Linux and Open Source Blog » servers

How To Install VMware Server On OpenSUSE Linux 10.3

Linewbie.com — Thu, 27 Mar 2008 12:55:51 +0000

bold writing are command that you need to enter

red letting are command that you need to issue as root

click on Computer > More Applications > YaST
Put in root password for YaST
Scroll down until you see Software Management and single click on it
Check for the following software. If you don’t have it installed, install it
1. kernel-source
2. gcc
3. gcc-c++
4. make (This is most likely already installed, but just to double check)

Once you have installed that software, lets head over to the command line. Right click on the desktop and select â€œopen terminalâ€
Once you get into the terminal, you want to log in as a super user or root. You can do this by using the su command

clmowers@linux-box:~> SUPassword:linux-box:/home/clmowers #

Next you want to run the following command. This will check for the needed software and it will also show you the kernel modules that are installed. You MUST have the same kernel numbers though out, or you will have issues later down the road

rpm -qa kernel* gcc* make

It will look like this when the command is run

linux-box:/home/clmowers # rpm -qa kernel* gcc* make gcc-c++-4.2-24make-3.81-66kernel-source-2.6.22.17-0.1 gcc42-c++-4.2.1_20070724-17

kernel-default-2.6.22.17-0.1

gcc-4.2-24

gcc42-4.2.1_20070724-17

Notice that both of the kernels are the same. If these numbers are diffent then you need to run the online updates to get the lastest ones and to make sure everything matches. ***Just remember that these numbers change, This was the latest kernel when I wrote this, yours might be different from mine.

OK, lets move on. Next we want to change the directory to /usr/scr/linux. We can do that by this command

linux-box:/home/clmowers # cd /usr/src/linux
next we want to issue these commands. Don’t worry, we are almost done in the command line for the time being.

linux-box:/home/clmowers # make mrproper; make cloneconfig; make modules_prepareYou will notice that it is done when you get back to this linelinux-box:/home/clmowers #
YEA!!! The moment we all have been waiting for, installing vmware server. But we are not done yet. Once vmware server is installed we will need to configure it. Then you can start adding all the VM that your heart desires.
Next you want to go to where you have downloaded the file and right click and select install software
Once the windows closes we are ready to configure it. I know I know, but we are almost done. Just 2 more minutes.
open up a new terminal window (or open the one you already had) and issue this command

linux-box:/home/clmowers # cd /usr/binlinux-box:/usr/bin #
This will bring you to the /usr/bin directory. Next we want to run the pl script the vmware was so kind of to provide us. This will let us configure the server

linux-box:/usr/bin # vmware-config.pl
We will start out by reading the EULA. Hit space or enter to go through the agreement. Once you are done reading hit Q and then type yes. Now what I did was just accept all the defaults. This will give you a very good install of vmware. My only suggestion would be to create a folder under your /home/username/ directory called vms. When you get to the question asking you where you want to have your virutual machine saved, type in that location.
You will be ask for your license key, so make sure that you have one. Type it in and press eneter.

Reduce Apache Load With lighttpd On Debian Etch Linux

Linewbie.com — Thu, 14 Feb 2008 05:16:43 +0000

Lighttpd, sometimes pronounced “Lighty”, is a lightweight HTTP server that can help alleviate Apache’s load by serving static content. Since Lighttpd uses less resources per request than Apache, it generally serves most static content faster than Apache. This tutorial shows how to install Lighttpd behind Apache via ApacheÂ´s proxy module.

No guarantee that this will work for you!

1 Requirements

To install such a system you will need the following:

2 Setting up lighttpd

Once Lighttpd is installed, you’ll have to modify the configuration file to use it

vi /etc/lighttpd/lighttpd.conf

#bind to port (Default: 80)
server.port = 81



# bind to localhost (recommended for proxy behind Apache, otherwise comment this out for all)
server.bind = "localhost"

This is not a full listing of the configuration file, but rather a highlight of the most important parts. Notice that we’ve set the server port to 81. By doing this, we’re making sure it doesn’t clash with Apache listening on port 80. If you wanted to let Lighttpd power your entire site instead of Apache, you can set this to port 80, or comment it out to accept the default.
Then we restart Lighttpd:

/etc/init.d/lighttpd restart

3 Setting up Apache’s proxy

To let Apache take the output of Lighttpd on port 81 and map it to your website, you’ll need to make sure the Proxy module of Apache is loaded.
Using the Perfect Setup tutorial this module will either be there already but not activated.

a2enmod proxy_http
a2enmod proxy_connect

If you are using virtual hosting, you will want to use the following code to set up a proxy between the applicable directives:

ProxyRequests Off
ProxyPreserveHost On
ProxyPass /media http://0.0.0.0:81/
ProxyPassReverse / http://0.0.0.0:81/

Then we restart Apache:

/etc/init.d/apache2 reload

4 Final notice

In the above example, Lighttpd will serve up your media folder, leaving Apache to do the rest. Set this to any folder that has static content in it and Lighttpd will serve it, instead of Apache. Another good use of Lighttpd would be to serve up multimedia files, taking the load off of Apache. The increase of performance you’ll gain is dependent on many factors. If you only have Lighttpd serve up your images, it probably won’t help too much. You can put all of your static content, including HTML and PDF files, images, and movies in a folder called /static and then set the ProxyPass variable to that for a slightly better performance.

The increase of performance you’ve gained so far with Lighttpd is not phenomenal, but helps to increase the website performance and reduces the load on your server.

