Home
when radio is on air you can tune in by clicking on the Peppies-Jukebox link on the top of the page (members only) and by leaving it open you can browse the site content and join in with stuff all at the same time or if you join us you can join us in the irc channel to see whats being played, make requests and join in with us there too. 
Introduction
This guide will walk you through a full install of a secure seedbox environment, running rtorrent with the rutorrent web front end and the pureftpd FTP server.
The guide also includes optional steps to configure for multiple users, each with their own web login and running instance of rtorrent.
Pre-requisites: An Ubuntu 9.10 or later server (should also work on some earlier versions, and on other Debian based distros, but this is untested) with root SSH access.
Initial login
Login to your server as root via SSH
Create a new user that we�ll install everything with
For security purposes, we�re going to add a new user and disable SSH access for the root user
Quote:
adduser <username>
Replace <username> with a username of your choosing.
Fill in all the details when prompted (e.g. password)
Add your new user to the sudoers file. This allows this user to use elevated privileges when needed to do things that normally only the root user could do.
Quote:
visudo
In recent versions of Ubuntu this opens the sudoers file for editing in a lightweight editor called nano.
Scroll down and find this line:
Quote:
root ALL=(ALL) ALL
On the next line add:
Quote:
<username> ALL=(ALL) ALL
Replace <username> with the username we created earlier.
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Lock down SSH
(Optional but advisable)
Now we will change some SSH settings.
We're going to use a different port, and prevent root access via SSH
Quote:
nano /etc/ssh/sshd_config
Change the following lines as below.
Use a high port of your choosing. I recommend a port over 20000
Quote:
Port 21976
Protocol 2
PermitRootLogin no
X11Forwarding no
Then add these lines at the end of the file:
Quote:
UseDNS no
AllowUsers <username>
(As usual, replace <username> with the name of the user you created)
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Now restart the SSH daemon
Quote:
/etc/init.d/ssh reload
Log out of SSH and log back in as the new user you created earlier
Quote:
exit
ssh -p 21976 <username>@<server IP>
(Note the -p argument which specifies the new SSH port that you configured in the last step)
Type the password as requested
Update packages
Ok, now we're going to make sure our Ubuntu installation is up to date.
Quote:
sudo apt-get update
This will update the package database with all the latest packages available. Using the sudo command will temporarily elevate your privileges to be able to execute these commands that normally only a super user could execute.
Quote:
sudo apt-get upgrade
This will upgrade any packages that are out of date on your install.
Install necessary basic packages
Ok, now lets install some important packages that we're going to need throughout this guide:
Quote:
sudo apt-get install apache2 apache2.2-common apache2-utils autoconf automake autotools-dev binutils build-essential bzip2 ca-certificates comerr-dev cpp cpp-4.1 dpkg-dev file g++ g++-4.1 gawk gcc gcc-4.1 libapache2-mod-php5 libapache2-mod-scgi libapr1 libaprutil1 libc6-dev libcppunit-dev libcurl3 libcurl4-openssl-dev libexpat1 libidn11 libidn11-dev libkdb5-4 libgssrpc4 libkrb5-dev libmagic1 libncurses5 libncurses5-dev libneon26 libpcre3 libpq5 libsigc++-2.0-dev libsqlite0 libsqlite3-0 libssl-dev libssp0-dev libstdc++6-4.1-dev libsvn1 libtool libxml2 linux-libc-dev lynx m4 make mime-support ntp ntpdate openssl patch perl perl-modules php5 php5-cgi php5-cli php5-common php5-curl php5-dev php5-geoip php5-sqlite php5-xmlrpc pkg-config python-scgi screen sqlite ssl-cert subversion ucf unrar zlib1g-dev pkg-config unzip htop screen irssi libwww-perl curl
Configure Apache
Basic configuration
We need to configure the Apache web server with some modules that we�ll need:
Quote:
a2enmod ssl
a2enmod auth_digest
a2enmod scgi
We want to edit our apache conf file for scgi support which is used to communicate with the rutorrent web front end.
Quote:
sudo nano /etc/apache2/apache2.conf
Add this line at the end:
Quote:
SCGIMount /RPC2 127.0.0.1:5000
servername localhost
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Reboot the server
Quote:
sudo reboot
After a few minutes, log back in via SSH using the new port and user you created
Lets just check apache is up and running
Open a browser and go to
Quote:
[You must be registered and logged in to see this link.] or IP>
You should see this message:
Quote:
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
Configure Apache for HTTPS and password protection
We are going to create an SSL certificate so that we can access the server via https
Quote:
openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
chmod 600 /etc/apache2/apache.pem
This will create a self-signed certificate for your server that lasts for 1 year. You'll be prompted for a lot of of information. Whenever you're asked for a name, use your domain name if you have one. The rest you can leave blank or fill in with whatever you like.
Now lets add password protection
Quote:
sudo htdigest -c /etc/apache2/passwords gods <webusername>
Where <webusername> is the username you'll use to connect to the rutorrent web UI.
It can be the same as the system username you�ve created previously if you like.
After running this command, you'll be prompted for a password. This will be the password you enter to log into the rutorrent web UI.
Quote:
sudo nano /etc/apache2/sites-available/default
Now copy the following and paste to replace the contents of the file we're editing.
Then replace all instances of <servername or IP> with your real servername or IP
Quote:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<Location /rutorrent>
AuthType Digest
AuthName "gods"
AuthDigestDomain /var/www/rutorrent/ [You must be registered and logged in to see this link.] or IP>/rutorrent
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www/rutorrent"
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<Location /rutorrent>
AuthType Digest
AuthName "gods"
AuthDigestDomain /var/www/rutorrent/ [You must be registered and logged in to see this link.] or IP>/rutorrent
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www/rutorrent"
</Location>
</VirtualHost>
Now lets configure apache for HTTPS
Quote:
sudo a2ensite default-ssl
And now lets reload Apache
Quote:
sudo /etc/init.d/apache2 reload
Check that everything is working by opening a browser and going to:
Quote:
[You must be registered and logged in to see this link.] or IP>
You should see this message:
Quote:
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
Code
Webmin
(optional section)
I like to use Webmin for web based administration of my servers. It offers a very convenient way to remotely administer your server from anywhere with a net connection and a web browser.
