Сейчас 127 заметки.

Установка/настройка хостинг панели ISPConfig 3 на Debian: различия между версиями

Материал из ЗАметки
Строка 93: Строка 93:
  
 
===6. Synchronize the System Clock===
 
===6. Synchronize the System Clock===
 +
 +
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run
 +
apt-get install ntp ntpdate
 +
 +
and your system time will always be in sync.
 +
 +
===7.  Install Postfix, Dovecot, Saslauthd, MySQL, phpMyAdmin, rkhunter, binutils===
 +
 +
We can install Postfix, Dovecot, Saslauthd, MySQL, phpMyAdmin, rkhunter, and binutils with a single command:
 +
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server
 +
openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d sudo
 +
 +
You will be asked the following questions:
 +
 +
<pre>
 +
General type of mail configuration: <-- Internet Site
 +
System mail name: <-- server1.example.com
 +
New password for the MySQL "root" user: <-- yourrootsqlpassword
 +
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
 +
</pre>
 +
 +
Next open the TLS/SSL and submission ports in Postfix:
 +
vi /etc/postfix/master.cf
 +
 +
Uncomment the submission and smtps sections (leave -o milter_macro_daemon_name=ORIGINATING as we don't need it):
 +
 +
<pre>
 +
[...]
 +
submission inet n      -      -      -      -      smtpd
 +
  -o syslog_name=postfix/submission
 +
  -o smtpd_tls_security_level=encrypt
 +
  -o smtpd_sasl_auth_enable=yes
 +
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 +
#  -o milter_macro_daemon_name=ORIGINATING
 +
smtps    inet  n      -      -      -      -      smtpd
 +
  -o syslog_name=postfix/smtps
 +
  -o smtpd_tls_wrappermode=yes
 +
  -o smtpd_sasl_auth_enable=yes
 +
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 +
#  -o milter_macro_daemon_name=ORIGINATING
 +
[...]
 +
</pre>
 +
Restart Postfix afterwards:
 +
/etc/init.d/postfix restart
 +
 +
We want MySQL to listen on all interfaces, not just localhost, therefore we edit
 +
/etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:
 +
 +
vi /etc/mysql/my.cnf
 +
 +
 +
<pre>
 +
[...]
 +
# Instead of skip-networking the default is now to listen only on
 +
# localhost which is more compatible and is not less secure.
 +
#bind-address          = 127.0.0.1
 +
[...]
 +
</pre>
 +
 +
Then we restart MySQL:
 +
/etc/init.d/mysql restart
 +
 +
Now check that networking is enabled. Run
 +
netstat -tap | grep mysql
 +
 +
The output should look like this:
 +
 +
<pre>
 +
root@server1:~# netstat -tap | grep mysql
 +
tcp        0      0 *:mysql      *:*        LISTEN      10617/mysqld
 +
root@server1:~#
 +
</pre>
 +
 +
 +
===8. Install Amavisd-new, SpamAssassin, And Clamav===
 +
 +
To install amavisd-new, SpamAssassin, and ClamAV, we run
 +
<pre>
 +
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj
 +
nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs
 +
daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
 +
</pre>
 +
 +
The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:
 +
/etc/init.d/spamassassin stop
 +
update-rc.d -f spamassassin remove
 +
 +
 +
===9. Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt===
 +
 +
Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:
 +
<pre>
 +
apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork
 +
apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd
 +
php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-
 +
suexec php-pear php-auth php5-curl php5-mcrypt mcrypt php5-imagick imagemagick
 +
libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-python libapache2-
 +
mod-perl2
 +
</pre>
 +
 +
You will see the following questions:
 +
<pre>
 +
Web server to reconfigure automatically: <-- apache2
 +
Configure database for phpmyadmin with dbconfig-common? <-- No
 +
</pre>
 +
 +
Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):
 +
a2enmod suexec rewrite ssl actions include
 +
a2enmod dav_fs dav auth_digest
 +
 +
Restart Apache afterwards:
 +
/etc/init.d/apache2 restart
 +
 +
 +
===10.Install PureFTPd And Quota===
 +
 +
PureFTPd and quota can be installed with the following command:
 +
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
