Project

General

Profile

Ubuntu 12.04 Internet Server with ISPConfig

Technical documentation
01/10/2013

This is a guide to deploy a very common server configuration capable of handling web services, email, DNS, Database, and even VPS support. This guide covers a single server setup, however this setup can be scaled up if built properly. This server configuration is the default server configuration for GNet Cyber Solutions.

Get and install Ubuntu 12.04

Hostname:server1.example.com
IP Address: 192.168.0.100

1. Just install the SSH server.

This will be a a headless deployment. Log in as root

2. Install vim-nox

apt-get install vim-nox

3. Configure network insterfaces in /etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        dns-nameservers 8.8.8.8 8.8.4.4

4. Restart network services with /etc/init.d/networking restart

5. Configure hosts in /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

6. Set hostname and restart hostname service with:
echo server1.example.com > /etc/hostname
/etc/init.d/hostname restart

7. Verify hostname was set with:

hostname
hostname -f

Output should be server1.example.com

8. Configure Network time:

apt-get install ntp ntpdate

9. Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo

The built in configuration script will ask the following:

  • New password for the MySQL "root" user: <-- yourrootsqlpassword
  • Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
  • General type of mail configuration: <-- Internet Site with smart relay
  • System mail name: <-- server1.example.com

10. Secure the SMTP server by adding the TLS/SSL and submission ports in /etc/postfix/master.cf

[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

11. Restart Postfix with /etc/init.d/postfix restart

12. Allow MySQL connections from local network only by editing /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address           = 192.168.0.1
[...]

13. Restart MySQL with /etc/init.d/mysql restart

14. Install Amavisd-new, SpamAssassin, And Clamav

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop
update-rc.d -f spamassassin remove

15. Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-curl php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-python libapache2-mod-perl2

Configure as such:
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, include, dav, dav_fs, and auth_digest:

a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest

16. Restart Apache with /etc/init.d/apache2 restart

[OPTIONAL] To enable Ruby on sites hosted from this server, comment out the ruby application definition /etc/mime.types

[...]
#application/x-ruby                             rb
[...]

17. Restart Apache with */etc/init.d/apache2 restart*

18. Install Xcache

Xcache is a free and open PHP opcode cacher for caching and optimizing PHP intermediate code. It's similar to other PHP opcode cachers, such as eAccelerator and APC. It is strongly recommended to have one of these installed to speed up your PHP page.

apt-get install php5-xcache

19. Restart Apache with /etc/init.d/apache2 restart

20. Install PHP-FPM

Starting with the upcoming ISPConfig 3.0.5, there will be an additional PHP mode that you can select for usage with Apache: PHP-FPM. If you plan to use this PHP mode, it makes sense to configure your system for it now so that later on when you upgrade to ISPConfig 3.0.5, your system is prepared (the latest ISPConfig version at the time of this writing is ISPConfig 3.0.4.4).

To use PHP-FPM with Apache, we need the mod_fastcgi Apache module (please don't mix this up with mod_fcgid - they are very similar, but you cannot use PHP-FPM with mod_fcgid). We can install PHP-FPM and mod_fastcgi as follows:

apt-get install libapache2-mod-fastcgi php5-fpm

21. Make sure you enable the module and restart Apache:

a2enmod actions fastcgi alias
/etc/init.d/apache2 restart

22. Install PureFTPd and Quota

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

23. Configure PureFTPd in /etc/default/pure-ftpd-common

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Now configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

echo 1 > /etc/pure-ftpd/conf/TLS

24. Create a temporary self-signed SSL certificate for PureFTPd

mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name
Locality Name (eg, city) []: <-- Enter your City
Organization Name (eg, company) []: <-- Enter your Organization Name
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name
Common Name (eg, server name) []: <-- Enter the Fully Qualified Domain Name of the system
Email Address []: <-- Enter your Email Address

25. Make the key accessible by the key owner

chmod 600 /etc/ssl/private/pure-ftpd.pem

26. Restart PureFTPd with /etc/init.d/pure-ftpd-mysql restart

27. Setup Quota for hard drives by adding usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to drive options in /etc/fstab like so

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/server1-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
# /boot was on /dev/sda1 during installation
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /boot           ext2    defaults        0       2
/dev/mapper/server1-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0

28. Remount the currently mounted / partition

mount -o remount /

29. Initialize the Quota

quotacheck -avugm
quotaon -avug

30. Install BIND DNS Server

apt-get install bind9 dnsutils

31. Install Vlogger, Webalizer, AWstats

apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl

32. Comment out everything in /etc/cron.d/awstats

#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

33. Install Jailkit

Important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!)

First resolve the dependencies for Jailkit

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold

Then build Jailkit install package

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar xvfz jailkit-2.16.tar.gz
cd jailkit-2.16
./debian/rules binary

Install the Jailkit package

cd ..
dpkg -i jailkit_2.16-1_*.deb
rm -rf jailkit-2.16*

34. Install fail2ban

apt-get install fail2ban

To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

Create PureFTPd filter in /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

Create the Dovecot POP3/IMAP filter in /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =

Restart fail2ban with /etc/init.d/fail2ban restart

Install SquirrelMail

apt-get install squirrelmail

Configure SquirrelMail

squirrelmail-configure

  1. D - Set pre-defined settings for specific IMAP servers
  2. Set for dovecot
  3. S - Save the configuration data
  4. Q - Quit the configuration

Now we will configure SquirrelMail so that you can use it from within your web sites (created through ISPConfig) by using the /squirrelmail or /webmail aliases. So if your website is www.example.com, you will be able to access SquirrelMail using www.example.com/squirrelmail or www.example.com/webmail.