First lets add the webmin repository to our sources.list file so that we can use apt to install is easily
Quote:
sudo nano /etc/apt/sources.list
Add this line to the end of the file:
Quote:
deb [You must be registered and logged in to see this link.] sarge contrib
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Lets now fetch and install the PGP key for this new repository so we're not warned about it
Quote:
wget [You must be registered and logged in to see this link.]
sudo apt-key add jcameron-key.asc
Now we can install webmin
Quote:
sudo apt-get update
sudo apt-get install webmin
Test webmin is working by opening a browser and going to:
Quote:
[You must be registered and logged in to see this link.] or IP>:10000
Login with the system user you created earlier
We will return to use Webmin later for an easy way to configure the Linux IPTables firewall
rtorrent
Ok, now lets install rtorrent
Building rtorrent from source
You can install rtorrent using apt, but the package there isn�t compiled with xmlrpc-c, which we need to use with rutorrent.
So we're going to compile our own version of rtorrent using xmlrpc-c
Quote:
cd ~/
mkdir source
cd source
svn co [You must be registered and logged in to see this link.] xmlrpc-c
wget [You must be registered and logged in to see this link.]
wget [You must be registered and logged in to see this link.]
tar -xvzf libtorrent-0.12.6.tar.gz
tar -xvzf rtorrent-0.8.6.tar.gz
rm *.tar.gz
Now we�ll configure and make xmlrpc-c
Quote:
cd xmlrpc-c
./configure --disable-cplusplus
make
sudo make install
Now time to do the same for libtorrent and rtorrent
Quote:
cd ../libtorrent-0.12.6
./autogen.sh
./configure
make
sudo make install
cd ../rtorrent-0.8.6
./autogen.sh
./configure --with-xmlrpc-c
make
sudo make install
sudo ldconfig
Configuring rtorrent
Ok, now we've got rtorrent installed, but we have to configure it.
rtorrent needs a config file to initialize it. Heres mine...you'll need to edit it for your own environment, and make sure that the paths all exist and are writable by the user you will run rtorrent with.
Quote:
# This is an example resource file for rTorrent. Copy to
# ~/.rtorrent.rc and enable/modify the options as needed. Remember to
# uncomment the options you wish to enable.
#
# Based on original .rtorrent.rc file from [You must be registered and logged in to see this link.]
# Modified by Lemonberry for rtGui [You must be registered and logged in to see this link.]
#
# This assumes the following directory structure:
#
# /Torrents/Downloading - temporaray location for torrents while downloading (see "directory")
# /Torrents/Complete - Torrents are moved here when complete (see "on_finished")
# /Torrents/TorrentFiles/Auto - The 'autoload' directory for rtorrent to use. Place a file
# in here, and rtorrent loads it #automatically. (see "schedule = watch_directory")
# /Torrents/Downloading/rtorrent.session - for storing rtorrent session information
#
# Maximum and minimum number of peers to connect to per torrent.
#min_peers = 40
max_peers = 100
# Same as above but for seeding completed torrents (-1 = same as downloading)
min_peers_seed = -1
max_peers_seed = -1
# Maximum number of simultanious uploads per torrent.
max_uploads = 50
# Global upload and download rate in KiB. "0" for unlimited.
download_rate = 0
upload_rate = 0
# Default directory to save the downloaded torrents.
directory = /home/downloads/<username>
# Default session directory. Make sure you don't run multiple instance
# of rtorrent using the same session directory. Perhaps using a
# relative path?
session = /home/downloads/<username>/.session
# Watch a directory for new torrents, and stop those that have been
# deleted.
schedule = watch_directory,5,5,load_start=/home/downloads/<username>/watch/*.torrent
schedule = untied_directory,5,5,stop_untied=
# Close torrents when diskspace is low. */
schedule = low_diskspace,5,60,close_low_diskspace=100M
# Stop torrents when reaching upload ratio in percent,
# when also reaching total upload in bytes, or when
# reaching final upload ratio in percent.
# example: stop at ratio 2.0 with at least 200 MB uploaded, or else ratio 20.0
#schedule = ratio,60,60,stop_on_ratio=200,200M,2000
# When the torrent finishes, it executes "mv -n <base_path> ~/Download/"
# and then sets the destination directory to "~/Download/". (0.7.7+)
# on_finished = move_complete,"execute=mv,-u,$d.get_base_path=,/home/downloads/<username>/complete/ ;d.set_directory=/home/downloads/<username>/complete/"