5 Links

Lighttpd: http://www.lighttpd.net
Apache Module mod_proxy: http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
PHP: http://www.php.net
MySQL: http://www.mysql.com
Debian: http://www.debian.org

Installing Lighttpd With PHP5 And MySQL Support On Fedora 8

Linewbie.com — Mon, 11 Feb 2008 04:19:31 +0000

Version 1.0
Author: Falko Timme
Last edited 01/11/2008

Lighttpd is a secure, fast, standards-compliant web server designed for speed-critical environments. This tutorial shows how you can install Lighttpd on a Fedora 8 server with PHP5 support (through FastCGI) and MySQL support.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings might differ for you, so you have to replace them where appropriate.

2 Installing MySQL 5.0

First we install MySQL 5.0 like this:

yum install mysql mysql-server

Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:

chkconfig –levels 235 mysqld on
/etc/init.d/mysqld start

Create a password for the MySQL user root (replace yourrootsqlpassword with the password you want to use):

mysqladmin -u root password yourrootsqlpassword

Then check with

netstat -tap | grep mysql

on which addresses MySQL is listening. If the output looks like this:

tcp 0 0 localhost.localdo:mysql *:* LISTEN 2713/mysqld

which means MySQL is listening on localhost.localdomain only, then you’re safe with the password you set before. But if the output looks like this:

tcp 0 0 *:mysql *:* LISTEN 2713/mysqld

you should set a MySQL password for your hostname, too, because otherwise anybody can access your database and modify data:

mysqladmin -h server1.example.com -u root password yourrootsqlpassword

3 Installing Lighttpd

Lighttpd is available as a Fedora package, therefore we can install it like this:

yum install lighttpd

Then we create the system startup links for Lighttpd (so that Lighttpd starts automatically whenever the system boots) and start it:

chkconfig –levels 235 lighttpd on
/etc/init.d/lighttpd start

Now direct your browser to http://192.168.0.100, and you should see the Lighttpd placeholder page:

Lighttpd’s default document root is /srv/www/lighttpd on Fedora, and the configuration file is /etc/lighttpd/lighttpd.conf.

4 Installing PHP5

We can make PHP5 work in Lighttpd through FastCGI. Therefore we install the packages lighttpd-fastcgi and php-cli:

yum install lighttpd-fastcgi php-cli

5 Configuring Lighttpd And PHP5

To enable PHP5 in Lighttpd, we must modify two files, /etc/php.ini and /etc/lighttpd/lighttpd.conf. First we open /etc/php.ini and add the line cgi.fix_pathinfo = 1 right at the end of the file:

vi /etc/php.ini

[...]
cgi.fix_pathinfo = 1

Then we open /etc/lighttpd/lighttpd.conf and uncomment “mod_fastcgi”, in the server.modules stanza:

vi /etc/lighttpd/lighttpd.conf

[...]
server.modules              = (
#                               "mod_rewrite",
#                               "mod_redirect",
#                               "mod_alias",
                                "mod_access",
#                               "mod_cml",
#                               "mod_trigger_b4_dl",
#                               "mod_auth",
#                               "mod_status",
#                               "mod_setenv",
                                "mod_fastcgi",
#                               "mod_proxy",
#                               "mod_simple_vhost",
#                               "mod_evhost",
#                               "mod_userdir",
#                               "mod_cgi",
#                               "mod_compress",
#                               "mod_ssi",
#                               "mod_usertrack",
#                               "mod_expire",
#                               "mod_secdownload",
#                               "mod_rrdtool",
                                "mod_accesslog" )
[...]

and then, further down the file, there’s a fastcgi.server stanza which we uncomment as well:

[...]
#### fastcgi module
## read fastcgi.txt for more info
## for PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini
fastcgi.server             = ( ".php" =>
                               ( "localhost" =>
                                 (
                                   "socket" => "/var/run/lighttpd/php-fastcgi.socket",
                                   "bin-path" => "/usr/bin/php-cgi"
                                 )
                               )
                            )
[...]

Then we restart Lighttpd:

/etc/init.d/lighttpd restart

Install and Set Up Subversion And Trac As Virtual Hosts On An Ubuntu Linux Server

Linewbie.com — Sat, 12 Jan 2008 09:06:11 +0000

This howto outlines the process by which one can set up the Subversion version control system, and have it work in tandem with Trac, the project manager for software development projects, on a server running Ubuntu (or possibly Debian). It is brought to you by Openject Consulting.

Setting up Subversion

For detailed information on this, including alternate setups, have a look at Version Control with Subversion.

Install the required packages.

sudo aptitude install enscript libapache2-mod-python python-docutils trac db4.3-util libapache2-svn subversion-tools
Create a virtual host directory for SVN. We’ll use /var/local/svn instead of /var/www so that Subversion instances don’t clog up the directory of web root directories.

sudo mkdir -p /var/local/svn/svn.example.com
Create a development group, and add the web user to it.

sudo addgroup example; sudo adduser www-data example
Add users to the development group. These are persons that need access to the repository.
1. sudo adduser username1 example
2. sudo adduser username2 example
3. sudo adduser username3 example
Set the proper permissions.

sudo chmod 2770 /var/local/svn/svn.example.com
Set up the repository.

sudo svnadmin create /var/local/svn/svn.example.com
Clear the current password file. By default it’s for the svnserve protocol, but we’ll be using HTTPS (or just HTTP). We’ll be adding users to this file later in the process.

sudo rm /var/local/svn/svn.example.com/conf/passwd
sudo touch /var/local/svn/svn.example.com/conf/passwd
Allow the group to write to the repository.

sudo chmod -R g+w /var/local/svn/svn.example.com
Set proper file ownership.

sudo chown -R www-data:example /var/local/svn/svn.example.com
Set the repository access permissions. Information on how to do this can be found in the Path-Based Authorization section of Version Control with Subversion.

sudo vi /var/local/svn/svn.example.com/conf/authz
Create a directory for the log files.

sudo mkdir /var/log/apache2/svn.example.com
Add the site to the log rotation list.

sudo vi /etc/logrotate.d/apache2

Configure the virtual host…

sudo vi /etc/apache2/sites-available/svn.example.com

…with the following data. If you don’t care about SSL, you can ignore the SSL options and run this on port 80.


