Complete Setup Guide for Linux Seedboxes
This guide will help you set up your newly purchased server with uTorrent, an FTP server, Firefox, and more. Instructions for rtorrent and Torrentflux are also available, but we recommend uTorrent as it is the most user-friendly and is reported to work well even with only 256MB of RAM. The general principle of this guide is to set up your server in a secure manner, and perhaps to get you to learn a bit about the Linux system along the way.
Questions, comments, corrections, and suggestions are welcomed.
When asking for help, please post as many details as possible about your problem, such as the OS, error messages, and a log file if available.
Updates:
11/03 – More tweaks and corrections. Updated the wine setup. Added to the FAQ about wine with instructions to compile wine for Debian. Removed webui.zip instructions as it’s not needed with the latest uTorrent.
10/28 – Some more updates to wine installation in Section 2. Added a troubleshoot for openssl in Section 7.
10/22 – Updated to an easier way to install WebUI.
10/18 – Updated Section 2 about install wine for Debian/Ubuntu.
10/16 – Updated uTorrent to 1.8.1. Added write_enable=yes to vsftpd setup. Fixed the error about sshd restart for Debian/Ubuntu. And some minor tweaks. Added a FAQ about uTorrent dropping peer connections (wine issue: http://bugs.winehq.org/show_bug.cgi?id=14188)
9/12 – Updated the guide to install uTorrent 1.8 & latest WebUI. Added a FAQ about “Too many open files”
3/25 – Added a hosts file troubleshoot for Section 5.
3/11 – Updated the firewall section with the proper way to start Firestarter in Debian/Ubuntu
3/10 – Added a vnstat guide to Section 9. Working on FreeNX setup, though it seems to not work as well as I remembered. Removed the need for Debian/Ubuntu servers to use vnc4server. Added some more install/setup procedures for Debian/Ubuntu in section 2 & 3 (for wine and vncserver to work properly). Added optional config for Debian in Section 2 (need it to install flash).
3/09 – Added Secure SSH to Section 8.
Thanks to the following people:
roiko
balbaid
predateur
fatcat69
wormtail
Kflint
goodkat
dieudesorcs
Thanks to the following websites:
Gentoo
OSResources
The Unofficial Fedora FAQ
and of course, FST
Programs needed:
Putty
WinSCP
VNC Viewer
FTP Client (Recommended: CuteFTP)
Index:
1. Initial Login
2. Initial Setup
3. Install Softwares
4. Create User
5. Setup VNC Desktop
6. Setup uTorrent & WebUI
7. Setup VSFTPD
8. Security:
– Change FTP & SSH Ports
– Secure VNC through a SSH Tunnel
– Configure Firewall with Firestarter
– Encrypt the Hard Drive with Truecrypt – TBA
– Secure SSH
9. Miscellaneous:
– Firefox & Flash
– Install rtorrent
– Install Torrentflux – TBA
– Configure the Fluxbox Menu
– Configure Multiple IP Addresses
– Using vnstat to monitor bandwidth usage
10. FAQ
11. History
1. Initial login
So you’ve finally received the email after waiting so impatiently for your server. Now what to do? Run Putty, of course.
Enter the IP address of your server as shown and click Open.
Enter the root login information as provided in the email, and you should be able to login to your server. You are now in a Putty terminal, connected to your server through a secure protocol called SSH.
Tips for Putty:
– Highlight text to copy from Putty
– Right-click to paste to Putty
2. Initial Setup
The CLI
The Command Line Interface (what you see in front of you as you successfully login through Putty) is what we’ll use throughout this guide to setup your server. Some simple commands you can type to get familiar:
– Shows the present working directory.
# pwd
– Lists the files and folders in the present directory.
# ls
– Like “ls”, but also lists all hidden files and folders. You’ll see that files and folders starting with “.” (like .ssh/) are hidden.
# ls -a
– Change directory to the root directory. NOTE: /root is the home folder of the root user.
# cd /
– Change directory to the home folder. Since you are logged in as root, you are now back in /root/.
# cd ~/
Go HERE for a comprehensive list of basic commands you can do.
Change root password
We want to change the most important password of the server, so your provider doesn’t know it. A strong password is highly recommended.
# passwd
New password:
Verify:
Delete SSH key authentication
Certain providers create SSH authentication keys that will allow them to login to your server as root without actually knowing the password. We want to delete the authorized_keys2 file if it’s there:
# ls .ssh
authorized_keys2
# rm .ssh/authorized_keys2
Note: Try the auto-complete feature by just typing “rm .ssh/au”, then press Tab, and the rest of the filename will fill automatically.
Note: Key authentication can be a secure method of login, since you’d need an actual key file on your computer to authenticate against the server. See Section 8 for instructions.
Nano – The text editor
In Linux, you’ll find yourself editing a lot of text files. Nano is a simple CLI text editor that you’ll be using throughout this guide.
# nano
You are now in nano. The text you see on the bottom of the terminal is the various commands. For our purpose, all you need to know is “WriteOut” and “Exit”, which is save and quit. The “^” character denotes the Ctrl key. So to save a file, press Ctrl+O, and to quit is Ctrl+X. Just exit nano for now.
Disable SELinux
(Not applicable to Debian/Ubuntu systems, AFAIK)
Some servers come with SELinux enabled, which will cause some problems later on, specifically with the FTP setup (user login & SSL/TLS setup). Please comment if you have a workaround without turning SELinux off. But for now, we’ll just disable it if it’s enabled.
Check SELinux status:
# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
If you see the line SELINUX=disabled or you don’t have this file, move on to the next section.
If your output says SELINUX=enforcing or SELINUX=permissive, we’ll disable it:
# nano /etc/sysconfig/selinux
Change “SELINUX=…” to “SELINUX=disabled”. Save & exit.
You’ll need to restart the server for this change to take effect. This should be the one and only time you will have to restart your server.
# reboot
Wait a few minutes (and maybe cross your fingers) as your server restarts. Now login again through Putty.
System Updates
Linux distributions use package management systems to easily install and maintain software. Fedora Core and CentOS use “yum”, Debian and Ubuntu use “apt”. Now, we’ll add a few extra repositories (servers with additional software for your system) to yum and apt, and then do a system-wide update before continuing on with installing software. Each system has its own procedure, so follow the one that matches your system.
Fedora Core 4:
# cd /etc
# mv yum.conf yum.conf.bak
# wget http://www.fedorafaq.org/fc4/samples/yum.conf
# rpm -Uvh http://www.fedorafaq.org/fc4/yum
# yum update
Say yes when asked to update all software.
Fedora Core 5:
# cd /etc
# mv yum.conf yum.conf.bak
# wget http://www.fedorafaq.org/fc5/samples/yum.conf
# rpm -Uvh http://www.fedorafaq.org/fc5/yum http://rpm.livna.org/livna-release-5.rpm
# yum update
Say yes when asked to update all software.
Fedora Core 6:
# rpm -Uvh http://www.fedorafaq.org/fc6/yum http://rpm.livna.org/livna-release-6.rpm
# yum update
Say yes when asked to update all software.
NOTE: Thanks to The Unofficial Fedora FAQ for the instructions above.
CentOS 4/5:
# nano /etc/yum.repos.d/Extra.repo
Copy & paste the following into the Extra.repo file:
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
[kbs-CentOS-Extras]
name=CentOS.Karan.Org-EL$releasever - Stable
gpgcheck=1
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el$releasever/extras/stable/$basearch/RPMS/
[kbs-CentOS-Misc]
name=CentOS.Karan.Org-EL$releasever - Stable
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
gpgcheck=1
enabled=1
baseurl=http://centos.karan.org/el$releasever/misc/stable/$basearch/RPMS/
Save & exit.
# rpm --import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
# rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
# yum update
Say yes when asked to update all software.
Debian & Ubuntu:
Install the wine repository:
Update: Debian users should NOT follow this step at the moment due to a bug in wine that drops peer connections in uTorrent. The older version in Debian (0.9.25) works fine enough. See the FAQ for more details.
Ubuntu Hardy Heron (8.04):
# wget http://wine.budgetdedicated.com/apt/387EE263.gpg
# apt-key add 387EE263.gpg
# wget http://wine.budgetdedicated.com/apt/sources.list.d/hardy.list -O /etc/apt/sources.list.d/winehq.list
Ubuntu Intrepid Ibex (8.10):
# wget http://wine.budgetdedicated.com/apt/387EE263.gpg
# apt-key add 387EE263.gpg
# wget http://wine.budgetdedicated.com/apt/sources.list.d/intrepid.list -O /etc/apt/sources.list.d/winehq.list
Next, run a system update:
# apt-get update
# apt-get upgrade
Say yes when asked to update all software.
Optional configuration for Debian (will need it if you want Flash):
We’ll assume you are running Debian 4.0 (Etch). You can install the “backports” repository, which has more up-to-date software than the stable tree.
Edit the sources.list file:
# nano /etc/apt/sources.list
Insert the following line to the end:
deb http://www.backports.org/debian etch-backports main contrib non-free
Save and exit.
Get the verification key:
# wget http://backports.org/debian/archive.key
# apt-key add archive.key
Run update:
# apt-get update
You can also run “apt-get -t etch-backports upgrade”, but it’s not necessary.
3. Install Softwares
The following software will be installed in one easy command:
vncserver – Provides a GUI interface with a VNC Desktop (Virtual Network Computing)
wine – Windows emulation software for uTorrent
xterm – a GUI terminal
fluxbox – a light-weight Windows Manager for your VNC Desktop
vsftpd – a FTP server (File Transfer Protocol)
firefox – a web browser
vnstat – a bandwidth monitoring tool
Fedora Core & CentOS:
# yum install vnc-server wine xterm fluxbox vsftpd firefox vnstat
Say yes when asked. You’ll see many dependency packages being installed as well.
Debian & Ubuntu:
# apt-get install vncserver wine xterm fluxbox vsftpd firefox vnstat
# update-menus
Say yes when asked. You’ll see many dependency packages being installed as well.
Debian & Ubuntu systems don’t download all the needed dependencies for vncserver, so we’ll have to install them manually.
# apt-get install xfonts-base xfonts-75dpi xfonts-100dpi
Optional for Debian:
Install a newer version of fluxbox:
# apt-get -t etch-backports install fluxbox
4. Create User
We do not want to use root as a day-to-day user. Root is an administrative account with full control over your server, so it is not meant for routine use, both because of possible screwups and for security. Therefore, we’ll create a new user to use.
Note: Repeat Sections 4 – 6 to create additional users. All users will be able to run their own instances of VNC desktop & uTorrent, as well as login with FTP. See Section 9 for instructions on how to set up separate IP addresses for multiple users.
# useradd -m pirate
Note: Replace pirate with any username you like.
Create a password for this new account:
# passwd pirate
New password:
Verify:
Now we can login to Putty again with this new user account. Right-click on Putty’s title bar, select “Duplicate Session”, and login with pirate. You can close the old Putty window that is logged in under root.
5. Setup VNC Desktop
Now we are logged in as the new user. First, notice where your home folder is located:
$ pwd
/home/pirate
Note: Notice the “$” sign used above. From now on, this means the command is executed under the user account. And “#” is for commands executed under the root account.
We need to configure fluxbox to run when starting the VNC Desktop:
$ mkdir .vnc
$ nano .vnc/xstartup
Insert the following into the xstartup file:
fluxbox
Save and exit.
Make the xstartup file executable:
$ chmod +x .vnc/xstartup
That’s all we needed in order to start up our VNC Desktop. Since this is the first time you start vncserver, you’ll be asked to enter a new password for access to the VNC Desktop. For simplicity, you can just use the same password for your user account here.
$ vncserver :1
New 'your.hostname:1 (pirate)' desktop is your.hostname:1
Starting applications specified in /home/pirate/.vnc/xstartup
Log file is /home/pirate/.vnc/your.hostname:1.log
The above command will be used whenever you want to start a new VNC Desktop, for instance when your server crashes and you need to start things up again.
The command to stop the VNC Desktop is:
WARNING: This command is here just so you know it, DON’T enter it next.
$ vncserver -kill :1
Killing Xvnc process ID 3489
Launch VNC Viewer. Enter the address of your server in VNC Viewer as shown below. And remember, the address is “your.ip:1“.
RealVNC Viewer:
TightVNC Viewer:
At this point, if you are prompted for the VNC password, you’ve succeeded for the most part in setting up your Linux server.
Note: To change the VNC password, type this command:
$ vncpasswd
Note: If you are setting up the 2nd VNC Desktop for another user, remember that you’ll have to use a different display number. For example: “$ vncserver :2”. Then connect to “your.ip:2” in VNC Viewer.
Troubleshoot: If you are unsuccessful here in connecting to your VNC Desktop, please post in this thread the VNC Viewer error and the VNC log, which can be displayed by:
$ cat .vnc/your.hostname:1.log
Sample VNC connection error:
Troubleshoot: Your server may have come with a firewall installed, which would block the VNC connection attempt. We’ll set up a firewall later in the guide, so for now we can disable this firewall if it exists. To find out, type the following in Putty while logged in as root to list the filter table of iptables:
# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The above output means there is no firewall. If your output has entries under the 3 chains (INPUT, FORWARD, OUTPUT) and/or has more chains, then we’ll need to flush the iptables:
# iptables -F
List the table again to make sure it’s empty. Then try to connect with VNC Viewer again.
Troubleshoot: Your server may not have a proper hosts file setup which will result in this error (you can see it in the log):
_X11TransSocketINETConnect() can't get address for your.hostname: Name or service not known
If you get this error, open the hosts file:
$ su
# nano /etc/hosts
Make sure the file has the following two lines:
127.0.0.1 localhost
your.ip your.hostname
Replace “your.ip” & “your.hostname” with the ones for your server. If you don’t know your hostname, type:
# hostname
Then restart the vncserver using the commands above.
6. Setup uTorrent & WebUI
From now on, you can close the Putty program as we’ll use the xterm terminal in the VNC Desktop.
As you successfully login to your remote desktop, you’ll see a blank screen with a taskbar on the bottom. Right-click anywhere on the desktop for the fluxbox menu, and find xterm (usually under Terminals).
xterm is just another terminal like Putty.
It’s time to install uTorrent. In the new xterm window, type:
$ wget http://download.utorrent.com/1.8.1/utorrent.exe
The latest uTorrent (version 1.8.1) is now downloaded to your home folder.
Start uTorrent:
WARNING: At the setup screen, click CANCEL as we don’t want to install uTorrent like in Windows. It runs fine as a stand-alone application.
$ wine utorrent.exe
Suggested tips to configure uTorrent:
– Use Speed Guide and set your connection to “xx/100Mbps” or “xx/10Mbps” depending on what you have
– Choose any port above 45,000
– Enable Encryption
– Disable DHT, Local Peer Discovery, Peer Exchange
– No randomize ports, disable UPnP port mapping & NAT-PMP port mapping
– Enable WebUI Interface, insert WebUI’s un & pw
– In Advanced Options, set gui.delete_to_trash to FALSE
– Un-check Minimize to tray & Close to tray
Note: See the FAQ about Disk Overloaded Errors and how to work around it.
All set.
WebUI should also work if you configure it. The address will be http://your.ip:xxxxx/gui , where xxxxx is the uTorrent port number you set up previously. If successfully connected, the browser will prompt for the WebUI username & password that you set in uTorrent. We recommend that you set the WebUI’s username & password to be different from your user account. So if WebUI is compromised, your server is still safe.
That’s it. Now it’s time to put your server to the test. We’ll assume you know how to use uTorrent and/or WebUI. Read on if you want to set up an FTP server, Firefox & Flash, configure multiple IPs, configure a firewall, and more. See the FAQ for some useful info as well.
7. Setup the FTP Server (VSFTPD)
You can set up an FTP server on your seedbox to transfer files to and from your home PC. This is quite advantageous since you most likely will be able to download files from your server to your PC at the maximum speed provided by your ISP, as well as reducing the need to use Bittorrent at home.
We already installed VSFTPD in Section 3. Configuring VSFTPD is simple; however, we also want to configure VSFTPD to use TLS/SSL authentication.
Note: Enabling TLS/SSL authentication will NOT work if SELinux is enabled. See Section 2 to check if SELinux is enabled. And if so, to disable it.
Note: Users will NOT be able to login if SELinux is enabled. See Section 2 to check if SELinux is enabled, and if so, to disable it.
Note: The root user is not allowed to login with FTP by default.
In VNC Desktop:
We need root privileges to configure VSFTPD. The command “su” will let us switch user. Type in xterm (remember not to use the one that’s running uTorrent):
$ su
Password:
#
Here, we need to enter the root password to switch to the root user.
Create a new SSL certificate for VSFTPD:
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /root/vsftpd.pem -out /root/vsftpd.pem
The command above will ask you for a bunch of information. Insert whatever you like.
Troubleshoot: If you encountered the error: “openssl command not found”, then openssl isn’t installed on your server. To install it:
Fedora Core/CentOS:
# yum install openssl
Debian/Ubuntu:
# apt-get install openssl
Now it’s time to configure VSFTPD through editing the vsftpd.conf file:
Fedora Core & CentOS:
# nano /etc/vsftpd/vsftpd.conf
Debian & Ubuntu:
# nano /etc/vsftpd.conf
Relevant changes:
anonymous_enable=NO
local_enable=YES
write_enable=YES
Note: make sure to remove the comment sign (#) from the settings you want
Relevant additions to the end of the file:
ssl_enable=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/root/vsftpd.pem
Save & exit.
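A quick review of the TLS options above, as an added example that is not part of the original guide: the script reports settings that weaken the setup, including the obsolete SSLv2 and SSLv3 protocols that ssl_sslv2=YES and ssl_sslv3=YES switch on. The function names and the two sample files are made up for the example; the option names and their defaults are vsftpd's.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names and the sample
# files are hypothetical; option names and defaults are vsftpd's own.

# Effective value of an option: the last uncommented "key=value" line wins,
# otherwise the built-in default passed as $3.
conf_get() (
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r')
    printf '%s\n' "${val:-$3}"
)

# vsftpd accepts YES, TRUE and 1 (any case) as "on".
is_yes() {
    case $1 in [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) return 0 ;; *) return 1 ;; esac
}

# Prints one "WEAK ..." line per finding.
# Exit status: 0 = clean, 1 = findings, 2 = file unreadable.
audit_vsftpd_tls() (
    conf=$1
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; exit 2; }
    rc=0
    weak() { echo "WEAK $*"; rc=1; }

    is_yes "$(conf_get "$conf" anonymous_enable YES)" &&
        weak "anonymous_enable: anonymous logins are allowed"
    is_yes "$(conf_get "$conf" ssl_enable NO)" ||
        weak "ssl_enable: TLS is off, passwords cross the network in clear text"
    is_yes "$(conf_get "$conf" force_local_logins_ssl YES)" ||
        weak "force_local_logins_ssl: clients may log in without TLS"
    is_yes "$(conf_get "$conf" ssl_sslv2 NO)" &&
        weak "ssl_sslv2: the obsolete SSLv2 protocol is accepted"
    is_yes "$(conf_get "$conf" ssl_sslv3 NO)" &&
        weak "ssl_sslv3: the obsolete SSLv3 protocol is accepted"
    exit "$rc"
)

# Constructed sample input: the settings listed in this section, and a copy
# with the two legacy protocols switched off (ssl_tlsv1=YES stays).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/guide.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/root/vsftpd.pem
EOF
sed -e 's/^ssl_sslv2=.*/ssl_sslv2=NO/' -e 's/^ssl_sslv3=.*/ssl_sslv3=NO/' \
    "$tmp/guide.conf" > "$tmp/tightened.conf"

for f in "$tmp/guide.conf" "$tmp/tightened.conf"; do
    echo "== ${f##*/}"
    audit_vsftpd_tls "$f" && echo "OK no weak TLS settings"
done
```

To check the real file, point audit_vsftpd_tls at /etc/vsftpd/vsftpd.conf (Fedora Core & CentOS) or /etc/vsftpd.conf (Debian & Ubuntu).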
Start VSFTPD:
# /etc/init.d/vsftpd start
Starting vsftpd for vsftpd: [ OK ]
When making changes to vsftpd.conf, you’ll need to restart VSFTPD. To do so:
# /etc/init.d/vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
To have VSFTPD autostart on boot:
Fedora Core & CentOS:
# chkconfig vsftpd on
Debian & Ubuntu:
# update-rc.d vsftpd defaults
Now, you can try to login to your server using the FTP Client of your choice with your pirate account. Make sure to select the connection type as “FTP with TLS/SSL”.
Exit out of the root user in xterm:
# exit
$
Note: See Section 8 to change the default ports for the FTP & SSH services.
If you need help with your Windows FTP Client, see fatcat69’s FTP guide HERE.
Note: CuteFTP is recommended for its ability to download 1 large file with multiple connections to maximize speed. Please post if you know of other clients that have this feature.
8. Security
This section will deal with setting up various security features on your server.
Change FTP & SSH Ports
FTP & SSH use ports 21 & 22 respectively. These two ports are under constant brute force login attempts by bots trying to compromise systems. Therefore, we want to change them.
Change FTP Port:
$ su
Fedora Core & CentOS:
# nano /etc/vsftpd/vsftpd.conf
Debian & Ubuntu:
# nano /etc/vsftpd.conf
Add the following line to the end:
listen_port=54321
Save and exit. Choose any port number you want. Remember, you’ll have to specify this same number in your FTP Client.
After this change, we’ll need to restart VSFTPD:
# /etc/init.d/vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
# exit
$
Change SSH Port:
$ su
# nano /etc/ssh/sshd_config
Change the following line:
# Port 22
to
Port 54322
Save and exit. Choose any port number you want. Remember, you’ll have to specify this same number in Putty and WinSCP.
Fedora Core & CentOS:
# /etc/init.d/sshd restart
Debian & Ubuntu:
# /etc/init.d/ssh restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
# exit
$
Secure VNC through a SSH Tunnel
Notice that so far we are using 4 network services/programs: SSH, FTP, VNC, and Bittorrent. SSH is a secure protocol. We’ve set up FTP to use a secure authentication method, although the transferring of data isn’t so (Note: you can use SFTP for secure FTP transfers, but at the cost of speed). VNC isn’t a secure service, so we’ll use an SSH feature called a tunnel to encrypt the traffic.
Your VNC Desktop is currently running on display :1 with the network port being 5901. With a tunnel set up, this port doesn’t need to be accessible from outside, since we are using the SSH protocol & port. So, let’s restart vncserver with the “localhost” option. First, exit uTorrent in your existing VNC Desktop to ensure no issue with your active torrents. Then, in Putty:
$ vncserver -kill :1
Killing Xvnc process ID 3489
This command will start a VNC Desktop that will only allow connection from the same machine:
$ vncserver -localhost :1
Tip: For a bigger resolution VNC Desktop, you can add the “-geometry” syntax, like so:
$ vncserver -localhost -geometry 1920x1080 :1
Note: If you already started vncserver without setting the geometry, then you’ll need to kill it first. Replace 1920x1080 with any resolution you prefer.
Close Putty and open a new Putty window on your PC, enter the IP & Port information for SSH. On the left window, go to Connection – SSH – Tunnels. Under “Add new forwarded port:”, insert the following:
Source port: 5900
Destination: localhost:5901
Click Add
Go back to Session on the left window; we’ll save the Putty settings for convenience. Under “Saved Sessions”, insert any name you like, and click Save. From now on, to connect to your server with Putty, just double click on the Saved Session. The tunnel for VNC will be loaded automatically as well.
That’s it, we’ve created a tunnel for VNC. The source port 5900 (which is conveniently the default port in VNC Viewer) is the port on your home PC, and the destination port is 5901 on your server, which is the port for your running VNC Desktop. Let’s login. Open VNC Viewer, the address is simply “localhost”.
Troubleshoot: If VNC Viewer reports connection refused, try checking for a proper hosts file on your server. The instruction is in Section 5 (Setup VNC Desktop).
Note: Now that we’ve secured VNC, the next section will deal with securing the rest of your server. Notice that we currently have 3 active ports: 54321 for FTP, 54322 for SSH, and the uTorrent port, which we’ll just use 54320 for convenience. Thus, when setting up the firewall next, we’ll just have to add one entry, which is to allow ports 54320 – 54322.
Configure Firewall with Firestarter
Linux comes with a powerful tool called iptables to intercept and manipulate network packets. We’ll setup iptables in this section to be the firewall for the server. Since manually configuring iptables is beyond the scope of this guide, we’ll use a GUI frontend to iptables called Firestarter. Let’s install Firestarter.
Fedora Core & CentOS 4:
$ su
# yum install firestarter
# exit
$
CentOS 5:
$ wget http://centos.karan.org/el4/extras/stable/i386/RPMS/firestarter-1.0.3-1.i386.rpm
$ su
# yum install firestarter-1.0.3-1.i386.rpm
# exit
$
Debian & Ubuntu:
$ su
# apt-get install firestarter
# exit
$
In your VNC Desktop, open a new xterm, start Firestarter:
Fedora Core & CentOS:
$ firestarter
You need to provide the root password here, as Firestarter requires administrator privileges.
Debian & Ubuntu:
Firestarter requires the user to have sudo permission, which is a quicker way for users to execute root commands without “su”. So we’ll have to give it:
$ su
# visudo
You are now looking at the sudoers file using “vi” which is another text editor. Press “i” for Insert Mode to edit text, insert the following to the end, after the same line for “root”:
pirate ALL=(ALL) ALL
Press “ESC” to quit Insert Mode. Type “:wq” to save and exit.
Launch Firestarter:
# exit
$ sudo firestarter
[sudo] password for pirate:
Type your pirate‘s password here.
The first time Firestarter runs, it’ll run a short Setup Wizard, click through it following these settings:
– Make sure the network device is eth0
– No Internet Connection Sharing
– Don’t check “Start Firewall Now”
We don’t want to start the firewall yet because we haven’t opened the proper ports. Go to the “Policy” tab, right-click under “Allow Service”, select “Add Rule”. In the Port field, insert the port range you need. So according to this guide, the range we’ll need is 54320-54322.
Note: If you don’t want to use VNC through the SSH Tunnel, you’ll need to add another rule for port 5901.
Click Apply Policy. Then Start Firewall.
Note: Remember that Firestarter is just a frontend to iptables, you don’t have to leave it running. We recommend you close it to save resources. Also, the firewall will autostart on reboot.
That’s it for setting up the basic firewall. However, you’ll notice that we can’t login to the FTP server anymore. The reason is the FTP server uses random ports above 1024 for data connections. So we’ll need to specify a port range for FTP connections, for which we’ll use ports 54323 – 54340 for convenience.
Edit the VSFTPD config file:
$ su
# nano /etc/vsftpd/vsftpd.conf
Note: for Debian & Ubuntu users, the config file is in a different location, type:
# nano /etc/vsftpd.conf
Insert the following lines to the end:
pasv_min_port=54323
pasv_max_port=54340
Save and exit.
Then, in Firestarter, edit the rule from 54320-54322 to 54320-54340. Click Apply Policy.
Tip: To see all the entries Firestarter added to iptables, type the following in Putty while logged in as root:
# iptables -t filter -L
Tip: To monitor the firewall without running Firestarter, open a new xterm, type:
$ su
# tail -f /var/log/messages
The above command actively updates the terminal when new entries are added to the system log. To exit from “tail”, press Ctrl+C. The file “/var/log/messages” contains the event log for your server. It is wise to keep an eye on it from time to time to find out if anything is wrong.
Tip: When you see constant attempts to connect to your server under one port like the screenshot below, you may not want iptables to log all the dropped connections (the log file will grow too big). To do so, right-click on an entry under “Events” and select “Disable Events on Port”. You can remove/add logged ports in Firestarter’s Settings.
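A per-port count makes it easier to decide which ports are noisy enough to stop logging. Added example, not from the original guide: it summarises the inbound entries that the iptables LOG target writes to /var/log/messages by destination port, with the number of distinct sources. The function name, the sample lines and the “Inbound”/“Outbound” prefixes in them are constructed; only the standard IN=, SRC=, PROTO= and DPT= fields are relied on.

```shell
#!/bin/sh
# Added example, not from the original guide. summarize_blocked is a
# hypothetical name; the sample log below is constructed.

# $1 = log file, $2 = minimum number of hits to report (default 1).
# Output: "<hits> <port>/<proto> <distinct sources>", busiest port first.
summarize_blocked() (
    log=$1; min=${2:-1}
    awk -v min="$min" '
        / kernel: / {
            inbound = 0; src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=./)        inbound = 1   # IN= is empty on outbound packets
                else if ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (!inbound || src == "" || dpt == "") next
            key = dpt "/" proto
            hits[key]++
            if (!((key, src) in seen)) { seen[key, src] = 1; sources[key]++ }
        }
        END {
            for (k in hits)
                if (hits[k] >= min) printf "%d %s %d\n", hits[k], k, sources[k]
        }' "$log" | sort -k1,1nr -k2,2
)

# Constructed sample log: addresses come from the documentation ranges.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/messages" <<'EOF'
Nov  3 04:12:01 seedbox kernel: Inbound IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 04:12:04 seedbox kernel: Inbound IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=40113 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 04:12:09 seedbox kernel: Inbound IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=901 DF PROTO=TCP SPT=51544 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 04:12:30 seedbox kernel: Inbound IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=3320 DF PROTO=TCP SPT=2871 DPT=5901 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  3 04:12:41 seedbox kernel: Inbound IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=4720 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  3 04:13:00 seedbox sshd[2201]: Accepted publickey for pirate from 198.51.100.20 port 50122 ssh2
Nov  3 04:13:02 seedbox kernel: Outbound IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=54320 DPT=6881 WINDOW=5840 RES=0x00 SYN URGP=0
EOF

summarize_blocked "$tmp/messages"
```

Run it as root against the real log with summarize_blocked /var/log/messages 20 to list only ports with 20 or more logged attempts.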
Encrypt the Hard Drive with Truecrypt
TBA
Secure SSH
Thanks to The Fedora Unity Project for portions of this section.
This section will guide you through securing the SSH server. The instructions here are bordering on paranoia (perhaps completely). However, there is one advantage as you won’t need to enter your password when logging in with Putty, which is very convenient when you are using SSH to tunnel your VNC Desktop. What we’ll do is set up the Key Authentication feature for all users before disabling Password Authentication, so that only people possessing the key file will be able to login to your server.
First, login to your server from Putty as root. Following are the needed configuration options in sshd_config:
# nano /etc/ssh/sshd_config
We set up an alternate port previously:
Port 54322
Make sure SSH only uses Protocol 2:
Protocol 2
Allow root login only through key authentication. We don’t want to disable root login altogether since, in case you haven’t noticed, certain things can only be done under root login.
PermitRootLogin without-password
Limit the maximum number of simultaneous unauthenticated connections:
MaxStartups 3:50:10
Reduce the amount of time allowed to successfully login to 30 seconds:
LoginGraceTime 30
Allow only known users:
AllowUsers root pirate
Enable key authentication:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Save and exit.
Now, we’ll create a pair of keys for the root user, a private and a public key.
Note: Repeat the steps from here on for additional users you want to have Key Authentication. Make sure you log in as that user first.
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e8:41:87:32:13:25:93:b5:ae:3a:76:ce:14:fe:9a:b5 root@hostname
For convenience, we don’t need to use a passphrase. Enter a passphrase if you think your private key file may be compromised.
Two files were created in the folder /root/.ssh/. The id_rsa file is your private key that we’ll need to transfer to your PC. The id_rsa.pub file will be stored in the authorized_keys file on your server. The matching of these two keys is how the SSH server will authenticate the root user.
Since this is the first time you create a key pair, there is no authorized_keys file. Therefore, we can simply do this:
# mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
Note: if you are creating a 2nd pair of keys for the same user, we’ll have to add the public key to the existing authorized_keys file instead:
# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Open WinSCP to use sFTP to transfer the private key id_rsa to your own PC. Remember, the file is in the .ssh/ folder.
Now, we’ll need to convert the private key into a format that Putty will recognize. Download Putty Key Generator.
In Putty Key Generator, click Load and select the id_rsa file. You probably will have to change the filter to “All Files” in Browse to see it. Click Save Private Key to save the key in .ppk format.
Once successfully done, you can delete the id_rsa file on both your PC and the server.
In Putty, we’ll restart the SSH server to enable all our previous settings.
Fedora Core & CentOS:
# /etc/init.d/sshd restart
Debian & Ubuntu:
# /etc/init.d/ssh restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
# exit
$
Close the existing Putty session and open a new one. Hopefully, you already have a Saved Session by now. Select it and click Load. If not, enter your IP & Port information. On the left window, go to Connection – SSH – Auth. Under “Private key file for authentication”, browse to your private_key.ppk file.
Save the session, and click Open.
Enter root as the username, and you will be logged in automatically. If you entered a passphrase, then you’ll have to type it in at this point.
If you’ve come this far, you can choose to disable the normal Password Authentication login method after setting up Key Authentication for all users. To do so, set this line in sshd_config:
WARNING: By doing so, only Key Authentication is allowed. If you lose your private key, you won’t be able to access your server.
PasswordAuthentication no
Restart the SSH server for the change to take effect.
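Because a key-only server locks you out when key login silently fails, it helps to check two things first: that authorized_keys exists with permissions sshd accepts (its StrictModes option, on by default, rejects group- or world-writable files), and which PasswordAuthentication value sshd will actually use. The script below is an added example, not part of the original guide; the function names are hypothetical and the sample key and config are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# True if the path is writable by group or others; sshd's StrictModes
# (on by default) refuses keys kept in such a file or directory.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# check_key_login SSH_DIR -> prints "ok" or the reason key login would fail.
check_key_login() {
    ak="$1/authorized_keys"
    [ -d "$1" ] || { echo "missing $1"; return 1; }
    [ -s "$ak" ] || { echo "missing or empty $ak"; return 1; }
    if loose_perms "$1" || loose_perms "$ak"; then
        echo "group/world-writable: fix with chmod 700 $1; chmod 600 $ak"
        return 1
    fi
    # At least one non-comment line must carry a public key type.
    grep -Eq '^[^#]*(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)' "$ak" ||
        { echo "no public key in $ak"; return 1; }
    echo "ok"
}

# password_auth_state SSHD_CONFIG -> prints "yes" or "no".
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive; unset means the OpenSSH default (yes).
# Assumes "Keyword value" syntax and ignores conditional Match blocks.
password_auth_state() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" { v = tolower($2); exit }
        END { print (v == "" ? "yes" : v) }
    ' "$1"
}

# Constructed sample data in a scratch directory, so nothing real is touched.
demo() {
    d=$(mktemp -d)
    mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
    echo "ssh-rsa AAAAB3CONSTRUCTEDKEY root@hostname" > "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        > "$d/sshd_config"
    echo "key login: $(check_key_login "$d/.ssh")"
    echo "password auth: $(password_auth_state "$d/sshd_config")"
    rm -rf "$d"
}
demo
```

On the server, point the functions at /root/.ssh and /etc/ssh/sshd_config, validate the edited file with sshd -t, and keep the current Putty session open until a second, key-only login has succeeded.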
9. Miscellaneous
This section contains additional and optional configurations for your server.
Firefox & Flash
You probably noticed we’ve already installed Firefox from Section 3. To launch it, just right-click on the VNC Desktop for the fluxbox menu, locate Firefox and click. If you need the Flash plugin for Speed Tests, follow these instructions:
Fedora Core 4:
$ su
# yum --enablerepo=flash install flash-plugin
# exit
Fedora Core 5/6 & CentOS:
$ su
# yum install flash-plugin
# exit
Ubuntu:
$ su
# apt-get install flashplugin-nonfree
# exit
$
Debian: (Assuming you installed Backports in Section 2)
$ su
# apt-get -t etch-backports install flashplugin-nonfree
# exit
$
Start or restart Firefox.
Install rtorrent
If you don’t like uTorrent for whatever reason, rtorrent is a good alternative. rtorrent runs in a terminal and isn’t as easy to use, but I hope by now, you are more familiar with and not afraid of the Linux ways.
To install rtorrent:
Fedora Core & CentOS:
$ su
# yum install rtorrent
# exit
$
Debian & Ubuntu:
TBA
Note: If rtorrent cannot be installed with the instructions above, you’ll need to manually compile and install it. For that, as well as instructions for rtorrent, please see fstokebanget’s “How to install and use rtorrent properly in CentOS” guide.
Install Torrentflux
TBA
Configure the Fluxbox Menu
You can configure the fluxbox menu to your liking. Here is an example:
To get the menu above, we need to edit the following file:
Note: Use Putty instead of xterm to copy & paste text.
Tip: Ctrl+K in nano will delete the line the cursor is on.
$ nano ~/.fluxbox/menu
Edit it to look like this:
[begin] (Fluxbox-1.0.0)
[encoding] {UTF-8}
  [exec] (firefox) {firefox}
  [exec] (xterm) {xterm}
  [exec] (uTorrent) {wine ~/utorrent.exe}
  [submenu] (fluxbox menu)
    [config] (Configure)
    [submenu] (System Styles) {Choose a style...}
      [stylesdir] (/usr/share/fluxbox/styles)
    [end]
    [submenu] (User Styles) {Choose a style...}
      [stylesdir] (~/.fluxbox/styles)
    [end]
    [workspaces] (Workspace List)
    [submenu] (Tools)
      [exec] (Screenshot - JPG) {import screenshot.jpg && display -resize 50% screenshot.jpg}
      [exec] (Screenshot - PNG) {import screenshot.png && display -resize 50% screenshot.png}
      [exec] (Run) {fbrun }
      [exec] (Regen Menu) {../util/fluxbox-generate_menu }
    [end]
    [submenu] (Window Managers)
      [restart] (mwm) {mwm}
      [restart] (kde) {startkde}
    [end]
    [commanddialog] (Fluxbox Command)
    [reconfig] (Reload config)
    [restart] (Restart)
    [exec] (About) {(fluxbox -v; fluxbox -info | sed 1d) 2> /dev/null | xmessage -file - -center}
    [separator]
    [exit] (Exit)
  [end]
[endencoding]
[end]
Save and exit.
For information on how to manually edit the menu file, go HERE.
Configure Multiple IP Addresses
(Only for Fedora Core/CentOS right now)
If your server comes with more than one IP Address, we can add the extra IPs to your system. The purpose is for each user to have his/her own IP, which will avoid sharing one address when two or more users are downloading from the same tracker. This is only needed if your tracker specifies that two users cannot share one IP. You will need to contact your tracker’s staff to find out this information. You also need to setup each user with his/her own VNC Desktop to run separate instances of uTorrent. Follow Section 4 – 6 to create additional users.
Note: In our experience, two users can share a server with only 512MB of RAM. Not recommended for servers with less memory. Of course, you can have more users with more memory and good hardware.
The instructions here are a little more advanced than what we’ve done so far. First, we need to login to Putty as the root user, since “su” to root cannot modify network settings.
For this tutorial, we’ll use the following information:
IPs: 192.168.1.5, 192.168.1.6
Netmask: 255.255.255.0
Gateway: 192.168.1.1
Note: You may need to request the extra IP from your provider.
Of course, you’ll need to use the IP Addresses provided by your host. If you don’t know them, issue this command, and write down the IP, Netmask, and Gateway.
# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0b:6a:34:2a:9b
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.5
GATEWAY=192.168.1.1
TYPE=Ethernet
Create another network interface for your 2nd IP:
# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0:0
# nano /etc/sysconfig/network-scripts/ifcfg-eth0:0
Modify DEVICE and IPADDR in this file to reflect your 2nd IP:
DEVICE=eth0:0
HWADDR=00:0b:6a:34:2a:9b
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.6
GATEWAY=192.168.1.1
TYPE=Ethernet
Save & exit.
Bring eth0:0 up:
# ifup eth0:0
To see all the network interfaces:
# ifconfig
You should see the details for eth0, eth0:0, and lo
Note: To add more IPs, just repeat the process for eth0:1, eth0:2, etc.
Now, to test if your 2nd IP works, you can try to ping it from your own PC. Start the Command Prompt, type:
C:\>ping 192.168.1.6
Pinging 192.168.1.6 with 32 bytes of data:
Reply from 192.168.1.6: bytes=32 time=1ms TTL=127
Reply from 192.168.1.6: bytes=32 time=1ms TTL=127
Reply from 192.168.1.6: bytes=32 time=1ms TTL=127
Reply from 192.168.1.6: bytes=32 time=1ms TTL=127
Ping statistics for 192.168.1.6:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
Troubleshoot: If you cannot ping your 2nd IP, please make sure you follow the steps above exactly. Make sure your ifcfg-eth0:0 file is correctly setup. Make sure you see eth0:0 when issuing “ifconfig”. And finally, you can confirm with your provider that the information is properly given and setup.
After successfully setting up the extra IP, there are two ways to make each user use a different address. You only need to do one of them, but doing both is OK too.
1. Specify IPs in each user’s uTorrent
Go to uTorrent Preferences – Advanced
Insert your IP into these two fields: net.bind_ip & net.outgoing_ip. For example:
user1's uTorrent:
net.bind_ip: 192.168.1.5
net.outgoing_ip: 192.168.1.5
user2's uTorrent:
net.bind_ip: 192.168.1.6
net.outgoing_ip: 192.168.1.6
2. Using iptables
The second method requires adding an entry to iptables.
Note: Thanks to Kflint for the instructions here.
In the 1st method, we only tell uTorrent to use a specific IP. With iptables, the user will use a specific IP for all traffic, which means all Internet software including uTorrent, Firefox, and FTP will use the specified IP.
First we need to find out the user’s ID number:
# cat /etc/passwd
Your account is listed at the end, like so:
pirate:x:500:500::/home/pirate:/bin/bash
We need the number that comes after your account name, which is 500 in this case. Now we can add an entry to iptables:
# iptables -t nat -A POSTROUTING -m owner --uid-owner 500 -j SNAT --to 192.168.1.6
Check that the above command worked:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere OWNER UID match pirate to:192.168.1.6
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Save the iptables:
# iptables-save > /etc/sysconfig/iptables
Have iptables start on boot and load the saved config:
Fedora Core & CentOS:
# chkconfig iptables on
Debian & Ubuntu:
# update-rc.d iptables defaults
You only need to add an entry to iptables for the 2nd user and any additional users. It’s also fine to add an entry for the 1st user if you want.
Note: Don’t forget to open the necessary ports for additional users in your firewall if you had set it up previously.
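A mistyped UID or an address that was never brought up on eth0 produces a SNAT rule that either matches the wrong account or sends traffic out with a source address that cannot receive replies. The script below is an added example, not part of the original guide: it looks up the UID from a passwd-format file, confirms the target IP appears as IPADDR in ifcfg-eth0 or one of its aliases, and only then prints the rule for review. Function names are hypothetical and the sample files are constructed from the values used in this tutorial.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# uid_of USER PASSWD_FILE -> third field of the matching passwd entry.
uid_of() {
    awk -F: -v u="$1" \
        '$1 == u { print $3; found = 1; exit } END { exit !found }' "$2"
}

# configured_ips IFCFG_DIR -> every IPADDR= value in ifcfg-eth0 and its aliases.
configured_ips() {
    sed -n 's/^IPADDR=//p' "$1"/ifcfg-eth0* 2>/dev/null | tr -d '"'
}

# snat_rule USER IP PASSWD_FILE IFCFG_DIR -> prints the iptables command,
# or fails if the user is unknown or the IP is not configured on eth0.
snat_rule() {
    uid=$(uid_of "$1" "$3") || { echo "unknown user: $1" >&2; return 1; }
    configured_ips "$4" | grep -qxF "$2" ||
        { echo "$2 is not configured on eth0" >&2; return 1; }
    echo "iptables -t nat -A POSTROUTING -m owner --uid-owner $uid -j SNAT --to $2"
}

# Constructed sample files mirroring the tutorial's values.
demo() {
    d=$(mktemp -d)
    echo 'pirate:x:500:500::/home/pirate:/bin/bash' > "$d/passwd"
    printf 'DEVICE=eth0\nIPADDR=192.168.1.5\n' > "$d/ifcfg-eth0"
    printf 'DEVICE=eth0:0\nIPADDR=192.168.1.6\n' > "$d/ifcfg-eth0:0"
    snat_rule pirate 192.168.1.6 "$d/passwd" "$d"   # prints the rule
    snat_rule pirate 192.168.1.7 "$d/passwd" "$d"   # rejected: not configured
    rm -rf "$d"
}
demo || true
```

On a real server, pass /etc/passwd and /etc/sysconfig/network-scripts as the last two arguments and run the printed command as root.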
Using vnstat to monitor bandwidth usage
Depending on your provider, your server may not come with bandwidth monitoring. If so, you will have to monitor the bandwidth yourself to avoid paying overage fees for using more than the allowed limit. In Section 3, we already installed vnstat, which is a simple tool for bandwidth monitoring.
Vnstat by default monitors traffic on eth0, which should be your network interface. The program uses hardly any resources as it’s not a traffic sniffer, it only polls your network statistics from /proc every 5 minutes.
Type the help command for a list of available options:
Type “vnstat” for the default display which includes yesterday, today, and total bandwidth usages:
Type “vnstat -m” for monthly statistics:
10. FAQ
What is a seedbox? Where can I buy one? Which server should I buy?
For all these questions, see fatcat69’s Seedbox FAQ and 007’s BT Dedicated Server/Seedbox.
Which Linux distribution should I choose?
The 4 main distributions available when renting a server are CentOS, Debian, Fedora Core, and Ubuntu. Any of them will be fine, since this guide has instructions for all of them. If you can’t choose one, just flip a coin.
Why a Linux server instead of a Windows server?
The main reason is price. On average, renting a server with Windows costs between $15 – $20 more. If you don’t know Linux at all, and think following this guide is too hard, then Windows might be a better option.
Is Linux better than Windows for a seedbox or vice versa?
This is a user’s preference and experience question as both can work equally well.
I got Disk Overloaded Errors and my speed dropped, how do I prevent this?
Disk overloaded errors appear when the download speed is too fast for the hard drive to physically keep up. uTorrent uses your RAM as cache to store downloaded data that is waiting to be written to the HD. The screenshot below shows the cache getting filled up, which leads to the performance drop:
To alleviate this problem, we can increase the cache size in uTorrent (default is 32MB). We suggest you change it to 96MB first, and keep watch of the Disk Statistics screen to see the progress of the cache being used. Increase the cache higher if you need to, but always keep it about 128MB less than your total RAM.
Note: The more active torrents you have, the more the cache will be used. For a server with a 100Mbps network connection, don’t have more than 2-3 active torrents downloading at high speed together. You’ll have to find out the appropriate number of active torrents that will give the best performance for your server, since each seedbox differs from one another.
Note: If you have set your cache to the maximum, and you still receive disk overloaded errors, then you’ll have to limit the download speed in uTorrent. Most servers can handle speed between 5-8 MB/s fine with the default cache settings.
Note: If you have a server with OVH, specifically the Kimsufi product with only 256MB of RAM, you can get a USB Flash Drive to use as additional cache if needed. See dieudesorcs’ instructions HERE. UPDATE: Another user tested a 2GB flash disk as swap on a Kimsufi server with bad results. The server crashed after a short period of time when running uTorrent. We are not sure why, but after some thinking, I think using a USB flash drive as cache for uTorrent might not be a good idea, due to the intensive read/write nature of Bittorrent, which is too fast for a Flash Memory device.
I received the error “Too many open files” in uTorrent?
You may receive this error when you download a very large torrent and/or run many torrents. The problem has to do with the default Linux limit of allowed open files per user (1024). Go HERE for the solution (edit the file /etc/security/limits.conf).
uTorrent keeps dropping peer connections (“Peer error: error 10022”)
This problem is due to a bug in wine from version 0.9.40 up to 1.1.5. The latest version is 1.1.6, which fixed this issue. As of 10/16, if you follow this guide, the version of wine you should have is (after updating to the latest):
Debian: 0.9.25 or 1.1.1
Ubuntu: 1.1.7
FC/CentOS: 0.9.x
Check the version you have:
$ wine --version
If it’s lower than 0.9.40 or greater than 1.1.5, you are fine. If it’s between 0.9.40 – 1.1.5, and you have this issue:
Fedora Core/CentOS: Unfortunately, the wine package for these systems isn’t as well supported as Debian/Ubuntu. You can either compile wine from source or down-grade wine to a lower version. Both of these methods are complicated and different based on your wine and OS versions. If you need help, post a request in this thread. If available from your provider, a re-install of your server to Debian/Ubuntu might be the best way to go.
Debian: You should keep an eye on this site http://wine.budgetdedicated.com/ to see when version 1.1.6 will be available. A temporary fix is to downgrade to version 0.9.25, the current version in Debian Etch. Basically you can skip the Wine repository setup in Section 2.
Alternatively, you can compile wine from the latest source. Here are the instructions to compile wine-1.1.7:
– Shut down the currently running uTorrent
– Login as root in Putty
– Remove the current version of wine from your server:
# apt-get remove wine
– Install the necessary tools to compile wine:
# apt-get build-dep wine
Debian 64-bit users will need some extra packages:
# apt-get install libc6-dev-i386 lib32z1-dev
– Download and extract the latest source:
# wget http://internap.dl.sourceforge.net/s...-1.1.7.tar.bz2
# tar xvjpf wine-1.1.7.tar.bz2
– Enter the folder containing the source files you just extracted:
# cd wine-1.1.7/
– Compile and install wine:
# ./configure && make && make install
Note: this process will take at least half an hour on most servers.
If everything went successfully, type this to check the version of wine you now have installed:
# wine --version
wine-1.1.7
11. History
3/08 – Added a firewall troubleshoot for Section 5. Added the FAQ, not much there now, just some general answers and info about disk overloaded. Still to come: SSH Configs, Setup FreeNX, and how to use vnstat. Truecrypt isn’t performing well under testing, so the guide for that might take a while. And if the performance doesn’t improve, I won’t write it. Went through the whole guide carefully to correct grammar and spelling mistakes as best as I can. Made a few adjustments and additions along the way.
3/07 – Added commands to autostart vsftpd & iptables.
3/06 – Separated Miscellaneous into Security and Misc. Wrote the firewall section. More adjustments.
3/04 – Fixed errors: “restart now” to “reboot” in Section 2, and “nano /etc/sshd/sshd_config” to “nano /etc/ssh/sshd_config” in section 8. Added a few lines about SELinux & FTP in section 7. And a few other minor adjustments. Thanks to goodkat & dieudesorcs for their contributions to this guide.
3/02 – Well, I didn’t get anything done this weekend. Real life got in the way…I’ll definitely try to complete the missing parts by next weekend. Did a few minor adjustments. Will also plan to add “FreeNX, an alternative to VNC” and “Monitoring bandwidth with vnstat”. Will probably separate Miscellaneous into Security and Miscellaneous. Will add more stuff into Security about prevention and detection.
2/29 – Minor corrections and adjustments. Wrote “Secure VNC through a SSH tunnel”. To come in the next few days: firewall setup with Firestarter, some FAQs including disk overloaded, SSH tips, and autostart FTP server. Maybe also Truecrypt setup too. All depends on how much free time I’ll have.