# The ip address reported to the tracker.
#ip = 127.0.0.1
#ip = rakshasa.no
# The ip address the listening socket and outgoing connections is
# bound to.
#bind = 127.0.0.1
#bind = rakshasa.no
# Port range to use for listening.
port_range = 55995-56000
# Start opening ports at a random position within the port range.
#port_random = yes
scgi_port = 127.0.0.1:5000
# Check hash for finished torrents. Might be usefull until the bug is
# fixed that causes lack of diskspace not to be properly reported.
#check_hash = no
# Set whetever the client should try to connect to UDP trackers.
#use_udp_trackers = no
# Alternative calls to bind and ip that should handle dynamic ip's.
#schedule = ip_tick,0,1800,ip=rakshasa
#schedule = bind_tick,0,1800,bind=rakshasa
# Encryption options, set to none (default) or any combination of the following:
# allow_incoming, try_outgoing, require, require_RC4, enable_retry, prefer_plaintext
#
# The example value allows incoming encrypted connections, starts unencrypted
# outgoing connections but retries with encryption if they fail, preferring
# plaintext to RC4 encryption after the encrypted handshake
#
encryption = allow_incoming,enable_retry,prefer_plaintext
# Enable DHT support for trackerless torrents or when all trackers are down.
# May be set to "disable" (completely disable DHT), "off" (do not start DHT),
# "auto" (start and stop DHT as needed), or "on" (start DHT immediately).
# The default is "off". For DHT to work, a session directory must be defined.
#
dht = disable
# UDP port to use for DHT.
#
# dht_port = 6881
# Enable peer exchange (for torrents not marked private)
#
peer_exchange = no
#
# Do not modify the following parameters unless you know what you're doing.
#
# Hash read-ahead controls how many MB to request the kernel to read
# ahead. If the value is too low the disk may not be fully utilized,
# while if too high the kernel might not be able to keep the read
# pages in memory thus end up trashing.
#hash_read_ahead = 10
# Interval between attempts to check the hash, in milliseconds.
#hash_interval = 100
# Number of attempts to check the hash while using the mincore status,
# before forcing. Overworked systems might need lower values to get a
# decent hash checking rate.
#hash_max_tries = 10
# Max number of files to keep open simultaniously.
#max_open_files = 128
# Number of sockets to simultaneously keep open.
#max_open_sockets = <no default>
# Example of scheduling commands: Switch between two ip's every 5
# seconds.
#schedule = "ip_tick1,5,10,ip=torretta"
#schedule = "ip_tick2,10,10,ip=lampedusa"
# Remove a scheduled event.
#schedule_remove = "ip_tick1"
The file should be saved in the home directory of the user you will run rtorrent with. I use the same system user we created earlier
Quote:
sudo nano ~/.rtorrent.rc
Paste your config into that file
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Ensure that the correct directories exist as you specified in the .rtorrent.rc file
Quote:
sudo mkdir /home/downloads
sudo mkdir /home/downloads/<username>
sudo mkdir /home/downloads/<username>/watch
sudo mkdir /home/downloads/<username>/.session
sudo chown -R <username>:<username> <username>
Now check your config file is ok by trying to start rtorrent
Quote:
rtorrent
If rtorrent starts, you're good. Use CTRL-Q to quit it.
If rtorrent doesnt start and you get an error, then note the error and fix your config file as necessary.
rtorrent startup script
Since we dont want to have to start rtorrent manually every time the server boots, we're going to start it automatically, and we'll run it in a screen session.
Now we'll create the startup script
Edit this example as necessary to change the username that you want rtorrent to run as.
Quote:
#!/bin/sh
#############
###<Notes>###
#############
# This script depends on screen.
# For the stop function to work, you must set an
# explicit session directory using ABSOLUTE paths (no, ~ is not absolute) in your rtorrent.rc.
# If you typically just start rtorrent with just "rtorrent" on the
# command line, all you need to change is the "user" option.
# Attach to the screen session as your user with
# "screen -dr rtorrent". Change "rtorrent" with srnname option.
# Licensed under the GPLv2 by lostnihilist: lostnihilist _at_ gmail _dot_ com
##############
###</Notes>###
##############
#######################
##Start Configuration##
#######################
# You can specify your configuration in a different file
# (so that it is saved with upgrades, saved in your home directory,
# or whateve reason you want to)
# by commenting out/deleting the configuration lines and placing them
# in a text file (say /home/user/.rtorrent.init.conf) exactly as you would
# have written them here (you can leave the comments if you desire
# and then uncommenting the following line correcting the path/filename
# for the one you used. note the space after the ".".
# . /etc/rtorrent.init.conf
#Do not put a space on either side of the equal signs e.g.
# user = user
# will not work
# system user to run as
user="<username>"
# the system group to run as, not implemented, see d_start for beginning implementation
# group=`id -ng "$user"`
# the full path to the filename where you store your rtorrent configuration
config="`su -c 'echo $HOME' $user`/.rtorrent.rc"
# set of options to run with
options=""
# default directory for screen, needs to be an absolute path
base="`su -c 'echo $HOME' $user`"
# name of screen session
srnname="rtorrent"
# file to log to (makes for easier debugging if something goes wrong)
logfile="/var/log/rtorrentInit.log"
#######################
###END CONFIGURATION###
#######################
PATH=/usr/bin:/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin
DESC="rtorrent"
NAME=rtorrent
DAEMON=$NAME
SCRIPTNAME=/etc/init.d/$NAME
checkcnfg() {
exists=0
for i in `echo "$PATH" | tr ':' '\n'` ; do
if [ -f $i/$NAME ] ; then
exists=1
break
fi
done
if [ $exists -eq 0 ] ; then
echo "cannot find rtorrent binary in PATH $PATH" | tee -a "$logfile" >&2
exit 3
fi
if ! [ -r "${config}" ] ; then
echo "cannot find readable config ${config}. check that it is there and permissions are appropriate" | tee -a "$logfile" >&2
exit 3
fi
session=`getsession "$config"`
if ! [ -d "${session}" ] ; then
echo "cannot find readable session directory ${session} from config ${config}. check permissions" | tee -a "$logfile" >&2
exit 3
fi
}
d_start() {
[ -d "${base}" ] && cd "${base}"
stty stop undef && stty start undef
su -c "screen -ls | grep -sq "\.${srnname}[[:space:]]" " ${user} || su -c "screen -dm -S ${srnname} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
# this works for the screen command, but starting rtorrent below adopts screen session gid
# even if it is not the screen session we started (e.g. running under an undesirable gid
#su -c "screen -ls | grep -sq "\.${srnname}[[:space:]]" " ${user} || su -c "sg \"$group\" -c \"screen -fn -dm -S ${srnname} 2>&1 1>/dev/null\"" ${user} | tee -a "$logfile" >&2
su -c "screen -S "${srnname}" -X screen rtorrent ${options} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
}
d_stop() {
session=`getsession "$config"`
if ! [ -s ${session}/rtorrent.lock ] ; then
return
fi
pid=`cat ${session}/rtorrent.lock | awk -F: '{print($2)}' | sed "s/[^0-9]//g"`
if ps -A | grep -sq ${pid}.*rtorrent ; then # make sure the pid doesn't belong to another process
kill -s INT ${pid}
fi
}
getsession() {
session=`cat "$1" | grep "^[[:space:]]*session[[:space:]]*=" | sed "s/^[[:space:]]*session[[:space:]]*=[[:space:]]*//" `
echo $session
}
checkcnfg
case "$1" in
start)
echo -n "Starting $DESC: $NAME"
d_start
echo "."