  ServerName svn.example.com
  
    DAV svn
    AuthType Basic
    AuthName "svn.example.com"
    AuthUserFile /var/local/svn/svn.example.com/conf/passwd
    AuthzSVNAccessFile /var/local/svn/svn.example.com/conf/authz
    SVNPath /var/local/svn/svn.example.com
    Require valid-user
  
  CustomLog /var/log/apache2/svn.example.com/access.log combined
  ErrorLog /var/log/apache2/svn.example.com/error.log
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/apache.pem
# Add this once there is a real (non self-signed) certificate.
#  SSLCertificateKeyFile /etc/apache2/ssl/server.key


  ServerName svn.example.com
  Redirect / https://svn.example.com/

Reference:

/etc/apache2/mods-enabled/dav_svn.conf

Enable the subversion virtual host.

sudo a2ensite svn.example.com
Create user/password combinations.

htpasswd /var/local/svn/svn.example.com/conf/passwd username
Restart the web server.

sudo /etc/init.d/apache2 restart
If you’re going to have users working locally, set up svnwrap. (See the man page for details.)

sudo ln -s /usr/bin/svnwrap /usr/local/bin/svn

Setting up Trac

Create the web directory. We’ll use /var/local/trac instead of /var/www so as not to clog up the directory of webroots.

sudo mkdir /var/local/trac/trac.example.com
Set the proper permissions.

sudo chmod 2770 /var/local/trac/trac.example.com
Create a Trac instance.

sudo trac-admin /var/local/trac/trac.example.com initenv
Set proper ownership on the web directory.

sudo chown -R www-data:example /var/local/trac/trac.example.com
Allow the group to write to the repository.

sudo chmod -R g+w /var/local/trac/trac.example.com
Configure it.

sudo vi /var/local/trac/trac.example.com/conf/trac.ini
Create a directory for the log files.

sudo mkdir /var/log/apache2/trac.example.com
Add the site to the log rotation list.

sudo vi /etc/logrotate.d/apache2

Configure the virtual host…

sudo vi /etc/apache2/sites-available/trac.example.com

…with the following data. If you don’t care about SSL, you can skip the SSL options and run this on port 80.

# Trac Configuration

  ServerName trac.example.com
  Redirect / https://trac.example.com/


  ServerName trac.example.com
  DocumentRoot /var/local/trac/trac.example.com/
  Alias /trac/ /usr/share/trac/htdocs
  
      Options Indexes MultiViews
      AllowOverride None
      Order allow,deny
      Allow from all
  
  
      SetHandler mod_python
      PythonHandler trac.web.modpython_frontend
      PythonInterpreter main_interpreter
      PythonOption TracEnv /var/local/trac/trac.example.com/
      PythonOption TracUriRoot /
      AuthType Basic
      AuthName "trac.example.com"
      # Use the SVN password file.
      AuthUserFile /var/local/svn/svn.example.com/conf/passwd
      Require valid-user
  
  CustomLog /var/log/apache2/trac.example.com/access.log combined
  ErrorLog /var/log/apache2/trac.example.com/error.log
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/apache.pem
# Add this once there is a real (non self-signed) certificate.
#  SSLCertificateKeyFile /etc/apache2/ssl/server.key

Reference:

http://trac.edgewall.org/wiki/TracOnUbuntu

Enable the Trac virtual host.

sudo a2ensite trac.example.com
Restart the web server.

sudo /etc/init.d/apache2 restart

The last thing to do is add the subdomains “svn” and “trac” to the DNS configuration for your domain. Once this is done, Subversion and Trac will be integrated into your server environment, and will be accessible from the web.

Perfect Server Series: CentOS 4.6 Server Setup: LAMP, Email, DNS, FTP, ISPConfig

Linewbie.com — Thu, 10 Jan 2008 09:06:09 +0000

CentOS 4.6 Server Setup: LAMP, Email, DNS, FTP, ISPConfig (a.k.a. The Perfect Server)

Version 1.0
Author: Falko Timme
Last edited 12/17/2007

This tutorial shows how to set up a CentOS 4.6 based server that offers all services needed by ISPs and web hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Dovecot POP3/IMAP, Quota, Firewall, etc. This tutorial is written for the 32-bit version of CentOS 4.6, but should apply to the 64-bit version with very little modifications as well.

I will use the following software:

Web Server: Apache 2.0.x
Database Server: MySQL 4.1
Mail Server: Postfix
DNS Server: BIND9 (chrooted!)
FTP Server: proftpd
POP3/IMAP server: dovecot
Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Requirements

To install such a system you will need the following:

Download the CentOS 4.6 DVD or the four CD iso images from a mirror near you (the list of mirrors can be found here: http://www.centos.org/modules/tinycontent/index.php?id=13).
a fast internet connection…

1 Install The Base System

Boot from your CentOS 4.6 DVD or CD (CD 1).

It can take a long time to test the installation media so we skip this test here:

The welcome screen of the CentOS installer appears. Click on Next:

Choose your language next:

Select your keyboard layout:

We want to install a server so we choose Server here:

Next we do the partitioning. Select Automatically partition. This will give you a smalll /boot partition and a large / partition which is fine for our purposes:

I’m installing CentOS 4.6 on a fresh system, so I answer Yes to the question Would you like to initialize this drive, erasing ALL DATA?

Select Remove all partitions on this system.

