Ubuntu Server w/ GUI, Auto Connect SSH, Fail2Ban, rtorrent

First off let me say this guide is deffinately open to suggestion on improvements. So please leave comments if a better way to do something in this guide is needed, also if anything is outdated and is in need of an update. Thank You.


This guide is for those who want their server with GUI, rtorrent/rutorrent, SFTP, Webmin, Fail2ban, Firewall, and permenant auto connecting SSH Tunnel, and/or Proxy from a home Windows machine to a remote Ubuntu server.

Every command with # next to it is to be performed as root
Every command with $ next to it is to be performed as your user
-Do not type these symbols into Putty when logged into your server. They are there only to show if you need to be root or your normal user.
-Do not enter multiple lines of code at once. Take your time and go one by one, line by line. This is a server setup, not a race...It is supposed to take a couple hours.

Pre-requisites:

A Ubuntu 9.10 - Ubuntu 11.04 (x86 or x64) with root access via Putty
**NOTE**
Might work on some earlier versions, and on other Debian based distros, but this is untested

-and-

A windows home machine running Windows XP - Windows 7 (x86 - x64)

Basics:

Initial Login

Login to your server as root via SSH

Windows:
-Download Putty and run it
-Download Putty from here

Quote:

http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

-Once open enter the IP address of your server where Host is, and enter the port number where asked as well. (Usually 22)
-Set the Radio button to SSH
-In the box below type in the name you want to save this connection as. Such as OVH or LeaseWeb...or whatever you want.
-Click the Save button
**NOTE**
This will save the seesion so you do not need to enter this info in everytime you want to connect via SSH. All you will need to do is double click the saved connection in the box and Putty will connect.
-Click Open and when connected the server will ask for username. Enter it (Usually root) and do the same for the password when asked.

**OPTIONAL**
After connected and you are root, you may change the password to something you would remember a bit easier.
Make sure to make your new password is:
-NOT a dictionary word
-includes ATLEAST two numbers
-uses upper AND lowercase letters
-is ATLEAST 10 characters long

Change Password:

Quote:

# passwd

-Press Enter
-Set the new password (You will be asked twice for it)

Delete SSH Authorized Keys

This is for added protection to keep people from logging into your server unauthorized.

Quote:

# ls .sshauthorized_keys2
# rm .ssh/authorized_keys2

Update Packages

Ok, now we're going to make sure our Ubuntu installation is up to date.

Quote:

# apt-get update

This will update the package database with all the latest packages available.

Quote:

apt-get upgrade

This will upgrade any packages that are out of date on your install. When asked if you want to do the upgrades (if any) type y and press Enter.

**NOTE**
-To run both together and not have to enter a command twice you should use && like so

Quote:

# apt-get update && apt-get upgrade

-To clean the system of old packages and/or broken packages enter the following command.

Quote:

# apt-get clean && apt-get autoclean

Add two packages to be used

Before we add a user to use we need to make sure that packages 'sudo' and 'nano' are installed. Use this command to install them.

Quote:

# apt-get install sudo nano

Create a new user that we’ll install everything with

For security purposes, we’re going to add a new user and disable SSH access for the root user.

Quote:

# adduser <username>

Replace <username> with a username of your choosing.
Fill in all the details when prompted (e.g. password)
Add your new user to the sudoers file. This allows this user to use elevated privileges when needed to do things that normally only the root user could do.

Quote:

# visudo

In recent versions of Ubuntu this opens the sudoers file for editing in a lightweight editor called nano.
Scroll down and find this line:

Quote:

root ALL=(ALL) ALL

On the next line add:

Quote:

<username> ALL=(ALL) ALL

Replace <username> with the username we created earlier.
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.

Lock down SSH

Now we will change some SSH settings.
We're going to use a different port, and prevent root access via SSH

Quote:

# nano /etc/ssh/sshd_config

Change the following lines as below.
Use a high port of your choosing. I recommend a port over 20000.

Quote:

Port 32002
Protocol 2
PermitRootLogin no
X11Forwarding no

Then add these lines at the end of the file:

Quote:

UseDNS no
AllowUsers <username>

**NOTE**
As usual, replace <username> with the name of the user you created. Any additional usernames to be added such as nx (Add this if you use NX Server or FreeNX) should be separated with a space.
-Example-

Quote:

AllowUsers heebyjeeby nx gnarkill sally

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Now restart the SSH daemon

Quote:

# /etc/init.d/ssh reload

Log out of SSH and log back in as the new user you created earlier.

Quote:

# exit

Windows Putty Session with New Port

-To add your new port to your saved session in Putty, first open Putty back up. Click once on the name of your saved session from earlier so it is highlighted. Click Load, and at the top where port is, change the port to the new port you put in on the sshd_config file we just edited. Click save, and from now on you will be able to connect on the new port to your server by opening Putty and double clicking your saved session.
-Now login with the new user and password you created when asked to do so.

Quote:

Login: <New User>
Password: <Users Password>

Install Necessary Basic Packages

**NOTE**
Now we use the $ symbol and the word sudo before a command. This means you are to be logged into the remote server as the new user we just created, and sudo is the command to temporarily retain root priviliges when you are a normal user on your server.

Ok, now lets install some important packages that we're going to need throughout this guide:

Quote:

$ sudo apt-get install apache2 apache2.2-common apache2-utils aptitude autoconf automake autotools-dev binutils build-essential bzip2 ca-certificates comerr-dev cpp cpp-4.1 dpkg-dev file firestarter g++ g++-4.1 gawk gcc gcc-4.1 git-core libapache2-mod-php5 libapache2-mod-scgi libapr1 libaprutil1 libc6-dev libcppunit-dev libcurl3 libcurl4-openssl-dev libexpat1 libidn11 libidn11-dev libkdb5-4 libgssrpc4 libkrb5-dev libmagic1 libncurses5 libncurses5-dev libncursesw5-dev libneon26 libpcre3 libpq5 libsigc++-2.0-dev libsqlite0 libsqlite3-0 libssl-dev libssp0-dev libstdc++6-4.1-dev libsvn1 libtool libxml2 linux-libc-dev lynx m4 make mktorrent mime-support ntp ntpdate openssl patch perl perl-modules php5 php5-cgi php5-cli php5-common php5-curl php5-dev php5-geoip php5-sqlite php5-xmlrpc pkg-config python-scgi rar screen sqlite ssl-cert subversion ucf unrar zlib1g-dev pkg-config unzip htop screen irssi libwww-perl curl

Windows Auto Logon SSH Tunnel:

MyEnTunnel

On your Windows machine open your internet browser and go to

Quote:

http://nemesis2.qx.net/pages/MyEnTunnel

Scroll down and download the latest Stable version.

Plink

On your Windows machine open your internet browser and go to

Quote:

http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe

Download the file when asked.

Create Permenant Tunnel

-Copy MyEnTunnel.exe and Plink.exe to your C: drive and together.
-Open MyEnTunnel
-Click the settings tab
-Set your settings as if it were Putty

Quote:

SSH Server = <Server IP address>
SSH Port = <Servers SSH Port>
Username = <Your Normal User on the Server>
Passphrase = <Your Normal User's Password on the Server>
Port = <Whatever port you want your tunnel to be under. I set mine to the same as the SSH Port on the server for less confusion>

-Check mark whatever boxes youd like. Enable Dynamic Socks MUST be checked. Other notable ones would be

Quote:

Connect on Startup
Reconnect on Failure
Enable Slow Polling
Infinite Retry Attempts
Enable Compression

-Click Connect, and after it has connected click Save, and then Hide. Now it is down by your clock.
-Any program you want to use this tunnel (Firefox, uTorrent, mIRC, etc...) you must set it to use a SOCKS proxy with the IP address of 127.0.0.1 and the Port for whatever you chose MyEnTunnel to use.

Proxy:

**NOTE**
If you are going to use all of your connections from your Windows machine to your seaerver tunneled through SSH, you do not need this Proxy setup on your server. Just continue to GUI below and skip this. If you are like me and only want your uTorrent (or whatever client you use) traffic to be sent through your tunnel, and all others through an HTTP/HTTPS proxy, then continue setting up this Proxy on your server.

Tinyproxy

Install Tinyproxy

Quote:

$ sudo apt-get install tinyproxy

Enter the root password if asked.
Now we need to edit the conf file of Tinyproxy.

Quote:

$ sudo nano /etc/tinyproxy.conf

Enter the root password if asked.
Find this line

Quote:

# Port to listen on.
#
Port 8888

And change the port to whatever port you wish, I will use port 33002 in this tutorial. So now it should look like this

Quote:

# Port to listen on.
#
Port 33002

Next step is to configure Tinyproxy to only accept connection from your IP address. So scroll down the config file until you see this

Quote:

#
# The following is the authorization controls. If there are any access
# control keywords then the default action is to DENY. Otherwise, the
# default action is ALLOW.

#
# Also the order of the controls are important. The incoming connections
# are tested against the controls based on order.
#

Allow 127.0.0.1

And add this text under it

Quote:

Allow <Your Public IP address>

This should look like this

Quote:

Allow 192.168.1.1

To check what your IP address is, go to whatismyip.com
**NOTE**
If you have a Dynamic (Changes) IP you can also use a domain string instead of an IP address. For example, if you are connected to your ISP as something-adsl-sanfran-comcast.com, you could specify “Allow adsl-sanfran-comcast.com” (Without the Quotes) which would allow all Comcast ADSL users in San Francisco to connect. This is MUCH less secure, but a solution if you are not on a Static (Always the Same) IP address.
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Configuration is completed. Now restart the service to affect the new configuration

Quote:

$ sudo /etc/init.d/tinyproxy restart

Your proxy server is now ready. Open the Network settings of your browser and enable proxy. Put the server’s IP address in the proxy hostname/address box and 33002 (put whatever port you set in the conf file) as proxy port. Now, your page requests will be served through your proxy.
**NOTE**
Tinyproxy is extremely lightweight however, you may restart it occasionally to refresh memory usages. You may also set a cron job to do it automatically, but that is beyond the scope of this tutorial for now.

