Complete Setup Guide for Linux Seedboxes

11/03 - More tweaks and corrections. Updated the wine setup. Added to the FAQ about wine with instructions to compile wine for Debian. Removed webui.zip instructions as it's not needed with the latest uTorrent.

10/28 - Some more updates to wine installation in Section 2. Added a troubleshoot for openssl in Section 7.


10/22 - Updated to an easier way to install WebUI.

10/18 - Updated Section 2 about install wine for Debian/Ubuntu.

10/16 - Updated uTorrent to 1.8.1. Added write_enable=yes to vsftpd setup. Fixed the error about sshd restart for Debian/Ubuntu. And some minor tweaks. Added a FAQ about uTorrent dropping peer connections (wine issue: http://bugs.winehq.org/show_bug.cgi?id=14188)

9/12 - Updated the guide to install uTorrent 1.8 & latest WebUI. Added a FAQ about "Too many open files"

3/25 - Added a hosts file troubleshoot for Section 5.

3/11 - Updated the firewall section with the proper way to start Firestarter in Debian/Ubuntu

3/10 - Added a vnstat guide to Section 9. Working on FreeNX setup, though it seems to not work as well as I remembered. Removed the need for Debian/Ubuntu servers to use vnc4server. Added some more install/setup procedures for Debian/Ubuntu in section 2 & 3 (for wine and vncserver to work properly). Added optional config for Debian in Section 2 (need it to install flash).

3/09 - Added Secure SSH to Section 8.

roiko
balbaid
predateur
fatcat69
wormtail
Kflint
goodkat
dieudesorcs

Gentoo
OSResources
The Unofficial Fedora FAQ
Google
and of course, FST

Putty
WinSCP
VNC Viewer
FTP Client (Recommended: CuteFTP)

- Change FTP & SSH Ports
- Secure VNC through a SSH Tunnel
- Configure Firewall with Firestarter
- Encrypt the Hard Drive with Truecrypt - TBA
- Secure SSH

- Firefox & Flash
- Install rtorrent
- Install Torrentflux - TBA
- Configure the Fluxbox Menu
- Configure Multiple IP Addresses
- Using vnstat to monitor bandwidth usage

So you've finally received the email after waiting so impatiently for your server. Now what to do? Run Putty, of course.

Enter the IP Address of your server like shown, click Open.

Enter the root login information as provided in the email, and you should be able to login to your server. You are now in a Putty terminal, connected to your server through a secure protocol called SSH.

Tips for Putty:
- Highlight text to copy from Putty
- Right-click to paste to Putty

The Command Line Interface (what you see in front of you as you successfully login through Putty) is what we'll use throughout this guide to setup your server. Some simple commands you can type to get familiar:

- Shows the present working directory.

# pwd

- Lists the files and folders in the present directory.

# ls

- Like "ls", but also lists all hidden files and folders. You'll see that files and folders starting with "." (like .ssh/) are hidden.

# ls -a

- Change directory to the root directory. NOTE: /root is the home folder of the root user.

# cd /

- Change directory to the home folder. Since you are login as root, you are now back in /root/.

# cd ~/

Go HERE for a comprehensive list of basic commands you can do.

We want to change the most important password of the server, so your provider doesn't know it. A strong password is highly recommended.

# passwd
New password:
Verify:

Certain providers create SSH authentication keys that will allow them to login to your server as root without actually knowing the password. We want to delete the authorized_keys2 file if it's there:

# ls .ssh
authorized_keys2
# rm .ssh/authorized_keys2

Note: Try the auto-complete feature by just typing "rm .ssh/au", then press Tab, and the rest of the filename will fill automatically.

Note: Key authentication can be a secure method of login, since you'd need an actual key file on your computer to authenticate against the server. See Section 8 for instructions.

In Linux, you'll find yourself editing a lot of text files. Nano is a simple CLI text editor that you'll be using throughout this guide.

# nano

You are now in nano. The text you see on the bottom of the terminal is the various commands. For our purpose, all you need to know is "WriteOut" and "Exit", which is save and quit. The "^" character denotes the Ctrl key. So to save a file, press Ctrl+O, and to quit is Ctrl+X. Just exit nano for now.

Some servers come with SELinux enabled which will cause some problems later on, specifically with FTP setup (user login & SSH/TLS setup). Please comment if you have a workaround without turning SELinux off. But for now, we'll just disable it if it's enabled.

Check SELinux status:

# cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

If you see the line SELINUX=disabled or you don't have this file, move on to the next section.

If your output says SELINUX=enforcing or SELINUX=permissive, we'll disable it:

# nano /etc/sysconfig/selinux

change "SELINUX=..." to "SELINUX=disabled". Save & exit.

You'll need to restart the server for this change to take effect. This should be the one and only time you will have to restart your server.

# reboot

Wait a few minutes (and maybe cross your fingers ) as your server restarts. Now login again through Putty.

Linux distributions use package management systems to easily install and maintain softwares. Fedora Core and CentOS use "yum", Debian and Ubuntu use "apt". Now, we'll add a few extra repositories (servers with additional softwares for your system) to yum and apt, and then do a system-wide update before continuing on with installing softwares. Each system has its own procedure, so follow the one you have accordingly.