SquirrelMail's Apache configuration is in the file /etc/squirrelmail/apache.conf, but this file isn't loaded by Apache because it is not in the /etc/apache2/conf.d/ directory. To fix this create a symlink called squirrelmail.conf in the /etc/apache2/conf.d/ directory that points to /etc/squirrelmail/apache.conf and reload Apache afterwards:

cd /etc/apache2/conf.d/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
/etc/init.d/apache2 reload

Edit /etc/apache2/conf.d/squirrelmail.conf and add the following lines to the <Directory /usr/share/squirrelmail></Directory> container that make sure that mod_php is used for accessing SquirrelMail, regardless of what PHP mode you select for your website in ISPConfig:

[...]
<Directory /usr/share/squirrelmail>
  Options FollowSymLinks
  <IfModule mod_php5.c>
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
    php_admin_flag allow_url_fopen Off
    php_value include_path .
    php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
    php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname:/var/spool/squirrelmail
    php_flag register_globals off
  </IfModule>
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>
  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>
[...]

Create temporary storage directory for SquirrelMail


mkdir /var/lib/squirrelmail/tmp

And make it owned by the user www-data:

chown www-data /var/lib/squirrelmail/tmp

Reload Apache again

/etc/init.d/apache2 reload

That's it already - /etc/apache2/conf.d/squirrelmail.conf defines an alias called /squirrelmail that points to SquirrelMail's installation directory /usr/share/squirrelmail.

You can now access SquirrelMail from your web site as follows:

http://192.168.0.100/squirrelmail
http://www.example.com/squirrelmail

You can also access it from the ISPConfig control panel vhost (after you have installed ISPConfig, see the next chapter) as follows (this doesn't need any configuration in ISPConfig):

http://server1.example.com:8080/squirrelmail

If you'd like to use the alias /webmail instead of /squirrelmail, simply add to /etc/apache2/conf.d/squirrelmail.conf.

Alias /squirrelmail /usr/share/squirrelmail
Alias /webmail /usr/share/squirrelmail

Reload Apache

/etc/init.d/apache2 reload

Now you can access Squirrelmail as follows:

http://192.168.0.100/webmail
http://www.example.com/webmail
http://server1.example.com:8080/webmail (after you have installed ISPConfig, see the next chapter)

If you'd like to define a vhost like webmail.example.com where your users can access SquirrelMail, you'd have to add the following vhost configuration to /etc/apache2/conf.d/squirrelmail.conf

<VirtualHost 0.0.0.0:80>
  DocumentRoot /usr/share/squirrelmail
  ServerName webmail.example.com
</VirtualHost>

Make sure you replace 0.0.0.0 with the correct IP address of your server. Of course, there must be a DNS record for webmail.example.com that points to the IP address that you use in the vhost configuration. Also make sure that the vhost webmail.example.com does not exist in ISPConfig (otherwise both vhosts will interfere with each other!).

Reload Apache

/etc/init.d/apache2 reload

Install ISPConfig 3

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

Then run the install script

php -q install.php

--------------------------------------------------------------------------------
_ _______ _ _ _ _ |_ / _| _ \ / _ \ / /_ \ | | \ `--.| |_/ / | / \/ __ _ _ | |_ _ __ _ _/ / | | `--. \ / | | / _ \| '_ \| | |/ _` | | |
| |/\
/ / | | \__/\ () | | | | | | | (_| | _\ \
\
/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/
__/ | |___/
--------------------------------------------------------------------------------

Initial configuration

Operating System: Debian or compatible, unknown version.

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- yourrootsqlpassword

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 2048 bit RSA private key
...........+++
.....................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
.......++
.........................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2543
  • Stopping Postfix Mail Transport Agent postfix
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    ...done.
  • Starting Postfix Mail Transport Agent postfix
    postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    /usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
    ...done.
    Stopping amavisd: (not running).
    The amavisd daemon is already running, PID: [1126]
    Starting amavisd: (failed).
  • Stopping ClamAV daemon clamd
    ...done.
  • Starting ClamAV daemon clamd
    ...done.
    Rather than invoking init scripts through /etc/init.d, use the service(8)
    utility, e.g. service dovecot restart
Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3668
  • Restarting Mailman master qrunner mailmanctl
  • Waiting...
    ...done.
    ...done.
  • Restarting web server apache2
    ... waiting . ...done.
    Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -E -H -Y 1 -O clf:/var/log/pure-ftpd/transfer.log -8 UTF-8 -b -D -A -u 1000 -B
    Installation completed.
    root@server1:/tmp/ispconfig3_install/install#

The installer automatically configures all underlying services, so no manual configuration is needed.

You now also have the possibility to let the installer create an SSL vhost for the ISPConfig control panel, so that ISPConfig can be accessed using https:// instead of http://. To achieve this, just press ENTER when you see this question: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Afterwards you can access ISPConfig 3 under http(s)://server1.example.com:8080/ or http(s)://192.168.0.100:8080/ ( http or https depends on what you chose during installation). Log in with the username admin and the password admin (you should change the default password after your first login):

The system is now ready to be used.

Files