;;
stop)
echo -n "Stopping $DESC: $NAME"
d_stop
echo "."
;;
restart|force-reload)
echo -n "Restarting $DESC: $NAME"
d_stop
sleep 1
d_start
echo "."
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0
Paste your edited config into that file
Quote:
sudo nano /etc/init.d/rtorrent
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Now we need to change the user and group ownership of that file and make it executable
Quote:
sudo chown root:root /etc/init.d/rtorrent
sudo chmod a+x /etc/init.d/rtorrent
Now lets tell ubuntu to run this script at startup
Quote:
cd /etc/init.d
sudo update-rc.d rtorrent defaults
Test the script:
Quote:
sudo /etc/init.d/rtorrent start
Check that an rtorrent and a screen process are running using htop
Quote:
htop
To exit htop, hit F10
rutorrent
Ok, now to install rutorrent
ruTorrent is really just a set of php and html files, so we're going to install them to a folder under our web server root.
We�re going to get the latest 3.0 files from the subversion repository.
Quote:
cd /var/www
sudo svn checkout [You must be registered and logged in to see this link.]
Now we'll download some useful rutorrent plugins
Quote:
cd rutorrent/plugins
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
Now lets change ownership of the rutorrent files to the web server user, and change the permissions on them
Quote:
cd /var/www
sudo chown -R www-data:www-data rutorrent
sudo chmod -R 777 rutorrent
OK, now visit your rutorrent site to check its all working:
Quote:
[You must be registered and logged in to see this link.] or IP>/rutorrent
You should be prompted for the username and password we set up earlier for password protection of our web server
Now you should see the rutorrent web gui, and be able to add torrents.
FTPS / SFTP
If you just want to use SFTP (FTP over SSH), you dont need to do anything more here.
Just connect with an FTP client via SFTP to your server on the SSH port you use.
If you want to setup FTPS (FTP using SSL encryption) then we'll setup Pure-FTPd.
I usually use proftpd on my servers but a bug in the current versions (1.3.2 in the Ubuntu karmic package repo, and 1.3.3 current stable) mean that a 550 error is thrown when browsing directories with '[' in their name.
Pure-FTPd
Quote:
sudo apt-get install pure-ftpd
Now lets create another SSL certificate (you could use the ones you created earlier if you like - I prefer to keep them separate)
Quote:
sudo openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
sudo chmod 600 /etc/ssl/private/pure-ftpd.pem
This will create a self-signed certificate for your server that lasts for 1 year. You'll be prompted for a lot of of information. Whenever you're asked for a name, use your domain name if you have one. The rest you can leave blank or fill in with whatever you like.
Now lets edit the Pure-ftpd config.
Pure-ftpd doesn't use a config file like other FTP daemons. Instead it starts with a set of command like switches.
However, the init.d startup script that is installed when you installed the pureftpd package can parse a directory of single line 'config files' in order to dynamically build the correct set of command line switches.
So all we need to do is create these single line files in the right place:
Temporarily act as root user
Quote:
sudo su
Enter the root password when asked
Quote:
cd /etc/pure-ftpd/conf/
echo ,22005 > Bind
echo 12.34.56.78 > ForcePassiveIP
echo 27200 27210 > PassivePortRange
echo 1 > TLS
The first 'echo' line above creates a file that tells Pure-ftpd to use a particular port, so change the number to the port you wish to use.
The second 'echo' line creates a file that tells Pure-ftpd to use the given static IP address for Passive mode. You need to set this to the IP of your server.
The third 'echo' line determines what port range to use for Passive mode.
If you want additional security, also do the following:
Quote:
echo yes > ProhibitDotFilesRead
echo yes > ProhibitDotFilesWrite
echo yes > NoChmod
echo yes > BrokenClientsCompatibility
The first two 'echo' lines create files that stop users reading and writing system files that have a leading '.' in their filename (for example the '.rtorrent.rc' config file.
The third 'echo' line creates a file that stops users changing the permissions on files and folders.
The final 'echo' line creates a file that prevents clients that dont strictly adhere to the FTP/FTPS protocol from connecting.
Now lets configure how users will authenticate
Quote:
echo no > PAMAuthentication
echo yes > UnixAuthentication
Here we are configuring to use system usernames.
Now just restart the FTP service
Quote:
/etc/init.d/pure-ftpd restart
Test everything is ok by connecting to the FTP service with an FTP client set to use the FTPS protocol, on the port you chose.
Linux Firewall
Right, we�re almost done, but first its time to set up the linux firewall to close all the ports other than the ones we need.
Its easiest to use Webmin for this task
Open a browser window and go to:
Quote:
[You must be registered and logged in to see this link.] or IP>:10000
You'll need to login with the system username we created earlier
On the left hand navigation menu, go to Networking->Linux Firewall
Set up the firewall as you need..Remember that we need to open the following ports that we've configured in this guide:
Quote:
SSH: 21976
FTPS: 22005
Passive Ports for FTP: 27200 to 27210
SSL: 443
Webmin: 10000
rtorrent: 55995 to 56000 for <username>
And we can lock the rest down.
You're encouraged to change the ports used as examples in this guide - just make sure you write them down, and double check them before implementing any firewall rules.
You should also check with your host in case that they use any automatic network monitoring tools.
If they do, you may need to leave some ports open to respond to pings and so on, otherwise their tools might think your server is down and try rebooting it or putting it into recovery mode. Best just to check with them.
and return to the normal user
Quote:
exit
This guide will walk you through a full install of a secure seedbox environment, running rtorrent with the rutorrent web front end and the pureftpd FTP server.
