Perfect Server Series: CentOS 4.6 Server Setup: LAMP, Email, DNS, FTP, ISPConfig

CentOS 4.6 Server Setup: LAMP, Email, DNS, FTP, ISPConfig (a.k.a. The Perfect Server)

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 12/17/2007

This tutorial shows how to set up a CentOS 4.6 based server that offers all services needed by ISPs and web hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Dovecot POP3/IMAP, Quota, Firewall, etc. This tutorial is written for the 32-bit version of CentOS 4.6, but should apply to the 64-bit version with very little modifications as well.

I will use the following software:

• Web Server: Apache 2.0.x
• Database Server: MySQL 4.1
• Mail Server: Postfix
• DNS Server: BIND9 (chrooted!)
• FTP Server: proftpd
• POP3/IMAP server: dovecot
• Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Requirements

To install such a system you will need the following:

• Download the CentOS 4.6 DVD or the four CD iso images from a mirror near you (the list of mirrors can be found here: http://www.centos.org/modules/tinycontent/index.php?id=13).
• a fast internet connection…

1 Install The Base System

Boot from your CentOS 4.6 DVD or CD (CD 1).

It can take a long time to test the installation media so we skip this test here:

The welcome screen of the CentOS installer appears. Click on Next:

Choose your language next:

Select your keyboard layout:

We want to install a server so we choose Server here:

Next we do the partitioning. Select Automatically partition. This will give you a smalll /boot partition and a large / partition which is fine for our purposes:

I’m installing CentOS 4.6 on a fresh system, so I answer Yes to the question Would you like to initialize this drive, erasing ALL DATA?

Select Remove all partitions on this system.

We want to remove all Linux partitions, so we answer Yes to the following question:

The installer presents you an overview of our new partitions. Click on Next:

Now the boot loader GRUB will be installed. You can leave the default settings unchanged and click on Next:

On to the network settings. The default setting here is to configure the network interfaces with DHCP, but we are installing a server, so static IP addresses are not a bad idea… Click on the Edit button at the top right. In the window that pops up uncheck Configure using DHCP and give your network card a static IP address (in this tutorial I’m using the IP address 192.168.0.100 for demonstration purposes):

Set the hostname manually, e.g. server1.example.com, and enter a gateway (e.g. 192.168.0.1) and up to three DNS servers (e.g. 213.191.92.86, 145.253.2.75, and 193.174.32.18):

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That’s why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn’t use any other firewall later on as it will most probably interfere with the CentOS firewall).

SELinux is a security extension of CentOS that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Click on Proceed:

Select the default language for the system and add further languages, if necessary:

Choose your time zone:

Give root a password:

Now we are to select the package groups we want to install. Select Editors, Text Based Internet, Server Configuration Tools, Web Server, Mail Server, DNS Name Server, FTP Server, MySQL Database, Development Tools, Administration Tools and System Tools and click on Next:

Click on Next to start the installation:

The hard drive is being partitioned:

The installation begins. This will take a few minutes:

Finally, the installation is complete, and you can remove your CD from the computer and reboot it:

Now, on to the configuration…

2 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

# Do not remove the following line, or various programs

# that require network functionality will fail.

127.0.0.1               localhost.localdomain localhost

192.168.0.100           server1.example.com server1

3 Configure Additional IP Addresses

(This section is totally optional. It just shows how to add additional IP addresses to your network interface eth0 if you need more than one IP address. If you’re fine with one IP address, you can skip this section.)

Let’s assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:

cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0

BOOTPROTO=static

BROADCAST=192.168.0.255

HWADDR=00:0C:29:CD:66:08

IPADDR=192.168.0.100

NETMASK=255.255.255.0

NETWORK=192.168.0.0

ONBOOT=yes

TYPE=Ethernet

Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this (we can leave out the HWADDR line as it is the same physical network card):

vi /etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0

BOOTPROTO=static

BROADCAST=192.168.0.255

IPADDR=192.168.0.101

NETMASK=255.255.255.0

NETWORK=192.168.0.0

ONBOOT=yes

TYPE=Ethernet

Afterwards we have to restart the network:

/etc/init.d/network restart

You might also want to adjust /etc/hosts after you have added new IP addresses, although this is not necessary.