We want to remove all Linux partitions, so we answer Yes to the following question:

The installer presents you an overview of our new partitions. Click on Next:

Now the boot loader GRUB will be installed. You can leave the default settings unchanged and click on Next:

On to the network settings. The default setting here is to configure the network interfaces with DHCP, but we are installing a server, so static IP addresses are not a bad idea… Click on the Edit button at the top right. In the window that pops up uncheck Configure using DHCP and give your network card a static IP address (in this tutorial I’m using the IP address 192.168.0.100 for demonstration purposes):

Set the hostname manually, e.g. server1.example.com, and enter a gateway (e.g. 192.168.0.1) and up to three DNS servers (e.g. 213.191.92.86, 145.253.2.75, and 193.174.32.18):

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That’s why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn’t use any other firewall later on as it will most probably interfere with the CentOS firewall).

SELinux is a security extension of CentOS that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Click on Proceed:

Select the default language for the system and add further languages, if necessary:

Choose your time zone:

Give root a password:

Now we are to select the package groups we want to install. Select Editors, Text Based Internet, Server Configuration Tools, Web Server, Mail Server, DNS Name Server, FTP Server, MySQL Database, Development Tools, Administration Tools and System Tools and click on Next:

Click on Next to start the installation:

The hard drive is being partitioned:

The installation begins. This will take a few minutes:

Finally, the installation is complete, and you can remove your CD from the computer and reboot it:

Now, on to the configuration…

2 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

# Do not remove the following line, or various programs

# that require network functionality will fail.

127.0.0.1               localhost.localdomain localhost

192.168.0.100           server1.example.com server1

3 Configure Additional IP Addresses

(This section is totally optional. It just shows how to add additional IP addresses to your network interface eth0 if you need more than one IP address. If you’re fine with one IP address, you can skip this section.)

Let’s assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:

cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0

BOOTPROTO=static

BROADCAST=192.168.0.255

HWADDR=00:0C:29:CD:66:08

IPADDR=192.168.0.100

NETMASK=255.255.255.0

NETWORK=192.168.0.0

ONBOOT=yes

TYPE=Ethernet

Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this (we can leave out the HWADDR line as it is the same physical network card):

vi /etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0

BOOTPROTO=static

BROADCAST=192.168.0.255

IPADDR=192.168.0.101

NETMASK=255.255.255.0

NETWORK=192.168.0.0

ONBOOT=yes

TYPE=Ethernet

Afterwards we have to restart the network:

/etc/init.d/network restart

You might also want to adjust /etc/hosts after you have added new IP addresses, although this is not necessary.

Now run

ifconfig

You should now see your new IP address in the output:

[root@server1 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:CD:66:08
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fecd:6608/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:373 errors:0 dropped:0 overruns:0 frame:0
TX packets:385 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:31529 (30.7 KiB) TX bytes:64449 (62.9 KiB)
Interrupt:177 Base address:0×1400

eth0:0 Link encap:Ethernet HWaddr 00:0C:29:CD:66:08
inet addr:192.168.0.101 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:177 Base address:0×1400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

[root@server1 ~]#

4 Configure The Firewall

(You can skip this chapter if you have already disabled the firewall during the basic system installation.)

Run

system-config-securitylevel

Select Disabled and press OK.

To check that the firewall has really been disabled, you can run

iptables -L

afterwards. The output should look like this:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server1 ~]#

5 Disable SELinux

(You can skip this chapter if you have already disabled SELinux during the basic system installation.)

Edit /etc/selinux/config and set SELINUX=disabled:

vi /etc/selinux/config

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#       enforcing - SELinux security policy is enforced.

#       permissive - SELinux prints warnings instead of enforcing.

#       disabled - SELinux is fully disabled.

SELINUX=disabled

# SELINUXTYPE= type of policy in use. Possible values are:

#       targeted - Only targeted network daemons are protected.

#       strict - Full SELinux protection.

SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

6 Install Some Software

First we import the GPG keys for software packages:

rpm –import /usr/share/rhn/RPM-GPG-KEY*

Then we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils gcc gcc-c++

7 Quota

To install quota, we run this command:

yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):

vi /etc/fstab

# This file is edited by fstab-sync - see 'man fstab-sync' for details

/dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota        1 1

LABEL=/boot             /boot                   ext3    defaults        1 2

none                    /dev/pts                devpts  gid=5,mode=620  0 0

none                    /dev/shm                tmpfs   defaults        0 0

none                    /proc                   proc    defaults        0 0

none                    /sys                    sysfs   defaults        0 0

/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

/dev/hdc                /media/cdrecorder       auto    pamconsole,exec,noauto,managed 0 0

/dev/fd0                /media/floppy           auto    pamconsole,exec,noauto,managed 0 0

Then run

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

to enable quota.

8 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot

Then do this:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
chkconfig –levels 235 named on
/etc/init.d/named start

BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

9 MySQL (4.1)

To install MySQL, we do this:

yum install mysql mysql-devel mysql-server

The MySQL init script on CentOS might cause problems when you try to restart MySQL. In some cases it tries to start MySQL before the old MySQL process has stopped which leads to a failure. The solution is to edit the restart section of /etc/init.d/mysqld and add a few seconds delay between the stop and the start of MySQL.

Edit /etc/init.d/mysqld:

vi /etc/init.d/mysqld

and change this section:

[...]

restart(){

    stop

    start

}

[...]

so that it looks like this:

[...]

restart(){

    stop

    sleep 3

    start

}

[...]

This adds a three second delay between the stop and start of MySQL.

Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:

chkconfig –levels 235 mysqld on
/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap | grep mysql

It should show something like this:

[root@server1 ~]# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 3590/mysqld
[root@server1 ~]#

If it does not, edit /etc/my.cnf and comment out the option skip-networking:

vi /etc/my.cnf

[...]

