NaQ's Complete Setup Guide (fastsh.it version)
From Fastsh.it
Original guide by NaQ of FST
This guide will help you set up your newly purchased server with uTorrent, an FTP server, Firefox, and more. Instructions for rtorrent and Torrentflux are also available, but we recommend uTorrent as it is the most user-friendly and is reported to work well even with only 256MB of RAM. The general principle of this guide is to set up your server in a secure manner, and perhaps you'll learn a bit about the Linux system along the way.
Questions, comments, corrections, and suggestions are welcomed.
When asking for help, please post as many details as possible about your problem, such as the OS, error messages, and a log file if available.
Programs needed:
- Putty
- WinSCP
- VNC Viewer
- FTP Client (Recommended: CuteFTP)
1. Initial login
So you've finally received the email after waiting so impatiently for your server. Now what to do? Run Putty, of course.
http://img150.imageshack.us/img150/715/puttylogin1qt0.jpg
Enter the IP address of your server as shown, then click Open.
http://img135.imageshack.us/img135/8840/puttylogin2ag7.jpg
Enter the login information as provided in the email, and you should be able to login to your server. You are now in a Putty terminal, connected to your server through a secure protocol called SSH.
http://img166.imageshack.us/img166/871/puttylogin3cw6.jpg
Tips for Putty:
- Highlight text to copy from Putty
- Right-click to paste into Putty
2. Initial Setup
The CLI
The Command Line Interface (what you see in front of you after you successfully log in through Putty) is what we'll use throughout this guide to set up your server. Some simple commands you can type to get familiar:
- pwd - Shows the present working directory
- ls - Lists the files and folders in the present directory
- ls -a - Like "ls", but also lists all hidden files and folders. You'll see that files and folders starting with "." (like .ssh/) are hidden
- cd / - Change directory to the root directory. NOTE: /root is the home folder of the root user
- cd ~ - Change directory to the home folder
Go HERE for a comprehensive list of basic commands you can do.
Change password
We want to change the password of the server, so your provider doesn't know it. A strong password is highly recommended.
passwd
Nano - The text editor
In Linux, you'll find yourself editing a lot of text files. Nano is a simple CLI text editor that you'll be using throughout this guide.
nano
You are now in nano. The text at the bottom of the terminal lists the available commands. For our purpose, all you need to know is "WriteOut" and "Exit", which are save and quit. The "^" character denotes the Ctrl key. So to save a file, press Ctrl+O, and to quit, press Ctrl+X. Just exit nano for now.
System Updates
Linux distributions use package management systems to easily install and maintain software. Debian and Ubuntu use "apt". Now, we'll add a few extra repositories (servers with additional software for your system) to apt, and then do a system-wide update before continuing on with installing software.
Install the wine repository:
wget http://wine.budgetdedicated.com/apt/387EE263.gpg
sudo apt-key add 387EE263.gpg
sudo wget http://wine.budgetdedicated.com/apt/sources.list.d/intrepid.list -O /etc/apt/sources.list.d/winehq.list
Next, run a system update:
sudo apt-get update
sudo apt-get upgrade
Say yes when asked to upgrade all packages.
3. Install Software
The following software will be installed in one easy command:
- vncserver - Provides a GUI interface with a VNC Desktop (Virtual Network Computing)
- wine - Windows emulation software for uTorrent
- xterm - a GUI terminal
- fluxbox - a light-weight window manager for your VNC Desktop
- vsftpd - an FTP server (File Transfer Protocol)
- firefox - a web browser
- vnstat - a bandwidth monitoring tool
sudo apt-get install vncserver wine xterm fluxbox vsftpd firefox vnstat && update-menus
Debian & Ubuntu systems don't pull in all the dependencies vncserver needs, so we'll have to install them manually.
sudo apt-get install xfonts-base xfonts-75dpi xfonts-100dpi
5. Setup VNC Desktop
We need to configure fluxbox to run when starting the VNC Desktop:
mkdir .vnc
nano .vnc/xstartup
Insert the following into the xstartup file:
fluxbox
Save and exit.
Make the xstartup file executable:
chmod +x .vnc/xstartup
That's all we need in order to start up our VNC Desktop. Since this is the first time you start vncserver, you'll be asked to enter a new password for access to the VNC Desktop. For simplicity, you can just use the same password as your user account here.
vncserver :1
The above command is what you'll use whenever you want to start a new VNC Desktop, for instance when your server crashes and you need to start things up again.
The command to stop the VNC Desktop is:
WARNING: This command is here just so you know it, DON'T enter it next.
vncserver -kill :1
Launch VNC Viewer. Enter the address of your server in VNC Viewer as shown below. And remember, the address is "your.ip:1".
http://img86.imageshack.us/img86/984/vncviewergt3.jpg
http://img211.imageshack.us/img211/6025/vncviewerpasswordyv5.jpg
At this point, if you are prompted for the VNC password, you've succeeded for the most part in setting up your Linux server.
Note: To change the VNC password, type this command:
vncpasswd
Note: If you are setting up a 2nd VNC Desktop for another user, remember that you'll have to use a different display number. For example: "vncserver :2". Then connect to "your.ip:2" in VNC Viewer.
6. Setup uTorrent & WebUI
7. Setup the FTP Server (VSFTPD)
You can set up an FTP server on your seedbox to transfer files to and from your home PC. This is quite advantageous, since you will most likely be able to download files from your server to your PC at the maximum speed your ISP provides, and it reduces the need to use BitTorrent at home.
We already installed VSFTPD in Section 3. Configuring VSFTPD is simple; however, we also want to configure VSFTPD to use TLS/SSL for logins.
Note: The root user is not allowed to login with FTP by default.
Create a new SSL/TLS certificate (and its private key, stored in the same file) for VSFTPD:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /root/vsftpd.pem -out /root/vsftpd.pem
The command above will prompt you for a bunch of information. Enter whatever you like.
Now it's time to configure VSFTPD through editing the vsftpd.conf file:
nano /etc/vsftpd.conf
Relevant changes:
anonymous_enable=NO
local_enable=YES
write_enable=YES
Note: make sure to remove the comment sign (#) from the settings you want.
Relevant additions to the end of the file:
ssl_enable=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/root/vsftpd.pem
Save & exit.
Start VSFTPD:
sudo /etc/init.d/vsftpd start
When making changes to vsftpd.conf, you'll need to restart VSFTPD, to do so:
sudo /etc/init.d/vsftpd restart
Now, you can try to log in to your server using the FTP client of your choice with your pirate account. Make sure to select the connection type "FTP with TLS/SSL".
Note: CuteFTP is recommended for its ability to download 1 large file with multiple connections to maximize speed.
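The following is an added example, not part of the original guide: a small shell audit of vsftpd.conf that checks the settings from this section are active and flags the two switches, ssl_sslv2 and ssl_sslv3, which enable obsolete protocol versions (later vsftpd and OpenSSL releases keep them off by default). It assumes the stock key=value format of vsftpd.conf and takes the file path as its argument.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a vsftpd.conf for the
# settings recommended above. Assumes the stock key=value format of
# vsftpd.conf; the file path is passed as the first argument.

# vsftpd_get FILE KEY: print the effective value of KEY (empty if unset).
# vsftpd reads the file top to bottom, so the last active line wins;
# commented lines ("#key=...") never match because '#' precedes the key.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# vsftpd_audit FILE: print one finding per line, return 1 if there are any.
vsftpd_audit() {
    conf=$1
    rc=0
    # settings this guide sets; each must be present with exactly this value
    for want in anonymous_enable=NO local_enable=YES ssl_enable=YES \
                force_local_logins_ssl=YES ssl_tlsv1=YES; do
        key=${want%%=*}
        val=${want#*=}
        have=$(vsftpd_get "$conf" "$key")
        if [ "$have" != "$val" ]; then
            echo "MISSING $key=$val (found: ${have:-unset})"
            rc=1
        fi
    done
    # SSLv2 and SSLv3 are obsolete protocol versions; flag them when switched on
    for key in ssl_sslv2 ssl_sslv3; do
        if [ "$(vsftpd_get "$conf" "$key")" = "YES" ]; then
            echo "WEAK $key=YES (obsolete protocol enabled)"
            rc=1
        fi
    done
    # the certificate file also holds the private key, so it must not be
    # readable by other users (checked only when the file exists on this host)
    cert=$(vsftpd_get "$conf" rsa_cert_file)
    if [ -n "$cert" ] && [ -f "$cert" ] && [ -n "$(find "$cert" -perm -004)" ]; then
        echo "WEAK $cert is world-readable"
        rc=1
    fi
    return $rc
}

# Usage on the server: vsftpd_audit /etc/vsftpd.conf
```

Run it after every edit of vsftpd.conf and before restarting the service; an empty output (exit status 0) means the file matches this section.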
8. Security
This section will deal with setting up various security features on your server.
Change FTP & SSH Ports
FTP & SSH use ports 21 & 22 respectively. These two ports are under constant brute-force login attempts by bots trying to compromise systems. Therefore, we want to change them.
Change FTP Port:
sudo nano /etc/vsftpd.conf
Add the following line to the end:
listen_port=54321
Save and exit. Choose any port number you want. Remember, you'll have to specify this same number in your FTP Client.
After this change, we'll need to restart VSFTPD:
sudo /etc/init.d/vsftpd restart
Change SSH Port:
sudo nano /etc/ssh/sshd_config
Change the line 'Port 22' to 'Port 54322'. Save and exit. Choose any port number you want. Remember, you'll have to specify this same number in Putty and WinSCP.
sudo /etc/init.d/ssh restart
Secure VNC through an SSH Tunnel
Notice that so far we are using 4 network services/programs: SSH, FTP, VNC, and BitTorrent. SSH is a secure protocol. We've set up FTP to use a secure authentication method, although the transfer of data isn't (Note: you can use SFTP for secure FTP transfers, but at the cost of speed). VNC isn't a secure service, so we'll use an SSH feature called tunnelling to encrypt its traffic.
Your VNC Desktop is currently running on display :1, with the network port being 5901. Once a tunnel is set up, this port doesn't need to be reachable from outside, since we'll be going through the SSH protocol & port. So, let's restart vncserver with the "-localhost" option. First, exit uTorrent in your existing VNC Desktop to avoid problems with your active torrents. Then, in Putty:
vncserver -kill :1
This command will start a VNC Desktop that will only allow connection from the same machine:
vncserver -localhost :1
Tip: For a bigger VNC Desktop resolution, you can add the "-geometry" option, like so:
vncserver -localhost -geometry 1920x1080 :1
Note: If you already started vncserver without setting the geometry, you'll need to kill it first. Replace 1920x1080 with any resolution you prefer.
Close Putty and open a new Putty window on your PC, enter the IP & Port information for SSH. On the left window, go to Connections - SSH - Tunnels. Under "Add new forwarded port:", insert the following:
- Source port: 5900
- Destination: localhost:5901
Click Add
http://img141.imageshack.us/img141/8775/putty5aw6.jpg
Go back to Session on the left window; we'll save the Putty settings for convenience. Under "Saved Sessions", insert any name you like, and click Save. From now on, to connect to your server with Putty, just double-click the Saved Session. The VNC tunnel will be loaded automatically as well.
http://img235.imageshack.us/img235/5893/putty4sz3.jpg
That's it, we've created a tunnel for VNC. The source port 5900 (which is conveniently the default port in VNC Viewer) is the port on your home PC, and the destination port is 5901 on your server, which is the port of your running VNC Desktop. Let's log in. Open VNC Viewer; the address is simply "localhost".
http://img239.imageshack.us/img239/9868/vnc6kx8.jpg
Troubleshoot: If VNC Viewer reports connection refused, try checking for a proper hosts file on your server. The instruction is in Section 5 (Setup VNC Desktop).
Note: Now that we've secured VNC, the next section will deal with securing the rest of your server. Notice that we currently have 3 active ports: 54321 for FTP, 54322 for SSH, and the uTorrent port, for which we'll just use 54320 for convenience. Thus, when setting up the firewall next, we'll only need to add one entry, allowing ports 54320 - 54322.
Configure Firewall with Firestarter
Linux comes with a powerful tool called iptables to intercept and manipulate network packets. In this section we'll set up iptables as the firewall for the server. Since manually configuring iptables is beyond the scope of this guide, we'll use a GUI frontend to iptables called Firestarter. Let's install Firestarter.
sudo apt-get install firestarter
In your VNC Desktop, open a new xterm, start Firestarter:
sudo firestarter
The first time Firestarter runs, it'll run a short Setup Wizard, click through it following these settings:
- Make sure the network device is eth0
- No Internet Connection Sharing
- Don't check "Start Firewall Now"
We don't want to start the firewall yet because we haven't opened the proper ports. Go to the "Policy" tab, right-click under "Allow Service", and select "Add Rule". In the Port field, insert the port range you need. According to this guide, the range we'll need is 54320-54322.
http://img132.imageshack.us/img132/387/firestarter6lb3.jpg
Note: If you don't want to use VNC through the SSH Tunnel, you'll need to add another rule for port 5901.
Click Apply Policy. Then Start Firewall.
http://img134.imageshack.us/img134/9735/firestarter7to7.jpg
Note: Remember that Firestarter is just a frontend to iptables, you don't have to leave it running. We recommend you close it to save resources. Also, the firewall will autostart on reboot.
That's it for setting up the basic firewall. However, you'll notice that we can't log in to the FTP server anymore. The reason is that the FTP server uses random ports above 1024 for passive data connections. So we'll need to specify a port range for FTP data connections, for which we'll use ports 54323 - 54340 for convenience.
Edit the VSFTPD config file:
sudo nano /etc/vsftpd.conf
Insert the following lines to the end:
pasv_min_port=54323
pasv_max_port=54340
Save and exit.
Then, in Firestarter, edit the rule from 54320-54322 to 54320-54340. Click Apply Policy.
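As an added example (not part of the original guide, and not what Firestarter itself generates), here is the same policy written as plain iptables commands, so you can review exactly what the single "allow 54320-54340" rule amounts to. It assumes the port numbers chosen in this guide and a default-drop policy on incoming traffic; the log prefix "Inbound " is just the label chosen here. The generator refuses to produce a rule set whose allowed range does not include the SSH port, since applying that over SSH would lock you out of the server.

```shell
#!/bin/sh
# Added example, not part of the original guide: the firewall policy from this
# section as plain iptables commands. Assumes the guide's port numbers; change
# them at the top. Firestarter's own rule set differs in detail.

SSH_PORT=54322
ALLOW_LOW=54320      # uTorrent (54320), FTP control (54321), SSH (54322)
ALLOW_HIGH=54340     # FTP passive data range 54323-54340 ends here

# fw_rules SSH_PORT LOW HIGH: print the iptables commands, one per line.
# Returns 1 without printing anything when the SSH port lies outside the
# allowed range, because applying such a policy over SSH locks you out.
fw_rules() {
    ssh=$1; low=$2; high=$3
    if [ "$ssh" -lt "$low" ] || [ "$ssh" -gt "$high" ]; then
        echo "refusing: SSH port $ssh is not inside $low-$high" >&2
        return 1
    fi
    # accept rules go in first; the DROP policy is set last so an existing
    # SSH session is never cut off while the rules are being loaded
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $low:$high -j ACCEPT
iptables -A INPUT -p udp --dport $low:$high -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "Inbound "
iptables -P INPUT DROP
EOF
}

# fw_apply: generate the rules and run them (needs root; sh -e stops on the
# first failing command so a half-applied policy is noticed immediately)
fw_apply() {
    fw_rules "$SSH_PORT" "$ALLOW_LOW" "$ALLOW_HIGH" | sh -e
}

# Preview without applying:
fw_rules "$SSH_PORT" "$ALLOW_LOW" "$ALLOW_HIGH"
```

Everything not matched by an accept rule is logged and then dropped by the policy, which is what produces the "Inbound" entries in /var/log/messages discussed below.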
Tip: To see all the entries Firestarter added to iptables, type the following in Putty:
sudo iptables -t filter -L
Tip: To monitor the firewall without running Firestarter, open a new xterm, type:
sudo tail -f /var/log/messages
The above command updates the terminal as new entries are added to the system log. To exit from "tail", press Ctrl+C. The file "/var/log/messages" contains the event log for your server. It is wise to keep an eye on it from time to time to find out if anything is wrong.
Tip: When you see constant attempts to connect to your server on one port, like in the screenshot below, you may not want iptables to log all the dropped connections (the log file will grow too big). To do so, right-click on an entry under "Events" and select "Disable Events on Port". You can remove/add logged ports in Firestarter's Settings.
http://img220.imageshack.us/img220/844/firestarter1dt1.jpg
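Before switching logging off for a port, it helps to know which ports and sources are actually producing the noise. The following is an added example, not part of the original guide: a shell summary of the dropped-packet lines in /var/log/messages, grouped by destination port and source address. It assumes the standard iptables LOG line format ("... SRC=a.b.c.d ... DPT=n ..."); the sample lines are constructed with documentation addresses, and the "Inbound" prefix is illustrative.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarise the packets the
# firewall dropped, read from /var/log/messages, by destination port and
# source address. Assumes the standard iptables LOG line format
# ("... SRC=a.b.c.d ... DPT=n ..."); the log prefix is not parsed.

# Constructed sample of the kind of lines found in /var/log/messages
# (documentation address ranges; this is not a real capture).
SAMPLE_LOG='Jan 10 03:12:01 seedbox kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44312 DPT=22 SYN
Jan 10 03:12:03 seedbox kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44313 DPT=22 SYN
Jan 10 03:12:05 seedbox kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44314 DPT=22 SYN
Jan 10 03:13:40 seedbox kernel: Inbound IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51020 DPT=22 SYN
Jan 10 03:15:12 seedbox kernel: Inbound IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=33001 DPT=21 SYN
Jan 10 03:15:13 seedbox vsftpd: pam_unix(vsftpd:auth): authentication failure'

# drop_summary < LOG: print "count port source", busiest first.
# Lines without both SRC= and DPT= (non-firewall messages) are skipped.
drop_summary() {
    awk '
        /SRC=/ && /DPT=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") count[dpt " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2n -k3,3
}

# noisy_ports THRESHOLD < LOG: ports that collected at least THRESHOLD drops,
# i.e. the candidates for "Disable Events on Port" in Firestarter.
noisy_ports() {
    drop_summary | awk -v min="$1" '
        { total[$2] += $1 }
        END { for (p in total) if (total[p] >= min) print p }
    ' | sort -n
}

# Usage on the server:  drop_summary < /var/log/messages
#                       noisy_ports 100 < /var/log/messages
# Here the constructed sample stands in for the real log:
printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

The first column tells you how many drops a single source produced on a port; a long list of different sources on the same port is the "constant attempts" pattern the tip above describes.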
Secure SSH
Thanks to The Fedora Unity Project for portions of this section.
This section will guide you through securing the SSH server. The instructions here border on paranoia (perhaps completely). However, there is one advantage: you won't need to enter your password when logging in with Putty, which is very convenient when you are using SSH to tunnel your VNC Desktop. What we'll do is set up the Key Authentication feature for all users before disabling Password Authentication, so that only people possessing the key file will be able to log in to your server.
First, log in to your server from Putty. Following are the required configuration options in sshd_config:
sudo nano /etc/ssh/sshd_config
We already set up an alternate port previously:
Port 54322
Make sure SSH only uses Protocol 2:
Protocol 2
Limit the maximum number of simultaneous unauthenticated connections:
MaxStartups 3:50:10
Reduce the amount of time allowed to successfully login to 30 seconds:
LoginGraceTime 30
Allow only known users:
AllowUsers root pirate
Enable key authentication:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Save and exit.
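To confirm the file really carries these settings before restarting sshd, here is an added example (not part of the original guide): a shell check that reads sshd_config and reports each directive from this section that is missing or set differently. It assumes the standard "Keyword value" format and, like sshd, takes the first occurrence of a keyword; Match blocks are not handled because the guide does not use them. PasswordAuthentication is reported as missing until the final step of this section has been done.

```shell
#!/bin/sh
# Added example, not part of the original guide: check an sshd_config for the
# directives listed above. Assumes the standard "Keyword value" format; sshd
# applies the FIRST occurrence of a keyword, so that is what is read here.
# Match blocks are not handled (the guide does not use them).

# sshd_get FILE KEYWORD: print the first active value of KEYWORD
# (case-insensitive, commented lines ignored); empty if unset.
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) && $1 !~ /^#/ { print $2; exit }' "$1"
}

# sshd_check FILE: print one finding per line, return 1 if there are any.
sshd_check() {
    conf=$1
    rc=0
    # "Keyword|expected value", as set in the guide
    for want in "Protocol|2" "MaxStartups|3:50:10" "LoginGraceTime|30" \
                "PubkeyAuthentication|yes" "PasswordAuthentication|no"; do
        key=${want%%|*}
        val=${want#*|}
        have=$(sshd_get "$conf" "$key")
        if [ "$have" != "$val" ]; then
            echo "MISSING $key $val (found: ${have:-unset})"
            rc=1
        fi
    done
    # AllowUsers must name at least one user, otherwise every account may log in
    if [ -z "$(sshd_get "$conf" AllowUsers)" ]; then
        echo "MISSING AllowUsers (no user whitelist)"
        rc=1
    fi
    # the port should have been moved away from 22 (unset means 22)
    port=$(sshd_get "$conf" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "WEAK Port 22 (still on the default port)"
        rc=1
    fi
    return $rc
}

# Usage on the server: sshd_check /etc/ssh/sshd_config
```

An empty output means every directive from this section is in place. Because the check reads the file rather than the running daemon, run it before "/etc/init.d/ssh restart" and keep the current Putty session open until the new one works.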
Now, we'll create a pair of keys for the root user, a private and a public key.
Note: Repeat the steps from here on for additional users you want to have Key Authentication. Make sure you login as that user first.
ssh-keygen
For convenience, we don't need to use a passphrase. Enter a passphrase if you think your private key file may be compromised.
Two files were created in the folder ~/.ssh/. The id_rsa file is your private key, which we'll need to transfer to your PC. The id_rsa.pub file will be stored in the authorized_keys file on your server. The matching of these two keys is how the SSH server will authenticate the root user.
Since this is the first time you create a key pair, there is no authorized_keys file. Therefore, we can simply do this:
mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
Note: if you are creating a 2nd pair of keys for the same user, we'll have to add the public key to the existing authorized_keys file instead:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
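The two commands above do the job, but sshd (with its default StrictModes setting) silently ignores an authorized_keys file when it or the .ssh folder is writable by other users, and running the cat command twice installs the key twice. The following is an added example, not part of the original guide: a shell function that installs a public key into authorized_keys, creating the folder and file with the permissions sshd expects and skipping keys that are already present. It takes the .pub file and, optionally, the home directory to install into.

```shell
#!/bin/sh
# Added example, not part of the original guide: put a public key into a
# user's authorized_keys the way the two commands above do, but idempotently
# and with the permissions sshd's default StrictModes requires (the file is
# ignored if .ssh or authorized_keys is writable by other users).
# Arguments: path to the .pub file and the home directory (default: $HOME).

install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    sshdir=$home/.ssh
    ak=$sshdir/authorized_keys
    # a public key file is a single "type base64 [comment]" line
    key=$(head -n 1 "$pub")
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not a public key line: $pub" >&2; return 2 ;;
    esac
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$ak"
    chmod 600 "$ak"
    # append only if this exact line is not already present
    if grep -qxF "$key" "$ak"; then
        echo "already present: $(echo "$key" | cut -d' ' -f3-)"
    else
        printf '%s\n' "$key" >> "$ak"
        echo "installed: $(echo "$key" | cut -d' ' -f3-)"
    fi
}

# Usage on the server, logged in as the user who ran ssh-keygen:
#   install_pubkey ~/.ssh/id_rsa.pub
```

Unlike the mv command above, this leaves id_rsa.pub in place, so you can run it again for the same key (nothing changes) or for a second key pair (it is appended).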
Open WinSCP to use SFTP to transfer the private key id_rsa to your own PC. Remember, the file is in the .ssh/ folder.
Now, we'll need to convert the private key into a format that Putty will recognize. Download Putty Key Generator.
In Putty Key Generator, click Load and select the id_rsa file. You probably will have to change the filter to "All Files" in Browse to see it. Click Save Private Key to save the key in .ppk format.
http://img221.imageshack.us/img221/3884/keyauth1gu6.jpg
Once successfully done, you can delete the id_rsa file on both your PC and the server.
In Putty, we'll restart the SSH server to enable all our previous settings.
sudo /etc/init.d/ssh restart
Close the existing Putty session and open a new one. Hopefully, you already have a Saved Session by now. Select it and click Load. If not, enter your IP & Port information. On the left window, go to Connection - SSH - Auth. Under "Private key file for authentication", browse to your private_key.ppk file.
http://img81.imageshack.us/img81/9601/keyauth2cq2.jpg
Save the session, and click Open.
Enter the username, and you will be logged in automatically. If you entered a passphrase, you'll have to type it in at this point.
http://img81.imageshack.us/img81/1002/keyauth3kn5.jpg
If you've come this far, you can choose to disable the normal Password Authentication login method after setting up Key Authentication for all users. To do so, set this line in sshd_config:
WARNING: By doing so, only Key Authentication is allowed. If you lose your private key, you won't be able to access your server.
PasswordAuthentication no
Restart the SSH server for the change to take effect.
9. Miscellaneous
Install rtorrent
Configure the Fluxbox Menu
You can configure the fluxbox menu to your liking. Here is an example:
http://img86.imageshack.us/img86/5808/addutorrenttomenukh7.jpg
To get the menu above, we need to edit the following file:
Note: Use Putty instead of xterm to copy & paste text. Tip: Ctrl+K in nano will delete the line the cursor is on.
nano ~/.fluxbox/menu
Edit it to look like this:
[begin] (Fluxbox-1.0.0)
[encoding] {UTF-8}
[exec] (firefox) {firefox}
[exec] (xterm) {xterm}
[exec] (uTorrent) {wine ~/utorrent.exe}
[submenu] (fluxbox menu)
[config] (Configure)
[submenu] (System Styles) {Choose a style...}
[stylesdir] (/usr/share/fluxbox/styles)
[end]
[submenu] (User Styles) {Choose a style...}
[stylesdir] (~/.fluxbox/styles)
[end]
[workspaces] (Workspace List)
[submenu] (Tools)
[exec] (Screenshot - JPG) {import screenshot.jpg && display -resize 50% screenshot.jpg}
[exec] (Screenshot - PNG) {import screenshot.png && display -resize 50% screenshot.png}
[exec] (Run) {fbrun }
[exec] (Regen Menu) {../util/fluxbox-generate_menu }
[end]
[submenu] (Window Managers)
[restart] (mwm) {mwm}
[restart] (kde) {startkde}
[end]
[commanddialog] (Fluxbox Command)
[reconfig] (Reload config)
[restart] (Restart)
[exec] (About) {(fluxbox -v; fluxbox -info | sed 1d) 2> /dev/null | xmessage -file - -center}
[separator]
[exit] (Exit)
[end]
[endencoding]
[end]
Save and exit.
For information on how to manually edit the menu file, go HERE.
Using vnstat to monitor bandwidth usage
Depending on your provider, your server may not come with bandwidth monitoring. If so, you will have to monitor the bandwidth yourself to avoid paying overage fees for using more than the allowed limit. In section 3, we already installed vnstat, which is a simple tool for bandwidth monitoring.
vnstat by default monitors traffic on eth0, which should be your network interface. The program uses hardly any resources, as it's not a traffic sniffer; it only polls your network statistics from /proc every 5 minutes.
Type the help command for a list of available options:
http://img89.imageshack.us/img89/5204/vnstat1vs1.jpg
Type "vnstat" for the default display which includes yesterday, today, and total bandwidth usages:
http://img89.imageshack.us/img89/3516/vnstat2re8.jpg
Type "vnstat -m" for monthly statistics:
