Friday, July 19, 2013

Notes for a BitTorrent Sync Setup

I was looking into a few "self-hosted" cloud services and finally settled on btsync the other day.  I had taken a look at the synology disk station, and seafile / owncloud.  Ultimately I think the fact that btsync has security built from the ground up is why I chose it.  I don't need a ton of advanced features, but I don't want just anyone looking at my data.  I do, however, need something that runs on windows / linux / synology and andriod.  BTSync meets all of that.


Btsync is now at version 1.1.42 and with every version it is getting better and better.  I just recently had a chance to test out the beta app for andriod and it worked great!


A couple of notes to consider when using btsync.


1)  Use separate accounts to run the executable

I think this is important.  If you run btsync as yourself, you are giving it the same access that you have.  In all reality, the btsync application only needs access to the folder it is syncing.  Ideally, you can create "service accounts" for this, but keep in mind that by default btsync tries to create .sync files in home directories.  Not a big deal, this is all configurable (at least in linux).


I set up a btsync account on both my linux and windows box and then gave it access to one folder to sync.  This way, if the executable ever gets cracked, it won't (by default) have access to all of my user settings, etc.


2) TCP over LAN didn't work for me

I'm not sure if I did something wrong here, but I couldn't get my clients to connect using TCP over the lan.  They kept defaulting to UDP regardless of the settings on both clients.  Remember this if your lan isn't working like you planned

3)  Make sure you secure the webGUI

If you are using the webGUI (linux users almost always will) be careful about the webGUI.  By default it listens to 0.0.0.0 on port 8888.  The first thing you can do is ensure your firewall is on and protecting that port from the outside world.  The other thing you can do is set a basic username and password in the config file.  (See the user manual)

4)  Monitor connections from the interweb

Remember, if you open a port on your firewall allowing the internet directly in, it is always good to have that go through some type of proxy.  Ultimately this is not going to be feasible for most people, so we have to rely on the bittorrent coders not making any buffer overflow mistakes!

5)  If you can, stay away from the tracker service and the "relay service"

Try it without those features turned on.  I know in most cases, for most people, those settings are turned on because it will just work.  In the case of the tracker stuff, you are broadcasting that your ip is hosting something and what port it is accessible on.  Yes they may not have the secret, but if you don't need that service, just don't use it.  The second is the relay service.  You will need this if you are behind certain network architectures, but for the most part you should be okay with out.  This way your data is not traversing through a server it doesn't have to.  I know the NSA is watching everything, but we might as well try and limit where we are sending our data.  These days, most "dynamic" ips are fairly static.  There are also a few dns services you could use.

6)  256-bit AES is a great choice

But I wonder how the key is derived from the secret and if this could be figured out some how.  According to the docs you can substitute your own base64 encoded key that is more than 40 symbols long.  This might be easier than sharing the base64 encoded version as you could come up with a poem line or something like that, and share it with friends/family.  I do like how you can change the key at any time, they have really through a lot of this stuff through.

All in all, so far I am really impressed by the product.  It works fast and is configurable to tweak in some of your own settings.  I look forward to future releases!