Setting up a seedbox on a Kimsufi
Recently I managed to get hold of a KS1 from Kimsufi. They're a challenge to get hold of as they're so popular but they are great little machines: Atom N2800, 2GB RAM and 500GB disk. The drive has 32962 power on hours, so been around for a while but seems healthy. If you want to get hold of your own KS1 or any popular and often out of stock Kimsufi machine, I'd recommend Check OVH. Anyway these machines are great for torrenting Linux ISO's and that is what I intend to use it for... Below is a simple guide on getting everything set up using Deluge Web UI.
Lockdown the box
First things first, install your distro of choice (I opted for Debian 8) and perform the standard setup/lockdown bits:
- Update and upgrade:
apt-get update && apt-get upgrade(I also had to remove the DVD sources from /etc/apt/sources.list otherwise you get the 'please insert CD-ROM' when trying to install packages). - Add user:
adduser <name> - Set
PermitRootLoginto 0 in /etc/ssh/sshd_config - (Optional) Change SSH port in /etc/ssh/ssd_config
- Install fail2ban:
apt-get install fail2ban - Install iptables-persistent:
apt-get install iptables-persistent(or install your firwall of choice - ufw etc.)
Configure iptables
I am going to set default policy to drop across the board as this is going to be a torrent machine. Copy below in to a shell script and run it. We will revisit when we need to add our ports for torrenting.
#!/bin/bash
#clear iptables
iptables -F;
iptables -X;
#set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#allow all loopback (lo0)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow input on port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#allow traffic going to specific outbound ports
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
#dns ports
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
When you're happy with the rules, write them to the iptables-persistent file to ensure they load at start up: iptables-save > /etc/iptables/rules.v4.
Setting up Deluged
Now we can think about installing our torrent client:
Firstly we install the deluge daemon and the web interface: apt-get install deluged deluge-web. Now we need to run deluged and deluge-web as services so they are always available and start on boot. By default deluged comes with a "older" way of running as a daemon using System V (init.d). Debian Jessie ships with systemd which is backwards compatible for the System V but there is a problem. It only comes with a launcher for the deluged service and not the deluge-web service. So we're going to following along with this tutorial to set things up using systemd. I found I had to be aware of a couple of extra things so I'm noting them below too, the rest is a copy of the tutorial on the deluge site.
Following along with the systemd tutorial
-
adduser --system --gecos "Deluge Service" --disabled-password --group --home /var/lib/deluge deluge -
adduser <username> deluge - Remove the old init.d script (take a backup just in case):
service deluged stop,rm /etc/init.d/deluged,update-rc.d deluged remove - Create the
/etc/systemd/system/deluged.serviceservice:
[Unit]
Description=Deluge Bittorrent Client Daemon
After=network-online.target
[Service]
Type=simple
User=deluge
Group=deluge
UMask=007
ExecStart=/usr/bin/deluged -d -c /var/lib/deluged -l /var/log/deluge/daemon.log -L warning
Restart=on-failure
# Configures the time to wait before service is stopped forcefully.
TimeoutStopSec=300
[Install]
WantedBy=multi-user.target
- Same again for
/etc/systemd/system/deluge-web.service:
[Unit]
Description=Deluge Bittorrent Client Web Interface
After=network-online.target
[Service]
Type=simple
User=deluge
Group=deluge
UMask=027
ExecStart=/usr/bin/deluge-web -c /var/lib/deluged -l /var/log/deluge/web.log -L warning
Restart=on-failure
[Install]
WantedBy=multi-user.target
- Create the log folder:
mkdir -p /var/log/deluge
chown -R deluge:deluge /var/log/deluge
chmod -R 750 /var/log/deluge
-
Set both services to boot at start and run them now:
systemctl enable /etc/systemd/system/deluged.service && systemctl start delugedandsystemctl enable /etc/systemd/system/deluge-web.service && systemctl start deluge-web -
Set up logrotate
/var/log/deluge/*.log {
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
systemctl restart deluged >/dev/null 2>&1 || true
systemctl restart deluge-web >/dev/null 2>&1 || true
endscript
}
That mostly follows the mentioned tutorial but with the following notes/additions:
- We're specifying a specific config path (see ExecStart) for deluge and deluge-web so that deluge doesn't create a .deluge folder in the root user's profile. I'm still not sure why it was doing that...
- If you change config path after starting service, stop and start it rather than just restarting it. Again no idea why that's required ...
- Also after modifying any service files be sure to run
systemctl daemon-reloadbefore restarting them.
Adding torrent ports
We need to let our ports through the firewall now, assuming default ports of 6881 to 6891:
iptables -A INPUT -p tcp -m tcp --dport 6881:6891 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 6881:6891 -j ACCEPT
iptables-save > /etc/iptables/rules.v4
Connecting to deluge from the outside
We don't want to expose deluge to the internet so we will just forward the port:
ssh -L 81:localhost:8112 user@server
Now browse to localhost:81 to (hopefully) see Deluge Web UI. And we're done.
Final things
- Untick some stuff in Deluge Web UI as a precaution - network -> Peer Exchange, LSD, DHT.
- Update Deluge Web UI password, not that it matters if you're using a tunnel
- Downloads by default will be in
/var/lib/deluged/Downloadsin this set up.