GNet Solutions » GNU/Linux Administration

Installing The Web Server¶

Set the hostname of the server:

echo web.example.com > /etc/hostname
/etc/init.d/hostname.sh start

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run:

apt-get -y install ntp ntpdate

Install the MySQL server¶

A MySQL server instance is necessary on every server as ISPConfig uses it to sync the configuration between the servers:

apt-get -y install mysql-client mysql-server

Enter the new password for MySQL when requested by the installer.

We want* MySQL to listen on all interfaces* on the master server, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

...

1. Instead of skip-networking the default is now to listen only on
2. localhost which is more compatible and is not less secure.
   #bind-address = 127.0.0.1
   ...

Then restart MySQL:

service mysql restart

Now install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt as follows:

apt-get -y install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-curl php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-perl2 sudo zip wget

Web server to reconfigure automatically: apache2

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include:

a2enmod suexec rewrite ssl actions include ruby dav_fs dav auth_digest

PureFTPd¶

Install PureFTPd and quota with the following command:

apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool

Note: As of writing this there is no quota support for the virtualization solution used, LXC. Keep this in mind, as not to install unneeded packages.

Edit the file /etc/default/pure-ftpd-common

vi /etc/default/pure-ftpd-common

and make sure virtualchroot is set VIRTUALCHROOT=true:

...
VIRTUALCHROOT=true
...

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run:

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 /               ext3    errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0       1
# swap was on /dev/sda5 during installation
UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

mount -o remount /
quotacheck -avugm
quotaon -avug

Install vlogger, webalizer, and awstats:

apt-get -y install vlogger webalizer awstats

Open /etc/cron.d/awstats afterwards:

vi /etc/cron.d/awstats

Comment out both cron jobs in that file:

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

1. Generate static reports:
   #10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

Install Jailkit:

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get -y install build-essential autoconf automake1.9 libtool flex bison debhelper

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary
cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*

Install fail2ban: This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban

To make fail2ban monitor PureFTPd, create the file /etc/fail2ban/jail.local:

vi /etc/fail2ban/jail.local

[pureftpd]

enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

Then create the following filter file:

vi /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

Restart fail2ban afterwards:

/etc/init.d/fail2ban restart

Install ISPConfig 3.¶

To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/

This server is will be configured to be the master server in our setup which runs the ISPConfig control panel interface.
Note: To add web server without the ISPConfig interface, make sure to select No at the "Install ISPConfig Web-Interface" option during the ISPConfig setup.

To allow the other MySQL instances to connect to the MySQL database on this node during installation, we have to add MySQL root user records in the master database for every slave server hostname and IP address.

The easiest way to do this is to use the web based phpmyadmin administration tool that we installed already. Open the URL http://192.168.0.105/phpmyadmin in a web browser, log in as MySQL root user and execute these MySQL queries:

• Mail server IP
  

  CREATE USER 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword';
  GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
  

• Database server IP
  

  CREATE USER 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword';
  GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
  

• Name server IP
  

  CREATE USER 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword';
  GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
  

• Mail server hostname
  

  CREATE USER 'root'@'mail.example.com' IDENTIFIED BY 'myrootpassword';
  GRANT ALL PRIVILEGES ON * . * TO 'root'@'mail.example.com' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
  

• Database server hostname
  

  CREATE USER 'root'@'db.example.com' IDENTIFIED BY 'myrootpassword';
  GRANT ALL PRIVILEGES ON * . * TO 'root'@'db.example.com' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
  

• Name server hostname
  

  CREATE USER 'root'@'ns1.example.com' IDENTIFIED BY 'myrootpassword';
  GRANT ALL PRIVILEGES ON * . * TO 'root'@'ns1.example.com' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
  

In the above sql commands, replace the IP adresses (192.168.0.106 - 192.168.0.108) with the IP addresses of your servers and replace mail.example.com, db.example.com, and ns1.example.com with the hostnames of your servers and myrootpassword with the desired root password.

Click on the reload permissions button, flush privileges, or restart MySQL. Then close phpmyadmin.

Go back to the shell of web.example.com and download the latest ISPConfig 3 stable release:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

Then start the install script:

php -q install.php

Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server2.domain.com [web.example.com]: <-- web.example.com
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- n
Configure Mail (y,n) [y]: <-- n
Configure Jailkit (y,n) [y]: <-- y
Configure FTP Server (y,n) [y]: <-- y
Configure DNS Server (y,n) [y]: <-- n
Configure Apache Server (y,n) [y]: <-- y
Configure Firewall Server (y,n) [y]: <-- y
Install ISPConfig Web-Interface (y,n) [y]: <-- y
ISPConfig Port [8080]: <-- 8080
Enable SSL for the ISPConfig web interface (y,n) [y]: <-- y
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER

Clean up the install directories:

cd /tmp
rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz

Adjust The Server Settings In ISPConfig¶

Log into ISPConfig on the master server with a web browser:

firefox http://192.168.0.105:8080

• Click on System -> Server services -> web.example.com

Disable all checkboxes except of the Webserver and Fileserver checkbox and click on Save.

• Click on System -> Server services -> mail.example.com

Disable all checkboxes except of the Mailserver checkbox and click on Save.

• Click on System -> Server services -> db.example.com

Disable all checkboxes except of the DB-Server checkbox and click on Save.

• Click on System -> Server services -> ns1.example.com

Disable all checkboxes except of the DNS-Server checkbox and click on Save.

Resources¶

http://www.howtoforge.com/multiserver-setup-with-dedicated-web-email-dns-and-mysql-database-servers-on-debian-squeeze-with-ispconfig-3