GUI Install:

Ubuntu Desktop with FreeNX

First we will install the Ubuntu Desktop Environment. There are several choices to choose from, this tutorial is for GNOME but you could use any of them if you wanted to fiddle with them. Be warned though - Not all Ubuntu desktop environments play nice with all programs. So install the one you think you would like to see and use for your server.
First we will make sure all of your packages are up to date.

Quote:

$ sudo apt-get update && sudo apt-get upgrade

Now install a desktop.
**GNOME**

Quote:

$ sudo apt-get install ubuntu-desktop

**NOTE**
-If you wan to install GNOME desktop manager without some of the desktop addons like Evolution and OpenOffice use this command to save on server resources:

Quote:

$ sudo aptitude install --no-install-recommends ubuntu-desktop

**XFCE**

Quote:

$ sudo apt-get install xubuntu-desktop

**KDE**

Quote:

$ sudo apt-get install kubuntu-desktop

FreeNX

Add the FreeNX PPA

Quote:

$ sudo add-apt-repository ppa:freenx-team

**NOTE**
If you do not have add-apt-repository installed add the following

Quote:

$ sudo apt-get install python-software-properties

-As of July 2011, there are no packages built for Maverick (10.10) or Natty (11.04), but the packages for Lucid seem to work. Update the sources list as follows:
Ubuntu Natty (11.04):

Quote:

$ sudo sed -i 's/natty/lucid/g' /etc/apt/sources.list.d/freenx-team-ppa-natty.list

Ubuntu Maverick (10.10)

Quote:

$ sudo sed -i 's/maverick/lucid/g' /etc/apt/sources.list.d/freenx-team-ppa-maverick.list

Update Apt

Quote:

$ sudo apt-get update

Install FreeNX

Quote:

$ sudo apt-get install freenx

Get the nxsetup script
-As of July 2011, the FreeNX PPA package is missing the nxsetup script. The script can be downloaded from here by issuing:

Quote:

$ wget https://bugs.launchpad.net/freenx-server/+bug/576359/+attachment/1378450/+files/nxsetup.tar.gz

Unpack the nxsetup script:

Quote:

$ tar -xvf nxsetup.tar.gz

Copy the setup script to /usr/lib/nx:

Quote:

$ sudo cp nxsetup /usr/lib/nx/nxsetup

Run nxsetup:

Quote:

$ sudo /usr/lib/nx/nxsetup --install

**NOTE**
After installation, FreeNX will ask you to use the default keys or a custom pair of keys. If your IP address is Static (Never changes) then you can use the default keys as the Firewall will only be allowing your IP to access SSH, but it should be noted that under any cicumstances that it is a security risk. You can use custom keys if you prefer higher security or have a Dynamic (Changes) IP address, as the Firewall will not be able to only allow your IP but all IP's. Custom keys are beyond the scope of this tutorial at the moment, and will be added at a later date.
Now open up your NX Connection Wizard and the options as it asks them.
-Session can be named whatever you want
-Host is your server IP address
-Port is the same as your SSH port
-The environment should be Unix and Gnome, unless you used a different desktop then select accordingly
....and connect.
If asked to import/replace a key, do so.
After connected, close NX on your Windows machine, and connect through Putty. After connected with your normal user, reboot it.

Quote:

$ sudo reboot

**NOTE**
You do not need to install  the VNC tutorial below if you have chose to install this version of desktop. Skip it and continue on to Configuring Apache.

VNC

Login through Putty as Root on your server.
If you are already logged in under your user on your server type this

Quote:

$ su root

Enter the root user password when asked and you will now be root on your server.
To exit out of root user and return to your normal user you can type

Quote:

# exit

after you are done doing what you need to do as root user.
Install the environment first

Quote:

# apt-get install vnc4server xterm fluxbox firefox firestarter
# update-menus
# apt-get install xfonts-base xfonts-75dpi xfonts-100dpi

Return your normal user

Quote:

# exit

Make sure you are in your home directory:

Quote:

$ cd ~

Configure VNC:

Quote:

$ mkdir .vnc

Now we need to open the xstartup file and add fluxbox

Quote:

$ nano .vnc/xstartup
$ fluxbox

Save (ctrl + o) and exit (ctrl + x). This will start Fluxbox with VNC.
Make the xstartup file executable:

Quote:

$ chmod +x .vnc/xstartup

Now start the vnc4server. The first time u start it, it will ask u to create a password no longer then 8 characters:

Quote:

$ vnc4server :1
Password:
Verify:

**NOTE**
-To kill VNC use this command

Quote:

$ vnc4server -kill :1

-Never run VNC as root user.
Now Open VncViewer or TightVNC on your home computer and set the server to <Server IP Address>:1 and press connect. Then type in your password when asked and you will see your desktop.
After connected, close NX on your Windows machine, and connect through Putty. After connected with your normal user, reboot it.

Quote:

$ sudo reboot

Configure Apache:

Basic Configuration

We need to configure the Apache web server with some modules that we’ll need:

Quote:

$ sudo a2enmod ssl
$ sudo a2enmod auth_digest
$ sudo a2enmod scgi

We want to edit our apache conf file for scgi support which is used to communicate with the rutorrent web front end.