Now run

ifconfig

You should now see your new IP address in the output:

[root@server1 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:CD:66:08
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fecd:6608/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:373 errors:0 dropped:0 overruns:0 frame:0
TX packets:385 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:31529 (30.7 KiB) TX bytes:64449 (62.9 KiB)
Interrupt:177 Base address:0x1400

eth0:0 Link encap:Ethernet HWaddr 00:0C:29:CD:66:08
inet addr:192.168.0.101 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:177 Base address:0x1400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

[root@server1 ~]#

4 Configure The Firewall

(You can skip this chapter if you have already disabled the firewall during the basic system installation.)

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That’s why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn’t use any other firewall later on as it will most probably interfere with the CentOS firewall).

Run

system-config-securitylevel

Select Disabled and press OK.

To check that the firewall has really been disabled, you can run

iptables -L

afterwards. The output should look like this:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server1 ~]#

5 Disable SELinux

(You can skip this chapter if you have already disabled SELinux during the basic system installation.)

SELinux is a security extension of CentOS that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

vi /etc/selinux/config

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#       enforcing - SELinux security policy is enforced.

#       permissive - SELinux prints warnings instead of enforcing.

#       disabled - SELinux is fully disabled.

SELINUX=disabled

# SELINUXTYPE= type of policy in use. Possible values are:

#       targeted - Only targeted network daemons are protected.

#       strict - Full SELinux protection.

SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

6 Install Some Software

First we import the GPG keys for software packages:

rpm –import /usr/share/rhn/RPM-GPG-KEY*

Then we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils gcc gcc-c++

7 Quota

To install quota, we run this command:

yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):

vi /etc/fstab

# This file is edited by fstab-sync - see 'man fstab-sync' for details

/dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota        1 1

LABEL=/boot             /boot                   ext3    defaults        1 2

none                    /dev/pts                devpts  gid=5,mode=620  0 0

none                    /dev/shm                tmpfs   defaults        0 0

none                    /proc                   proc    defaults        0 0

none                    /sys                    sysfs   defaults        0 0

/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

/dev/hdc                /media/cdrecorder       auto    pamconsole,exec,noauto,managed 0 0

/dev/fd0                /media/floppy           auto    pamconsole,exec,noauto,managed 0 0

Then run

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

to enable quota.

8 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot

Then do this:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
chkconfig –levels 235 named on
/etc/init.d/named start

BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

9 MySQL (4.1)

To install MySQL, we do this:

yum install mysql mysql-devel mysql-server

The MySQL init script on CentOS might cause problems when you try to restart MySQL. In some cases it tries to start MySQL before the old MySQL process has stopped which leads to a failure. The solution is to edit the restart section of /etc/init.d/mysqld and add a few seconds delay between the stop and the start of MySQL.

Edit /etc/init.d/mysqld:

vi /etc/init.d/mysqld

and change this section:

[...]

restart(){

    stop

    start

}

[...]

so that it looks like this:

[...]

restart(){

    stop

    sleep 3

    start

}

[...]

This adds a three second delay between the stop and start of MySQL.

Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:

chkconfig –levels 235 mysqld on
/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap | grep mysql

It should show something like this:

[root@server1 ~]# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 3590/mysqld
[root@server1 ~]#

If it does not, edit /etc/my.cnf and comment out the option skip-networking:

vi /etc/my.cnf

[...]