#skip-networking

[...]

and restart your MySQL server:

/etc/init.d/mysqld restart

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

10 Postfix With SMTP-AUTH And TLS

Now we install Postfix and dovecot (dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Next we configure SMTP-AUTH and TLS:

postconf -e ‘smtpd_sasl_local_domain =’
postconf -e ‘smtpd_sasl_auth_enable = yes’
postconf -e ‘smtpd_sasl_security_options = noanonymous’
postconf -e ‘broken_sasl_auth_clients = yes’
postconf -e ‘smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination’
postconf -e ‘inet_interfaces = all’
postconf -e ‘mynetworks = 127.0.0.0/8′

We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins. On a 64Bit Centos 4.6 you must edit the file /usr/lib64/sasl2/smtpd.conf instead. It should look like this:

vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd

mech_list: plain login

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e ‘smtpd_tls_auth_only = no’
postconf -e ‘smtp_use_tls = yes’
postconf -e ‘smtpd_use_tls = yes’
postconf -e ‘smtp_tls_note_starttls_offer = yes’
postconf -e ‘smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key’
postconf -e ‘smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt’
postconf -e ‘smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem’
postconf -e ‘smtpd_tls_loglevel = 1′
postconf -e ‘smtpd_tls_received_header = yes’
postconf -e ‘smtpd_tls_session_cache_timeout = 3600s’
postconf -e ‘tls_random_source = dev:/dev/urandom’

Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your own hostname):

postconf -e ‘myhostname = server1.example.com’

After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):

cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/libexec/postfix

mail_owner = postfix

inet_interfaces = all

mydestination = $myhostname, localhost.$mydomain, localhost

unknown_local_recipient_reject_code = 550

alias_maps = hash:/etc/aliases

alias_database = hash:/etc/aliases

debug_peer_level = 2

debugger_command =

         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

         xxgdb $daemon_directory/$process_name $process_id & sleep 5sendmail_path = /usr/sbin/sendmail.postfix

newaliases_path = /usr/bin/newaliases.postfix

mailq_path = /usr/bin/mailq.postfix

setgid_group = postdrop

html_directory = no

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix-2.2.10/samples

readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES

smtpd_sasl_local_domain =

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

mynetworks = 127.0.0.0/8

smtpd_tls_auth_only = no

smtp_use_tls = yes

smtpd_use_tls = yes

smtp_tls_note_starttls_offer = yes

smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key

smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt

smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

myhostname = server1.example.com

By default, CentOS’ dovecot daemon provides only IMAP and IMAPs services. Because we also want POP3 and POP3s we must configure dovecot to do so. We edit /etc/dovecot.conf and put the line protocols = imap imaps pop3 pop3s into it:

vi /etc/dovecot.conf

[...]

# Base directory where to store runtime data.

#base_dir = /var/run/dovecot/# Protocols we want to be serving:

#  imap imaps pop3 pop3s

protocols = imap imaps pop3 pop3s

[...]

Now start Postfix, saslauthd, and dovecot:

chkconfig –levels 235 sendmail off
chkconfig –levels 235 postfix on
chkconfig –levels 235 saslauthd on
chkconfig –levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH LOGIN PLAIN

everything is fine.

[root@server1 ssl]# telnet localhost 25
Trying 127.0.0.1…
Connected to localhost.localdomain (127.0.0.1).
Escape character is ‘^]’.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
[root@server1 ssl]#

Type

quit

to return to the system’s shell.

10.1 Maildir

dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user’s Maildir:

postconf -e ‘home_mailbox = Maildir/’
postconf -e ‘mailbox_command =’
/etc/init.d/postfix restart

11 Apache2 With PHP

Now we install Apache with PHP (this is PHP 4.3.9; CentOS does not provide PHP5 packages):

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel

Then edit /etc/httpd/conf/httpd.conf:

vi /etc/httpd/conf/httpd.conf

and change DirectoryIndex to

[...]

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl

[...]

Now configure your system to start Apache at boot time:

chkconfig –levels 235 httpd on

Start Apache:

/etc/init.d/httpd start

11.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddType line:

vi /etc/httpd/conf.d/php.conf

#

# PHP is an HTML-embedded scripting language which attempts to make it

# easy for developers to write dynamically generated webpages.

#LoadModule php4_module modules/libphp4.so

#

# Cause the PHP interpreter to handle files with a .php extension.

#

#AddType application/x-httpd-php .php

# AddType application/x-httpd-php-source .phps

#

# Add index.php to the list of files that will be served as directory

# indexes.

#

DirectoryIndex index.php

Afterwards we restart Apache:

/etc/init.d/httpd restart

12 ProFTPd

ISPConfig has better support for proftpd than vsftpd, so let’s remove vsftpd:

yum remove vsftpd

Because CentOS has no proftpd package, we must use a third-party yum repository to install it:

cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
rpm –import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt

Now we can install proftpd:

yum install proftpd

Let’s create proftpd‘s system startup links and start it:

chkconfig –levels 235 proftpd on
/etc/init.d/proftpd start

Then create the file /etc/pam.d/ftp with the following content (otherwise you will not be able to log in with system users using FTP):

vi /etc/pam.d/ftp

#%PAM-1.0

auth    required        pam_unix.so     nullok

account required        pam_unix.so

session required        pam_unix.so

and restart proftpd:

/etc/init.d/proftpd restart

13 Webalizer

To install webalizer, just run

yum install webalizer

14 Synchronize The System Clock

If you want to have the system clock synchronized with an NTP server do the following:

yum install ntp

chkconfig –levels 235 ntpd on
ntpdate 0.pool.ntp.org
/etc/init.d/ntpd start

15 Install Some Perl Modules

ISPConfig comes with SpamAssassin which needs a few Perl modules to work. We install the required Perl modules with a single command:

yum install perl-DBI perl-Net-DNS perl-Digest-SHA1

We also need the module HTML::Parser. We could install the CentOS package perl-HTML-Parser, but this version is too old for the SpamAssassin version that comes with ISPConfig. It would result in the following error message during ISPConfig installation:

REQUIRED module out of date: HTML::Parser

Therefore we must install the latest HTML::Parser using the Perl shell.

