Deluge-web RPI Security

General support for problems installing or using Deluge
Post Reply
therahmaniac
New User
New User
Posts: 4
Joined: Sat Jun 25, 2016 1:13 pm

Deluge-web RPI Security

Post by therahmaniac »

I have an RPI3 with deluge daemon running 24/7. I connect from my other pcs, mobile onto the RPI daemon(within Home network) and things were fine. I decided to go for a dynamic dns and chose duckdns and exposed deluge-web onto the internet. My deluge web password is pretty decent. But there was a snooper who had got in, crossed the password and messed up my deluge settings badly. I still have no trace (dont know how to) to identify this notorious person.
Has anyone faced anything similar / Know how a person could do that ? What are ways to prevent such attacks in specific?
Is there any way other than passwords thats used to identify a client connecting to deluge web from the internet?
User avatar
gderf
Seeder
Seeder
Posts: 155
Joined: Sat Jun 18, 2016 1:32 am

Re: Deluge-web RPI Security

Post by gderf »

I would look into ssh tunneling exposed on a non standard port using public/private keys instead of passwords.
therahmaniac
New User
New User
Posts: 4
Joined: Sat Jun 25, 2016 1:13 pm

Re: Deluge-web RPI Security

Post by therahmaniac »

I primarily use web ui from a PC(windows) and mobile (android). If i do ssh tunneling would I still be able to use webui from these? Also it is possible to setup ssh tunneling as the only way of accessing webui? Based on some googling I found "TLS mutual authentication". Do you think its useful/ doable?
User avatar
gderf
Seeder
Seeder
Posts: 155
Joined: Sat Jun 18, 2016 1:32 am

Re: Deluge-web RPI Security

Post by gderf »

You can ssh tunnel anything that runs over TCP, and the webui runs over TCP.

I can't say what's possible over your android phone as I do not know if a ssh tunnel application is available for it or not.

Do not expose the webui to the internet. It needs to only be reachable from the local machine. The tunnel connects to it there. This makes it reachable only via the tunnel.

TLS mutual authentication wouldn't hurt anything, but it probably doesn't add much to the protection if ssh tunnel is the only way in.
therahmaniac
New User
New User
Posts: 4
Joined: Sat Jun 25, 2016 1:13 pm

Re: Deluge-web RPI Security

Post by therahmaniac »

AS i understand it
1. I need to prevent the deluge web on its port being exposed directly to th web(May be i will add some firewall rules for it)
2. Set up ssh tunnels making it the only way to access deluge-web.
Please do correct if am wrong and if there are any guides do share! Thanks
therahmaniac
New User
New User
Posts: 4
Joined: Sat Jun 25, 2016 1:13 pm

Re: Deluge-web RPI Security

Post by therahmaniac »

I did some searching and wanted to make use of Iptables to block traffic from internet(I could establish the tunnel Thanks!). But I get the empty tracker error.
The ports I have configured to use on deluge are 49161-49179.
[*] I tried a rigid firewall policy whose default INPUT policy is chosen to DROP. Am sure I have chosen to ACCEPT for all tcp connections to above ports. The test active port on deluge also shows Okay. But all torrents run into empty tracker error.
[*]Next I chose to block only the web UI port that am currently using (49181) from web. Note: in this case default INPUT policy is only ACCEPT here and not DROP. Even in this case deluge errors out (empty message) on most torrents.
Any ideas? My version is 1.3.10.
User avatar
kkmic
New User
New User
Posts: 7
Joined: Tue Oct 20, 2015 10:08 am

Re: Deluge-web RPI Security

Post by kkmic »

You can install OpenVPN on your RPI (quite easily using http://www.pivpn.io/ - though it will take an hour or two). If you don't have a fixed IP address, keep using the duckdns service.
Create a user, copy its key to your phone and connect to the VPN using the OpenVPN Connect Android application.
Now you may connect to your Deluge WebUI using the local network address, like 192.168.0.15, without having to actually directly expose Deluge on the web.
Feriman
New User
New User
Posts: 8
Joined: Mon Feb 05, 2018 9:50 am

Re: Deluge-web RPI Security

Post by Feriman »

Use fail2ban on server side. I set up this and works well.
Post Reply