The guide also includes optional steps to configure for multiple users, each with their own web login and running instance of rtorrent.
Pre-requisites: An Ubuntu 9.10 or later server (should also work on some earlier versions, and on other Debian based distros, but this is untested) with root SSH access.
Initial login
Login to your server as root via SSH
Create a new user that we�ll install everything with
For security purposes, we�re going to add a new user and disable SSH access for the root user
Quote:
adduser <username>
Replace <username> with a username of your choosing.
Fill in all the details when prompted (e.g. password)
Add your new user to the sudoers file. This allows this user to use elevated privileges when needed to do things that normally only the root user could do.
Quote:
visudo
In recent versions of Ubuntu this opens the sudoers file for editing in a lightweight editor called nano.
Scroll down and find this line:
Quote:
root ALL=(ALL) ALL
On the next line add:
Quote:
<username> ALL=(ALL) ALL
Replace <username> with the username we created earlier.
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Lock down SSH
(Optional but advisable)
Now we will change some SSH settings.
We're going to use a different port, and prevent root access via SSH
Quote:
nano /etc/ssh/sshd_config
Change the following lines as below.
Use a high port of your choosing. I recommend a port over 20000
Quote:
Port 21976
Protocol 2
PermitRootLogin no
X11Forwarding no
Then add these lines at the end of the file:
Quote:
UseDNS no
AllowUsers <username>
(As usual, replace <username> with the name of the user you created)
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Now restart the SSH daemon
Quote:
/etc/init.d/ssh reload
Log out of SSH and log back in as the new user you created earlier
Quote:
exit
ssh -p 21976 <username>@<server IP>
(Note the -p argument which specifies the new SSH port that you configured in the last step)
Type the password as requested
Update packages
Ok, now we're going to make sure our Ubuntu installation is up to date.
Quote:
sudo apt-get update
This will update the package database with all the latest packages available. Using the sudo command will temporarily elevate your privileges to be able to execute these commands that normally only a super user could execute.
Quote:
sudo apt-get upgrade
This will upgrade any packages that are out of date on your install.
Install necessary basic packages
Ok, now lets install some important packages that we're going to need throughout this guide:
Quote:
sudo apt-get install apache2 apache2.2-common apache2-utils autoconf automake autotools-dev binutils build-essential bzip2 ca-certificates comerr-dev cpp cpp-4.1 dpkg-dev file g++ g++-4.1 gawk gcc gcc-4.1 libapache2-mod-php5 libapache2-mod-scgi libapr1 libaprutil1 libc6-dev libcppunit-dev libcurl3 libcurl4-openssl-dev libexpat1 libidn11 libidn11-dev libkdb5-4 libgssrpc4 libkrb5-dev libmagic1 libncurses5 libncurses5-dev libneon26 libpcre3 libpq5 libsigc++-2.0-dev libsqlite0 libsqlite3-0 libssl-dev libssp0-dev libstdc++6-4.1-dev libsvn1 libtool libxml2 linux-libc-dev lynx m4 make mime-support ntp ntpdate openssl patch perl perl-modules php5 php5-cgi php5-cli php5-common php5-curl php5-dev php5-geoip php5-sqlite php5-xmlrpc pkg-config python-scgi screen sqlite ssl-cert subversion ucf unrar zlib1g-dev pkg-config unzip htop screen irssi libwww-perl curl
Configure Apache
Basic configuration
We need to configure the Apache web server with some modules that we�ll need:
Quote:
a2enmod ssl
a2enmod auth_digest
a2enmod scgi
We want to edit our apache conf file for scgi support which is used to communicate with the rutorrent web front end.
Quote:
sudo nano /etc/apache2/apache2.conf
Add this line at the end:
Quote:
SCGIMount /RPC2 127.0.0.1:5000
servername localhost
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Reboot the server
Quote:
sudo reboot
After a few minutes, log back in via SSH using the new port and user you created
Lets just check apache is up and running
Open a browser and go to
Quote:
[You must be registered and logged in to see this link.] or IP>
You should see this message:
Quote:
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
Configure Apache for HTTPS and password protection
We are going to create an SSL certificate so that we can access the server via https
Quote:
openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
chmod 600 /etc/apache2/apache.pem
This will create a self-signed certificate for your server that lasts for 1 year. You'll be prompted for a lot of of information. Whenever you're asked for a name, use your domain name if you have one. The rest you can leave blank or fill in with whatever you like.
Now lets add password protection
Quote:
sudo htdigest -c /etc/apache2/passwords gods <webusername>
Where <webusername> is the username you'll use to connect to the rutorrent web UI.
It can be the same as the system username you�ve created previously if you like.
After running this command, you'll be prompted for a password. This will be the password you enter to log into the rutorrent web UI.
Quote:
sudo nano /etc/apache2/sites-available/default
Now copy the following and paste to replace the contents of the file we're editing.
Then replace all instances of <servername or IP> with your real servername or IP
Quote:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<Location /rutorrent>
AuthType Digest
AuthName "gods"
AuthDigestDomain /var/www/rutorrent/ [You must be registered and logged in to see this link.] or IP>/rutorrent
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www/rutorrent"
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<Location /rutorrent>
AuthType Digest
AuthName "gods"
AuthDigestDomain /var/www/rutorrent/ [You must be registered and logged in to see this link.] or IP>/rutorrent
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www/rutorrent"
</Location>
</VirtualHost>
Now lets configure apache for HTTPS
Quote:
sudo a2ensite default-ssl
And now lets reload Apache
Quote:
sudo /etc/init.d/apache2 reload
Check that everything is working by opening a browser and going to:
Quote:
[You must be registered and logged in to see this link.] or IP>
You should see this message:
Quote:
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
Code
Webmin
(optional section)
I like to use Webmin for web based administration of my servers. It offers a very convenient way to remotely administer your server from anywhere with a net connection and a web browser.