Run the following command to start the Perl shell:

perl -MCPAN -e shell

If you run the Perl shell for the first time you will be asked some questions. In most cases the default answers are ok. Because there’s no ncftp package for CentOS, the Perl shell cannot find the programs ncftpget and ncftp, and you’ll see something like this:

Warning: ncftpget not found in PATH
Where is your ncftpget program? []
Warning: ncftp not found in PATH
Where is your ncftp program? []

It’s ok to hit ENTER in both cases.

Please note: If you run a firewall on your system you might have to turn it off while working on the Perl shell in order for the Perl shell to be able to fetch the needed modules without a big delay. You can switch it on afterwards.

Now type in the following command to install the Perl module HTML::Parser:

install HTML::Parser

If the installation is successful, you’ll see a line like this at the end:

/usr/bin/make install — OK

Type

afterwards to leave the Perl shell.

16 The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.

16.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as CentOS’ suExec is compiled with /var/www as Doc_Root. Run

/usr/sbin/suexec -V

and the output should look like this:

[root@server1 ~]# /usr/sbin/suexec -V
-D AP_DOC_ROOT=”/var/www”
-D AP_GID_MIN=100
-D AP_HTTPD_USER=”apache”
-D AP_LOG_EXEC=”/var/log/httpd/suexec.log”
-D AP_SAFE_PATH=”/usr/local/bin:/usr/bin:/bin”
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX=”public_html”
[root@server1 ~]#

So if you want to use suExec with ISPconfig, don’t change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can’t change the web root anyway so you’ll be able to use suExec in any case).

17 Links

CentOS: http://www.centos.org
ISPConfig: http://www.ispconfig.org

other
click here
click here
clicky
other
other
other
friendly link
friendly link
read more
read more
friendly link
clicky
click here
friendly link

How to build the Perfect Server – with Ubuntu Gutsy Gibbon (Ubuntu 7.10)

Linewbie.com — Fri, 19 Oct 2007 01:38:47 +0000

This tutorial shows how to set up a Ubuntu Gutsy Gibbon (Ubuntu 7.10) based server that offers all services needed by ISPs and hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Courier POP3/IMAP, Quota, Firewall, etc. This tutorial is written for the 32-bit version of Ubuntu Gutsy Gibbon, but should apply to the 64-bit version with very little modifications as well.

I will use the following software:

Web Server: Apache 2.2
Database Server: MySQL 5.0
Mail Server: Postfix
DNS Server: BIND9
FTP Server: proftpd
POP3/IMAP: I will use Maildir format and therefore install Courier-POP3/Courier-IMAP.
Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

1 Requirements

To install such a system you will need the following:

the Ubuntu Gutsy Gibbon server CD, available here: http://releases.ubuntu.com/7.10/ubuntu-7.10-server-i386.iso
a fast internet connection.

2 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

3 The Base System

Insert your Ubuntu install CD into your system and boot from it. Select Install to the hard disk:

The installation starts, and first you have to choose your language:

Then select your location:

Choose a keyboard layout (you will be asked to press a few keys, and the installer will try to detect your keyboard layout based on the keys you pressed):

The installer checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network:

Enter the hostname. In this example, my system is called server1.example.com, so I enter server1:

Now you have to partition your hard disk. For simplicity’s sake I will create one big partition (with the mount point /) and a little swap partition so I select Guided – use entire disk (of course, the partitioning is totally up to you – if you like, you can create more than just one big partition, and you can also use LVM):

Select the disk that you want to partition:

When you’re finished, hit Yes when you’re asked Write the changes to disks?:

Afterwards, your new partitions are being created and formatted:

Configure your system’s clock. Normally UTC is a good choice:

Create a user, for example the user Administrator with the user name administrator (don’t use the user name admin as it is a reserved name on Gutsy Gibbon):

Now the base system is being installed:

We need a DNS, mail, and LAMP server, but nevertheless I don’t select any of them now because I like to have full control over what gets installed on my system. We will install the needed packages manually later on. The only item I select here is OpenSSH server so that I can immediately connect to the system with an SSH client such as PuTTY after the installation has finished:

The installation continues:

The GRUB boot loader gets installed:

The base system installation is now finished. Remove the installation CD from the CD drive and hit Continue to reboot the system:

On to the next step…

4 Enable The root Account

After the reboot you can login with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial as root user, we must enable the root account now.

Run

sudo passwd root

and give root a password. Afterwards we become root by running

5 Install The SSH Server (Optional)

If you did not install the OpenSSH server during the system installation, you can do it now:

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu Gutsy Gibbon server and follow the remaining steps from this tutorial.

6 Install vim-full (Optional)

I’ll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-full:

apt-get install vim-full

(You don’t have to do this if you use a different text editor such as joe or nano.)