Fedora Core 4:

# cd /etc
# mv yum.conf yum.conf.bak
# wget http://www.fedorafaq.org/fc4/samples/yum.conf
# rpm -Uvh http://www.fedorafaq.org/fc4/yum
# yum update

Say yes when asked to update all softwares.

Fedora Core 5:

# cd /etc
# mv yum.conf yum.conf.bak
# wget http://www.fedorafaq.org/fc5/samples/yum.conf
# rpm -Uvh http://www.fedorafaq.org/fc5/yum http://rpm.livna.org/livna-release-5.rpm
# yum update

Say yes when asked to update all softwares.

Fedora Core 6:

# rpm -Uvh http://www.fedorafaq.org/fc6/yum http://rpm.livna.org/livna-release-6.rpm 
# yum update

Say yes when asked to update all softwares.

NOTE: Thanks to The Unofficial Fedora FAQ for the instructions above.

CentOS 4/5:

# nano /etc/yum.repos.d/Extra.repo

Copy & paste the following into the Extra.repo file:

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1

[kbs-CentOS-Extras]
name=CentOS.Karan.Org-EL$releasever - Stable
gpgcheck=1
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el$releasever/extras/stable/$basearch/RPMS/

[kbs-CentOS-Misc]
name=CentOS.Karan.Org-EL$releasever - Stable
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
gpgcheck=1
enabled=1
baseurl=http://centos.karan.org/el$releasever/misc/stable/$basearch/RPMS/

Save & exit.

# rpm --import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
# rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
# yum update

Say yes when asked to update all softwares.

Debian & Ubuntu:

Install the wine repository:

Update: Debian users should NOT follow this step at the moment due to a bug in wine that drops peer connections in uTorrent. The older version in Debian (0.9.25) works fine enough. See the FAQ for more details.

Ubuntu Hardy Heron (8.04):

# wget http://wine.budgetdedicated.com/apt/387EE263.gpg
# apt-key add 387EE263.gpg
# wget http://wine.budgetdedicated.com/apt/sources.list.d/hardy.list -O /etc/apt/sources.list.d/winehq.list

Ubuntu Intrepid Ibex (8.10):

# wget http://wine.budgetdedicated.com/apt/387EE263.gpg
# apt-key add 387EE263.gpg
# wget http://wine.budgetdedicated.com/apt/sources.list.d/intrepid.list -O /etc/apt/sources.list.d/winehq.list

Next, run a system update:

# apt-get update
# apt-get upgrade

Say yes when asked to update all softwares.

Optional configuration for Debian (will need it if you want Flash):

We are gonna assume you are running Debian 4.0 (Etch), we can install the "backports" repository which will have more updated softwares than the stable tree.

Edit the sources.list file:

# nano /etc/apt/sources.list

Insert the following line to the end:

deb http://www.backports.org/debian etch-backports main contrib non-free

Save and exit.

Get the verification key:

# wget http://backports.org/debian/archive.key
# apt-key add archive.key

Run update:

# apt-get update

You can also run "apt-get -t etch-backports upgrade", but it's not necessary.

The following softwares will be installed in one easy command:

vncserver - Provides a GUI interface with a VNC Desktop (Virtual Network Computing)
wine - Windows emulation software for uTorrent
xterm - a GUI terminal
fluxbox - a light-weight Windows Manager for your VNC Desktop
vsftpd - a FTP server (File Transfer Protocol)
firefox - a web browser
vnstat - a bandwidth monitoring tool

Fedora Core & CentOS:

# yum install vnc-server wine xterm fluxbox vsftpd firefox vnstat

Say yes when asked. You'll see many dependencies packages being installed as well.

Debian & Ubuntu:

# apt-get install vncserver wine xterm fluxbox vsftpd firefox vnstat
# update-menus

Say yes when asked. You'll see many dependencies packages being installed as well.

Debian & Ubuntu systems don't download all the needed dependencies for vncserver, so we'll have to install them manually.

# apt-get install xfonts-base xfonts-75dpi xfonts-100dpi

Optional for Debian:

Install a newer version of fluxbox:

# apt-get -t etch-backports install fluxbox

We do not want to use root as a user, since root is an administrative account with full control over your server, it is not meant to be used due to possible screwups and security purposes. Therefore, we'll create a new user to use.

Note: Repeat Section 4 - 6 to create additional users. All users will be able to run their own instances of VNC desktop & uTorrent, as well as login with FTP. See Section 9 for instructions on how setup separated IP Addresses for multiple users.

# useradd -m pirate

Note: Replace pirate with any username you like.

Create a password for this new account:

# passwd pirate
New password:
Verify:

Now we can login to Putty again with this new user account. Right-click on Putty's title bar, select "Duplicate Session", and login with pirate. You can close the old Putty window that is logged in under root.

Now that we are logged in as a new user. Notice first, where your home folder is located

$ pwd
/home/pirate

Note: Notice the "$" sign used above. From now on, this means the command is executed under the user account. And "#" is for commands executed under the root account.

We need to configure fluxbox to run when starting the VNC Desktop:

$ mkdir .vnc
$ nano .vnc/xstartup

Insert the following into the xstartup file:

fluxbox

Save and exit.

Make the xstartup file executable:

$ chmod +x .vnc/xstartup

That's all we needed in order to start up our VNC Desktop. Since this is the first time you start vncserver, you'll be asked to enter a new password for access to the VNC Desktop. For simplicity, you can just use the same password for your user account here.

$ vncserver :1
New 'your.hostname:1 (pirate)' desktop is your.hostname:1

Starting applications specified in /home/pirate/.vnc/xstartup
Log file is /home/pirate/.vnc/your.hostname:1.log

The above command will be used whenever you want to start a new VNC Desktop, for instance if when your server crash and you need to start things up again.

The command to stop the VNC Desktop is:

WARNING: This command is here just so you know it, DON'T enter it next.

$ vncserver -kill :1
Killing Xvnc process ID 3489

Launch VNC Viewer. Enter the address of your server in VNC Viewer as shown below. And remember, the address is "your.ip:1".

RealVNC Viewer:

TightVNC Viewer:





At this point, if you are prompted for the VNC password, you've succeeded for the most part in setting up your Linux server.

Note: To change the VNC password, type this command:

$ vncpasswd

Note: If you are setting up the 2nd VNC Desktop for another user, remember that you'll have to use a different display number. For example: "$ vncserver :2". Then connect to "your.ip:2" in VNC Viewer.

Troubleshoot: If you are unsuccessful here in connecting to your VNC Desktop, please post in this thread the VNC Viewer error and the VNC log, which can be displayed by:

$ cat .vnc/your.hostname.log

Sample VNC connection error:

Troubleshoot: Your server might came with a firewall installed, which would block the VNC connection attempt. We'll setup a firewall later in the guide, so for now we can disable this firewall if it exists. To find out, type the following in Putty while login as root to list the filter table of iptables:

# iptables -t filter -L
 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination

The above output means there is no firewall. If your output has entries under the 3 chains (INPUT, FORWARD, OUTPUT) and/or has more chains, then we'll need to flush the iptables:

# iptables -F

List the table again to make sure it's empty. Then try to connect with VNC Viewer again.

Troubleshoot: Your server may not have a proper hosts file setup which will result in this error (you can see it in the log):

_X11TransSocketINETConnect() can't get address for your.hostname: Name or service not known

If you get this error, open the hosts file:

$ su
# nano /etc/hosts

Make sure the file has the following two lines:

127.0.0.1 localhost
your.ip your.hostname

Replace "your.ip" & "your.hostname" with the ones for your server. If you don't know your hostname, type:

# hostname

Then restart the vncserver using the commands above.

From now on, you can close the Putty program as we'll use the xterm terminal in the VNC Desktop.

As you successfully login to your remote desktop, you'll see a blank screen with a taskbar on the bottom. Right-click anywhere on the desktop for the fluxbox menu, and find xterm (usually under Terminals).

xterm is just another terminal like Putty.

It's time to install uTorrent, in the new xterm window, type:

$ wget http://download.utorrent.com/1.8.1/utorrent.exe

The latest uTorrent (version 1.8.1) is now downloaded to your home folder.

Start uTorrent:

WARNING:At the setup screen, click CANCEL as we don't want to install uTorrent like in Windows. It runs fine as a stand-alone application.

$ wine utorrent.exe

Suggested tips to configure uTorrent:

- Use Speed Guide and set your connection to "xx/100Mbps" or "xx/10Mbps" depending on what you have
- Choose any port above 45,000
- Enable Encryption
- Disable DHT, Local Peer Discovery, Peer Exchange
- No randomize ports, disable UPnP port mapping & NAT-PMP port mapping
- Enable WebUI Interface, insert WebUI's un & pw
- In Advanced Options, set gui.delete_to_trash to FALSE
- Un-check Minimize to tray & Close to tray

Note: See the FAQ about Disk Overloaded Errors and how to work around it.

All set.

WebUI should also work if you configure it. The address will be http://your.ip:xxxxx/gui , where xxxxx is the uTorrent's port number you setup previously. If successfully connected, the browser will prompt for your WebUI's un & pw that you set in uTorrent. We recommend that you set the WebUI's un & pw to be different from your user account. So if WebUI is compromised, your server is still safe.

That's it. Now it's time to put your server to the test . We are gonna assume you know how to use uTorrent and/or WebUI. Read on if you want to setup a FTP server, Firefox & Flash, configure multiple IPs, configure firewall, and more. See the FAQ for some useful info as well.

You can setup a FTP Server on your seedbox to transfer files to and from your home PC. This is quite advantageous since you most likely will be able to download files from your server to your PC at the maximum speed provided by your ISP, as well as reducing the need to use Bittorrent at home.

We had already installed VSFTPD from Section 3. Configuring VSFTPD is simple, however we also want to configure VSFTPD to use TLS/SSH authentication.

Note: Enabling TLS/SSH authentication will NOT work if SELinux is enabled. See Section 2 to check if SELinux is enabled. And if so, to disable it.

Note: Users will NOT be able to login if SELinux is enabled. See Section 2 to check if SELinux is enabled, and if so, to disable it.

Note: The root user is not allowed to login with FTP by default.