 +
 +
Edit the file /etc/default/pure-ftpd-common...
 +
vi /etc/default/pure-ftpd-common
 +
 +
... and make sure the start mode is set to standalone and set VIRTUALCHROOT=true:
 +
<pre>
 +
[...]
 +
STANDALONE_OR_INETD=standalone
 +
[...]
 +
VIRTUALCHROOT=true
 +
[...]</pre>
 +
 +
Edit the file /etc/inetd.conf to prevent inetd from trying to start ftp:
 +
vi /etc/inetd.conf
 +
 +
If there is a line beginning withftp stream tcp, comment it out (if there's no such file, then that is fine, and you don't have to modify /etc/inetd.conf):
 +
 +
<pre>
 +
[...]
 +
#:STANDARD: These are standard services.
 +
#ftp    stream  tcp    nowait  root    /usr/sbin/tcpd /usr/sbin/pure-ftpd-wrapper
 +
[...]
 +
</pre>
 +
 +
If you had to modify /etc/inetd.conf, restart inetd now:
 +
/etc/init.d/openbsd-inetd restart
 +
 +
Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.
 +
 +
If you want to allow FTP and TLS sessions, run
 +
echo 1 > /etc/pure-ftpd/conf/TLS
 +
 +
In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:
 +
mkdir -p /etc/ssl/private/
 +
 +
Afterwards, we can generate the SSL certificate as follows:
 +
<pre>
 +
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/
 +
pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
 +
</pre>
 +
 +
<pre>
 +
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
 +
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
 +
Locality Name (eg, city) []: <-- Enter your City.
 +
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your
 +
Organization Name (e.g., the name of your company).
 +
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name
 +
(e.g. "IT Department").
 +
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name
 +
of the system (e.g. "server1.example.com").
 +
Email Address []: <-- Enter your Email Address.
 +
</pre>
 +
 +
Change the permissions of the SSL certificate:
 +
chmod 600 /etc/ssl/private/pure-ftpd.pem
 +
 +
Then restart PureFTPd:
 +
/etc/init.d/pure-ftpd-mysql restart
 +
 +
Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):
 +
vi /etc/fstab
 +
 +
<pre>
 +
# /etc/fstab: static file system information.
 +
#
 +
# Use 'blkid' to print the universally unique identifier for a
 +
# device; this may be used with UUID= as a more robust way to name devices
 +
# that works even if disks are added and removed. See fstab(5).
 +
#
 +
# <file system> <mount point>  <type>  <options>      <dump>  <pass>
 +
proc            /proc          proc    defaults        0      0
 +
# / was on /dev/sda1 during installation
 +
UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 /              ext3    errors=remount-
 +
ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0      1
 +
# swap was on /dev/sda5 during installation
 +
UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none            swap    sw              0      0
 +
/dev/scd0      /media/cdrom0  udf,iso9660 user,noauto    0      0
 +
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0      0
 +
</pre>
 +
 +
To enable quota, run these commands:
 +
mount -o remount /
 +
quotacheck -avugm
 +
quotaon -avug
 +
 +
 +
 +
===11.  Install BIND DNS Server===
 +
 +
BIND can be installed as follows:
 +
apt-get install bind9 dnsutils
 +
 +
 +
 +
===12. Install Vlogger, Webalizer, And AWstats===
 +
 +
Vlogger, webalizer, and AWstats can be installed as follows:
 +
apt-get install vlogger webalizer awstats geoip-database
 +
 +
Open /etc/cron.d/awstats afterwards...
 +
vi /etc/cron.d/awstats
 +
 +
... and comment out both cron jobs in that file:
 +
 +
<pre>
 +
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
 +
# Generate static reports:
 +
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
 +
</pre>
 +
 +
 +
===13. Install Jailkit===
 +
 +
Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):
 +
apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper
 +
 +
<pre>
 +
cd /tmp
 +
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
 +
tar xvfz jailkit-2.14.tar.gz
 +
cd jailkit-2.14
 +
./debian/rules binary
 +
cd ..
 +
dpkg -i jailkit_2.14-1_*.deb
 +
rm -rf jailkit-2.14*
 +
</pre>
 +
 +
 +
===14. Install fail2ban===

