A few days ago we wrote a complete guide on how to set up your own headless seedbox (a.k.a. ruTorrent) and connect Plex to it so that you can get a complete media center up and running in Linux. What we didn’t put in that guide was how to make it extra secure, because you don’t want anyone to be able to remotely control your ruTorrent client, right? In this guide we will walk you through how to lock down access to specific users and ban brute-force attempts with Fail2ban. As we run an Nginx reverse proxy (frontend) with an Apache backend server, we’ll assume the same setup in this guide, but we will also walk you through how to set this up on an Apache-only system.

Nginx Reverse Proxy

If you only run Apache you can skip this step. It is only done on the frontend server if you run a reverse proxy in Nginx.

  1. Set up an Nginx Virtual Host

    We actually prepared a script for this, so the only thing you have to do is wget the script, make changes to fit your setup, and then you’re good to go.

    $~: wget https://raw.githubusercontent.com/enoch85/scripts/master/techandme/nginx/host_new_nginx.sh
    $~: sudo nano host_new_nginx.sh

    Before you run the script you have to change the $VARIABLES in the script to your own.

    $~: sudo bash host_new_nginx.sh
  2. Add Password Authentication
    $~: sudo sh -c "echo -n 'sammy:' >> /etc/nginx/.htpasswd"

    This command adds a username to the file. We are using sammy as our username, but you can use whatever name you’d like.

    $~: sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"
    $~: cat /etc/nginx/.htpasswd

    The file should now contain a line that looks something like this:

    sammy:$apr1$wI1/T0nB$jEKuTJHkTOOWkopnXqC1d1
  3. Configure Nginx to prompt users

    Put auth_basic "Restricted Content"; and auth_basic_user_file /etc/nginx/.htpasswd; at the bottom of your location section, like this:

    location / {
         proxy_pass_header Authorization;
         proxy_pass http://$upstream;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP  $remote_addr;
         proxy_http_version 1.1;
         proxy_set_header Connection "";
         proxy_buffering off;
         proxy_request_buffering off;
         client_max_body_size 0;
         proxy_read_timeout  36000s;
         proxy_redirect off;
         proxy_ssl_session_reuse off;
         auth_basic "Restricted Content";
         auth_basic_user_file /etc/nginx/.htpasswd;
    }
  4. Restart Nginx
    $~: sudo service nginx restart
  5. Done!

    That’s all there is to it. Now try to access your domain and see what happens, you should be prompted with a login.

Apache 

If you run Nginx as a reverse proxy, the only thing you have to do is to set up the Virtual Host in Apache, without the htpasswd. If you only run Apache in a one-system setup (without any reverse proxying), you have to apply the htpasswd in your Apache config instead of your Nginx config like we did above.

With htpasswd (single Apache host)
  1. Set up a new password
    $~: sudo htpasswd -c /var/.htpasswd sammy

    You can put the file wherever you want as long as it’s not in the www-root.

  2. Set up a Virtual Host in Apache
    $~: sudo nano /etc/apache2/sites-available/remote.conf
    <VirtualHost *:80>
     ServerName subdomain.example.se
     ServerAdmin daniel@example.se
     DocumentRoot /var/www/html/ruTorrent
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
    
    # The path must match DocumentRoot exactly; paths are case-sensitive on Linux
    <Directory "/var/www/html/ruTorrent">
     AuthName "Restricted Access"
     AuthType Basic
     Require valid-user
     AuthUserFile /var/.htpasswd
    </Directory>
    
     CustomLog /var/log/apache2/rutorrent.log vhost_combined
     ErrorLog /var/log/apache2/rutorrent_error.log
    
    </VirtualHost>
  3. Create log files
    $~: sudo touch /var/log/apache2/rutorrent_error.log && sudo touch /var/log/apache2/rutorrent.log && sudo chown -R root:adm /var/log/apache2/
  4. Activate host
    $~: sudo a2ensite remote.conf && sudo a2dissite 000-default.conf && sudo service apache2 restart

    You can find more information in the Apache docs regarding this.

Without htpasswd (if you run Nginx Reverse Proxy)
  1. Set up a Virtual Host in Apache
    $~: sudo nano /etc/apache2/sites-available/remote.conf
    <VirtualHost <YOUR-BACKEND-IP>:80>
     ServerName subdomain.example.se
     ServerAdmin daniel@example.se
     DocumentRoot /var/www/html/ruTorrent
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
    
     CustomLog /var/log/apache2/rutorrent.log vhost_combined
     ErrorLog /var/log/apache2/rutorrent_error.log
    
    </VirtualHost>
  2. Create log files
    $~: sudo touch /var/log/apache2/rutorrent_error.log && sudo touch /var/log/apache2/rutorrent.log
  3. Activate host
    $~: sudo a2ensite remote.conf && sudo a2dissite 000-default.conf && sudo service apache2 restart

Fail2ban

In our case we will install Fail2ban on the frontend system, but if you only run Apache without a Reverse Proxy you would install Fail2ban on the Apache system. The setups are exactly the same.

  1. Install Fail2Ban
    $~: sudo apt-get install fail2ban -y
  2. Set up a filter
    $~: sudo nano /etc/fail2ban/filter.d/remote-auth.conf

    Add this to that file:

    [Definition]
    failregex = no user/password was provided for basic authentication.*client: <HOST>
                  user .* was not found in.*client: <HOST>
                  user .* password mismatch.*client: <HOST>
    ignoreregex =
  3. Add config to jail.local
    $~: sudo nano /etc/fail2ban/jail.local

    Add this to that file:

    [remote-auth]
    enabled = true
    filter = remote-auth
    action = iptables[name=NoAuthFailures, port=80, protocol=tcp]
    logpath = /var/log/nginx/error.log
    # Ban for 1 hour (3600 seconds)
    bantime = 3600
    maxretry = 3
  4. Restart fail2ban
    $~: sudo service fail2ban restart
  5. Done!

    You have now set up both authentication and brute-force protection with Fail2ban. Well done! Please let us know if there are any issues with the guide.
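
To check the filter before relying on it, the following added example (not part of the original guide) emulates the three failregex lines from remote-auth.conf over nginx error-log lines and lists which clients would reach maxretry = 3. The log lines and IP addresses are constructed, fail2ban's <HOST> tag is approximated with an IPv4 pattern, and all lines are assumed to fall within findtime.

```shell
#!/bin/sh
# Added example: emulate the remote-auth filter over constructed log lines.
# Assumption: <HOST> is approximated by an IPv4 pattern; fail2ban's real
# <HOST> tag also matches IPv6 addresses and hostnames.
HOST='([0-9]{1,3}\.){3}[0-9]{1,3}'
MAXRETRY=3   # same value as maxretry in the [remote-auth] jail

# The three failregex lines from remote-auth.conf, joined as alternatives.
FAILREGEX="no user/password was provided for basic authentication.*client: $HOST"
FAILREGEX="$FAILREGEX|user .* was not found in.*client: $HOST"
FAILREGEX="$FAILREGEX|user .* password mismatch.*client: $HOST"

# Constructed nginx error.log lines (documentation-range IP addresses).
sample_log() {
cat <<'EOF'
2024/01/10 10:00:01 [error] 811#811: *1 user "admin" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.7, server: subdomain.example.se
2024/01/10 10:00:03 [error] 811#811: *2 user "sammy": password mismatch, client: 203.0.113.7, server: subdomain.example.se
2024/01/10 10:00:05 [info] 811#811: *3 no user/password was provided for basic authentication, client: 203.0.113.7, server: subdomain.example.se
2024/01/10 10:01:00 [error] 811#811: *4 user "sammy": password mismatch, client: 198.51.100.20, server: subdomain.example.se
2024/01/10 10:02:00 [error] 811#811: *5 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.99, server: subdomain.example.se
EOF
}

# Read a log on stdin; print "count ip" for each client with matching lines.
failures_per_host() {
    grep -E "$FAILREGEX" |
        sed -E "s/.*client: ($HOST).*/\1/" |
        sort | uniq -c | awk '{print $1, $2}'
}

# Read a log on stdin; print the clients that reach MAXRETRY (would be banned).
# Simplification: every line is treated as falling inside findtime.
would_ban() {
    failures_per_host | awk -v max="$MAXRETRY" '$1 >= max {print $2}'
}

sample_log | failures_per_host
echo "would ban: $(sample_log | would_ban)"
```

On the server itself, fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/remote-auth.conf runs the real filter against the real log and reports how many lines each failregex matched.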