217,803pages on
this wiki
Discuss this page0

Welcome to the QuantactDebianVPS mini wiki at Scratchpad!

You can use the box below to create new pages for this mini-wiki. Make sure you type [[Category:QuantactDebianVPS]] on the page before you save it to make it part of the QuantactDebianVPS wiki (preload can be enabled to automate this task, by clicking this link and saving that page. Afterwards, you may need to purge this page, if you still see this message).

I will put here notes about configuring a debian server hosted at They have xen hosting and offer shell access to the VPS even if its network is down, which avoids being locked up, I'll call it "access from xen host".

I first meddled with the soon to be replaced panel, made vdisks made the debian 3.1 configuration and booted in single user mode, so that no services are running.

First of all, the most basic firewall

Access from xen host, get a root prompt.

Block all incoming tcp connections

# iptables -A INPUT -i eth0 -p tcp --syn -j DROP

Starting the multi user mode

#init 5

Security and system update, tracking unstable stuff

system says to do this:

#mv /lib/tls /lib/tls.disabled

updating the system first:

# aptitude update && aptitude upgrade

edit /etc/apt/sources.list adding unstable:

deb unstable main contrib non-free

edit /etc/apt/preferences:

Package: *

Pin: release a=sarge Pin-Priority: 850

Package: *

Pin: release a=unstable Pin-Priority: 800

edit /etc/apt/apt.conf:

APT::Default-Release "sarge"; APT::Cache-Limit 15000000; Apt::Get::Purge; APT::Clean-Installed; APT::Get::Fix-Broken; APT::Get::Fix-Missing; APT::Get::Show-Upgraded "true";

# aptitude install -t unstable arno-iptables-firewall

ext interface: eth0 open ports: 80 (and 443 - ssl port if you are going to use it)

then edit by hand details in /etc/default/arno... to grant yourself full access

RESOLV_IPS=1 FULL_ACCESS_HOSTS="IP, hostname, dynamic hostname"

have cron restarting the firewall every 15 mins if using dynamic hostname:

# crontab -e

5-59/15 * * * * /etc/init.d/arno-iptables-firewall restart

good moment to name the host

# hostname rugserver

remote ssh access

first we chose a non standard port for ssh, edit /etc/ssh/sshd_config:

Port 8553

Since I will be connecting with ssh from the same local machine most of the time, I prefer logging in using public key instead of sending the root password each time. How does that work? The local machine generates a pair of keys: whatever is encrypted with one of the key can be decrypted only by the other key. One of the key is sent to the remote server and it's called the public key. So once the server has your public key, the local and the server can exchange the actual authentication data in a secure way. Also, the other key, called the private one, gets password-encrypted itself so that somebody snooping onto your hard disk cannot grab it and use it to authenticate to your remote server.

~$ ssh-keygen -t dsa

Generating public/private dsa key pair. Enter file in which to save the key (/home/ruglocal/.ssh/id_dsa): Created directory '/home/ruglocal/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/ruglocal/.ssh/id_dsa. Your public key has been saved in /home/ruglocal/.ssh/ The key fingerprint is: XX:XX:XX:XX:XX:XX:....

Now let's send it securely to the server using scp (secure copy command, part of ssh) MIND THE COLON AT THE END

~$ scp -P 8553 .ssh/ root@

the first time an ssh connection is made some more warning will appear

The authenticity of host '' can't be established. RSA key fingerprint is XX:XX:XX:XX:XX:XX..... Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '' (RSA) to the list of known hosts.

root@'s password: 100% 607 0.6KB/s 00:00

Now I need to add this key to ssh authorized keys list, so let's access the server through ssh to accomplish this

~$ ssh root@

root@'s password: ...

create .ssh folder if it doesn't exist

# mkdir .ssh

~# cat >> .ssh/authorized_keys2

~# rm

CTRL-D to exit Now let's try if it works by reconnecting through ssh

~$ ssh root@

Enter passphrase for key '/[...]/.ssh/id_dsa':

Note that ssh doesn't ask for root password anymore but for the passphrase used to encrypt the private key, instead. If this kind of authentication fails or the user refuses it by pressing CTRL-D, then the old password authentication method is used. This behaviour can be altered by configuring ssh, for details

web server

I chose lighttpd for its memory footprint and rails popularity.

#aptitude install lighttpd

remember to check server.bind for the correct interfaces else it works only in local

# lighty-enable-mod ssl

Note i had to manually install perl-modules too.

SSL needs a certificate. Either sign one yourself or use it needs registering the domain and giving em a csr

How to generate the requested csr for server certificates

openssl genrsa -out 1024 openssl req -new -key -out

cacert gives you a certificate back, cut and paste in an editor, add at the beginning the content of and rename to .pem (that's the needed .pem for ssl)


BT works this way: you download the .torrent for the file(s) you want; the .torrent contains, among other info, a tracker URL. The BT client contacts the tracker and tries to download from other BT clients. So we need a .torrent, a tracker, and another BT client (called "seed") which has already got the whole file.

I suggest NOT running as root.

First, choose a port for the tracker and open the firewall for it (usually it's 6969). Open 6881 to 6889 for the BT client too. Then aptitude get bittornado (client and tracker software).

Make the .torrent

btmakemetafile http://[vps url]:6969/announce [file to share]

Host it somewhere, make sure the server has a mime configuration for .torrent

Using a script to launch tracker, like this

(bttrack --port 6970 --allowed_list [allowed files] --dfile [kinda of log file] &)

where allowed files is empty and kind of log file will be automatically created.

ditto for the seed

(btdownloadheadless --url [url of .torrent] --saveas [file to share] 1>/dev/null &)

now look with a browser at http://[vps url]:6969, note the file(s) hashes and add them in a separate line into [allowed files] If problems arise try first time with no --allowed list option.

Around Wikia's network

Random wikia