In VNC Desktop:

We need root privileges to configure VSFTPD. The command "su" will let us switch user. Type in xterm (remember not to use the one that's running uTorrent):

$ su
Password:
#

Here, we need to enter the root password to switch to the root user.

Create a new SSH certificate for VSFTPD:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /root/vsftpd.pem -out /root/vsftpd.pem

The command above will ask you a bunch of information. Insert whatever you like.

Troubleshoot: If you encountered the error: "openssl command not found", then openssl isn't installed on your server. To install it:

Fedora Core/CentOS:
# yum install openssl
Debian/Ubuntu:
# apt-get install openssl

Now it's time to configure VSFTPD through editing the vsftpd.conf file:

Fedora Core & CentOS:

# nano /etc/vsftpd/vsftpd.conf

Debian & Ubuntu:

# nano /etc/vsftpd.conf

Relevant changes:

anonymous_enable=NO
local_enable=YES
write_enable=YES

Note: make sure to remove the comment sign from the settings you want (#)

Relevant additions to the end of the file:

ssl_enable=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/root/vsftpd.pem

Save & exit.

Start VSFTPD:

# /etc/init.d/vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]

When making changes to vsftpd.conf, you'll need to restart VSFTPD, to do so:

# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

To have VSFTPD autostart on boot:

Fedora Core & CentOS:

# chkconfig vsftpd on

Debian & Ubuntu:

# update-rc.d vsftpd defaults

Now, you can try to login to your server using the FTP Client of your choice with your pirate account. Make sure to select the connection type as "FTP with TLS/SSH".

Exit out of the root user in xterm:

# exit
$

Note: See Section 8 to change the default ports for the FTP & SSH services.

If you need help with your Windows FTP Client, see fatcat69's FTP guide HERE.

Note: CuteFTP is recommended for its ability to download 1 large file with multiple connections to maximize speed. Please post if you know of other clients that have this feature.

This section will deal with setting up various security features on your server.

FTP & SSH use ports 21 & 22 respectively. These two ports are under constant brute force login attempts by bots trying to compromise systems. Therefore, we want to change them.

Change FTP Port:

$ su

Fedora Core & CentOS:

# nano /etc/vsftpd/vsftpd.conf

Debian & Ubuntu:

# nano /etc/vsftpd.conf

Add the following line to the end:

listen_port=54321

Save and exit. Choose any port number you want. Remember, you'll have to specify this same number in your FTP Client.

After this change, we'll need to restart VSFTPD:

# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
# exit
$

Change SSH Port:

$ su
# nano /etc/ssh/sshd_config

Change the following line:

# Port 22
to
Port 54322

Save and exit. Choose any port number you want. Remember, you'll have to specify this same number in Putty and WinSCP.

Fedora Core & CentOS:
# /etc/init.d/sshd restart

Debian & Ubuntu:
# /etc/init.d/ssh restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
# exit
$

Notice so far, we are using 4 network services/programs. They are SSH, FTP, VNC, and Bittorrent. SSH is a secure protocol. We've setup FTP to use a secure authentication method, although the transferring of data isn't so (Note: you can use SFTP for secure FTP transfers, but at the cost of speed). VNC isn't a secure service, so we'll use a SSH's feature called tunnel to encrypt the traffic.

Your VNC Desktop is currently running on display :1 with the network port being 5901. With setting up a tunnel, this port isn't needed to be accessible from outside, since we are using the SSH protocol & port. So, let's restart vncserver with the "localhost" option. First, exit uTorrent in your existing VNC Desktop to ensure no issue with your active torrents. Then, in Putty:

$ vncserver -kill :1
 Killing Xvnc process ID 3489

This command will start a VNC Desktop that will only allow connection from the same machine:

$ vncserver -localhost :1

Tip: For a bigger resolution VNC Desktop, you can add the "-geometry" syntax, like so:

$ vncserver -localhost -geometry 1920x1080 :1

Note: If you already start vncserver without setting the geometry, then you'll need to kill it first. Replace 1920x1080 with any resolution you prefer.

Close Putty and open a new Putty window on your PC, enter the IP & Port information for SSH. On the left window, go to Connections - SSH - Tunnels. Under "Add new forwarded port:", insert the following:

Source port: 5900
Destination: localhost:5901

Click Add

Go back to Session on the left window, we'll save the Putty settings for convenience. Under "Saved Sessions", insert any name you like, and click Save. From now on, to connect to your server with Putty, just double click on the Saved Session. The tunnel for VNC will also be loaded automatically as well.



That's it, we've created a tunnel for VNC. The source port 5900 (which is conveniently the default port in VNC Viewer) is the port on your home PC, and the destination port is 5901 on your server, which is the port for your running VNC Desktop. Let's login. Open VNC Viewer, the address is simply "localhost"

Troubleshoot: If VNC Viewer reports connection refused, try checking for a proper hosts file on your server. The instruction is in Section 5 (Setup VNC Desktop).

Note: Now that we've secured VNC, the next section will deal with securing the rest of your server. Notice that we currently have 3 active ports: 54321 for FTP, 54322 for SSH, and the uTorrent port, which we'll just use 54320 for convenience. Thus, when setting up the firewall next, we'll just have to add one entry, which is to allow ports 54320 - 54322.