Quote:

$ sudo nano /etc/apache2/apache2.conf

Add these two lines at the end:

Quote:

SCGIMount /RPC2 127.0.0.1:5000
servername localhost

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Reboot the server.

Quote:

$ sudo reboot

After a few minutes, log back in via Putty
Lets just check apache is up and running:
Open a browser and go to:

Quote:

http://<servername or IP>

You should see this message:

Quote:

It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.

Configure Apache for HTTPS and Password Protection:

We are going to create an SSL certificate as root user so that we can access the server via https.

Quote:

# openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
# chmod 600 /etc/apache2/apache.pem

This will create a self-signed certificate for your server that lasts for 1 year. You'll be prompted for a lot of of information. Whenever you're asked for a name, use your domain name if you have one. The rest you can leave blank or fill in with whatever you like.

Now lets add password protection

Quote:

$ sudo htdigest -c /etc/apache2/passwords gods <webusername>

Where <webusername> is the username you'll use to connect to the rutorrent web UI.
It can be the same as the system username you’ve created previously if you like.
After running this command, you'll be prompted for a password. This will be the password you enter to log into the rutorrent web UI.

Quote:

$ sudo nano /etc/apache2/sites-available/default

Now copy the following and paste to replace the contents of the file we're editing.
Then replace all instances of <servername or IP> with your real servername or IP

Quote:

<VirtualHost *:80>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

<Location /rutorrent>
AuthType Digest
AuthName "gods"
AuthDigestDomain /var/www/rutorrent/ http://<servername or IP>/rutorrent

AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www/rutorrent"
</Location>

</VirtualHost>

<VirtualHost *:443>
ServerAdmin webmaster@localhost

SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks

AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<Location /rutorrent>
AuthType Digest
AuthName "gods"
AuthDigestDomain /var/www/rutorrent/ http://<servername or IP>/rutorrent

AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www/rutorrent"
</Location>
</VirtualHost>

Now lets configure apache for HTTPS.

Quote:

$ sudo a2ensite default-ssl

And now lets reload Apache.

Quote:

$ sudo /etc/init.d/apache2 reload

Check that everything is working by opening a browser and going to:

Quote:

https://<servername or IP>

You should see this message:

Quote:

It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.

Webmin:

I like to use Webmin for web based administration of my servers. It offers a very convenient way to remotely administer your server from anywhere with a net connection and a web browser.
First add some dependencies for Webmin

Quote:

$ sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python python-minimal libapt-pkg-perl perl-base perl-modules

Ubuntu 11.04
For libmd5-perl install it manually

Quote:

$ wget http://ftp.debian.org/pool/main/libm/libmd5-perl/libmd5-perl_2.03-1_all.deb
$ sudo dpkg -i libmd5-perl_2.03-1_all.deb

First lets add the webmin repository to our sources.list file so that we can use apt to install is easily

Quote:

$ sudo nano /etc/apt/sources.list

Add this line to the end of the file:
Ubuntu 10.04

Quote:

deb http://download.webmin.com/download/repository sarge contrib

Ubuntu 10.10

Quote:

deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

Ubuntu 11.04

Quote:

deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Lets now fetch and install the PGP key for this new repository so we're not warned about it

Quote:

$ wget http://www.webmin.com/jcameron-key.asc
$ sudo apt-key add jcameron-key.asc

Now we can install webmin

Quote:

$ sudo apt-get update
$ sudo apt-get install webmin

Test webmin is working by opening a browser and going to:

Quote:

https://<servername or IP>:10000

Login with the system user you created earlier

rtorrent:

Building rtorrent from source

You can install rtorrent using apt, but the package there isn’t compiled with xmlrpc-c, which we need to use with rutorrent.
So we're going to compile our own version of rtorrent using xmlrpc-c
Enter these commands one line at a time, and not the whole block at once.

Create source directory

Quote:

$ cd ~/
$ mkdir source
$ cd source

Install libtorrent

Quote:

$ git clone https://github.com/rakshasa/libtorrent.git libtorrent-git
$ cd libtorrent-git
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
$ cd ../

Install xmlrpc-c

Quote:

$ svn co https://xmlrpc-c.svn.sourceforge.net/svnroot/xmlrpc-c/stable/ xmlrpc-c-svn
$ cd xmlrpc-c-svn
$ ./configure --disable-cplusplus
$ make
$ sudo make install
$ cd ../

Install rtorrent with xmlrpc-c support

Quote:

$ git clone https://github.com/rakshasa/rtorrent.git rtorrent-git
$ cd rtorrent-git
$ ./autogen.sh
$ ./configure --with-xmlrpc-c
$ make
$ sudo make install
$ echo "include /usr/local/lib" | sudo tee -a /etc/ld.so.conf
$ sudo ldconfig
$ cd ../

Configuring rtorrent

rtorrent needs a config file to initialize it. Heres mine...you'll need to edit it for your own environment, and make sure that the paths all exist and are writable by the user you will run rtorrent with.
**NOTE**
This is a good configuration for a 100 Mbit server. Gbit is 10x the values, and 10 Gbit is 100x the values.
Create the empty rtorrent configuration file

Quote:

$ sudo nano ~/.rtorrent.rc

Paste this config file into it.