First lets add the webmin repository to our sources.list file so that we can use apt to install is easily
Quote:
sudo nano /etc/apt/sources.list
Add this line to the end of the file:
Quote:
deb [You must be registered and logged in to see this link.] sarge contrib
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Lets now fetch and install the PGP key for this new repository so we're not warned about it
Quote:
wget [You must be registered and logged in to see this link.]
sudo apt-key add jcameron-key.asc
Now we can install webmin
Quote:
sudo apt-get update
sudo apt-get install webmin
Test webmin is working by opening a browser and going to:
Quote:
[You must be registered and logged in to see this link.] or IP>:10000
Login with the system user you created earlier
We will return to use Webmin later for an easy way to configure the Linux IPTables firewall
rtorrent
Ok, now lets install rtorrent
Building rtorrent from source
You can install rtorrent using apt, but the package there isn�t compiled with xmlrpc-c, which we need to use with rutorrent.
So we're going to compile our own version of rtorrent using xmlrpc-c
Quote:
cd ~/
mkdir source
cd source
svn co [You must be registered and logged in to see this link.] xmlrpc-c
wget [You must be registered and logged in to see this link.]
wget [You must be registered and logged in to see this link.]
tar -xvzf libtorrent-0.12.6.tar.gz
tar -xvzf rtorrent-0.8.6.tar.gz
rm *.tar.gz
Now we�ll configure and make xmlrpc-c
Quote:
cd xmlrpc-c
./configure --disable-cplusplus
make
sudo make install
Now time to do the same for libtorrent and rtorrent
Quote:
cd ../libtorrent-0.12.6
./autogen.sh
./configure
make
sudo make install
cd ../rtorrent-0.8.6
./autogen.sh
./configure --with-xmlrpc-c
make
sudo make install
sudo ldconfig
Configuring rtorrent
Ok, now we've got rtorrent installed, but we have to configure it.
rtorrent needs a config file to initialize it. Heres mine...you'll need to edit it for your own environment, and make sure that the paths all exist and are writable by the user you will run rtorrent with.
Quote:
# This is an example resource file for rTorrent. Copy to
# ~/.rtorrent.rc and enable/modify the options as needed. Remember to
# uncomment the options you wish to enable.
#
# Based on original .rtorrent.rc file from [You must be registered and logged in to see this link.]
# Modified by Lemonberry for rtGui [You must be registered and logged in to see this link.]
#
# This assumes the following directory structure:
#
# /Torrents/Downloading - temporaray location for torrents while downloading (see "directory")
# /Torrents/Complete - Torrents are moved here when complete (see "on_finished")
# /Torrents/TorrentFiles/Auto - The 'autoload' directory for rtorrent to use. Place a file
# in here, and rtorrent loads it #automatically. (see "schedule = watch_directory")
# /Torrents/Downloading/rtorrent.session - for storing rtorrent session information
#
# Maximum and minimum number of peers to connect to per torrent.
#min_peers = 40
max_peers = 100
# Same as above but for seeding completed torrents (-1 = same as downloading)
min_peers_seed = -1
max_peers_seed = -1
# Maximum number of simultanious uploads per torrent.
max_uploads = 50
# Global upload and download rate in KiB. "0" for unlimited.
download_rate = 0
upload_rate = 0
# Default directory to save the downloaded torrents.
directory = /home/downloads/<username>
# Default session directory. Make sure you don't run multiple instance
# of rtorrent using the same session directory. Perhaps using a
# relative path?
session = /home/downloads/<username>/.session
# Watch a directory for new torrents, and stop those that have been
# deleted.
schedule = watch_directory,5,5,load_start=/home/downloads/<username>/watch/*.torrent
schedule = untied_directory,5,5,stop_untied=
# Close torrents when diskspace is low. */
schedule = low_diskspace,5,60,close_low_diskspace=100M
# Stop torrents when reaching upload ratio in percent,
# when also reaching total upload in bytes, or when
# reaching final upload ratio in percent.
# example: stop at ratio 2.0 with at least 200 MB uploaded, or else ratio 20.0
#schedule = ratio,60,60,stop_on_ratio=200,200M,2000
# When the torrent finishes, it executes "mv -n <base_path> ~/Download/"
# and then sets the destination directory to "~/Download/". (0.7.7+)
# on_finished = move_complete,"execute=mv,-u,$d.get_base_path=,/home/downloads/<username>/complete/ ;d.set_directory=/home/downloads/<username>/complete/"
