Ubuntu 18.04 (Bionic Beaver) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1
To avoid having to type sudo in front of every command, we switch to a root shell with the following command:
sudo -s
Install the latest updates:
apt update
apt upgrade
For ISPConfig we need to disable dash as the default shell:
dpkg-reconfigure dash
Answer NO there.
Remove AppArmor to avoid problems with ISPConfig later:
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
Make sure the clock always stays in sync:
apt install ntp
We are going to use Postfix, so we need to make sure sendmail is removed:
service sendmail stop; update-rc.d -f sendmail remove
If you get an error here, sendmail is most likely not installed.
Now we install the most important packages (Postfix, Dovecot, MariaDB, rkhunter, binutils, etc.):
apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo
You will be asked the following questions:
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
Now we start on the Postfix configuration:
nano /etc/postfix/master.cf
Remove the # in front of the submission and smtps sections as shown below, and add the following line to both sections:
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
Like this:
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
NOTE: the leading spaces in front of each -o are important. A line that starts in column 1 is read by Postfix as a new service definition, not as an option of the service above it.
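An added check for the master.cf edit above (example code, not part of the original guide): the awk below applies the same rule Postfix does, a line starting in column 1 opens a new service and an indented line belongs to the service above it, so an -o line that lost its leading spaces, or a service that is still commented out, shows up as "missing". The master.cf content is a constructed sample; pass /etc/postfix/master.cf to check a real server.

```shell
#!/bin/sh
# Added example: verify that the submission and smtps services in a master.cf
# are active and carry the SASL-only client restriction from the guide.

check_master_cf() {
    # $1 = path to a master.cf; prints "<service>/inet ok|missing" per service
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines are ignored
        /^[^ \t]/ {                             # column 1: a new service definition
            svc = $1 "/" $2                    # e.g. submission/inet
            next
        }
        {                                       # indented: option of the current service
            for (i = 1; i <= NF; i++)
                if ($i == "-o" && $(i+1) == "smtpd_client_restrictions=permit_sasl_authenticated,reject")
                    ok[svc] = 1
        }
        END {
            split("submission/inet smtps/inet", want, " ")
            for (j = 1; j <= 2; j++)
                print want[j], (ok[want[j]] ? "ok" : "missing")
        }
    ' "$1"
}

# Constructed sample: submission is correct, smtps still has the option commented out.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF

check_master_cf "$SAMPLE"
```

On a live server, `postconf -P submission/inet/smtpd_client_restrictions` gives the same answer from Postfix's own parser.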
We want MySQL to listen on all interfaces.
For that we edit /etc/mysql/mariadb.conf.d/50-server.cnf.
We put a # in front of the line bind-address = 127.0.0.1 so that it is commented out, as in the example below:
nano /etc/mysql/mariadb.conf.d/50-server.cnf
Example:
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
Now we give MariaDB a root password:
mysql_secure_installation
You get the following questions:
Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y
Set the password authentication for the MariaDB root user to the native plugin, so that we can later log in to phpMyAdmin as root:
echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root
Edit the file /etc/mysql/debian.cnf and put the root password in both password fields (RootWachtwoord in the example stands for your own root password). Example:
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = root
password = RootWachtwoord
socket   = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = root
password = RootWachtwoord
socket   = /var/run/mysqld/mysqld.sock
basedir  = /usr
After this we restart MariaDB:
service mysql restart
Check that everything is running:
netstat -tap | grep mysql
It should look roughly like this:
root@vps:~# netstat -tap | grep mysql
tcp6       0      0 [::]:mysql              [::]:*                  LISTEN      1317/mysqld
root@vps:~#
Next we install another set of packages: Amavisd-new, SpamAssassin, ClamAV etc.
apt install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey
ISPConfig 3 uses the SpamAssassin filter library internally, so we can disable the SpamAssassin service:
service spamassassin stop
update-rc.d -f spamassassin remove
To start ClamAV:
freshclam
service clamav-daemon start
The following error can be ignored on the first start:
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
The amavisd-new package in Ubuntu 18.04 has a bug that prevents emails from being signed correctly with DKIM. The following commands patch the program:
cd /tmp
wget https://git.ispconfig.org/ispconfig/ispconfig3/raw/stable-3.1/helper_scripts/ubuntu-amavisd-new-2.11.patch
cd /usr/sbin
cp -pf amavisd-new amavisd-new_bak
patch < /tmp/ubuntu-amavisd-new-2.11.patch
If you get an error here, Ubuntu has probably already fixed the problem.
Now we install another set of packages: Apache, PHP, phpMyAdmin, FCGI, SuExec, Pear, mcrypt etc.
apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.2 php7.2-common php7.2-gd php7.2-mysql php7.2-imap phpmyadmin php7.2-cli php7.2-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear mcrypt imagemagick libruby libapache2-mod-python php7.2-curl php7.2-intl php7.2-pspell php7.2-recode php7.2-sqlite3 php7.2-tidy php7.2-xmlrpc php7.2-xsl memcached php-memcache php-imagick php-gettext php7.2-zip php7.2-mbstring php-soap php7.2-soap
You are asked a few questions again:
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- Yes
MySQL application password for phpmyadmin: <-- Press enter
Now we enable a number of Apache modules: suexec, rewrite, ssl, actions and include (plus dav, dav_fs and auth_digest if you want to use WebDAV):
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest headers
To make sure the server cannot be attacked through the HTTP_PROXY (httpoxy) vulnerability, we strip the Proxy request header before it reaches any CGI or PHP script:
nano /etc/apache2/conf-available/httpoxy.conf
Put the following in it:
<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>
Enable the configuration:
a2enconf httpoxy
Restart Apache to activate everything:
service apache2 restart
Install OpCache:
apt-get -y install php7.2-opcache php-apcu
PHP-FPM:
apt-get -y install php7.2-fpm
a2enmod actions proxy_fcgi alias
service apache2 restart
Let's Encrypt: ISPConfig 3 has support for Let's Encrypt, so we install the client:
apt-get -y install certbot
Mailman (mailing lists):
apt-get -y install mailman
Choose at least one language:
Languages to support: <-- nl (Dutch)
Missing site list <-- Ok
Before we can start Mailman we need to create a new list called mailman:
newlist mailman
Example:
root@server1:~# newlist mailman
Enter the email of the person running the list: <-- admin email address, e.g. listadmin@example.com
Initial mailman password: <-- admin password for the mailman list
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:
## mailman mailing list
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"
Hit enter to notify mailman owner... <-- ENTER
Now open /etc/aliases:
nano /etc/aliases
And add the following to it:
## mailman mailing list
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"
Then run the following command to rebuild the alias database:
newaliases
And restart Postfix:
service postfix restart
Now we can enable the Mailman Apache configuration:
ln -s /etc/mailman/apache.conf /etc/apache2/conf-available/mailman.conf
This enables the alias /cgi-bin/mailman/ for all Apache vhosts, which means you can reach the Mailman admin interface for a list at http://<vhost>/cgi-bin/mailman/admin/<listname> and the user page for a mailing list at http://<vhost>/cgi-bin/mailman/listinfo/<listname>. The archives can be found under http://<vhost>/pipermail. Now enable the configuration:
a2enconf mailman
Restart Apache:
service apache2 restart
and start Mailman:
service mailman start
PureFTPd and Quota
Install the following packages:
apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool
Edit the file /etc/default/pure-ftpd-common:
nano /etc/default/pure-ftpd-common
Make sure the start mode is set to standalone and set VIRTUALCHROOT=true:
STANDALONE_OR_INETD=standalone
VIRTUALCHROOT=true
Now we configure PureFTPd to accept FTP and TLS sessions:
echo 1 > /etc/pure-ftpd/conf/TLS
To use TLS we need to generate an SSL certificate. First make sure the directory exists:
mkdir -p /etc/ssl/private/
Now we can create the certificate (key and certificate end up together in one PEM file):
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Answer a few questions:
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "NL").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.
Set the correct permissions on the certificate file, since it also contains the private key:
chmod 600 /etc/ssl/private/pure-ftpd.pem
Now restart PureFTPd:
service pure-ftpd-mysql restart
Bind DNS Server
Install BIND:
apt-get -y install bind9 dnsutils haveged
And enable and start the haveged daemon:
systemctl enable haveged
systemctl start haveged
Vlogger, Webalizer and AWStats
To install:
apt-get -y install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Then we open /etc/cron.d/awstats:
nano /etc/cron.d/awstats
And put a # in front of every line, since ISPConfig runs the AWStats statistics itself:
#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
JailKit (for SSH chroot)
Install JailKit (this must be done before ISPConfig is installed and cannot be done afterwards):
apt-get -y install build-essential autoconf automake1.11 libtool flex bison debhelper binutils
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
echo 5 > debian/compat
The current 2.19 version of Jailkit has a syntax error which prevents its compilation. To fix that, open the file debian/changelog with nano:
nano debian/changelog
And add the following line as line 5, followed by an empty line:
-- Olivier <olivier@marshall> Wed, 18 Nov 2015 20:38:44 +0100
So that the resulting first part of the file looks like this (the inserted line is the first "-- Olivier" line):
jailkit (2.19-1) UNRELEASED; urgency=medium
* somehow a bug URL was pasted into the ini file location in the sourcecode for jk_chrootsh in the 2.18 release. Fixed.
-- Olivier <olivier@marshall> Wed, 18 Nov 2015 20:38:44 +0100
jailkit (2.18-1) UNRELEASED; urgency=medium
* maintenance release, fix uid_t printing for very high uid numbers
* minor improvements to jk_init.ini
* add possibility to force --login in jk_chrootsh
-- Olivier <olivier@marshall> Wed, 18 Nov 2015 20:38:44 +0100
Then build the jailkit package by running this command:
./debian/rules binary
You can now install the Jailkit .deb package as follows:
cd ..
dpkg -i jailkit_2.19-1_*.deb
rm -rf jailkit-2.19*
Fail2Ban and UFW
apt-get -y install fail2ban
To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local:
nano /etc/fail2ban/jail.local
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
Restart fail2ban afterwards:
service fail2ban restart
To install the UFW firewall, run this apt command:
apt-get install ufw
Roundcube Webmail
To install:
apt-get -y install roundcube roundcube-core roundcube-mysql roundcube-plugins javascript-common libjs-jquery-mousewheel php-net-sieve tinymce
The following questions are asked:
Configure database for roundcube with dbconfig-common? <-- Yes
MySQL application password for roundcube: <-- Press enter
Now edit the Roundcube Apache config file:
nano /etc/apache2/conf-enabled/roundcube.conf
and remove the # in front of the Alias line, then add the second Alias line for /webmail and add the line "AddType application/x-httpd-php .php" right after the "<Directory /var/lib/roundcube>" line:
# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
Alias /roundcube /var/lib/roundcube
Alias /webmail /var/lib/roundcube
[...]
<Directory /var/lib/roundcube>
AddType application/x-httpd-php .php
[...]
Restart Apache:
service apache2 restart
Edit /etc/roundcube/config.inc.php:
nano /etc/roundcube/config.inc.php
Change the default host to localhost:
$config['default_host'] = 'localhost';
To install ISPConfig 3.1, download and unpack the stable-3.1 release:
cd /tmp
wget -O ispconfig.tar.gz https://git.ispconfig.org/ispconfig/ispconfig3/repository/archive.tar.gz?ref=stable-3.1
tar xfz ispconfig.tar.gz
cd ispconfig3*/install/
The next step is to run the installer:
php -q install.php
This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you.
# php -q install.php
--------------------------------------------------------------------------------
(ISPConfig ASCII-art banner)
--------------------------------------------------------------------------------
>> Initial configuration
Operating System: Ubuntu 18.04 (Bionic Beaver)
Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.
Select language (en,de) [en]: <-- Hit Enter
Installation mode (standard,expert) [standard]: <-- Hit Enter
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.canomi.com]: <-- Hit Enter
MySQL server hostname [localhost]: <-- Hit Enter
MySQL server port [3306]: <-- Hit Enter
MySQL root username [root]: <-- Hit Enter
MySQL root password []: <-- Enter your MySQL root password
MySQL database to create [dbispconfig]: <-- Hit Enter
MySQL charset [utf8]: <-- Hit Enter
Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
……………………………………………………………..++
……………………………………………………………………………………………………………………….++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Jailkit
Configuring Pureftpd
Configuring Apache
Configuring vlogger
Configuring Metronome XMPP Server
writing new private key to 'localhost.key'
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) [server1.canomi.com]: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter
Configuring Ubuntu Firewall
Configuring Fail2ban
[INFO] service OpenVZ not detected
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]:
Admin password [admin]:
Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- Hit Enter
Generating RSA private key, 4096 bit long modulus
…………………..++
………………………………………………………………………………………………………………..++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Hit Enter
An optional company name []: <-- Hit Enter
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services …
Installation completed.
The installer automatically configures all underlying services, so there is no manual configuration needed.
Afterward you can access ISPConfig 3 under http(s)://server1.example.com:8080/ or http(s)://192.168.0.100:8080/ (HTTP or HTTPS depends on what you chose during installation). Log in with the username admin and the password admin; change this default password immediately after your first login.