Quote:

# This is an example resource file for rTorrent. Copy to
# ~/.rtorrent.rc and enable/modify the options as needed. Remember to
# uncomment the options you wish to enable.
#
# Based on original .rtorrent.rc file from The libTorrent and rTorrent Project
# Modified by Lemonberry for rtGui rtgui - Project Hosting on Google Code
#
# This assumes the following directory structure:
#
# /Torrents/Downloading - temporaray location for torrents while downloading (see "directory")
# /Torrents/Complete - Torrents are moved here when complete (see "on_finished")
# /Torrents/TorrentFiles/Auto - The 'autoload' directory for rtorrent to use. Place a file
# in here, and rtorrent loads it #automatically. (see "schedule = watch_directory")
# /Torrents/Downloading/rtorrent.session - for storing rtorrent session information
#

# Maximum and minimum number of peers to connect to per torrent.
min_peers = 100
max_peers = 500

# Same as above but for seeding completed torrents (-1 = same as downloading)
min_peers_seed = -1
max_peers_seed = -1

# Maximum number of simultanious uploads per torrent.
max_uploads = 500

# Global upload and download rate in KiB. "0" for unlimited.
download_rate = 0
upload_rate = 0

# Default directory to save the downloaded torrents.
directory = /home/downloads/<username>

# Default session directory. Make sure you don't run multiple instance
# of rtorrent using the same session directory. Perhaps using a
# relative path?
session = /home/downloads/<username>/.session

# Watch a directory for new torrents, and stop those that have been
# deleted.
schedule = watch_directory,5,5,load_start=/home/downloads/<username>/watch/*.torrent
schedule = untied_directory,5,5,stop_untied=

# Close torrents when diskspace is low. */
schedule = low_diskspace,5,60,close_low_diskspace=100M

# Stop torrents when reaching upload ratio in percent,
# when also reaching total upload in bytes, or when
# reaching final upload ratio in percent.
# example: stop at ratio 2.0 with at least 200 MB uploaded, or else ratio 20.0
#schedule = ratio,60,60,stop_on_ratio=200,200M,2000


# When the torrent finishes, it executes "mv -n <base_path> ~/Download/"
# and then sets the destination directory to "~/Download/". (0.7.7+)
# on_finished = move_complete,"execute=mv,-u,$d.get_base_path=,/home/downloads/<username>/complete/ ;d.set_directory=/home/downloads/<username>/complete/"

# The ip address reported to the tracker.
#ip = 127.0.0.1
#ip = rakshasa.no

# The ip address the listening socket and outgoing connections is
# bound to.
#bind = 127.0.0.1
#bind = rakshasa.no

# Port range to use for listening.
port_range = 57001-57001

# Start opening ports at a random position within the port range.
#port_random = yes

scgi_port = 127.0.0.1:5000

# Check hash for finished torrents. Might be usefull until the bug is
# fixed that causes lack of diskspace not to be properly reported.
#check_hash = no

# Set whetever the client should try to connect to UDP trackers.
use_udp_trackers = no

# Alternative calls to bind and ip that should handle dynamic ip's.
#schedule = ip_tick,0,1800,ip=rakshasa
#schedule = bind_tick,0,1800,bind=rakshasa

# Encryption options, set to none (default) or any combination of the following:
# allow_incoming, try_outgoing, require, require_RC4, enable_retry, prefer_plaintext
#
# The example value allows incoming encrypted connections, starts unencrypted
# outgoing connections but retries with encryption if they fail, preferring
# plaintext to RC4 encryption after the encrypted handshake
#
encryption = allow_incoming,enable_retry,prefer_plaintext

# Enable DHT support for trackerless torrents or when all trackers are down.
# May be set to "disable" (completely disable DHT), "off" (do not start DHT),
# "auto" (start and stop DHT as needed), or "on" (start DHT immediately).
# The default is "off". For DHT to work, a session directory must be defined.
#
dht = disable

# UDP port to use for DHT.
#
# dht_port = 6881

# Enable peer exchange (for torrents not marked private)
#
peer_exchange = no

#
# Do not modify the following parameters unless you know what you're doing.
#

# Hash read-ahead controls how many MB to request the kernel to read
# ahead. If the value is too low the disk may not be fully utilized,
# while if too high the kernel might not be able to keep the read
# pages in memory thus end up trashing.
#hash_read_ahead = 10

# Interval between attempts to check the hash, in milliseconds.
#hash_interval = 100

# Number of attempts to check the hash while using the mincore status,
# before forcing. Overworked systems might need lower values to get a
# decent hash checking rate.
#hash_max_tries = 10

# Max number of files to keep open simultaniously.
max_open_files = 512

# Number of sockets to simultaneously keep open.
#max_open_sockets = <no default>


# Example of scheduling commands: Switch between two ip's every 5
# seconds.
#schedule = "ip_tick1,5,10,ip=torretta"
#schedule = "ip_tick2,10,10,ip=lampedusa"

# Remove a scheduled event.
#schedule_remove = "ip_tick1"

The file should be saved in the home directory of the user you will run rtorrent with. I use the same system user we created earlier
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Ensure that the correct directories exist as you specified in the .rtorrent.rc file

Quote:

$ sudo mkdir /home/downloads
$ sudo mkdir /home/downloads/<username>
$ sudo mkdir /home/downloads/<username>/watch
$ sudo mkdir /home/downloads/<username>/.session
$ sudo chown -R <username>:<username> /home

Now check your config file is ok by trying to start rtorrent

Quote:

$ rtorrent

If rtorrent starts, you're good. Use CTRL-Q to quit it.
If rtorrent doesnt start and you get an error, then note the error and fix your config file as necessary.

