorrent/downloads as my default.
    4: Click ok and then go to File > Settings
    5: On the left, go to Connection > SFTP
    6: Click on Add keyfile and point it to wherever you saved seedbox.ppk
    7: Put in your password that you used back when you created the SSH keys.

    SSH Client (Putty)

    I use Putty for my SSH client, so I'm going to use it for my example on setting up your SOCKS Proxy:
    Start Putty
    1: For host name put the IP of your server, for Port use what you configured, Type is SSH
    2: Click on Connection on the left.
    3: Change keep alive to 1800 seconds, check Enable TCP keepalives
    4: Select SSH > Tunnels
    5: Source port is the same as your Port you configured, click Add.
    Go back to the Session Tab and save your session using whatever name you would like. Then Connect, our tunnel has been established.

    Browser Settings (FireFox)
    Personally, I use Chrome for all my personal non-secure browsing. Any time I want to download a torrent, or get my net traffic on without having to worry about eavesdroppers then I use FireFox. So now we are going to use that SSH connection to establish our Proxy. Remember, that SSH client needs to be open for this to work.
    Start FireFox
    1: Press Alt key if the tools menu isn't at the top.
    2: Tools > Options, Then click on the Advanced tab, and go to Network > Settings
    3: Select Manual Proxy Configuration.
    4: For SOCKS Host enter localhost, port is whatever you configured SSH to be.
    5: Make sure SOCKS v5 is selected and then hit OK.
    6: Go to whatismyip.org and verify that your ip address is your Seedbox Server's IP.


    Now for trusting the website (ruTorrent Web UI). You'll notice when you go to http://ipaddress/rutorrent that it automatically redirects to https://ipaddress/rutorrent. This is fine, but you will probably get an error saying that the site is using a self-signed certificate and cannot be trusted. We are not looking for some 3rd party site's seal of approval of our server, we just want to encrypt our traffic. So to add this to your trusted sites, you need to do a couple of things. First thing is click on the lock icon next to the address, go to the certificate information and then details, there you will see a button that says export or save to file or something. You are going to save that to a file and then go into your settings for the browser. You then just go add that certificate to your trusted authenticate sites. This will vary depending on the browser you use, so google it and it's pretty straightforward.

    Conclusion
    You should now have a fully functional seedbox that when you communicate with it, either via SSH, SFTP, or ruTorrent, you will have fully encrypted and secure data transmission. There are plenty of places to go from here. On these forums and others you will find plenty of tutorials for getting yourself set up for auto-downloading of torrents, using plugins, getting IRC or whatever else set up. The goal of this guide was to hopefully get you to the point where you have a fully functional seedbox that can get you started that is safe and secure. Hope you found this helpful, if you come across an error or anything, let me know. I pretty much just took all the commands I ran and copied them to a notepad. So hopefully I didn't miss anything or mistype something.

    EDIT: I added using your seedbox as a SOCKS Proxy for secure browsing.
    EDIT: Made some changes to commands and streamlined a few processes.

    Happy Seeding!
    Last edited by Flynn89; April 9, 2014, 02:10 PM. Reason: Changed some commands
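
The sshd_config settings from the SOCKS proxy section can be checked mechanically after editing. The script below is an added example, not part of the original post; its function names are hypothetical and the defaults it assumes for unset directives are assumptions about the installed OpenSSH.

```shell
#!/bin/sh
# Added example, not from the guide: audit an sshd_config against the
# directives the guide sets. All function names are hypothetical.

# effective_value FILE KEYWORD
# Print the value that applies globally: keywords are case-insensitive and
# sshd keeps the first value it reads. This script drops text after '#' and
# stops at the first Match line, since later directives are conditional.
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# expect FILE KEYWORD WANT DEFAULT
# Compare the effective (or default) value with WANT; print a finding and
# return 1 on mismatch. An empty DEFAULT means "must be set explicitly".
expect() {
    got=$(effective_value "$1" "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$got" ] || got=$4
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2: want '$3', effective value '${got:-unset}'"
    return 1
}

# audit_sshd FILE USER
# The defaults passed below are assumptions about the installed OpenSSH.
audit_sshd() {
    rc=0
    expect "$1" PermitRootLogin no ""        || rc=1
    expect "$1" PubkeyAuthentication yes yes || rc=1
    expect "$1" AllowTcpForwarding yes yes   || rc=1  # the SOCKS tunnel needs it
    expect "$1" Protocol 2 2                 || rc=1
    case " $(effective_value "$1" AllowUsers) " in
        *" $2 "*) ;;
        *) echo "FAIL AllowUsers: '$2' is not listed"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample, not a real server's file. The lower-case duplicate is
# read first, so the later "PermitRootLogin no" never takes effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22 #Change this
Protocol 2
permitrootlogin yes
PermitRootLogin no
PubkeyAuthentication yes
AllowUsers alice
Match User bob
    AllowTcpForwarding no
EOF
audit_sshd "$sample" alice || true
rm -f "$sample"
```

On a real box, run `audit_sshd /etc/ssh/sshd_config <<USERNAME>>` before restarting the daemon and keep the current SSH session open until a second login succeeds.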

  • #2
    Hey thanks a lot for taking the time to write this up. (Rep added)

    This will definitely help ppl out, I can guarantee that. There are great tutorials on T-i for seedboxes, but it doesn't hurt to have more, especially updated tutorials.




    • #3
      Thanks man, I appreciate it!



      • #4
        Absolutely in depth, killer guide!

        Thanks a bazillion for writing this up. Man, so much to learn.
        T-I RULES!



        • #5
          I also use online.net.
          I use flizbox script. But I find that it is not stable. It is often down. Sometimes I must reboot the machine. I don't know the reason. So I am finding the best script.



          • #6
            Lovely guide, btw I used flizbox on exactly the same box and got it up and running. Doing ok so far



            • #7
              Yeah that's weird, for some reason it kept failing for me. I have no idea where it was going wrong because of course it does everything for you and there is no way for me to troubleshoot it without spending way more time than it would take to just install everything myself. Plus I noticed that SSL wouldn't work when I tried it, and if I can't use SFTP and HTTPS it's a no go for me anyway.



              • #8
                Encrypted ftp/tls using implicit ssl never worked when I installed the flizbox either. But after looking at the vsftp config it wasn't enabled either. So once you enable it, ftp/tls with ssl works fine. I also had the same problem with ftp/tls not working on ovh servers after installing flizbox, but again after enabling it in the config it worked fine.

                But don't forget for a very secure ftp, sftp over ssh comes pre-installed on ssh and can be used right away, no installing any ftp software (such as proftpd, vsftpd, pureftpd)

                For those wondering though, the Flizbox worked fine on my Online.net server as well, I bought the dedibox Gen2 for 10$.

                However this tutorial that flynn wrote up is great and will work just the same
                Last edited by Tml4Life; January 20, 2014, 02:00 PM.




                • #9
                  I just added some additional info for configuring your seedbox to act as a SOCKS Proxy for secure web browsing.



                  • #10
                    Hey Flynn89 :)

                    Thanks so much for this awesome tutorial!
                    Just one question, I had trouble when I added torrents to rutorrent they would auto pause, I think this was because of the permissions of the download folder.
                    What should I chmod this directory to so that it is accessible? 777 seems to work but is this safe?

                    Thanks :)



                    • #11
                      seedemon 755 should be more than enough, never relax your security policy and never give more permissions than necessary.



                      • #12
                        Originally posted by Bakkra
                        seedemon 755 should be more than enough, never relax your security policy and never give more permissions than necessary.
                        Thanks Bakkra :) Many thanks :)



                        • #13
                          I was going to get this box but I got kimsufi... not happy with speed, will try to move to online


                          btw about to try this out.. thanks for tut



                          • #14
                            Hey seedemon, like Bakkra said, 755 is more than enough, it's also a good idea to chmod your watch dir the same way, that way when you ftp into the box and you want to commit mass uploads, you can just sftp it straight into place.

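
The 777-versus-755 exchange above, as an added example that is not part of any post: the guide creates the rtorrent directories with `sudo mkdir`, so they belong to root while rTorrent runs as the login user, and 777 only hides that mismatch by giving every local account write access. The script finds both conditions and applies 755/644; the function names are hypothetical and the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# world_writable DIR: entries any local account can modify (symlinks are
# skipped because on Linux their mode bits are always 777).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# not_owned_by DIR USER: entries the rTorrent user does not own, which is
# what "sudo mkdir" leaves behind. USER may be a name or a numeric uid.
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# audit_tree DIR USER: print findings, return 1 if there are any.
audit_tree() {
    ww=$(world_writable "$1" | sed 's/^/WORLD-WRITABLE /')
    fo=$(not_owned_by "$1" "$2" | sed 's/^/FOREIGN-OWNER /')
    [ -z "$ww" ] || printf '%s\n' "$ww"
    [ -z "$fo" ] || printf '%s\n' "$fo"
    [ -z "$ww$fo" ]
}

# tighten DIR: directories 755, files 644. Run it as the owner; fix a wrong
# owner first with: sudo chown -R USER: DIR
tighten() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree mirroring the guide's layout.
umask 022
demo=$(mktemp -d)
mkdir -p "$demo/rtorrent/.session" "$demo/rtorrent/downloads" "$demo/rtorrent/watch"
chmod 777 "$demo/rtorrent/.session" "$demo/rtorrent/downloads"
audit_tree "$demo/rtorrent" "$(id -u)" || true   # two WORLD-WRITABLE findings
tighten "$demo/rtorrent"
audit_tree "$demo/rtorrent" "$(id -u)" && echo "clean"
rm -rf "$demo"
```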


                            • #15
                              error, newb needs help

                              I have online.net box, and using your script, when I run this line of code
                              Code:
                              sudo ln -s /etc/apache2/mods-available/scgi.load /etc/apache2/mods-enabled/scgi.loadsudo mkdir /install
                              I get this error in putty
                              Code:
                              ln: target `/install' is not a directory
