A complete tutorial for installing Flood alongside rTorrent, a hardened Nginx reverse proxy and an SFTP configuration, with all of these running under service accounts for better overall security.
server {
    listen 80;
    listen [::]:80;
    server_name seedbox2.myowncloud.cf;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    # $server_name is set server-side, so it is safer than $host, which comes
    # from the client-controlled Host header.
    return 301 https://$server_name$request_uri;
}
To avoid installing apache-tools, generate the auth file for the sdbox user by hand (this overwrites the file; replace password in the command with the real one):
$ echo -n "sdbox:" | sudo tee /etc/nginx/auth/seedbox_auth && openssl passwd -apr1 password | sudo tee -a /etc/nginx/auth/seedbox_auth
If you leave the password argument off openssl passwd -apr1, it prompts for the password instead of leaving it in your shell history.
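As an added example (not part of the original tutorial), the following Python script does the same job as the openssl one-liner above without any Apache tooling: it computes the $apr1$ MD5-crypt hash that openssl passwd -apr1 and htpasswd -m produce, builds a user:hash entry, and verifies a password against an existing entry so the auth file can be checked before Nginx is pointed at it. The user name sdbox comes from the tutorial; the password and the 8-character salt are constructed here.

```python
import getpass
import hashlib
import hmac
import secrets

# Alphabet used by crypt-style hashes for both the salt and the encoded digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"   # Apache's variant of md5crypt; the $1$ variant differs only in this prefix


def to64(value, count):
    """Encode the low 6*count bits of value, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt):
    """Return the $apr1$<salt>$<digest> string for password (md5crypt with $apr1$ magic)."""
    pw = password.encode()
    salt = salt[:8].encode()            # md5crypt uses at most 8 salt characters
    magic = MAGIC.encode()

    ctx = hashlib.md5(pw + magic + salt)
    # Mix in MD5(pw + salt + pw), repeated to cover the password length.
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of the password length: a NUL byte if set, else the first password byte.
    bit = len(pw)
    while bit:
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    # 1000 rounds whose input order depends on the round number (the key stretching).
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Permuted base-64 encoding of the 16 digest bytes, as crypt(3) does it.
    encoded = (
        to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + to64(final[11], 2)
    )
    return f"{MAGIC}{salt.decode()}${encoded}"


def make_entry(user, password):
    """Build one htpasswd line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def verify_entry(entry, user, password):
    """Check a 'user:$apr1$salt$hash' line against a candidate password."""
    name, _, stored = entry.strip().partition(":")
    if name != user or not stored.startswith(MAGIC):
        return False
    salt = stored[len(MAGIC):].split("$", 1)[0]
    # Constant-time comparison so the check leaks nothing about where the mismatch is.
    return hmac.compare_digest(apr1_hash(password, salt), stored)


if __name__ == "__main__":
    # Writes a line suitable for /etc/nginx/auth/seedbox_auth to stdout;
    # the password is read from the terminal, not from the command line.
    print(make_entry("sdbox", getpass.getpass("Password for sdbox: ")))
```

Entries produced by openssl passwd -apr1 or htpasswd -m verify with verify_entry, since all three use the same construction; only the prefix distinguishes it from the $1$ hashes in /etc/shadow.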
Modify the sshd config (/etc/ssh/sshd_config) and add these lines at the end (a Match block applies to everything that follows it, so it must come last):
# Needs to be at the end of the file
Match User sftpuser
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    PermitTTY no
Restart the sshd server:
# systemctl restart sshd.service
Change the chroot directory permissions; this is required or sftp won't let you connect. The home directory must be owned by root and must not be writable by any other user or group. The same applies to every directory on the path leading to it.
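The ownership rule above is the usual reason a chrooted SFTP login drops with a bare "Connection closed": sshd reports the cause (bad ownership or modes for the chroot directory) only in the server log. As an added example that is not part of the original tutorial, this Python check walks from the ChrootDirectory up to / and lists every component sshd would reject. The stat function is a parameter so the same logic runs over constructed metadata (the BROKEN_LAYOUT and FIXED_LAYOUT dictionaries below, with an assumed uid of 1001 for sftpuser) as well as over the live filesystem.

```python
import os
import stat
import sys
from types import SimpleNamespace


def sftp_chroot_problems(chroot, stat_fn=os.stat):
    """List why sshd would refuse ChrootDirectory=chroot (empty list means OK).

    sshd requires the chroot directory and every directory on the path leading
    to it to be owned by root and not writable by group or others. stat_fn
    defaults to os.stat; passing another callable lets the check run over
    constructed metadata instead of the real filesystem.
    """
    problems = []
    path = os.path.abspath(chroot)
    while True:
        st = stat_fn(path)
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{path}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{path}: owned by uid {st.st_uid}, must be root (uid 0)")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group or others (mode {mode:04o})")
        parent = os.path.dirname(path)
        if parent == path:  # reached "/"
            break
        path = parent
    return problems


def dir_meta(uid, perm):
    """Constructed stat-like record for a directory (only the fields the check reads)."""
    return SimpleNamespace(st_uid=uid, st_mode=stat.S_IFDIR | perm)


# Constructed metadata for the tutorial's paths, not read from a real system.
# BROKEN_LAYOUT is the state right after creating the account: the home is
# owned by the user (assumed uid 1001), which sshd refuses as a chroot.
BROKEN_LAYOUT = {
    "/": dir_meta(0, 0o755),
    "/home": dir_meta(0, 0o755),
    "/home/sftpuser": dir_meta(1001, 0o755),
    "/home/sftpuser/torrents": dir_meta(1001, 0o755),  # below the chroot: may stay user-owned
}
# FIXED_LAYOUT is the same tree after 'chown root:root /home/sftpuser'.
FIXED_LAYOUT = dict(BROKEN_LAYOUT, **{"/home/sftpuser": dir_meta(0, 0o755)})


def demo():
    """Return (problems for BROKEN_LAYOUT, problems for FIXED_LAYOUT)."""
    broken = sftp_chroot_problems("/home/sftpuser", BROKEN_LAYOUT.__getitem__)
    fixed = sftp_chroot_problems("/home/sftpuser", FIXED_LAYOUT.__getitem__)
    return broken, fixed


if __name__ == "__main__":
    # Usage: python3 check_chroot.py /home/sftpuser   (checks the live filesystem)
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/sftpuser"
    found = sftp_chroot_problems(target)
    for line in found:
        print(line)
    print("OK: sshd will accept this ChrootDirectory" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

The writable /home/sftpuser/torrents directory is deliberately not examined: sshd only constrains the chroot directory itself and its ancestors, which is exactly why the tutorial can leave the subdirectory owned by sftpuser.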
You won't be able to connect over sftp if the user's shell is /usr/bin/nologin and that shell is not listed in /etc/shells. To disable normal ssh login, add /usr/bin/nologin to /etc/shells and change the user's shell:
# usermod -s /usr/bin/nologin sftpuser
Test ssh access (it should be refused when the shell is /usr/bin/nologin or PermitTTY no is set in the sshd configuration):
# ssh sftpuser@localhost -p $SSH_PORT$
Test sftp access (the sftp user should land in the chroot environment):
# sftp -P $SSH_PORT$ sftpuser@localhost
Create the torrent folder that will give the sftp user access to the sdbox download folder:
# mkdir /home/sftpuser/torrents
Give the torrent folder the appropriate rights:
# chown sftpuser:sftpuser /home/sftpuser/torrents
Because sftpuser is chrooted into his home directory (/home/sftpuser/), he can't reach /home/sdbox/torrents/, and a symbolic link such as ln -s /home/sdbox/torrents /home/sftpuser/torrents won't work because its target lies outside the chroot. Inside the chroot, /home/sftpuser/ becomes the root directory /, so the link to /home/sdbox/torrents would in fact resolve to /home/sftpuser/home/sdbox/torrents, which doesn't exist.
We can't chroot sftpuser directly into /home/sdbox/torrents either, because that would require changing the ownership of /home/sdbox/torrents to root:root, and the sdbox user would then no longer be able to write to it.
We must chroot the sftp user, because letting him browse the whole system would be a security issue.
So we give the sftp user two home directories: an SFTP home locked down by root (/home/sftpuser/) and a home he can write to (/home/sftpuser/torrents/), which satisfies sshd while keeping the system secure. To do that, we make the sdbox download folder appear as a subdirectory inside the SFTP home with a bind mount:
# mount --bind /home/sdbox/torrents /home/sftpuser/torrents
We can also add this to /etc/fstab so the mount survives a reboot: