Welcome to the QuantactDebianVPS mini wiki at Scratchpad!
These are my notes on configuring a Debian server hosted at quantact.com. They offer Xen hosting and give you shell access to the VPS console even when its network is down, which saves you from locking yourself out with a firewall mistake; I'll call it "access from xen host" below.
I first used the (soon to be replaced) control panel to create the virtual disks and set up the Debian 3.1 (sarge) installation, then booted it in single-user mode, so that no services are running while the firewall is put in place.
First of all, the most basic firewall
From the xen host console, get a root prompt.
Block all incoming TCP connection attempts (new SYN packets) on the external interface. Established connections, UDP and ICMP are not touched by this rule, and the Xen console does not go through eth0, so you cannot lock yourself out here:
# iptables -A INPUT -i eth0 -p tcp --syn -j DROP
Then switch to multi-user mode (on Debian's sysvinit, telinit 2) so the remaining services start up behind this rule.
Security and system updates, tracking packages from unstable
The Xen guest kernel prints a warning at boot asking for this (the /lib/tls variant of glibc is very slow under Xen):
# mv /lib/tls /lib/tls.disabled
Update the system first:
# aptitude update && aptitude upgrade
Edit /etc/apt/sources.list, adding unstable next to the existing sarge lines:
deb http://ftp.us.debian.org/debian/ unstable main contrib non-free
Then pin in /etc/apt/preferences so that sarge stays the default and a package only comes from unstable when you ask for it with -t unstable (each stanza needs its Package: line; without it apt ignores the stanza):
Package: *
Pin: release a=sarge
Pin-Priority: 850

Package: *
Pin: release a=unstable
Pin-Priority: 800
And in /etc/apt/apt.conf (values must be quoted, one option per line; the cache limit is raised because the unstable lists do not fit in the default cache):
APT::Default-Release "sarge";
APT::Cache-Limit "15000000";
APT::Get::Purge "true";
APT::Clean-Installed "true";
APT::Get::Fix-Broken "true";
APT::Get::Fix-Missing "true";
APT::Get::Show-Upgraded "true";
# aptitude install -t unstable arno-iptables-firewall
Debconf answers: external interface eth0, open TCP ports 80 (and 443, the SSL port, if you are going to use it). Open the ssh port chosen below as well if you want to log in from anywhere other than the hosts granted full access.
Then edit /etc/default/arno-iptables-firewall by hand to grant yourself full access. The list is space-separated; RESOLV_IPS=1 makes the firewall resolve the hostnames when it starts:
RESOLV_IPS=1
FULL_ACCESS_HOSTS="IP hostname dynamic-hostname"
Be aware that a hostname in this list turns DNS into your access control: whoever can answer that name (the dynamic DNS provider, or anyone who can spoof its reply) gets full access to the box. A fixed IP is preferable where you have one, and the xen host console remains the fallback if the entry ever resolves wrongly.
If you use a dynamic hostname, have cron restart the firewall every 15 minutes so the rules follow your changing address:
# crontab -e
5-59/15 * * * * /etc/init.d/arno-iptables-firewall restart
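Restarting the firewall unconditionally every 15 minutes reloads the whole rule set even when your address has not moved. The shell script below is an added example, not part of the original page or of arno-iptables-firewall: it resolves the dynamic hostname, compares the result with the address recorded from the last restart, and only then runs the restart command and records the new address. A failed lookup leaves the old rules alone instead of restarting with an unresolvable host. The state-file path, the script name in the crontab comment and the hostname are assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki page. POSIX sh + awk; the
# lookup uses getent (glibc) and can be swapped for "dig +short" or "host".

# resolve_host NAME -> prints the first IPv4 address NAME resolves to,
# or nothing if the lookup fails.
resolve_host() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1; exit }'
}

# refresh_if_changed NAME STATE_FILE RESTART_CMD
# Compares the current address of NAME with the one stored in STATE_FILE.
# On a change (or on the first run) it runs RESTART_CMD and, if that
# succeeds, records the new address. Prints "changed", "unchanged" or
# "restart-failed" so the caller can log what happened.
refresh_if_changed() {
    name="$1"
    state_file="$2"
    restart_cmd="$3"

    current=$(resolve_host "$name") || current=""
    if [ -z "$current" ]; then
        # Lookup failed: keep the rules we have rather than restarting
        # with a host the firewall cannot resolve (that would drop access).
        echo "unchanged"
        return 0
    fi

    previous=""
    [ -f "$state_file" ] && previous=$(cat "$state_file")
    if [ "$current" = "$previous" ]; then
        echo "unchanged"
        return 0
    fi

    if $restart_cmd; then
        printf '%s\n' "$current" > "$state_file"
        echo "changed"
    else
        echo "restart-failed"
        return 1
    fi
}

# Assumed crontab line replacing the unconditional restart:
#   5-59/15 * * * * /usr/local/sbin/fw-refresh.sh
# where fw-refresh.sh sources this file and runs, for example:
#   refresh_if_changed "myhome.dyndns.example" /var/lib/fw-refresh/last-ip \
#       "/etc/init.d/arno-iptables-firewall restart"
```

The restart command is passed as a plain command name (a script or function), not a shell snippet, so no redirection or quoting surprises happen when cron runs it; log the printed status if you want to see how often the address actually changes.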
A good moment to name the host:
# hostname rugserver
Put the name in /etc/hostname as well, otherwise it is lost at the next reboot.
Remote ssh access
First we choose a non-standard port for ssh: in /etc/ssh/sshd_config set Port 8553 (the port used in the commands below) and restart sshd. Moving the port keeps the automated password-guessing bots out of the logs; it is not a substitute for the firewall or for key authentication.
Since I will mostly connect from the same local machine, I prefer logging in with a public key instead of sending the root password each time. How does that work? The local machine generates a key pair. One half, the public key, is copied to the server; the other half, the private key, never leaves the local machine. At login the server sends a challenge that only the holder of the private key can sign, and checks the signature against the public key it has on file, so no password travels over the wire and nothing stored on the server can be used to log in as you. The private key is itself encrypted with a passphrase, so somebody who copies your hard disk still cannot use it to authenticate to your server.
~$ ssh-keygen -t dsa
(DSA was the usual choice when this was written; OpenSSH 7.0 and later refuse ssh-dss keys, so on a current system use ssh-keygen -t ed25519 and adjust the file names below.)
Generating public/private dsa key pair.
Enter file in which to save the key (/home/ruglocal/.ssh/id_dsa):
Created directory '/home/ruglocal/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ruglocal/.ssh/id_dsa.
Your public key has been saved in /home/ruglocal/.ssh/id_dsa.pub.
The key fingerprint is:
XX:XX:XX:XX:XX:XX:....
Now send the public key to the server with scp (secure copy, part of ssh). MIND THE COLON AT THE END: it means "into that user's home directory on the remote host"; without it you just copy the file locally to a file named after the host.
~$ scp -P 8553 .ssh/id_dsa.pub firstname.lastname@example.org:
The first time an ssh connection is made to a host, a host-key warning appears:
The authenticity of host '188.8.131.52' can't be established.
RSA key fingerprint is XX:XX:XX:XX:XX:XX.....
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '184.108.40.206' (RSA) to the list of known hosts.
Before answering yes, compare that fingerprint with the server's own, read from the xen host console with ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub; accepting an unverified key is exactly the moment a man-in-the-middle needs.
email@example.com's password:
id_dsa.pub    100%  607    0.6KB/s   00:00
Now the key has to be added to the server's list of authorized keys, so log in once more with the password:
~$ ssh -p 8553 firstname.lastname@example.org
email@example.com's password: ...
Create the .ssh folder if it doesn't exist, append the key and tighten the permissions: sshd (with the default StrictModes yes) ignores an authorized_keys file that is group- or world-writable or that sits in a writable directory. The file is called authorized_keys; authorized_keys2 is an old name kept only for compatibility.
~# mkdir -m 700 .ssh
~# cat id_dsa.pub >> .ssh/authorized_keys
~# chmod 600 .ssh/authorized_keys
~# rm id_dsa.pub
CTRL-D to exit. Now test it by reconnecting through ssh:
~$ ssh -p 8553 firstname.lastname@example.org
Enter passphrase for key '/[...]/.ssh/id_dsa':
Note that ssh no longer asks for the root password but for the passphrase that protects the private key. If key authentication fails, or you decline it with CTRL-D, sshd falls back to the old password method. Once key login is confirmed to work, turn that fallback off with PasswordAuthentication no in /etc/ssh/sshd_config (and consider PermitRootLogin without-password, so root can only get in with a key); keep the xen host console open while you restart sshd, in case something went wrong. See sshd_config(5) for details.
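The key installation and the sshd_config change above, as an added shell example that is not part of the original page: install_pubkey creates .ssh and authorized_keys with the permissions StrictModes requires and appends a key only if it is not already there (the bare `>>` on the page adds a duplicate every time you run it), and set_sshd_option rewrites the first active occurrence of a directive, drops later duplicates (sshd honours only the first) and appends the directive if it is absent, leaving commented-out lines alone. The sample key line, the file paths and the Port value used in the demo are constructed for the example; the functions assume a sshd_config without Match blocks. Run it against the real files only after key login has been confirmed, with the xen host console open as a fallback.

```shell
#!/bin/sh
# Added example, not from the original wiki page. POSIX sh + awk.

# install_pubkey HOME_DIR PUBKEY_FILE
# Installs every key line from PUBKEY_FILE into HOME_DIR/.ssh/authorized_keys,
# skipping blank lines and keys already present, and sets the permissions
# sshd checks with StrictModes (700 on .ssh, 600 on authorized_keys).
# Prints the number of keys now installed.
install_pubkey() {
    home_dir="$1"
    pubkey_file="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # "|| [ -n "$key" ]" also takes a last line that lacks a trailing newline.
    while IFS= read -r key || [ -n "$key" ]; do
        [ -z "$key" ] && continue
        # -x whole-line match, -F literal: the key text is not a regex.
        grep -qxF -- "$key" "$auth_file" || printf '%s\n' "$key" >> "$auth_file"
    done < "$pubkey_file"

    wc -l < "$auth_file" | tr -d ' '
}

# set_sshd_option CONFIG_FILE KEYWORD VALUE
# Keywords are case-insensitive in sshd_config, values are not. The first
# active line for KEYWORD is replaced, later ones removed, and the directive
# appended if there was none. Commented lines ("#Port 22") are untouched.
set_sshd_option() {
    cfg="$1"
    keyword="$2"
    value="$3"
    tmp="$cfg.tmp.$$"

    awk -v k="$keyword" -v v="$value" '
        BEGIN { done = 0; pat = "^[ \t]*" tolower(k) "([ \t]|$)" }
        tolower($0) ~ pat {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# sshd_option_value CONFIG_FILE KEYWORD
# Prints the value sshd would use: that of the first active occurrence.
sshd_option_value() {
    awk -v k="$2" '
        BEGIN { pat = "^[ \t]*" tolower(k) "([ \t]|$)" }
        tolower($0) ~ pat { print $2; exit }
    ' "$1"
}

# Stand-alone demo on constructed files in a temporary directory.
demo() {
    work=$(mktemp -d)
    # Constructed placeholder key line; a real id_dsa.pub / id_ed25519.pub goes here.
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEY= ruglocal@laptop\n' > "$work/id_dsa.pub"
    install_pubkey "$work" "$work/id_dsa.pub"   # prints 1
    install_pubkey "$work" "$work/id_dsa.pub"   # prints 1 again: no duplicate appended
    printf '#Port 22\nPasswordAuthentication yes\n' > "$work/sshd_config"
    set_sshd_option "$work/sshd_config" Port 8553
    set_sshd_option "$work/sshd_config" PasswordAuthentication no
    cat "$work/sshd_config"
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac
```

Invoke the script with the argument demo to see it work on the temporary files; on the real server, check the result with sshd -t before restarting sshd.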
I chose lighttpd for its memory footprint and its popularity with Rails.
# aptitude install lighttpd
Remember to check server.bind in /etc/lighttpd/lighttpd.conf for the correct interface: if it is bound to localhost, the server only answers locally.
# lighty-enable-mod ssl
Note I had to install perl-modules manually too.
SSL needs a certificate. Either self-sign one or use cacert.org, which requires registering the domain with them and handing in a CSR (certificate signing request).
How to generate the CSR for a server certificate (two commands; 1024-bit RSA keys are no longer accepted by CAs and are too weak to rely on, so generate 2048 bits):
openssl genrsa -out mydomain.com.key 2048
openssl req -new -key mydomain.com.key -out mydomain.com.csr
cacert gives you a certificate back. Paste it into an editor, add the content of mydomain.com.key at the beginning and save the result with a .pem extension: that combined file (private key plus certificate) is what lighttpd's ssl.pemfile expects. Since it contains the private key, keep it owned by root with mode 600, and check that the certificate really belongs to the key before installing it; a mispasted or reissued certificate that does not match the key is the usual reason the SSL port refuses to start.
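The key, CSR and pemfile steps as an added shell example, not the page's own commands: it generates a 2048-bit key and a CSR non-interactively, and before assembling the pemfile it verifies that the certificate's public key is the key's public key by comparing the RSA moduli, refusing to write the file otherwise. The domain and file names are assumptions; in the demo a self-signed certificate stands in for the one cacert.org returns.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Requires the openssl CLI.

# make_key_and_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (2048-bit RSA, readable by the owner only) and
# OUTDIR/DOMAIN.csr with the CN set to DOMAIN, without interactive prompts.
make_key_and_csr() {
    domain="$1"
    outdir="$2"
    openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null
    chmod 600 "$outdir/$domain.key"
    openssl req -new -key "$outdir/$domain.key" -subj "/CN=$domain" \
        -out "$outdir/$domain.csr"
}

# cert_matches_key CERT KEY
# Exit 0 if the certificate was issued for this key (same RSA modulus), else 1.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2")
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# make_pemfile CERT KEY PEM
# Builds the single file lighttpd's ssl.pemfile points at (key first, then
# certificate, as on the page), refusing if they do not belong together.
# The file is created with mode 600 because it holds the private key.
make_pemfile() {
    cert="$1"
    key="$2"
    pem="$3"
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing: $cert does not match $key" >&2
        return 1
    fi
    # umask in a subshell so the file is never world-readable, even briefly.
    ( umask 077; cat "$key" "$cert" > "$pem" )
    chmod 600 "$pem"
}

# Assumed usage once cacert.org has sent the certificate back as mydomain.com.crt:
#   make_key_and_csr mydomain.com /etc/lighttpd/ssl
#   make_pemfile /etc/lighttpd/ssl/mydomain.com.crt \
#       /etc/lighttpd/ssl/mydomain.com.key /etc/lighttpd/ssl/mydomain.com.pem
```

Submit the .csr to the CA and keep the .key where it was generated; only the .pem needs to be readable by the lighttpd process at startup.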
BT works this way: you download the .torrent for the file(s) you want; the .torrent contains, among other things, a tracker URL. The BT client contacts the tracker, gets a list of peers and downloads from other BT clients. So we need a .torrent, a tracker, and another BT client (the "seed") which already has the whole file.
I suggest NOT running as root.
First, choose a port for the tracker and open it in the firewall (usually 6969). Open 6881 to 6889 for the BT client too. Then aptitude install bittornado (client and tracker software).
Make the .torrent:
btmakemetafile http://[vps url]:6969/announce [file to share]
Host it somewhere (the lighttpd above will do) and make sure the web server has a MIME type for .torrent (application/x-bittorrent), otherwise browsers serve it as text.
Launch the tracker from a script, like this (the port must be the one in the .torrent's announce URL, 6969 above):
(bttrack --port 6969 --allowed_list [allowed files] --dfile [state file] &)
where [allowed files] is an initially empty file listing the info hashes the tracker will serve, and [state file] is where bttrack keeps its downloader state; it is created automatically.
Ditto for the seed:
(btdownloadheadless --url [url of .torrent] --saveas [file to share] 1>/dev/null &)
Now look with a browser at http://[vps url]:6969, note the hash of each file and add them, one per line, to [allowed files]. If problems arise, try first without the --allowed_list option.