#skip-networking

[...]

and restart your MySQL server:

/etc/init.d/mysqld restart

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

10 Postfix With SMTP-AUTH And TLS

Now we install Postfix and dovecot (dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Next we configure SMTP-AUTH and TLS:

postconf -e ‘smtpd_sasl_local_domain =’
postconf -e ‘smtpd_sasl_auth_enable = yes’
postconf -e ‘smtpd_sasl_security_options = noanonymous’
postconf -e ‘broken_sasl_auth_clients = yes’
postconf -e ‘smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination’
postconf -e ‘inet_interfaces = all’
postconf -e ‘mynetworks = 127.0.0.0/8’

We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins. On a 64Bit Centos 4.6 you must edit the file /usr/lib64/sasl2/smtpd.conf instead. It should look like this:

vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd

mech_list: plain login

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e ‘smtpd_tls_auth_only = no’
postconf -e ‘smtp_use_tls = yes’
postconf -e ‘smtpd_use_tls = yes’
postconf -e ‘smtp_tls_note_starttls_offer = yes’
postconf -e ‘smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key’
postconf -e ‘smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt’
postconf -e ‘smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem’
postconf -e ‘smtpd_tls_loglevel = 1’
postconf -e ‘smtpd_tls_received_header = yes’
postconf -e ‘smtpd_tls_session_cache_timeout = 3600s’
postconf -e ‘tls_random_source = dev:/dev/urandom’

Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your own hostname):

postconf -e ‘myhostname = server1.example.com’

After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):

cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/libexec/postfix

mail_owner = postfix

inet_interfaces = all

mydestination = $myhostname, localhost.$mydomain, localhost

unknown_local_recipient_reject_code = 550

alias_maps = hash:/etc/aliases

alias_database = hash:/etc/aliases

debug_peer_level = 2

debugger_command =

         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

         xxgdb $daemon_directory/$process_name $process_id & sleep 5sendmail_path = /usr/sbin/sendmail.postfix

newaliases_path = /usr/bin/newaliases.postfix

mailq_path = /usr/bin/mailq.postfix

setgid_group = postdrop

html_directory = no

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix-2.2.10/samples

readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES

smtpd_sasl_local_domain =

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

mynetworks = 127.0.0.0/8

smtpd_tls_auth_only = no

smtp_use_tls = yes

smtpd_use_tls = yes

smtp_tls_note_starttls_offer = yes

smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key

smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt

smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

myhostname = server1.example.com

By default, CentOS’ dovecot daemon provides only IMAP and IMAPs services. Because we also want POP3 and POP3s we must configure dovecot to do so. We edit /etc/dovecot.conf and put the line protocols = imap imaps pop3 pop3s into it:

vi /etc/dovecot.conf

[...]

# Base directory where to store runtime data.

#base_dir = /var/run/dovecot/# Protocols we want to be serving:

#  imap imaps pop3 pop3s

protocols = imap imaps pop3 pop3s

[...]

Now start Postfix, saslauthd, and dovecot:

chkconfig –levels 235 sendmail off
chkconfig –levels 235 postfix on
chkconfig –levels 235 saslauthd on
chkconfig –levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH LOGIN PLAIN

everything is fine.

[root@server1 ssl]# telnet localhost 25
Trying 127.0.0.1…
Connected to localhost.localdomain (127.0.0.1).
Escape character is ‘^]’.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
[root@server1 ssl]#

Type

quit

to return to the system’s shell.

10.1 Maildir

dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user’s Maildir:

postconf -e ‘home_mailbox = Maildir/’
postconf -e ‘mailbox_command =’
/etc/init.d/postfix restart

11 Apache2 With PHP

Now we install Apache with PHP (this is PHP 4.3.9; CentOS does not provide PHP5 packages):

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel

Then edit /etc/httpd/conf/httpd.conf:

vi /etc/httpd/conf/httpd.conf

and change DirectoryIndex to

[...]

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl

[...]