Set Ubuntu To Have Unlimited Open Files

If you are the normal user temporarily become root

Quote:

$ su root

Enter root password when asked.

Quote:

# nano /etc/pam.d/su

Uncomment the following line

Quote:

#session    required   pam_limits.so
to
session    required   pam_limits.so

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Now in the terminal do

Quote:

# nano /etc/security/limits.conf

Add the following lines to the end of the file (before the line # End of file)

Quote:

*       soft  nofile   4084                                                    
*       hard  nofile   4084

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.

rtorrent Startup Script:

Since we dont want to have to start rtorrent manually every time the server boots, we're going to start it automatically, and we'll run it in a screen session.
Now we'll create the startup script
Edit this example as necessary to change the username that you want rtorrent to run as.

Quote:

$ sudo nano /etc/init.d/rtorrent

Paste your edited config into that file.
Replace anything that says <username> with the username you created before.

Quote:

#!/bin/sh
#############
###<Notes>###
#############
# This script depends on screen.
# For the stop function to work, you must set an
# explicit session directory using ABSOLUTE paths (no, ~ is not absolute) in your rtorrent.rc.
# If you typically just start rtorrent with just "rtorrent" on the
# command line, all you need to change is the "user" option.
# Attach to the screen session as your user with
# "screen -dr rtorrent". Change "rtorrent" with srnname option.
# Licensed under the GPLv2 by lo***ihilist: lo***ihilist _at_ gmail _dot_ com
##############
###</Notes>###
##############

#######################
##Start Configuration##
#######################
# You can specify your configuration in a different file
# (so that it is saved with upgrades, saved in your home directory,
# or whateve reason you want to)
# by commenting out/deleting the configuration lines and placing them
# in a text file (say /home/user/.rtorrent.init.conf) exactly as you would
# have written them here (you can leave the comments if you desire
# and then uncommenting the following line correcting the path/filename
# for the one you used. note the space after the ".".
# . /etc/rtorrent.init.conf

#Do not put a space on either side of the equal signs e.g.
# user = user
# will not work
# system user to run as
user="<username>"

# the system group to run as, not implemented, see d_start for beginning implementation
# group=`id -ng "$user"`

# the full path to the filename where you store your rtorrent configuration
config="`su -c 'echo $HOME' $user`/.rtorrent.rc"

# set of options to run with
options=""

# default directory for screen, needs to be an absolute path
base="`su -c 'echo $HOME' $user`"

# name of screen session
srnname="rtorrent"

# file to log to (makes for easier debugging if something goes wrong)
logfile="/var/log/rtorrentInit.log"
#######################
###END CONFIGURATION###
#######################
PATH=/usr/bin:/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin
DESC="rtorrent"
NAME=rtorrent
DAEMON=$NAME
SCRIPTNAME=/etc/init.d/$NAME

checkcnfg() {
exists=0
for i in `echo "$PATH" | tr ':' '\n'` ; do
if [ -f $i/$NAME ] ; then
exists=1
break
fi
done
if [ $exists -eq 0 ] ; then
echo "cannot find rtorrent binary in PATH $PATH" | tee -a "$logfile" >&2
exit 3
fi
if ! [ -r "${config}" ] ; then
echo "cannot find readable config ${config}. check that it is there and permissions are appropriate" | tee -a "$logfile" >&2
exit 3
fi
session=`getsession "$config"`
if ! [ -d "${session}" ] ; then
echo "cannot find readable session directory ${session} from config ${config}. check permissions" | tee -a "$logfile" >&2
exit 3
fi
}

d_start() {
[ -d "${base}" ] && cd "${base}"
stty stop undef && stty start undef
su -c "screen -ls | grep -sq "\.${srnname}[[:space:]]" " ${user} || su -c "screen -dm -S ${srnname} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
# this works for the screen command, but starting rtorrent below adopts screen session gid
# even if it is not the screen session we started (e.g. running under an undesirable gid
#su -c "screen -ls | grep -sq "\.${srnname}[[:space:]]" " ${user} || su -c "sg \"$group\" -c \"screen -fn -dm -S ${srnname} 2>&1 1>/dev/null\"" ${user} | tee -a "$logfile" >&2
su -c "screen -S "${srnname}" -X screen rtorrent ${options} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
}

d_stop() {
session=`getsession "$config"`
if ! [ -s ${session}/rtorrent.lock ] ; then
return
fi
pid=`cat ${session}/rtorrent.lock | awk -F: '{print($2)}' | sed "s/[^0-9]//g"`
if ps -A | grep -sq ${pid}.*rtorrent ; then # make sure the pid doesn't belong to another process
kill -s INT ${pid}
fi
}

getsession() {
session=`cat "$1" | grep "^[[:space:]]*session[[:space:]]*=" | sed "s/^[[:space:]]*session[[:space:]]*=[[:space:]]*//" `
echo $session
}

checkcnfg

case "$1" in
start)
echo -n "Starting $DESC: $NAME"
d_start
echo "."
;;
stop)
echo -n "Stopping $DESC: $NAME"
d_stop
echo "."
;;
restart|force-reload)
echo -n "Restarting $DESC: $NAME"
d_stop
sleep 1
d_start
echo "."
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
exit 1
;;
esac

exit 0

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Now we need to change the user and group ownership of that file and make it executable