Linux comes with a powerful tool called iptables to intercept and manipulate network packets. We'll setup iptables in this section to be the firewall for the server. Since manually configuring iptables is beyond the scope of this guide, we'll use a GUI frontend to iptables called Firestarter. Let's install Firestarter.

Fedora Core & CentOS 4:

$ su
# yum install firestarter
# exit
$

CentOS 5:

$ wget http://centos.karan.org/el4/extras/stable/i386/RPMS/firestarter-1.0.3-1.i386.rpm
$ su
# yum install firestarter-1.0.3-1.i386.rpm
# exit
$

Debian & Ubuntu:

$ su
# apt-get install firestarter
# exit
$

In your VNC Desktop, open a new xterm, start Firestarter:

Fedora Core & CentOS:

$ firestarter

You need to provide the root password here, as Firestarter requires administrator privileges.

Debian & Ubuntu:

Firestarter requires the user to have sudo permission, which is a quicker way for users to execute root commands with out "su". So we'll have to give it:

$ su
# visudo

You are now looking at the sudoers file using "vi" which is another text editor. Press "i" for Insert Mode to edit text, insert the following to the end, after the same line for "root":

pirate    ALL=(ALL) ALL

Press "ESC" to quit Insert Mode. Type ":wq" to save and exit.

Launch Firestarter:

# exit
$ sudo firestarter
[sudo] password for pirate:

Type your pirate's password here.

The first time Firestarter runs, it'll run a short Setup Wizard, click through it following these settings:

- Makes sure the network device is eth0
- No Internet Connection Sharing
- Don't check "Start Firewall Now"

We don't want to start the firewall yet because we haven't open the proper ports. Go to the "Policy" Tab, right-click under "Allow Service", select "Add Rule". In the Port field, insert the port range you need. So according to this guide, the range we'll need is 54320-54322.



Note: If you don't want to use VNC through the SSH Tunnel, you'll need to add another rule for port 5901.

Click Apply Policy. Then Start Firewall.



Note: Remember that Firestarter is just a frontend to iptables, you don't have to leave it running. We recommend you close it to save resources. Also, the firewall will autostart on reboot.

That's it for setting up the basic firewall. However, you'll notice that we can't login to the FTP server anymore. The reason is the FTP server uses random ports above 1024 for data connections. So we'll need to specify a port range for FTP connections, which we'll use port 54323 - 54340 for convenience.

Edit the VSFTPD config file:

$ su
# nano /etc/vsftpd/vsftpd.conf
Note: for Debian & Ubuntu users, the config file is in a different location, type: 
# nano /etc/vsftpd.conf

Insert the following lines to the end:

pasv_min_port=54323
pasv_max_port=54340

Save and exit.

Then, in Firestarter, edit the rule from 54320-54322 to 54320-54340. Click Apply Policy.

Tip: To see all the entries Firestarter added to iptables, type the following in Putty when login as root:

# iptables -t filter -L

Tip: To monitor the firewall without running Firestarter, open a new xterm, type:

$ su
# tail -f /var/log/messages

The above command actively updates the terminal when new entries are added to the system log. To exit from "tail", press Ctrl+C. The file "/var/log/messages" contains all events log for your server. It is wise to keep an eye on it from time to time to find out if anything is wrong.

Tip: When you see constant attempts to connect to your server under one port like the screenshot below, you may not want iptables to log all the drop connections (the log file will grow too big). To do so, right-click on an entry under "Events" and select "Disable Events on Port". You can remove/add logged ports in Firestarter's Settings.

TBA

Thanks to The Fedora Unity Project for portions of this section.

This section will guide you to secure the SSH server. The instructions here are border-lining on paranoia (perhaps completely). However, there is one advantage as you won't need to enter your password when login with Putty, which is very convenient when you are using SSH to tunnel your VNC Desktop. What we'll do is setup the Key Authentication feature for all users before disabling Password Authentication, so that only people possessing the key file will be able to login to your server.

First, login to your server from Putty as root. Following are the needed configuration options in sshd_config:

# nano /etc/ssh/sshd_config

We had setup an alternate port previously:

Port 54322

Make sure SSH only uses Protocol 2:

Protocol 2

Allow root login only through key authentication. We don't want to disable root login altogether, since if you haven't notice, certain things can only be done under root login.

PermitRootLogin without-password

Limit the maximum number of simultaneous unauthenticated connections:

MaxStartups 3:50:10

Reduce the amount of time allowed to successfully login to 30 seconds:

LoginGraceTime 30

Allow only known users:

AllowUsers root pirate

Enable key authentication:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Save and exit.

Now, we'll create a pair of keys for the root user, a private and a public key.

Note: Repeat the steps from here on for additional users you want to have Key Authentication. Make sure you login as that user first.

# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e8:41:87:32:13:25:93:b5:ae:3a:76:ce:14:fe:9a:b5 root@hostname

We don't need to use a passphrase for convenience. Enter a passphrase if you think your private key file may be compromised.

Two files were created in the folder /root/.ssh/. The id_rsa file is your private key that we'll need to transfer to your PC. The id_rsa.pub file will be store in the authorized_keys file on your server. The matching of these two keys is how the SSH server will authenticate the root user.

