Page 1 of 1

Deluge-web RPI Security

Posted: Sat Jun 25, 2016 1:15 pm
by therahmaniac
I have an RPI3 with deluge daemon running 24/7. I connect from my other pcs, mobile onto the RPI daemon(within Home network) and things were fine. I decided to go for a dynamic dns and chose duckdns and exposed deluge-web onto the internet. My deluge web password is pretty decent. But there was a snooper who had got in, crossed the password and messed up my deluge settings badly. I still have no trace (dont know how to) to identify this notorious person.
Has anyone faced anything similar / Know how a person could do that ? What are ways to prevent such attacks in specific?
Is there any way other than passwords thats used to identify a client connecting to deluge web from the internet?

Re: Deluge-web RPI Security

Posted: Sat Jun 25, 2016 1:43 pm
by gderf
I would look into ssh tunneling exposed on a non standard port using public/private keys instead of passwords.

Re: Deluge-web RPI Security

Posted: Sun Jun 26, 2016 2:35 am
by therahmaniac
I primarily use web ui from a PC(windows) and mobile (android). If i do ssh tunneling would I still be able to use webui from these? Also it is possible to setup ssh tunneling as the only way of accessing webui? Based on some googling I found "TLS mutual authentication". Do you think its useful/ doable?

Re: Deluge-web RPI Security

Posted: Sun Jun 26, 2016 11:19 am
by gderf
You can ssh tunnel anything that runs over TCP, and the webui runs over TCP.

I can't say what's possible over your android phone as I do not know if a ssh tunnel application is available for it or not.

Do not expose the webui to the internet. It needs to only be reachable from the local machine. The tunnel connects to it there. This makes it reachable only via the tunnel.

TLS mutual authentication wouldn't hurt anything, but it probably doesn't add much to the protection if ssh tunnel is the only way in.

Re: Deluge-web RPI Security

Posted: Sun Jul 03, 2016 2:53 am
by therahmaniac
AS i understand it
1. I need to prevent the deluge web on its port being exposed directly to th web(May be i will add some firewall rules for it)
2. Set up ssh tunnels making it the only way to access deluge-web.
Please do correct if am wrong and if there are any guides do share! Thanks

Re: Deluge-web RPI Security

Posted: Mon Jul 18, 2016 1:13 am
by therahmaniac
I did some searching and wanted to make use of Iptables to block traffic from internet(I could establish the tunnel Thanks!). But I get the empty tracker error.
The ports I have configured to use on deluge are 49161-49179.
[*] I tried a rigid firewall policy whose default INPUT policy is chosen to DROP. Am sure I have chosen to ACCEPT for all tcp connections to above ports. The test active port on deluge also shows Okay. But all torrents run into empty tracker error.
[*]Next I chose to block only the web UI port that am currently using (49181) from web. Note: in this case default INPUT policy is only ACCEPT here and not DROP. Even in this case deluge errors out (empty message) on most torrents.
Any ideas? My version is 1.3.10.

Re: Deluge-web RPI Security

Posted: Mon Aug 08, 2016 2:43 pm
by kkmic
You can install OpenVPN on your RPI (quite easily using http://www.pivpn.io/ - though it will take an hour or two). If you don't have a fixed IP address, keep using the duckdns service.
Create a user, copy its key to your phone and connect to the VPN using the OpenVPN Connect Android application.
Now you may connect to your Deluge WebUI using the local network address, like 192.168.0.15, without having to actually directly expose Deluge on the web.

Re: Deluge-web RPI Security

Posted: Sat Feb 24, 2018 8:52 pm
by Feriman
Use fail2ban on server side. I set up this and works well.