Quote:

$ sudo chown root:root /etc/init.d/rtorrent
$ sudo chmod a+x /etc/init.d/rtorrent

Now lets tell ubuntu to run this script at startup

Quote:

$ cd /etc/init.d
$ sudo update-rc.d rtorrent defaults

Test the script:

Quote:

$ sudo /etc/init.d/rtorrent start

Check that an rtorrent and a screen process are running using htop

Quote:

$ htop

To exit htop, hit F10

rutorrent

ruTorrent is really just a set of php and html files, so we're going to install them to a folder under our web server root.
We’re going to get the latest files from the subversion repository, and update them to the newest version.

Quote:

$ cd /var/www
$ svn co http://rutorrent.googlecode.com/svn/trunk/rutorrent

Now we'll download some useful rutorrent plugins

Update SVN Checkout

Quote:

$ cd /var/www/rutorrent
$ sudo svn up

Quote:

$ cd rutorrent/plugins
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/_getdir/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/_task/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/autotools/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/chunks/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/cookies/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/cpuload/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/create/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/data/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/datadir/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/diskspace/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/edit/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/erasedata/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/extsearch/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/feeds/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/geoip/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/httprpc/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/ipad/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/loginmgr/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/mediainfo/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/ratio/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/retrackers/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/rpc/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/rss/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/rssurlrewrite/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/rutracker_check/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/scheduler/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/screenshots/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/seedingtime/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/show_peers_like_wtorrent/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/source/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/theme/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/throttle/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/tracklabels/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/trafic/
svn co http://rutorrent.googlecode.com/svn/trunk/plugins/unpack/

Now lets change ownership of the rutorrent files to the web server user, and change the permissions on them

Quote:

$ cd /var/www
$ sudo chown -R www-data:www-data rutorrent
$ sudo chmod -R 777 rutorrent

OK, now visit your rutorrent site to check its all working:

Quote:

https://<servername or IP>/rutorrent

You should be prompted for the username and password we set up earlier for password protection of our web server
Now you should see the rutorrent web gui, and be able to add torrents.

FTPS / SFTP

**NOTE**
If you just want to use SFTP (FTP over SSH), you dont need to do anything more here.
Just connect with an FTP client via SFTP to your server on the SSH port you use.

If you want to setup FTPS (FTP using SSL encryption) then we'll setup Pure-FTPd.

Pure-FTPd

Quote:

$ sudo apt-get install pure-ftpd

Now lets create another SSL certificate (you could use the ones you created earlier if you like - I prefer to keep them separate)

Quote:

$ sudo openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
$ sudo chmod 600 /etc/ssl/private/pure-ftpd.pem

This will create a self-signed certificate for your server that lasts for 1 year. You'll be prompted for a lot of of information. Whenever you're asked for a name, use your domain name if you have one. The rest you can leave blank or fill in with whatever you like.
Now lets edit the Pure-ftpd config.
Pure-ftpd doesn't use a config file like other FTP daemons. Instead it starts with a set of command like switches.
However, the init.d startup script that is installed when you installed the pureftpd package can parse a directory of single line 'config files' in order to dynamically build the correct set of command line switches.
So all we need to do is create these single line files in the right place:
Temporarily act as root user

Quote:

$ su root

Enter the root password when asked

Quote:

# cd /etc/pure-ftpd/conf/
# echo ,<port to be used for FTP> > Bind
# echo <server IP> > ForcePassiveIP
# echo <port used for Passive Mode of FTP> > PassivePortRange
# echo 1 > TLS

The first 'echo' line above creates a file that tells Pure-ftpd to use a particular port, so change the number to the port you wish to use.
The second 'echo' line creates a file that tells Pure-ftpd to use the given static IP address for Passive mode. You need to set this to the IP of your server.
The third 'echo' line determines what port range to use for Passive mode.
If you want additional security, also do the following:

Quote:

# echo yes > ProhibitDotFilesRead
# echo yes > ProhibitDotFilesWrite
# echo yes > NoChmod
# echo yes > BrokenClientsCompatibility

The first two 'echo' lines create files that stop users reading and writing system files that have a leading '.' in their filename (Hidden files)
The third 'echo' line creates a file that stops users changing the permissions on files and folders.
The final 'echo' line creates a file that prevents clients that dont strictly adhere to the FTP/FTPS protocol from connecting.
Now lets configure how users will authenticate

Quote:

# echo no > PAMAuthentication
# echo yes > UnixAuthentication

Here we are configuring to use system usernames.
Now just restart the FTP service

Quote:

# /etc/init.d/pure-ftpd restart

Test everything is ok by connecting to the FTP service with an FTP client set to use the FTPS protocol, on the port you chose.
And return to the normal user

Quote:

# exit

Linux Firewall

Now it is time to set up the linux firewall to close all the ports other than the ones we need. This is where the GUI will come in handy for those who do not understand IPTables.

First we will restart our server to make sure everything is a go, and then we will update it afterward.
So connect with Putty and type

Quote:

$ sudo reboot

After about 5 minutes reconnect with Putty as the normal user.
Now update

Quote:

$ sudo apt-get update && sudo apt-get upgrade
$sudo apt-get clean && sudo apt-get auto-clean

GUI with GNOME/NX

Connect with your NX client on your windows machine.
Now with firestarter installed we can setup the Linux Firewall. (This was previously installed at the beginning of the tutorial.)
Go to System > Administration > Firestarter
-When you launch the GUI for the first time, it will take you through a setup wizard.
-Click forward, and you will be able to select the network device. This device you must choose correctly. There may be a list of them. On almost all setups you will chose eth0.
-Select eth0
-Do check the other boxes.
-Click Forward, and then click Forward again.
-Uncheck to start the Firewall now. You must uncheck this or it will lock out all ports when you click Save.
-Click the Policy tab
-Make sure that Editing is set to Inboud Traffic Policy
-Right click under Allow Service, and you will do this individually for all your ports you need open.

Quote:

Port = 32002, 80, 443, 10000, 57001, 33002 (33002 should only be set if you setup tinyproxy)
Anyone should be set for 57001
All others are to be set to your IP, unless you have a Dynamic IP address in which case you should set all of these ports to Anyone.

VNC

Connect to your VNC desktop on your Windows machine.

Now with firestarter installed we can setup the Linux Firewall. (This was previously installed at the beginning of the tutorial.)
-Right-click on the desktop and open an xterm window.
-When xterm opens type

Quote:

$ sudo firestarter

Enter the password for root when asked. If an error appears select ok and ignore it.
-When you launch the GUI for the first time, it will take you through a setup wizard.
-Click forward, and you will be able to select the network device. This device you must choose correctly. There may be a list of them. On almost all setups you will chose eth0.
-Select eth0
-Do check the other boxes.
-Click Forward, and then click Forward again.
-Uncheck to start the Firewall now. You must uncheck this or it will lock out all ports when you click Save.
-Click the Policy tab
-Make sure that Editing is set to Inboud Traffic Policy
-Right click under Allow Service, and you will do this individually for all your ports you need open.

Quote:

Port = 32002, 80, 443, 10000, 57001 33002 (33002 should only be set if you setup tinyproxy)
Anyone should be set for 57001
All others are to be set to your IP, unless you have a Dynamic IP address in which case you should set all of these ports to Anyone.

You're encouraged to change the ports used as examples in this guide - just make sure you write them down, and double check them before implementing any firewall rules.
You should also check with your host in case that they use any automatic network monitoring tools.
If they do, you may need to leave some ports open to respond to pings and so on, otherwise their tools might think your server is down and try rebooting it or putting it into recovery mode. Best just to check with them.

Fail2Ban:

Login through Putty to your Server as your normal user, and then become root

Quote:

$ su root

Enter root password when asked.
Install Fail2ban

Quote:

# apt-get update && apt-get upgrade
# apt-get install fail2ban

Answer yes to all things asked.
Open the config file of Fail2Ban called the jail to be edited.

Quote:

# nano /etc/fail2ban/jail.conf

After you open the jail.conf file look for the following line "ignoreIP". This is where you are going to put your IP address at home so you dont get blocked. Make the following changes

Quote:

ignoreip = 127.0.0.1 Your_Home_IP

EX : ignoreip = 127.0.0.1 24.127.*.* 192.168.1.*
**NOTE**
You can use as many IP's as you want. Just use a space in between each IP address. If you have a Dynamic IP, it would be a good idea to accept the whole range like i gave in the example above.
This next 'STEP' is not done in the 'jail.conf' file and is just to show you how to unban an IP using IPTables. To flush all SSH fail2ban rules:

Quote:

# iptables -F fail2ban-ssh

To delete just 1 IP rule:

Quote:

# iptables -D fail2ban-ssh host-name/ip DROP

Now thats out of the way we can continue with the 'jail.conf' and make the following changes
[ssh]
enabled = true
port = ssh
maxretry = 5
**NOTE**
If you are using the standard port 22 for ssh then you can leave above just as "port = ssh". If u are not using that port # then u need to put it like this port = 33002
All lines for Apache should marked to true
Scroll to the bottom of jail.conf and add these lines to monitor Webmin and Pure-FTPd

Quote:

[webmin-auth]
enabled = true
port = 10000
filter = webmin-auth
logpath = /var/log/auth.log
maxretry = 3

[pure-ftpd]
enabled  = true
port = <Port used for FTP on Server>
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 3

Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
All we need to do now is restart Fail2ban with this command:

Quote:

# /etc/init.d/fail2ban restart

Please share your comments and experiences on the comment area.