Since this is the first time you create a key pair, there is no authorized_keys file. Therefore, we can simply do this:

# mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

Note: if you are creating a 2nd pair of keys for the same user, we'll have to add the public key to the existing authorized_keys file instead:

# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Open WinSCP to use sFTP to transfer the private key id_rsa to your own PC. Remember, the file is in the .ssh/ folder.

Now, we'll need to convert the private key into a format that Putty will recognized. Download Putty Key Generator.

In Putty Key Generator, click Load and select the id_rsa file. You probably will have to change the filter to "All Files" in Browse to see it. Click Save Private Key to save the key in .ppk format.



Once successfully done, you can delete the id_rsa file on both your PC and the server.

In Putty, we'll restart the SSH server to enable all our previous settings.

Fedora Core & CentOS:
# /etc/init.d/sshd restart

Debian & Ubuntu:
# /etc/init.d/ssh restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
# exit
$

Close the existing Putty session and open a new one. Hopefully, you already have a Saved Session by now. Select it and click Load. If not, enter your IP & Port information. On the left window, go to Connection - SSH - Auth. Under "Private key file for authentication", browse to your private_key.ppk file.



Save the session, and click Open.

Enter root as the username, and you will be login automatically. If you entered a passphrase, then you'll have to type it in at this point.



If you've come this far, you can choose to disable the normal Password Authentication login method after setting up Key Authentication for all users. To do so, set this line in sshd_config:

WARNING: By doing so, only Key Authentication is allowed. If you lose your private key, you won't be able to access your server.

PasswordAuthentication no

Restart the SSH server for the change to take effect.

This section contains additional and optional configurations for your server.

You probably noticed we've already installed Firefox from Section 3. To launch it, just right-click on the VNC Desktop for the fluxbox menu, locate Firefox and click. If you need the Flash plugin for Speed Tests, follow these instructions:

Fedora Core 4:

$ su 
# yum --enablerepo=flash install flash-plugin
# exit

Fedora Core 5/6 & CentOS:

$ su
# yum install flash-plugin
# exit

Ubuntu:

$ su
# apt-get install flashplugin-nonfree
# exit
$

Debian: (Assuming you installed Backports in Section 2)

$ su
# apt-get -t etch-backports install flashplugin-nonfree
# exit
$

Start or restart Firefox.

If you don't like uTorrent for whatever reasons, rtorrent is a good alternative. rtorrent runs in a terminal and isn't as easy to use, but I hope by now, you are more familiar and not affraid of the Linux ways.

To install rtorrent:

Fedora Core & CentOS:

$ su
# yum install rtorrent
# exit
$

Debian & Ubuntu:

TBA

Note: If rtorrent cannot be installed with the instructions above, you'll need to manually compile and install it. For that, as well as instructions for rtorrent, please see fstokebanget's "How to install and use rtorrent properly in CentOS" guide.

TBA

You can configure the fluxbox menu to your liking. Here is an example:





To get the menu above, we need to edit the following file:

Note: Use Putty instead of xterm to copy & paste text.
Tip: Ctrl+K in nano will delete the line the cursor is on.

$ nano ~/.fluxbox/menu

Edit it to look like this:

[begin] (Fluxbox-1.0.0)
[encoding] {UTF-8}
      [exec] (firefox) {firefox}
      [exec] (xterm) {xterm}
      [exec] (uTorrent) {wine ~/utorrent.exe}
[submenu] (fluxbox menu)
      [config] (Configure)
[submenu] (System Styles) {Choose a style...}
      [stylesdir] (/usr/share/fluxbox/styles)
[end]
[submenu] (User Styles) {Choose a style...}
      [stylesdir] (~/.fluxbox/styles)
[end]
      [workspaces] (Workspace List)
[submenu] (Tools)
      [exec] (Screenshot - JPG) {import screenshot.jpg && display -resize 50% screenshot.jpg}
      [exec] (Screenshot - PNG) {import screenshot.png && display -resize 50% screenshot.png}
      [exec] (Run) {fbrun }
      [exec] (Regen Menu) {../util/fluxbox-generate_menu }
[end]
[submenu] (Window Managers)
      [restart] (mwm) {mwm}
      [restart] (kde) {startkde}
[end]
      [commanddialog] (Fluxbox Command)
      [reconfig] (Reload config)
      [restart] (Restart)
      [exec] (About) {(fluxbox -v; fluxbox -info | sed 1d) 2> /dev/null | xmessage -file - -center}
      [separator]
      [exit] (Exit)
[end]
[endencoding]
[end]

Save and exit.

For information on how to manually edit the menu file, go HERE.

(Only for Fedora Core/CentOS right now)

If your server comes with more than one IP Address, we can add the extra IPs to your system. The purpose is for each user to have his/her own IP, which will avoid sharing one address when two or more users are downloading from the same tracker. This is only needed if your tracker specifies that two users cannot share one IP. You will need to contact your tracker's staff to find out this information. You also need to setup each user with his/her own VNC Desktop to run separate instances of uTorrent. Follow Section 4 - 6 to create additional users.

Note: In our experience, two users can share a server with only 512MB of RAM. Not recommended for servers with less memory. Of course, you can have more users with more memory and good hardware.