Now configure your system to start Apache at boot time:

chkconfig –levels 235 httpd on

Start Apache:

/etc/init.d/httpd start

11.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddType line:

vi /etc/httpd/conf.d/php.conf

#

# PHP is an HTML-embedded scripting language which attempts to make it

# easy for developers to write dynamically generated webpages.

#LoadModule php4_module modules/libphp4.so

#

# Cause the PHP interpreter to handle files with a .php extension.

#

#AddType application/x-httpd-php .php

# AddType application/x-httpd-php-source .phps

#

# Add index.php to the list of files that will be served as directory

# indexes.

#

DirectoryIndex index.php

Afterwards we restart Apache:

/etc/init.d/httpd restart

12 ProFTPd

ISPConfig has better support for proftpd than vsftpd, so let’s remove vsftpd:

yum remove vsftpd

Because CentOS has no proftpd package, we must use a third-party yum repository to install it:

cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
rpm –import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt

Now we can install proftpd:

yum install proftpd

Let’s create proftpd‘s system startup links and start it:

chkconfig –levels 235 proftpd on
/etc/init.d/proftpd start

Then create the file /etc/pam.d/ftp with the following content (otherwise you will not be able to log in with system users using FTP):

vi /etc/pam.d/ftp

#%PAM-1.0

auth    required        pam_unix.so     nullok

account required        pam_unix.so

session required        pam_unix.so

and restart proftpd:

/etc/init.d/proftpd restart

13 Webalizer

To install webalizer, just run

yum install webalizer

14 Synchronize The System Clock

If you want to have the system clock synchronized with an NTP server do the following:

yum install ntp

chkconfig –levels 235 ntpd on
ntpdate 0.pool.ntp.org
/etc/init.d/ntpd start

15 Install Some Perl Modules

ISPConfig comes with SpamAssassin which needs a few Perl modules to work. We install the required Perl modules with a single command:

yum install perl-DBI perl-Net-DNS perl-Digest-SHA1

We also need the module HTML::Parser. We could install the CentOS package perl-HTML-Parser, but this version is too old for the SpamAssassin version that comes with ISPConfig. It would result in the following error message during ISPConfig installation:

REQUIRED module out of date: HTML::Parser

Therefore we must install the latest HTML::Parser using the Perl shell.

Run the following command to start the Perl shell:

perl -MCPAN -e shell

If you run the Perl shell for the first time you will be asked some questions. In most cases the default answers are ok. Because there’s no ncftp package for CentOS, the Perl shell cannot find the programs ncftpget and ncftp, and you’ll see something like this:

Warning: ncftpget not found in PATH
Where is your ncftpget program? []
Warning: ncftp not found in PATH
Where is your ncftp program? []

It’s ok to hit ENTER in both cases.

Please note: If you run a firewall on your system you might have to turn it off while working on the Perl shell in order for the Perl shell to be able to fetch the needed modules without a big delay. You can switch it on afterwards.

Now type in the following command to install the Perl module HTML::Parser:

install HTML::Parser

If the installation is successful, you’ll see a line like this at the end:

/usr/bin/make install — OK

Type

q

afterwards to leave the Perl shell.

16 The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.

16.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as CentOS’ suExec is compiled with /var/www as Doc_Root. Run

/usr/sbin/suexec -V

and the output should look like this:

[root@server1 ~]# /usr/sbin/suexec -V
-D AP_DOC_ROOT=”/var/www”
-D AP_GID_MIN=100
-D AP_HTTPD_USER=”apache”
-D AP_LOG_EXEC=”/var/log/httpd/suexec.log”
-D AP_SAFE_PATH=”/usr/local/bin:/usr/bin:/bin”
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX=”public_html”
[root@server1 ~]#

So if you want to use suExec with ISPconfig, don’t change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can’t change the web root anyway so you’ll be able to use suExec in any case).

17 Links

• CentOS: http://www.centos.org
• ISPConfig: http://www.ispconfig.org

other
click here
click here
clicky
other
other
other
friendly link
friendly link
read more
read more
friendly link
clicky
click here
friendly link