For this tutorial we will heavily rely on a previous tutorial: ArchLinux - Install rTorrent, Flood and SFTP.
qBittorrent has a feature-rich Web UI allowing users to control qBittorrent remotely. This is ideal for headless servers without the X window system.
Install qbittorrent#
1 | # pacman -Syu qbittorrent-nox |
qbittorrent-nox (nox means no X server) is the headless version of qbittorrent.
Creating a dedicated user#
Similar to Add an user.
- Create an user:
1
2# useradd --shell /bin/zsh --create-home sdbox
# passwd sdbox - Give user permissions:
1
2
3# chown --recursive sdbox:sdbox /home/sdbox
# chown root:root /home/sdbox
# chmod 755 /home/sdbox
Create a service file (for systemd)#
- Create the file
/etc/systemd/system/qbittorrent.service1
2
3
4
5
6
7
8
9
10
11
12[Unit]
Description=qBittorrent Daemon Service
After=network.target
[Service]
User=sdbox
Group=sdbox
ExecStart=/usr/bin/qbittorrent-nox
ExecStop=/usr/bin/killall -w qbittorrent-nox
[Install]
WantedBy=multi-user.target - Take the change into account
1
$ sudo systemctl daemon-reload
Initializing configuration#
- Run qbittorrent so that it can ask us to accept the disclaimer, and save and create the config file under
/home/sdbox/.config/qBittorrent/. For example run it atmuxsession so you will be able to detach it (send to the background) later.1
2$ sudo su sdbox
$ qbittorrent-nox - The qbittorrent WebUI should be exposed at http://127.0.0.1:8080 (on the remote server).
- You can quickly try a local port forwarding from your personal machine to check if it is working.
1
$ ssh sshuser@X.X.X.X -L 127.0.0.1:8080:127.0.0.1:8080 -N
- You just mapped the remote
127.0.0.1:8080with127.0.0.1:8080on your machine through a SSH tunnel, so enter http://127.0.0.1:8080 on your web browser. - The default credentials are
admin/adminadmin, you should see an authentication form like that.
- Back at the server's command line, exit out of qbittorrent-nox instance with
Ctrl-c. - Now, stop impersonating the qbittorrent user to return to our account with sudo access:
1
$ exit
Note: On newer version of qbittorrent, it may defaults to listen on all interfaces, exposing your port 8080 to the internet. The option to listen on on localhost only is in the advanced options menu and will help secure your server.
Start the service#
- Start the service.
1
$ sudo systemctl start qbittorrent
- Enable it so it will automatically start at boot-time.
1
$ sudo systemctl enable qbittorrent
- Verify the status of the service.
1
$ sudo systemctl status qbittorrent
- We have a working qbittorrent + WebUI now.
Hardening#
A little thing we can do it to disable the shell of the sdbox user to get a true service account that won't give a shell to the attacker if the service get compromised.
1 | $ sudo usermod -s /usr/sbin/nologin sdbox |
WebUI access#
Either we can do a SSH local port forwarding each time we want to access the WebUI if we don't use it very often, so we won't expose any web interface on internet (good for security) or we can configure a HTTPS reverse proxy to access the WebUI from internet.
The command for SSH local port forwarding is:
1 | $ ssh sshuser@X.X.X.X -L 127.0.0.1:8080:127.0.0.1:8080 -N |
Else configure a a HTTPS reverse proxy.
Setup a HTTPS reverse proxy#
See Configure Nginx but:
- Change
/etc/nginx/servers-available/flood.confinto/etc/nginx/servers-available/qbittorrent-webui.conf - Change
add_header X-Frame-Options DENY;intoadd_header X-Frame-Options "SAMEORIGIN"; - Remove the
# Transdroid / Transdroneblock - Remove the
# floodblock - Add the following
# qbittorrentblock
1 | location / { |
Please don't forget to change the default credentials of the WebUi or you'll get hacked pretty quickly.
Configure SFTP#
See Configure SFTP.