7 Configure The Network

Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):

vi /etc/network/interfaces

# This file describes the network interfaces available on your system# and how to activate them. For more information, see interfaces(5).# The loopback network interface

auto lo

iface lo inet loopback

# The primary network interface

auto eth0

iface eth0 inet static

address 192.168.0.100

netmask 255.255.255.0

network 192.168.0.0

broadcast 192.168.0.255

gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1       localhost.localdomain   localhost192.168.0.100   server1.example.com     server1# The following lines are desirable for IPv6 capable hosts

::1     ip6-localhost ip6-loopback

fe00::0 ip6-localnet

ff00::0 ip6-mcastprefix

ff02::1 ip6-allnodes

ff02::2 ip6-allrouters

ff02::3 ip6-allhosts

Now run

echo server1.example.com > /etc/hostname
/etc/init.d/hostname.sh start

Afterwards, run

hostname
hostname -f

Both should show server1.example.com now.

8 Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:

vi /etc/apt/sources.list

## deb cdrom:[Ubuntu-Server 7.10 _Gutsy Gibbon_ - Release i386 (20071016)]/ gutsy main restricted#deb cdrom:[Ubuntu-Server 7.10 _Gutsy Gibbon_ - Release i386 (20071016)]/ gutsy main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to

# newer versions of the distribution.

deb http://de.archive.ubuntu.com/ubuntu/ gutsy main restricted

deb-src http://de.archive.ubuntu.com/ubuntu/ gutsy main restricted

## Major bug fix updates produced after the final release of the

## distribution.

deb http://de.archive.ubuntu.com/ubuntu/ gutsy-updates main restricted

deb-src http://de.archive.ubuntu.com/ubuntu/ gutsy-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu

## team, and may not be under a free licence. Please satisfy yourself as to

## your rights to use the software. Also, please note that software in

## universe WILL NOT receive any review or updates from the Ubuntu security

## team.

deb http://de.archive.ubuntu.com/ubuntu/ gutsy universe

deb-src http://de.archive.ubuntu.com/ubuntu/ gutsy universe

deb http://de.archive.ubuntu.com/ubuntu/ gutsy-updates universe

deb-src http://de.archive.ubuntu.com/ubuntu/ gutsy-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu

## team, and may not be under a free licence. Please satisfy yourself as to

## your rights to use the software. Also, please note that software in

## multiverse WILL NOT receive any review or updates from the Ubuntu

## security team.

deb http://de.archive.ubuntu.com/ubuntu/ gutsy multiverse

deb-src http://de.archive.ubuntu.com/ubuntu/ gutsy multiverse

deb http://de.archive.ubuntu.com/ubuntu/ gutsy-updates multiverse

deb-src http://de.archive.ubuntu.com/ubuntu/ gutsy-updates multiverse

## Uncomment the following two lines to add software from the 'backports'

## repository.

## N.B. software from this repository may not have been tested as

## extensively as that contained in the main release, although it includes

## newer versions of some applications which may provide useful features.

## Also, please note that software in backports WILL NOT receive any review

## or updates from the Ubuntu security team.

# deb http://de.archive.ubuntu.com/ubuntu/ gutsy-backports main restricted universe multiverse

# deb-src http://de.archive.ubuntu.com/ubuntu/ gutsy-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's

## 'partner' repository. This software is not part of Ubuntu, but is

## offered by Canonical and the respective vendors as a service to Ubuntu

## users.

# deb http://archive.canonical.com/ubuntu gutsy partner

# deb-src http://archive.canonical.com/ubuntu gutsy partner

deb http://security.ubuntu.com/ubuntu gutsy-security main restricted

deb-src http://security.ubuntu.com/ubuntu gutsy-security main restricted

deb http://security.ubuntu.com/ubuntu gutsy-security universe

deb-src http://security.ubuntu.com/ubuntu gutsy-security universe

deb http://security.ubuntu.com/ubuntu gutsy-security multiverse

deb-src http://security.ubuntu.com/ubuntu gutsy-security multiverse

Then run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any).

9 Change The Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

ln -sf /bin/bash /bin/sh

If you don’t do this, the ISPConfig installation will fail.

10 Install Some Software

Now we install a few packages that are needed later on. Run

apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.3-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential

(This command must go into one line!)

11 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, run

apt-get install quota

Edit /etc/fstab. Mine looks like this (I added ,usrquota,grpquota to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
#                
proc            /proc           proc    defaults        0       0
# /dev/sda1
UUID=9fc157ff-975c-4f20-9fef-6a70085abdbd /               ext3    defaults,errors=remount-ro,usrquota,grpquota 0       1
# /dev/sda5
UUID=48fb7dd8-f099-4d63-ac1b-30e886ac7436 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec 0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec 0       0

To enable quota, run these commands:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /

quotacheck -avugm
quotaon -avug

12 DNS Server

Run

apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS=”-u bind” so that it reads OPTIONS=”-u bind -t /var/lib/named”:

vi /etc/default/bind9

OPTIONS="-u bind -t /var/lib/named"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We need to modify /etc/default/syslogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD=”" so that it reads: SYSLOGD=”-a /var/lib/named/dev/log”:

vi /etc/default/syslogd

#
# Top configuration file for syslogd
#

#
# Full documentation of possible arguments are found in the manpage
# syslogd(8).
#

#
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start

13 MySQL

In order to install MySQL, we run

apt-get install mysql-server mysql-client libmysqlclient15-dev

You will be asked to provide a password for the MySQL root user – this password is valid for the user root@localhost as well as root@server1.example.com, so we don’t have to specify a MySQL root password manually later on (as was the case with previous Ubuntu versions):

New password for the MySQL “root” user: <– yourrootsqlpassword

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
#
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 5286/mysqld
root@server1:~#

14 Postfix With SMTP-AUTH And TLS

In order to install Postfix with SMTP-AUTH and TLS do the following steps:

apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules libdb3-util procmail

You will be asked two questions. Answer as follows:

General type of mail configuration: <– Internet Site
System mail name: <– server1.example.com

Then run

dpkg-reconfigure postfix

Again, you’ll be asked some questions:

General type of mail configuration: <– Internet Site
System mail name: <– server1.example.com
Root and postmaster mail recipient: <– [blank]
Other destinations to accept mail for (blank for none): <– server1.example.com, localhost.example.com, localhost.localdomain, localhost
Force synchronous updates on mail queue? <– No
Local networks: <– 127.0.0.0/8
Use procmail for local delivery? <– Yes
Mailbox size limit: <– 0
Local address extension character: <– +
Internet protocols to use: <– all

Next, do this:

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):

postconf -e ‘myhostname = server1.example.com’
postconf -e ‘smtpd_tls_auth_only = no’
postconf -e ‘smtp_use_tls = yes’
postconf -e ‘smtpd_use_tls = yes’
postconf -e ‘smtp_tls_note_starttls_offer = yes’
postconf -e ‘smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key’
postconf -e ‘smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt’
postconf -e ‘smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem’
postconf -e ‘smtpd_tls_loglevel = 1′
postconf -e ‘smtpd_tls_received_header = yes’
postconf -e ‘smtpd_tls_session_cache_timeout = 3600s’
postconf -e ‘tls_random_source = dev:/dev/urandom’

The file /etc/postfix/main.cf should now look like this:

cat /etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Restart Postfix:

/etc/init.d/postfix restart

Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS=”-c” to OPTIONS=”-c -m /var/spool/postfix/var/run/saslauthd -r”:

vi /etc/default/saslauthd

#
# Settings for saslauthd daemon
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Now start saslauthd:

/etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH PLAIN LOGIN

everything is fine.

The output on my system looks like this:

root@server1:/etc/postfix/ssl# telnet localhost 25
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
220 server1.example.com ESMTP Postfix (Ubuntu)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@server1:/etc/postfix/ssl#

Type

quit

to return to the system’s shell.

15 Courier-IMAP/Courier-POP3

Run this to install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995):

apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0

You will be asked two questions:

Create directories for web-based administration ? <– No
SSL certificate required <– Ok

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user’s Maildir*:

postconf -e ‘home_mailbox = Maildir/’
postconf -e ‘mailbox_command =’
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please go sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.

16 Apache/PHP5

Now we install Apache:

apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert

Next we install PHP5:

apt-get install libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

You will be asked the following question:

Continue installing libc-client without Maildir support? <– Yes

Next we edit /etc/apache2/mods-available/dir.conf:

vi /etc/apache2/mods-available/dir.conf

and change the DirectoryIndex line:



          #DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
          DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

Now we have to enable some Apache modules (SSL, rewrite, suexec, and include):

a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include

Reload the Apache configuration:

/etc/init.d/apache2 force-reload

16.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

To disable PHP globally, we edit /etc/mime.types and comment out the application/x-httpd-php lines:

vi /etc/mime.types

[...]
#application/x-httpd-php                                phtml pht php
#application/x-httpd-php-source                 phps
#application/x-httpd-php3                       php3
#application/x-httpd-php3-preprocessed          php3p
#application/x-httpd-php4                       php4
[...]

Edit /etc/apache2/mods-enabled/php5.conf and comment out the following lines:

vi /etc/apache2/mods-enabled/php5.conf


  #AddType application/x-httpd-php .php .phtml .php3
  #AddType application/x-httpd-php-source .phps

Then restart Apache:

/etc/init.d/apache2 restart

17 Proftpd

In order to install Proftpd, run

apt-get install proftpd ucf

You will be asked a question:

Run proftpd from inetd or standalone? <– standalone

Then open /etc/proftpd/proftpd.conf and change UseIPv6 from on to off; otherwise you’ll get a warning like this when you start Proftpd:

If you get a message like this:

– IPv6 getaddrinfo ‘server1.example.com’ error: Name or service not known

you can either modify /etc/hosts and add server1.example.com to the ::1 line:

vi /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback server1.example.com
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

… or you can open /etc/proftpd/proftpd.conf and change UseIPv6 from on to off

vi /etc/proftpd/proftpd.conf

[...]
UseIPv6                         off
[...]

For security reasons you can also add the following lines to /etc/proftpd/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.org/localsite/Userguide/linked/userguide.html):

vi /etc/proftpd/proftpd.conf

[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
[...]

ISPConfig expects the configuration to be in /etc/proftpd.conf instead of /etc/proftpd/proftpd.conf, therefore we create a symlink (you can skip this command if you don’t want to install ISPConfig):

ln -s /etc/proftpd/proftpd.conf /etc/proftpd.conf

Then restart Proftpd:

/etc/init.d/proftpd restart

18 Webalizer

To install webalizer, just run

apt-get install webalizer

19 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.

20 Install Some Perl Modules Needed By SpamAssassin (Comes With ISPConfig)

Run

apt-get install libhtml-parser-perl libdb-file-lock-perl libnet-dns-perl

21 ISPConfig

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it. Please check out the ISPConfig installation manual: http://www.ispconfig.org/manual_installation.htm

21.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Ubuntu’s suExec is compiled with /var/www as Doc_Root. Run

/usr/lib/apache2/suexec -V

and the output should look like this:

root@server1:~# /usr/lib/apache2/suexec -V
-D AP_DOC_ROOT=”/var/www”
-D AP_GID_MIN=100
-D AP_HTTPD_USER=”www-data”
-D AP_LOG_EXEC=”/var/log/apache2/suexec.log”
-D AP_SAFE_PATH=”/usr/local/bin:/usr/bin:/bin”
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX=”public_html”
root@server1:~#

The following screenshot is taken from an ISPConfig installation in expert mode. If you want to use ISPConfig, then don’t change the default web root:

22 Links

Ubuntu: http://www.ubuntu.com
ISPConfig: http://www.ispconfig.org