Remote VPS file share server

Recently, I've *allegedly* received some documents regarding torrent clients on my network. Of course, I wholeheartedly respect copyright laws and do my utmost to ensure that files on my systems are 100% legal. Regardless, I thought creating an offsite file download/share server might be an exciting project.

I already had a VPS I was renting from a provider, so I spun up another one with them. Relatively low specs (4 CPUs, 4 GB RAM), but it has unlimited network usage, which is good for my purposes. I went with the most recent version of Ubuntu, but any OS would work for this.

To start off, my idea was a setup with two addresses: a management IP that I could use to download files and talk to the torrent client, and a download IP that ran a VPN at all times and was used only for downloading. Luckily, my VPS provider offered extra IPv4 addresses, so I bought one and got it working. OpenVPN has an option to bind to a specific local address, so I was banking on attaching it to the secondary IP and using the primary IP for management. Unfortunately, both IPs were routed over the same NIC, so while OpenVPN was binding to the correct IP, the routes the VPN installs apply to the whole host, and it was still affecting both addresses.

This meant I couldn't reach the server on the management IP I was setting up, so I had to find a different VPN solution. I ended up going with split tunneling, which isn't necessarily ideal, but for my purposes it should be fine. My VPN provider has a Linux application that works fairly well and supports split tunneling natively, so I went with that over other options. I was also able to tweak some of the VPN settings to make it slightly more secure. I set it up with my home IP whitelisted, so traffic between my home network and the remote server isn't captured by the VPN and I can still reach my management portals.

Next, I implemented a firewall to keep other people out of the server. I'm a Windows guy and iptables can be a little frustrating for me, so I used gufw instead. It's a GUI front end for ufw, which in turn manages iptables. It's a little more restrictive than CLI iptables, but again, for my purposes, it works well enough. Basically, I created a deny-all rule for incoming traffic and whitelisted my home IP for web traffic and SSH/RDP. I opened RDP as well as SSH because I've been on an RDP kick recently, setting it up on all of my non-internet-facing servers. Xorg can be a little wonky, but it's been working well so far.

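To put that firewall policy into a repeatable form, here is an added example script (not from the post, and not gufw's own output) that builds the same deny-all-inbound, whitelist-one-IP rule set with ufw, the command-line tool that gufw sits on top of. HOME_IP (203.0.113.10, a documentation-range placeholder), the SSH and RDP ports (22 and 3389, their defaults), the web port (80, the FileBrowser rule used later in the post) and the qBittorrent WebUI port (8080, its default) are all assumptions. By default the script only prints the commands for review; passing `apply` runs them, which needs root.

```shell
#!/bin/sh
# Added example, not the post's own script: deny all inbound traffic with ufw
# and whitelist a single home IP for SSH, RDP, the web file share and the
# torrent client's WebUI. HOME_IP and the port numbers below are assumptions.
set -eu

HOME_IP="${HOME_IP:-203.0.113.10}"   # placeholder: the home network's public IP
SSH_PORT=22                          # OpenSSH default
RDP_PORT=3389                        # RDP default
WEB_PORT=80                          # FileBrowser port from the post
QBT_WEBUI_PORT=8080                  # qBittorrent WebUI default (assumed)
MODE="${1:-print}"                   # "print" shows the commands, "apply" runs them (root)

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0..255, so a
# typo in HOME_IP cannot silently turn into a rule that allows the wrong source.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# run CMD...: execute in apply mode, otherwise echo the command for review.
run() {
    if [ "$MODE" = "apply" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# ufw_rules: emit (or apply) the whole policy. Rules are added before `enable`
# so the SSH session used to configure the box is never locked out.
ufw_rules() {
    if ! is_ipv4 "$HOME_IP"; then
        printf 'refusing to build rules: HOME_IP %s is not a valid IPv4 address\n' "$HOME_IP" >&2
        return 1
    fi
    run ufw default deny incoming
    run ufw default allow outgoing
    for port in "$SSH_PORT" "$RDP_PORT" "$WEB_PORT" "$QBT_WEBUI_PORT"; do
        run ufw allow from "$HOME_IP" to any port "$port" proto tcp
    done
    run ufw --force enable   # --force skips the interactive confirmation
}

ufw_rules
```

Run it once without arguments and read the printed rules before running it with `apply`; if your home connection has a dynamic public address, the four `allow from` rules are the ones you will have to update when it changes.
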
After getting the security services functional, I started working on the applications I wanted running. Finding a file share solution I liked was arguably the most time-consuming part. Originally, I was going to do some basic FTPS/SFTP scripting to automate transfers, maybe dumping all files in a given directory to my local NAS on some kind of schedule. However, Comcast really didn't like certain ports being open and started applying some "advanced security" filtering, which made that annoying. Instead, I opted to use FileBrowser, a self-hosted file share service I use a lot on my home network. Whenever I need to quickly share some files and I don't feel like opening SMB or anything else, I usually use FileBrowser. It's a super nifty GUI file share service that runs in a web browser. It's dead simple to set up and only takes a couple of minutes to get going. All I had to do was add a port 80 rule and, voila, nice and neat file sharing without opening any holes in my home network or setting up anything extra on the remote server. It isn't necessarily the ideal solution (you can't automate transfers, for example), but it is simple enough to get running, and it provides exactly what I need.

For my torrent client, I use qBittorrent. It has a WebUI, and it supports a variety of options that limit what and how things download. Setting up the WebUI is as easy as ticking a checkbox and typing in a password. In my case, I also bound the WebUI to the management IP and qBittorrent's download traffic to the download IP. Not really necessary with how I'm routing traffic through the VPN, but since I have the extra address, I might as well use it.

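Those bindings are worth verifying after every restart: a service that falls back to listening on all addresses is reachable through the management IP as well, and if its firewall rule ever slips, from anywhere. Below is an added example, not part of the post, that audits `ss -tlnp` output. It lists LISTEN sockets bound to the wildcard address and checks that a given port is bound only to the intended IP. The `ss` output is a constructed sample shaped like the real thing, 203.0.113.20 stands in for the management IP, and the process names and ports are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: audit `ss -tlnp` output for services that
# listen on every address instead of only the management IP. The sample below
# is constructed; 203.0.113.20 is a placeholder management address.
set -eu

# Constructed sample in the shape of `ss -tlnp` output for a host like the post's.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   203.0.113.20:8080   0.0.0.0:*         users:(("qbittorrent-nox",pid=1502,fd=12))
LISTEN 0      4096   0.0.0.0:80          0.0.0.0:*         users:(("filebrowser",pid=1390,fd=7))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=6))
LISTEN 0      4096   *:3389              *:*               users:(("xrdp",pid=1210,fd=11))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))'

# wildcard_listeners: read `ss -tlnp` output on stdin and print "PORT PROCESS"
# for every LISTEN socket whose local address is the IPv4 or IPv6 wildcard.
# The process name comes from the Process column; "?" if ss ran unprivileged.
wildcard_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
            name = "?"
            if (match($6, /"[^"]+"/)) name = substr($6, RSTART + 1, RLENGTH - 2)
            print port, name
        }
    }'
}

# bound_only_to PORT ADDR: succeed when at least one LISTEN socket exists on PORT
# and every one of them is bound to ADDR; fail if the port is absent or any
# socket on it listens elsewhere (for example on the wildcard address).
bound_only_to() {
    awk -v port="$1" -v want="$2" '$1 == "LISTEN" {
        n = split($4, part, ":")
        if (part[n] != port) next
        seen = 1
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != want) bad = 1
    } END {
        if (seen && !bad) exit 0
        exit 1
    }'
}

# Stand-alone run: audit the constructed sample. On the real host, replace the
# printf with `ss -tlnp` (run as root so the Process column is populated).
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
if printf '%s\n' "$SAMPLE_SS" | bound_only_to 8080 203.0.113.20; then
    echo "ok: port 8080 is bound only to the management IP"
else
    echo "warning: port 8080 is not bound solely to the management IP"
fi
```

On the live server, `ss -tlnp | wildcard_listeners` shows everything listening on every address, and `ss -tlnp | bound_only_to 8080 <management IP>` confirms the WebUI binding. In the sample, sshd, filebrowser and xrdp all listen on the wildcard, which is exactly why the firewall whitelist in front of them matters.
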
Overall, it works really well: only 4 ports are open, all of them restricted to my home IP, and there's no complicated setup or anything that needs monitoring. All I do is send over the download links and then collect my files. Easy.

Comcast, if you see this, you know I was joking about those letters, right? :)