Версия 15:22, 24 сентября 2013

1. Install The SSH Server

If you didn't install an SSH server during the basic system installation, you can do it now:

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian Squeeze server and follow the remaining steps from this tutorial

2. Install vim-nox (Optional)

I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Debian and Ubuntu; to fix this, we install vim-nox

apt-get install vim-nox

(You don't have to do this if you use a different text editor such as joe or nano.)

3. Configure The Network

Because the Debian Squeeze installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100) (please note that I replace allow-hotplug eth0 with auto eth0; otherwise restarting the network doesn't work, and we'd have to reboot the whole system):

vi /etc/network/interfaces


# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts


127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now run

echo server1.example.com > /etc/hostname

/etc/init.d/hostname.sh start

Afterwards, run

hostname

hostname -f

It is important that both show server1.example.com now!

4. Update Your Debian Installation

First make sure that your /etc/apt/sources.list contains the squeeze-updates repository (this makes sure you always get the newest updates for the ClamAV virus scanner - this project publishes releases very often, and sometimes old versions stop working)

vi /etc/apt/sources.list
[...]
deb http://ftp.de.debian.org/debian/ squeeze-updates main
[...]

Run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any).

5. Change The Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <-- No

6. Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.

7. Install Postfix, Dovecot, Saslauthd, MySQL, phpMyAdmin, rkhunter, binutils

We can install Postfix, Dovecot, Saslauthd, MySQL, phpMyAdmin, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server 
openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d sudo

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

Next open the TLS/SSL and submission ports in Postfix:

vi /etc/postfix/master.cf

Uncomment the submission and smtps sections (leave -o milter_macro_daemon_name=ORIGINATING as we don't need it):

[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

Restart Postfix afterwards:

/etc/init.d/postfix restart

We want MySQL to listen on all interfaces, not just localhost, therefore we edit

/etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:
vi /etc/mysql/my.cnf


[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql      *:*        LISTEN      10617/mysqld
root@server1:~#


8. Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj 
nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs 
daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop

update-rc.d -f spamassassin remove


9. Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork 
apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd 
php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-
suexec php-pear php-auth php5-curl php5-mcrypt mcrypt php5-imagick imagemagick 
libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-python libapache2-
mod-perl2

You will see the following questions:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include
a2enmod dav_fs dav auth_digest

Restart Apache afterwards:

/etc/init.d/apache2 restart

10.Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Edit the file /etc/inetd.conf to prevent inetd from trying to start ftp:

vi /etc/inetd.conf

If there is a line beginning withftp stream tcp, comment it out (if there's no such file, then that is fine, and you don't have to modify /etc/inetd.conf):

[...]
#:STANDARD: These are standard services.
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/pure-ftpd-wrapper
[...]

If you had to modify /etc/inetd.conf, restart inetd now:

/etc/init.d/openbsd-inetd restart

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/
pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City. 
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your 
Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name 
(e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name 
of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 /               ext3    errors=remount-
ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0       1
# swap was on /dev/sda5 during installation
UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

mount -o remount /
quotacheck -avugm
quotaon -avug


11. Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils


12. Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database

Open /etc/cron.d/awstats afterwards...

vi /etc/cron.d/awstats

... and comment out both cron jobs in that file:

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh


13. Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary
cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*


14. Install fail2ban