The instructions here are a little more advanced than what we've done so far. First, we need to login to Putty as the root user, since "su" to root cannot modify network settings.

For this tutorial, we'll use the following information:

IPs: 192.168.1.5, 192.168.1.6
Netmask: 255.255.255.0
Gateway: 192.168.1.1

Note: You may need to request the extra IP from your provider.

Of course, you'll need to use the IP Addresses provided by your host. If you don't know them, issue this command, and write down the IP, Netmask, and Gateway.

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0b:6a:34:2a:9b
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.5
GATEWAY=192.168.1.1
TYPE=Ethernet

Create another network interface for your 2nd IP:

# cp /etc/sysconfig/network-scripts/ifcfg-eth0/ etc/sysconfig/network-scripts/ifcfg-eth0:0
# nano /etc/sysconfig/network-scripts/ifcfg-eth0:0

Modify DEVICE and IPADDR in this file to reflect your 2nd IP:

DEVICE=eth0:0
HWADDR=00:0b:6a:34:2a:9b
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.6
GATEWAY=192.168.1.1
TYPE=Ethernet

Save & exit.

Bring eth0:0 up:

# ifup eth0:0

To see all the network interfaces:

# ifconfig

You should see the details for eth0, eth0:0, and lo

Note: To add more IPs, just repeat the process for eth0:1, eth0:2, etc.

Now, to test if your 2nd IP works, you can try to ping it from your own PC. Start the Command Prompt, type:

C:\>ping 192.168.1.6

Pinging 192.168.1.6 with 32 bytes of data:

Reply from 192.168.1.6: bytes=32 time=1ms TTL=127
Reply from 192.168.1.6: bytes=32 time=1ms TTL=127
Reply from 192.168.1.6: bytes=32 time=1ms TTL=127
Reply from 192.168.1.6: bytes=32 time=1ms TTL=127
    
Ping statistics for 192.168.1.6:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

Troubleshoot: If you cannot ping your 2nd IP, please make sure you follow the steps above exactly. Make sure your ifcfg-eth0:0 file is correctly setup. Make sure you see eth0:0 when issuing "ifconfig". And finally, you can confirm with your provider that the information is properly given and setup.

After successfully setting up the extra IP, there are two ways to make each user uses a different address. You only need to do one way, but both is OK too.

1. Specify IPs in each user's uTorrent

Go to uTorrent Preferences - Advanced
Insert your IP into these two fields: net.bind_ip & net.outgoing_ip. For example

user1's uTorrent:
net.bind_ip: 192.168.1.5
net.outgoing_ip: 192.168.1.5

user2's uTorrent:
net.bind_ip: 192.168.1.6
net.outgoing_ip: 192.168.1.6

2. Using iptables

The second method requires adding an entry to iptables.

Note: Thanks to Kflint for the instructions here.

In the 1st method, we only specify uTorrent to use a specific IP. With iptables, the user will use a specific IP for all traffic, which means all Internet softwares including uTorrent, Firefox, and FTP will use the specified IP.

First we need to find out the user's ID number:

# cat /etc/passwd

Your account is listed at the end, like so:

pirate:x:500:500::/home/pirate:/bin/bash

We need the number that comes after your account name, which is 500 in this case. Now we can add an entry to iptables:

# iptables -t nat -A POSTROUTING -m owner --uid-owner 500 -j SNAT --to 192.168.1.6

See if the above commands works:

# iptables -t nat -L
 Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
    
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere            OWNER UID match pirate to:192.168.1.6

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Save the iptables:

# iptables-save > /etc/sysconfig/iptables

Have iptables start on boot and load the saved config:

Fedora Core & CentOS:

# chkconfig iptables on

Debian & Ubuntu:

# update-rc.d iptables defaults

You only need to add an entry to iptables for the 2nd user and any additional users. It's also fine to add an entry for the 1st user if you want.

Note: Don't forget to open the necessary ports for additional users in your firewall if you had set it up previously.

Depending on your provider, your server may not come with bandwidth monitoring. If so, you will have to monitor the bandwidth to prevent paying overage fee due to using more than the allowed limit yourself. From section 3, we already installed vnstat, which is a simple tool for bandwidth monitoring.

Vnstat by default monitors traffic on eth0, which should be your network interface. The program uses hardly any resources as it's not a traffic sniffer, it only polls your network statistics from /proc every 5 minutes.

Type the help command for a list of available options:



Type "vnstat" for the default display which includes yesterday, today, and total bandwidth usages:



Type "vnstat -m" for monthly statistics:

For all these questions, see fatcat69's Seedbox FAQ and 007's BT Dedicated Server/Seedbox.

The 4 main distributions available when renting a server are CentOS, Debian, Fedora Core, and Ubuntu. Any of them will be fine, since this guide has instructions for all of them. If you can't choose one, just flip a coin.

The main reason is price. On average, renting a server with Windows cost between $15 - $20 more. If you don't know Linux at all, and think following this guide is too hard, then Windows might be a better option.

This is a user's preference and experience question as both can work equally well.

Disk overloaded errors appear when the download speed is too fast for the hard drive to physically keep up. uTorrent uses your RAM as cache to store downloaded data that is waiting to be written to the HD. The screenshot below shows the cache getting filled up, which leads to the performance drop:



To alleviate this problem, we can increase the cache size in uTorrent (default is 32MB). We suggest you change it to 96MB first, and keep watch of the Disk Statistics screen to see the progress of the cache being used. Increase the cache higher if you need to, but always keep it about 128MB less than your total RAM.



Note: The more active torrents you have, the more the cache will be used. For a server with a 100Mbps network connection, don't have more than 2-3 active torrents downloading at high speed together. You'll have to find out the appropriate number of active torrents that will give the best performance for your server, since each seedbox differs from one another.

Note: If you have set your cache to the maximum, and you still receive disk overloaded errors, then you'll have to limit the download speed in uTorrent. Most servers can handle speed between 5-8 MB/s fine with the default cache settings.

Note: If you have a server with OVH, specifically the Kimsufi product with only 256MB or RAM, you can get a USB Flash Drive to use as additional cache if needed. See dieudesorcs' instructions HERE. UPDATE: Another user tested a 2GB flash disk as swap on a Kimsufi server with bad results. The server crashed after a short period of time when running uTorrent. We are not sure why, but after some thinking, I think using an USB flash drive as cache for uTorrent might not be a good idea, due to the intensive read/write nature of Bittorrent, which is too fast for a Flash Memory device.

You may receive this error when you download a very large torrent and/or running many torrents. The problem has to do with the default Linux limit of allowed open files per user (1024). Go HERE for the solution (edit the file /etc/security/limits.conf)

This problem is due to a bug in wine from version 0.9.40 up to 1.1.5. The latest version is 1.1.6, which fixed this issue. As of 10/16, if you follow this guide, the version of wine you should have is (after updating to the latest):
Debian: 0.9.25 or 1.1.1
Ubuntu: 1.1.7
FC/CentOS: 0.9.x

Check the version you have:

Code:

$ wine --version

If it's lower than 0.9.40 or greater than 1.1.5, you are fine. If it's between 0.9.40 - 1.1.5, and you have this issue:

Fedora Core/CentOS: Unfortunately, the wine package for these systems isn't as well supported as Debian/Ubuntu. You can either compile wine from source or down-grade wine to a lower version. Both of these methods are complicated and different based on your wine and OS versions. If you need help, post a request in this thread. If available from your provider, a re-install of your server to Debian/Ubuntu might be the best way to go.

Debian: You should keep an eye on this site http://wine.budgetdedicated.com/ to see when version 1.1.6 will be available. A temporary fix is to downgrade to version 0.9.25, the current version in Debian Etch. Basically you can skip the Wine repository setup in Section 2.

Alternatively, you can compile wine from the latest source. Here are the instructions to compile wine-1.1.7:

- Shut down the currently running uTorrent
- Login as root in Putty
- Remove the current version of wine from your server:

# apt-get remove wine

- Install the necessary tools to compile wine:

# apt-get build-dep wine

Debian 64-bit users will need some extra packages:
# apt-get install libc6-dev-i386 lib32z1-dev

- Download and extract the latest source:

# wget http://internap.dl.sourceforge.net/s...-1.1.7.tar.bz2
# tar xvjpf wine-1.1.7.tar.bz2

- Enter the folder containing the soure files you just extracted:

# cd wine-1.1.7/

- Compile and install wine:

 # ./configure && make && make install

Note: this process will take at least half an hour on most servers.

If everything went successfully, type this to check the version of wine you now have installed:

# wine --version
 wine-1.1.7

3/08 - Added a firewall troubleshoot for Section 5. Added the FAQ, not much there now, just some general answers and info about disk overloaded. Still to come: SSH Configs, Setup FreeNX, and how to use vnstat. Truecrypt isn't performing well under testing, so the guide for that might take a while. And if the performance doesn't improve, I won't write it. Went through the whole guide carefully to correct grammar and spelling mistakes as best as I can. Made a few adjustments and additions along the way.

3/07 - Added commands to autostart vsftpd & iptables.

3/06 - Separated Miscellaneous into Security and Misc. Wrote the firewall section. More adjustments.

3/04 - Fixed errors: "restart now" to "reboot" in Section 2, and "nano /etc/sshd/sshd_config" to "nano /etc/ssh/sshd_config" in section 8. Added a few lines about SELinux & FTP in section 7. And a few other minor adjustments. Thanks to goodkat & dieudesorcs for their contributions to this guide.

3/02 - Well, I didn't get anything done this weekend. Real life got in the way...I'll definitely try to complete the missing parts by next weekend. Did a few minor adjustments. Will also plan to add "FreeNX, an alternative to VNC" and "Monitoring bandwidth with vnstat". Will probably separate Miscellaneous into Security and Miscellaneous. Will add more stuff into Security about prevention and detection.

2/29 - Minor corrections and adjustments. Wrote "Secure VNC through a SSH tunnel". To come in the next few days: firewall setup with Firestarter, some FAQs including disk overloaded, SSH tips, and autostart FTP server. Maybe also Truecrypt setup too. All depends on how much free time I'll have.

1. Disable insecure Protocol 1; allowing only Protocol 2
2. Disable root login
3. Reduce MaxStartups
4. Reduce LoginGraceTime