# The ip address reported to the tracker.
#ip = 127.0.0.1
#ip = rakshasa.no
# The ip address the listening socket and outgoing connections is
# bound to.
#bind = 127.0.0.1
#bind = rakshasa.no
# Port range to use for listening.
port_range = 55995-56000
# Start opening ports at a random position within the port range.
#port_random = yes
scgi_port = 127.0.0.1:5000
# Check hash for finished torrents. Might be usefull until the bug is
# fixed that causes lack of diskspace not to be properly reported.
#check_hash = no
# Set whetever the client should try to connect to UDP trackers.
#use_udp_trackers = no
# Alternative calls to bind and ip that should handle dynamic ip's.
#schedule = ip_tick,0,1800,ip=rakshasa
#schedule = bind_tick,0,1800,bind=rakshasa
# Encryption options, set to none (default) or any combination of the following:
# allow_incoming, try_outgoing, require, require_RC4, enable_retry, prefer_plaintext
#
# The example value allows incoming encrypted connections, starts unencrypted
# outgoing connections but retries with encryption if they fail, preferring
# plaintext to RC4 encryption after the encrypted handshake
#
encryption = allow_incoming,enable_retry,prefer_plaintext
# Enable DHT support for trackerless torrents or when all trackers are down.
# May be set to "disable" (completely disable DHT), "off" (do not start DHT),
# "auto" (start and stop DHT as needed), or "on" (start DHT immediately).
# The default is "off". For DHT to work, a session directory must be defined.
#
dht = disable
# UDP port to use for DHT.
#
# dht_port = 6881
# Enable peer exchange (for torrents not marked private)
#
peer_exchange = no
#
# Do not modify the following parameters unless you know what you're doing.
#
# Hash read-ahead controls how many MB to request the kernel to read
# ahead. If the value is too low the disk may not be fully utilized,
# while if too high the kernel might not be able to keep the read
# pages in memory thus end up trashing.
#hash_read_ahead = 10
# Interval between attempts to check the hash, in milliseconds.
#hash_interval = 100
# Number of attempts to check the hash while using the mincore status,
# before forcing. Overworked systems might need lower values to get a
# decent hash checking rate.
#hash_max_tries = 10
# Max number of files to keep open simultaniously.
#max_open_files = 128
# Number of sockets to simultaneously keep open.
#max_open_sockets = <no default>
# Example of scheduling commands: Switch between two ip's every 5
# seconds.
#schedule = "ip_tick1,5,10,ip=torretta"
#schedule = "ip_tick2,10,10,ip=lampedusa"
# Remove a scheduled event.
#schedule_remove = "ip_tick1"
The file should be saved in the home directory of the user you will run rtorrent with. I use the same system user we created earlier
Quote:
sudo nano ~/.rtorrent.rc
Paste your config into that file
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Ensure that the correct directories exist as you specified in the .rtorrent.rc file
Quote:
sudo mkdir /home/downloads
sudo mkdir /home/downloads/<username>
sudo mkdir /home/downloads/<username>/watch
sudo mkdir /home/downloads/<username>/.session
sudo chown -R <username>:<username> <username>
Now check your config file is ok by trying to start rtorrent
Quote:
rtorrent
If rtorrent starts, you're good. Use CTRL-Q to quit it.
If rtorrent doesnt start and you get an error, then note the error and fix your config file as necessary.
rtorrent startup script
Since we dont want to have to start rtorrent manually every time the server boots, we're going to start it automatically, and we'll run it in a screen session.
Now we'll create the startup script
Edit this example as necessary to change the username that you want rtorrent to run as.
Quote:
#!/bin/sh
#############
###<Notes>###
#############
# This script depends on screen.
# For the stop function to work, you must set an
# explicit session directory using ABSOLUTE paths (no, ~ is not absolute) in your rtorrent.rc.
# If you typically just start rtorrent with just "rtorrent" on the
# command line, all you need to change is the "user" option.
# Attach to the screen session as your user with
# "screen -dr rtorrent". Change "rtorrent" with srnname option.
# Licensed under the GPLv2 by lostnihilist: lostnihilist _at_ gmail _dot_ com
##############
###</Notes>###
##############
#######################
##Start Configuration##
#######################
# You can specify your configuration in a different file
# (so that it is saved with upgrades, saved in your home directory,
# or whateve reason you want to)
# by commenting out/deleting the configuration lines and placing them
# in a text file (say /home/user/.rtorrent.init.conf) exactly as you would
# have written them here (you can leave the comments if you desire
# and then uncommenting the following line correcting the path/filename
# for the one you used. note the space after the ".".
# . /etc/rtorrent.init.conf
#Do not put a space on either side of the equal signs e.g.
# user = user
# will not work
# system user to run as
user="<username>"
# the system group to run as, not implemented, see d_start for beginning implementation
# group=`id -ng "$user"`
# the full path to the filename where you store your rtorrent configuration
config="`su -c 'echo $HOME' $user`/.rtorrent.rc"
# set of options to run with
options=""
# default directory for screen, needs to be an absolute path
base="`su -c 'echo $HOME' $user`"
# name of screen session
srnname="rtorrent"
# file to log to (makes for easier debugging if something goes wrong)
logfile="/var/log/rtorrentInit.log"
#######################
###END CONFIGURATION###
#######################
PATH=/usr/bin:/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin
DESC="rtorrent"
NAME=rtorrent
DAEMON=$NAME
SCRIPTNAME=/etc/init.d/$NAME
checkcnfg() {
exists=0
for i in `echo "$PATH" | tr ':' '\n'` ; do
if [ -f $i/$NAME ] ; then
exists=1
break
fi
done
if [ $exists -eq 0 ] ; then
echo "cannot find rtorrent binary in PATH $PATH" | tee -a "$logfile" >&2
exit 3
fi
if ! [ -r "${config}" ] ; then
echo "cannot find readable config ${config}. check that it is there and permissions are appropriate" | tee -a "$logfile" >&2
exit 3
fi
session=`getsession "$config"`
if ! [ -d "${session}" ] ; then
echo "cannot find readable session directory ${session} from config ${config}. check permissions" | tee -a "$logfile" >&2
exit 3
fi
}
d_start() {
[ -d "${base}" ] && cd "${base}"
stty stop undef && stty start undef
su -c "screen -ls | grep -sq "\.${srnname}[[:space:]]" " ${user} || su -c "screen -dm -S ${srnname} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
# this works for the screen command, but starting rtorrent below adopts screen session gid
# even if it is not the screen session we started (e.g. running under an undesirable gid
#su -c "screen -ls | grep -sq "\.${srnname}[[:space:]]" " ${user} || su -c "sg \"$group\" -c \"screen -fn -dm -S ${srnname} 2>&1 1>/dev/null\"" ${user} | tee -a "$logfile" >&2
su -c "screen -S "${srnname}" -X screen rtorrent ${options} 2>&1 1>/dev/null" ${user} | tee -a "$logfile" >&2
}
d_stop() {
session=`getsession "$config"`
if ! [ -s ${session}/rtorrent.lock ] ; then
return
fi
pid=`cat ${session}/rtorrent.lock | awk -F: '{print($2)}' | sed "s/[^0-9]//g"`
if ps -A | grep -sq ${pid}.*rtorrent ; then # make sure the pid doesn't belong to another process
kill -s INT ${pid}
fi
}
getsession() {
session=`cat "$1" | grep "^[[:space:]]*session[[:space:]]*=" | sed "s/^[[:space:]]*session[[:space:]]*=[[:space:]]*//" `
echo $session
}
checkcnfg
case "$1" in
start)
echo -n "Starting $DESC: $NAME"
d_start
echo "."
;;
stop)
echo -n "Stopping $DESC: $NAME"
d_stop
echo "."
;;
restart|force-reload)
echo -n "Restarting $DESC: $NAME"
d_stop
sleep 1
d_start
echo "."
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0
Paste your edited config into that file
Quote:
sudo nano /etc/init.d/rtorrent
Hit CTRL-O to save the file (and hit Enter to confirm when prompted), then hit CTRL-X to exit the editor.
Now we need to change the user and group ownership of that file and make it executable
Quote:
sudo chown root:root /etc/init.d/rtorrent
sudo chmod a+x /etc/init.d/rtorrent
Now lets tell ubuntu to run this script at startup
Quote:
cd /etc/init.d
sudo update-rc.d rtorrent defaults
Test the script:
Quote:
sudo /etc/init.d/rtorrent start
Check that an rtorrent and a screen process are running using htop
Quote:
htop
To exit htop, hit F10
rutorrent
Ok, now to install rutorrent
ruTorrent is really just a set of php and html files, so we're going to install them to a folder under our web server root.
We�re going to get the latest 3.0 files from the subversion repository.
Quote:
cd /var/www
sudo svn checkout [You must be registered and logged in to see this link.]
Now we'll download some useful rutorrent plugins
Quote:
cd rutorrent/plugins
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
sudo svn checkout [You must be registered and logged in to see this link.]
Now lets change ownership of the rutorrent files to the web server user, and change the permissions on them
Quote:
cd /var/www
sudo chown -R www-data:www-data rutorrent
sudo chmod -R 777 rutorrent
OK, now visit your rutorrent site to check its all working:
Quote:
[You must be registered and logged in to see this link.] or IP>/rutorrent
You should be prompted for the username and password we set up earlier for password protection of our web server
Now you should see the rutorrent web gui, and be able to add torrents.
FTPS / SFTP
If you just want to use SFTP (FTP over SSH), you dont need to do anything more here.
Just connect with an FTP client via SFTP to your server on the SSH port you use.
If you want to setup FTPS (FTP using SSL encryption) then we'll setup Pure-FTPd.
I usually use proftpd on my servers but a bug in the current versions (1.3.2 in the Ubuntu karmic package repo, and 1.3.3 current stable) mean that a 550 error is thrown when browsing directories with '[' in their name.
Pure-FTPd
Quote:
sudo apt-get install pure-ftpd
Now lets create another SSL certificate (you could use the ones you created earlier if you like - I prefer to keep them separate)
Quote:
sudo openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
sudo chmod 600 /etc/ssl/private/pure-ftpd.pem
This will create a self-signed certificate for your server that lasts for 1 year. You'll be prompted for a lot of of information. Whenever you're asked for a name, use your domain name if you have one. The rest you can leave blank or fill in with whatever you like.
Now lets edit the Pure-ftpd config.
Pure-ftpd doesn't use a config file like other FTP daemons. Instead it starts with a set of command like switches.
However, the init.d startup script that is installed when you installed the pureftpd package can parse a directory of single line 'config files' in order to dynamically build the correct set of command line switches.
So all we need to do is create these single line files in the right place:
Temporarily act as root user
Quote:
sudo su
Enter the root password when asked
Quote:
cd /etc/pure-ftpd/conf/
echo ,22005 > Bind
echo 12.34.56.78 > ForcePassiveIP
echo 27200 27210 > PassivePortRange
echo 1 > TLS
The first 'echo' line above creates a file that tells Pure-ftpd to use a particular port, so change the number to the port you wish to use.
The second 'echo' line creates a file that tells Pure-ftpd to use the given static IP address for Passive mode. You need to set this to the IP of your server.
The third 'echo' line determines what port range to use for Passive mode.
If you want additional security, also do the following:
Quote:
echo yes > ProhibitDotFilesRead
echo yes > ProhibitDotFilesWrite
echo yes > NoChmod
echo yes > BrokenClientsCompatibility
The first two 'echo' lines create files that stop users reading and writing system files that have a leading '.' in their filename (for example the '.rtorrent.rc' config file.
The third 'echo' line creates a file that stops users changing the permissions on files and folders.
The final 'echo' line creates a file that prevents clients that dont strictly adhere to the FTP/FTPS protocol from connecting.
Now lets configure how users will authenticate
Quote:
echo no > PAMAuthentication
echo yes > UnixAuthentication
Here we are configuring to use system usernames.
Now just restart the FTP service
Quote:
/etc/init.d/pure-ftpd restart
Test everything is ok by connecting to the FTP service with an FTP client set to use the FTPS protocol, on the port you chose.
Linux Firewall
Right, we�re almost done, but first its time to set up the linux firewall to close all the ports other than the ones we need.
Its easiest to use Webmin for this task
Open a browser window and go to:
Quote:
[You must be registered and logged in to see this link.] or IP>:10000
You'll need to login with the system username we created earlier
On the left hand navigation menu, go to Networking->Linux Firewall
Set up the firewall as you need..Remember that we need to open the following ports that we've configured in this guide:
Quote:
SSH: 21976
FTPS: 22005
Passive Ports for FTP: 27200 to 27210
SSL: 443
Webmin: 10000
rtorrent: 55995 to 56000 for <username>
And we can lock the rest down.
You're encouraged to change the ports used as examples in this guide - just make sure you write them down, and double check them before implementing any firewall rules.
You should also check with your host in case that they use any automatic network monitoring tools.
If they do, you may need to leave some ports open to respond to pings and so on, otherwise their tools might think your server is down and try rebooting it or putting it into recovery mode. Best just to check with them.
and return to the normal user
Quote:
exit
