HOWTO: Install and setup MLDonkey on FreeBSD

MLDonkey is an open source, free software multi-network peer-to-peer application. Currently the following protocols are supported: eDonkey, Overnet, Bittorrent, Gnutella, Gnutella2, Fasttrack, FileTP and Kademlia.

Below are the steps needed to install MLDonkey on FreeBSD 7.x:

1. % su
2. # cd /usr/ports/net-p2p/mldonkey
3. # make WITHOUT_GUI=yes WITHOUT_X11="YES" WITHOUT_TK="YES" install clean
4. # rehash

Now that MLDonkey is installed let's activate it at boot time:

1. # echo 'mlnet_enable="YES"' >> /etc/rc.conf
2. # echo 'mlnet_user="p2p"' >> /etc/rc.conf

Notice the mlnet_user option: for added security we'll create a p2p user:

1. # pw user add p2p
2. # mkdir /home/p2p
3. # chown p2p:p2p /home/p2p

Restart the system for the changes to apply.

Now we are going to modify the MLDonkey configuration:

1. % su
2. # /usr/local/etc/rc.d/mlnet status
3. # exit
4. % telnet 127.0.0.1 4000
5. > auth admin ""
6. > passwd newpassword
7. > set allowed_ips "127.0.0.1 192.168.1.0/24"
8. > save
9. > exit

Basically, we've checked to see if MLDonkey was running and accessed it through its telnet interface. Initially the application is configured without an admin password, so step 6 takes care of that. In step 7 we set the IPs that are allowed to connect to the application; in the example, localhost and all clients on the local network.

MLDonkey's web server can be accessed at http://localhost:4080, so fire up your browser and point it to that address. If you're planning to access the server from another computer, replace the localhost part with the server's IP or hostname.

The following are a few useful commands that can be passed on to MLDonkey:

1. # /usr/local/etc/rc.d/mlnet start
2. # /usr/local/etc/rc.d/mlnet stop
3. # /usr/local/etc/rc.d/mlnet restart
4. # /usr/local/etc/rc.d/mlnet status

There are tons of configuration options available both in the telnet and web interfaces so I've opted to mention only the basic stuff. For more information I suggest browsing the project's website at http://mldonkey.sourceforge.net/.
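As an added example (not code from the original post or from the MLDonkey project), here is a local model of what the allowed_ips list from step 7 does, so a list can be checked against the addresses you intend to admit before `save` locks you out of ports 4000, 4001 and 4080. It understands both the space-separated form typed at the telnet prompt and the `allowed_ips = [ "..."; "..."; ]` layout of downloads.ini. It assumes entries are plain IPv4 addresses or IPv4 CIDR prefixes; the downloads.ini text embedded below is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or the MLDonkey project:
# a local model of allowed_ips matching plus a sanity check for entries
# that make the restriction meaningless. Sample ini text is constructed.

ip_to_int() {
    # Dotted quad -> 32-bit integer; returns 1 for anything that is not four octets <= 255
    _ifs=$IFS; set -f; IFS=.; set -- $1; IFS=$_ifs; set +f
    [ $# -eq 4 ] || return 1
    case "$1$2$3$4" in *[!0-9]*|'') return 1 ;; esac
    for _o in "$1" "$2" "$3" "$4"; do [ "$_o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_match() {
    # cidr_match CLIENT ENTRY: ENTRY is "a.b.c.d" (exact host) or "a.b.c.d/n"
    case $2 in
        */*) _net=${2%/*}; _len=${2#*/} ;;
        *)   _net=$2;      _len=32 ;;
    esac
    case $_len in *[!0-9]*|'') return 1 ;; esac
    [ "$_len" -le 32 ] || return 1
    _mask=$(( (4294967295 << (32 - _len)) & 4294967295 ))
    _c=$(ip_to_int "$1") || return 1
    _n=$(ip_to_int "$_net") || return 1
    [ $(( _c & _mask )) -eq $(( _n & _mask )) ]
}

client_allowed() {
    # client_allowed CLIENT ENTRY...: 0 if any entry admits CLIENT, else 1
    _client=$1; shift
    for _e in "$@"; do
        cidr_match "$_client" "$_e" && return 0
    done
    return 1
}

entry_risk() {
    # Flag entries that turn allowed_ips into no restriction at all
    case $1 in */*) _l=${1#*/} ;; *) _l=32 ;; esac
    if [ "$_l" -eq 0 ]; then echo "OPEN TO EVERYONE: $1"
    elif [ "$_l" -lt 16 ]; then echo "very broad: $1"
    else echo "ok: $1"; fi
}

parse_allowed_ips() {
    # Read a downloads.ini on stdin; print each allowed_ips entry on its own line
    awk '/^[ \t]*allowed_ips[ \t]*=/ { inlist = 1 }
         inlist {
             while (match($0, /"[^"]*"/)) {
                 print substr($0, RSTART + 1, RLENGTH - 2)
                 $0 = substr($0, RSTART + RLENGTH)
             }
             if (index($0, "]")) inlist = 0
         }'
}

# Constructed downloads.ini excerpt in the same layout as the real file
SAMPLE_INI='allowed_ips = [
  "127.0.0.1"; "192.168.1.0/24"; "10.0.0.0/8";]
telnet_port = 4000'

entries=$(printf '%s\n' "$SAMPLE_INI" | parse_allowed_ips)
for _e in $entries; do entry_risk "$_e"; done
for _c in 127.0.0.1 192.168.1.42 10.4.5.6 203.0.113.9; do
    if client_allowed "$_c" $entries; then echo "$_c: admitted"; else echo "$_c: refused"; fi
done
```

Run it against your own downloads.ini (`parse_allowed_ips < ~p2p/.mldonkey/downloads.ini`) and the address you will be connecting from; if the address is refused, fix the list before restarting mlnet rather than after.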
 
MLDonkey inside a JAIL and other hardening options

I decided to place and run MLDonkey (mlnet) from inside a jail, and here's what I did:

  • Create the jail (I used ezjail), adjust jail's config file to mount /dev, then start the jail.
  • Install net-p2p/mldonkey inside the jail, create the "p2p" user from within the jail and modify the jail's /etc/rc.conf, then stop and re-start the jail. If all goes well, you should see that files were created under <jailpath>/home/p2p/.mldonkey and you can check the status by:
    # jexec <jailname> sockstat
    Code:
    p2p      mlnet-real 8791  5  tcp4   192.168.2.10:2799    *:*
    p2p      mlnet-real 8791  6  udp4   192.168.2.10:2803    *:*
    p2p      mlnet-real 8791  7  tcp4   192.168.2.10:6881    *:*
    p2p      mlnet-real 8791  8  udp4   192.168.2.10:13694   *:*
    p2p      mlnet-real 8791  9  tcp4   192.168.2.10:6882    *:*
    p2p      mlnet-real 8791  10 tcp4   192.168.2.10:4080    *:*
    p2p      mlnet-real 8791  11 tcp4   192.168.2.10:4000    *:*
    p2p      mlnet-real 8791  12 tcp4   192.168.2.10:4001    *:*
    If you got this far, you can now stop the jail.
  • Modify <jailpath>/home/p2p/.mldonkey/downloads.ini and look for allowed_ips. Add the IP of the jail you created:
    Code:
     allowed_ips = [
      "127.0.0.1"; "192.168.2.10";]
    This has to be done by editing the file because the only IP the jail is aware of is the one you assigned to it. Now re-start the jail and continue on to setting the admin password as above.
  • You can now re-edit the jail's config file and remove the jail's ability to mount /dev. It was needed for the modification of allowed_ips, but it's not needed any more. I have not tested actual downloading, but mlnet starts without a mounted /dev. It does seem to need a /dev/urandom, however, which I created as a folder and set permissions to "rw-rw-rw-".

The above setup causes a significant problem however: the allowed_ips security feature is effectively disabled, since all incoming IPs will appear as coming from the IP assigned to the jail (as far as mlnet is concerned).

I'm also a bit uneasy with these security holes:
  • No password has been set for p2p user, and if set it will probably have to be stored in clear text inside one of the *.ini files.
  • The pid file is in the same folder as home/p2p/.mldonkey
  • A p2p dummy user which is daemonised and has /usr/sbin/nologin as its shell should have been the preferred norm?
  • The setting in /etc/rc.conf for mlnet_flags="" seems to throw "wrong setting" errors. Looks like I'll have to modify more *.ini files.

CONCLUSION: I'd like to hear any comments and input on how others hardened or increased security for their MLDonkey session.
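As an added example (not code from either post above), the following script audits the two settings that bound what a compromised mlnet can do: the account it runs as and the rc.conf lines that select that account. On FreeBSD the rc framework applies a `${name}_user` setting by switching from root with su(1), so the account needs no password of its own; a password field of `*` (or `*LOCKED*...`) and a `/usr/sbin/nologin` shell are what a daemon account should look like, which is checked here without touching the live system. The passwd records and rc.conf snippets are constructed for the demo; the pw(8) commands in the messages are the ones that produce the hardened state.

```shell
#!/bin/sh
# Added example, not from the original posts: audit the account mlnet runs as
# and the rc.conf lines that select it. All records below are constructed.

account_check() {
    # account_check RECORD: RECORD is one /etc/passwd-style line
    # (name:password:uid:gid:gecos:home:shell). Returns 0 for a locked,
    # non-interactive, non-root account; otherwise prints the pw(8) fix and returns 1.
    _ifs=$IFS; set -f; IFS=:; set -- $1; IFS=$_ifs; set +f
    [ $# -ge 7 ] || { echo "malformed passwd record"; return 1; }
    _name=$1; _pw=$2; _uid=$3; _shell=$7; _bad=0
    if [ "$_uid" -eq 0 ]; then
        echo "$_name: uid 0, the daemon would run as root"; _bad=1
    fi
    case $_pw in
        '*'|'*LOCKED*'*) ;;                      # locked, no login possible: good
        '') echo "$_name: empty password field, fix: pw usermod $_name -w no"; _bad=1 ;;
        *)  echo "$_name: has a login password, fix: pw usermod $_name -w no"; _bad=1 ;;
    esac
    case $_shell in
        */nologin|/bin/false) ;;
        *) echo "$_name: interactive shell $_shell, fix: pw usermod $_name -s /usr/sbin/nologin"; _bad=1 ;;
    esac
    [ $_bad -eq 0 ] && echo "$_name: locked daemon account ($_shell)"
    return $_bad
}

rc_value() {
    # rc_value VAR TEXT: value of VAR's last assignment in rc.conf-style TEXT,
    # double quotes stripped (rc.conf is sourced, so the last assignment wins)
    printf '%s\n' "$2" | awk -F= -v var="$1" '
        $1 == var { v = substr($0, index($0, "=") + 1) }
        END { gsub(/"/, "", v); print v }'
}

rcconf_check() {
    # rcconf_check TEXT: 0 when mlnet is enabled and pinned to a non-root user,
    # 2 when it is not enabled at all, 1 when rc.conf does not drop privileges
    _en=$(rc_value mlnet_enable "$1")
    _user=$(rc_value mlnet_user "$1")
    case $_en in
        [Yy][Ee][Ss]) ;;
        *) echo "mlnet_enable is not YES: mlnet does not start at boot"; return 2 ;;
    esac
    if [ -z "$_user" ] || [ "$_user" = root ]; then
        echo "mlnet_user unset or root: rc.conf does not drop privileges, pin mlnet_user=\"p2p\""; return 1
    fi
    echo "mlnet starts as $_user"
}

# Constructed records: the account as a bare `pw user add p2p` with no -s given
# leaves it (locked password, interactive shell) and the hardened variant made by
#   pw useradd p2p -m -d /home/p2p -s /usr/sbin/nologin -w no -c 'MLDonkey daemon'
DEFAULT_REC='p2p:*:1001:1001::/home/p2p:/bin/sh'
HARDENED_REC='p2p:*:1001:1001:MLDonkey daemon:/home/p2p:/usr/sbin/nologin'
RC_HOWTO='mlnet_enable="YES"
mlnet_user="p2p"'
RC_NO_USER='mlnet_enable="YES"'

for _r in "$DEFAULT_REC" "$HARDENED_REC"; do account_check "$_r"; done
for _t in "$RC_HOWTO" "$RC_NO_USER"; do rcconf_check "$_t"; done
```

On a live host feed it the real records: `account_check "$(pw usershow p2p)"` and `rcconf_check "$(cat /etc/rc.conf)"` (inside a jail, prefix both with `jexec <jailname>`). The pid-file and /dev/urandom concerns raised above are not covered by this check.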
 