The Perfect Server – Mandriva 2007 Spring Free


This is a detailed description of how to set up a Mandriva 2007 Spring Free server that offers all services needed by ISPs and hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Courier POP3/IMAP, Quota, Firewall, etc. This tutorial is written for the 32-bit version of Mandriva 2007 Spring, but should apply to the 64-bit version with very few modifications as well.

I will use the following software:

  • Web Server: Apache 2
  • Mail Server: Postfix
  • DNS Server: BIND9
  • FTP Server: proftpd
  • POP3/IMAP server
  • Webalizer for web site statistics

In the end you should have a system that works reliably and is ready for the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

In this example I will use the following settings for my system:

  • IP address: 192.168.0.100, gateway: 192.168.0.1
  • Host name: server1.example.com

Your settings will most likely differ, so you might have to adjust the instructions from this tutorial.

 

2 Requirements

To install such a system you will need the following:

  • Download the Mandriva 2007 Spring Free DVD iso image from a mirror near you (the list of mirrors can be found here: http://www.mandriva.com/en/download/free), e.g. mandriva-linux-2007-spring-free-dvd-i586.iso.
  • a fast internet connection…

 

3 The Base System

Boot from your Mandriva 2007 Spring Free DVD. Select Install Mandriva Linux 2007 Spring on your system and press Enter:

 


Choose your language next:


Accept the license and click on Next:


Select Standard as the Security level and leave the field Security Administrator empty:


Now we have to partition our hard disk. You can choose to let the Mandriva installer do the partitioning, or you can do it yourself. I want to create a small /boot partition (about 150 MB) with the file system ext3, a swap partition and a huge / partition (again with ext3):


Click on Next on the following screen:


Now we select the package groups we want to install. Select Internet station, Network Computer (client), Configuration, Console Tools, Development, Web/FTP, Mail, Database, Firewall/Router and Network Computer server, unselect all other package groups, and click on Next:


The package installation starts:


Afterwards, provide a root password:


Create another user (e.g. admin) and click on Accept user:


To not create yet another user, click on Next on the next screen:


Unselect Autologin because we are installing a server, not a desktop (we don’t want to install a graphical user interface):


Now the installer presents us with a summary of the installation and gives us the possibility to change settings by clicking on the appropriate Configure button. First of all we adjust our keyboard layout (if you don’t have a US keyboard…):


Click on More to get a list of all available keyboard layouts, then select the appropriate layout and click on Next:


Next we configure the time zone we’re in:


On the next screen select hardware clock set to UTC, Automatic time synchronization (using NTP), and for NTP Server choose All servers:


Finally we change our network settings. Click on the Configure button next to Network – ethernet:


Select Ethernet unless you’re using something different:


Select the network interface that you want to configure:


We want to assign a static IP address to our network interface (remember, we’re installing a server…), so we do not want to get an IP address using BOOTP or DHCP. Therefore we choose Manual configuration:


Now enter the IP address, Netmask, and Gateway. Also enter the Host name (e.g. server1.example.com), up to two DNS servers (e.g. 145.253.2.75 and 193.174.32.18):


Do not allow users to start the connection. It’s a server, and servers are always online (at least, they should be…). But select Start the connection at boot:


Choose to start the network connection now:


We’ve now made all necessary configurations, so we can leave the summary screen by clicking on Next:


Now you can download the latest updates. Please note: this is optional. We are going to create a cron job which will update our system automatically, so you can select No here:


The base installation is now finished; you can now remove the CD and reboot the system:


Now on to the system configuration…

4 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1               localhost.localdomain localhost
192.168.0.100           server1.example.com server1

 

5 Configure Additional IP Addresses

(This step is totally optional and is needed only if you want to add more IP addresses to your network interface eth0!)

Let’s assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:

cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.100
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=no
DNS1=145.253.2.75
DNS2=193.174.32.18
RESOLV_MODS=yes
IPV6INIT=no
IPV6TO4INIT=no

Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this:

vi /etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0
BOOTPROTO=static
IPADDR=192.168.0.101
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=no
MS_DNS1=145.253.2.75
MS_DNS2=193.174.32.18
RESOLV_MODS=yes
IPV6INIT=no
IPV6TO4INIT=no

Afterwards we have to restart the network:

/etc/init.d/network restart

You might also want to adjust /etc/hosts after you have added new IP addresses, although this is not necessary.

Now let’s run

ifconfig

to see if our new IP address is working. The output should look like this:

[root@server1 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:EC:09:F4
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feec:9f4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:356 errors:0 dropped:0 overruns:0 frame:0
          TX packets:319 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:32160 (31.4 KiB)  TX bytes:64191 (62.6 KiB)
          Interrupt:17 Base address:0x1400

eth0:0    Link encap:Ethernet  HWaddr 00:0C:29:EC:09:F4
          inet addr:192.168.0.101  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:17 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:82 errors:0 dropped:0 overruns:0 frame:0
          TX packets:82 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6508 (6.3 KiB)  TX bytes:6508 (6.3 KiB)

 

6 Setting The Hostname

(This step is also optional.)

This is not necessary if you have set the correct hostname during the installation. You can check the current hostname with the commands

hostname
hostname -f

Both commands should show server1.example.com.

If the output shows a wrong hostname, you can set the correct one like this:

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname

 

7 Configure urpmi

You can use the wizard on http://easyurpmi.zarb.org/ to find out how to configure urpmi so that urpmi uses online package repositories:


For me the wizard gave back these commands that I run on the command line:

urpmi.addmedia main ftp://ftp.tu-chemnitz.de/pub/linux/mandrakelinux/official/2007.1/i586/media/main/release with media_info/hdlist.cz

urpmi.addmedia --update main_updates ftp://ftp.tu-chemnitz.de/pub/linux/mandrakelinux/official/2007.1/i586/media/main/updates with media_info/hdlist.cz

urpmi.addmedia contrib ftp://ftp.tu-chemnitz.de/pub/linux/mandrakelinux/official/2007.1/i586/media/contrib/release with media_info/hdlist.cz

urpmi.addmedia --update contrib_updates ftp://ftp.tu-chemnitz.de/pub/linux/mandrakelinux/official/2007.1/i586/media/contrib/updates with media_info/hdlist.cz

Now we create a script /etc/cron.daily/software_update that will automatically be run by cron daily and that looks for and installs the latest software updates on your Mandriva 2007 Spring system. The script looks like this:

vi /etc/cron.daily/software_update

#!/bin/bash
urpmi.update updates
urpmi --auto --update --auto-select

Make the script executable:

chmod 755 /etc/cron.daily/software_update

 

8 Install Some Packages

Now we install a few packages that are needed later on:

urpmi fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp flex libxorg-x11-devel gcc gcc-c++

 

9 Quota

To install the quota package, run

urpmi quota

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partition with the mount point /):

vi /etc/fstab

/dev/sda6 / ext3 defaults,usrquota,grpquota 1 1
/dev/sda1 /boot ext3 defaults 1 2
/dev/hdc /media/cdrom auto umask=0,users,iocharset=utf8,noauto,ro,exec 0 0
none /media/floppy supermount dev=/dev/fd0,fs=ext2:vfat,--,umask=0,iocharset=utf8,sync 0 0
none /proc proc defaults 0 0
/dev/sda5 swap swap defaults 0 0

Then run:

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

 

10 DNS Server

To install the BIND DNS server, run:

urpmi bind

Mandriva 2007 Spring’s BIND is running chrooted by default, therefore we need to create a few symlinks so that ISPConfig (if you want to install it) can deal with it:

cd /var/lib/named/var
mkdir -p lib/named/var
cd lib/named/var
ln -s ../../../named/ named
ln -s ../../../run/ run

Then start BIND:

/etc/init.d/named start

11 MySQL (5.0)

To install MySQL 5.0, we simply run:

urpmi MySQL MySQL-client libmysql15-devel

By default, networking is not enabled in Mandriva 2007 Spring’s MySQL package, but networking is required by ISPConfig. We can change this by commenting out the line skip-networking in /etc/my.cnf:

vi /etc/my.cnf

[...]
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
[...]

Afterwards, we start MySQL:

/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

[root@server1 var]# netstat -tap | grep mysql
tcp        0      0 *:mysql-im                  *:*                         LISTEN      5697/mysqlmanager
tcp        0      0 *:mysql                     *:*                         LISTEN      5705/mysqld

Next, run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

 

12 Postfix With SMTP-AUTH And TLS

Install the required packages (Postfix, cyrus-sasl, imap, etc.) like this:

urpmi cyrus-sasl libsasl2 libsasl2-devel libsasl2-plug-plain libsasl2-plug-anonymous libsasl2-plug-crammd5 libsasl2-plug-digestmd5 libsasl2-plug-gssapi libsasl2-plug-login postfix imap

Then run

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'mydestination = /etc/postfix/local-host-names, localhost.example.com'
postconf -e 'mynetworks = 127.0.0.0/8'
touch /etc/postfix/local-host-names
touch /var/lib/mailman/data/aliases

Edit /etc/sasl2/smtpd.conf. It should look like this:

vi /etc/sasl2/smtpd.conf

# SASL library configuration file for postfix
# all parameters are documented into:
# /usr/share/doc/cyrus-sasl-2.*/options.html

# The mech_list parameters list the sasl mechanisms to use,
# default being all mechs found.
mech_list:         plain login

# To authenticate using the separate saslauthd daemon, (e.g. for
# system or ldap users). Also see /etc/sysconfig/saslauthd.
pwcheck_method:    saslauthd
saslauthd_path:    /var/lib/sasl2/mux

# To authenticate against users stored in sasldb.
#pwcheck_method:    auxprop
#auxprop_plugin:    sasldb
#sasldb_path:       /var/lib/sasl2/sasl.db

Create the SSL certificate needed for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

and configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Now start Postfix, saslauthd, imap and pop3:

chkconfig imap on
chkconfig imaps on
chkconfig ipop3 on
chkconfig pop3s on
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
/etc/init.d/xinetd restart

To see if SMTP-AUTH and TLS work properly now, run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH PLAIN LOGIN

everything is fine:

[root@server1 ssl]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (2.3.8) (Mandriva Linux)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 ssl]#

Type

quit

to return to the system’s shell.
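
A scripted version of the manual telnet check above (an added example, not part of the original tutorial): it parses a captured EHLO reply from a plain-text session and reports whether AUTH PLAIN/LOGIN is advertised before STARTTLS, which is what smtpd_tls_auth_only = no allows. The function names and the OK/WARN/FAIL labels are assumptions of this example; the sample reply is copied from the transcript above.

```sh
# Added example: audit the EHLO reply of a plain-text (pre-STARTTLS) SMTP session.

# Constructed sample input: the EHLO reply from the tutorial's telnet transcript.
sample_ehlo() {
cat <<'EOF'
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
}

# Print one upper-cased capability per line from a single EHLO reply on stdin.
# Non-250 lines (banner, typed commands, 221) are ignored, so a whole
# telnet transcript containing one EHLO exchange can be piped in.
ehlo_caps() {
    tr -d '\r' | awk '
        /^250[- ]/ {
            if (++n == 1) next             # first 250 line is the greeting
            line = toupper(substr($0, 5))  # drop "250-" or "250 "
            sub(/^AUTH=/, "AUTH ", line)   # legacy form for old clients
            print line
        }'
}

# Print the advertised SASL mechanisms, de-duplicated, comma separated.
auth_mechs() {
    ehlo_caps |
        awk '$1 == "AUTH" { for (i = 2; i <= NF; i++) print $i }' |
        sort -u | tr '\n' ',' | sed 's/,$//'
}

# Print "starttls=<yes|no> auth=<list|none> verdict=<OK|WARN|FAIL>".
audit_cleartext_ehlo() {
    reply=$(cat)
    mechs=$(printf '%s\n' "$reply" | auth_mechs)
    tls=no
    printf '%s\n' "$reply" | ehlo_caps | grep -qx 'STARTTLS' && tls=yes
    verdict=OK
    case ",$mechs," in
        *,PLAIN,*|*,LOGIN,*)               # password is only base64-encoded
            if [ "$tls" = yes ]; then verdict=WARN; else verdict=FAIL; fi ;;
    esac
    echo "starttls=$tls auth=${mechs:-none} verdict=$verdict"
}

sample_ehlo | audit_cleartext_ehlo
```

With smtpd_tls_auth_only = yes, Postfix announces AUTH only after STARTTLS, so the same check on a plain-text session reports auth=none and verdict=OK.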

 

13 Apache2 With PHP5

To install Apache2 and PHP5, run the following command (in one line):

urpmi apache-mod_php libphp5_common5 php-bz2 php-calendar php-ctype php-curl php-devel php-dio php-dom php-eaccelerator php-enchant php-esmtp php-event php-exif php-fam php-ffmpeg php-fileinfo php-filepro php-ftp php-gd php-gettext php-gmp php-iconv php-id3 php-idn php-imap php-imlib2 php-mailparse php-mbstring php-mcache php-mcrypt php-mhash php-ming php-mysql php-mysqli php-ncurses php-newt php-odbc php-oggvorbis php-pam_auth php-pcntl php-pcre php-pear-Net_IDNA php-posix php-pspell php-readline php-recode php-session php-shmop php-simplexml php-snmp php-soap php-sockets php-sqlite php-ssh2 php-suhosin php-sysvmsg php-sysvsem php-sysvshm php-tclink php-tcpwrap php-tidy php-xml php-xmlrpc php-zip php5-ini curl libcurl4-devel perl-libwww-perl ImageMagick

Start Apache:

/etc/init.d/httpd restart

 

13.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

Edit /etc/httpd/modules.d/70_mod_php.conf and comment out the AddType lines:

vi /etc/httpd/modules.d/70_mod_php.conf

<IfDefine HAVE_PHP5>
    <IfModule !mod_php5.c>
        LoadModule php5_module    extramodules/mod_php5.so
    </IfModule>
</IfDefine>

<IfModule mod_mime.c>
#    AddType application/x-httpd-php .php
#    AddType application/x-httpd-php .phtml
#    AddType application/x-httpd-php-source .phps
</IfModule>

<IfModule mod_php5.c>
    <IfModule mod_dir.c>
        DirectoryIndex index.php index.phtml
    </IfModule>
</IfModule>

Edit /etc/httpd/conf/mime.types and comment out the following lines:

vi /etc/httpd/conf/mime.types

[...]
#application/x-perl             perl pl
#application/x-php              php php3 php4
[...]

Edit /etc/httpd/conf/httpd.conf and add the following line to the LoadModule section:

vi /etc/httpd/conf/httpd.conf

[...]
LoadModule php5_module    extramodules/mod_php5.so
[...]

(Although this line is already in /etc/httpd/modules.d/70_mod_php.conf this is very important because otherwise the command

httpd -t

will report errors instead of Syntax OK when the virtual hosts created by ISPConfig contain lines like php_admin_flag safe_mode On or the like!)

Restart Apache:

/etc/init.d/httpd restart

14 Proftpd

Install Proftpd like this:

urpmi proftpd

For security reasons you can add the following lines to /etc/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://www.proftpd.org/localsite/Userguide/linked/userguide.html):

vi /etc/proftpd.conf

[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
[...]

Be sure to comment out the following lines in /etc/proftpd.conf in order to allow ftp users to CHMOD:

[...]
# Bar use of SITE CHMOD by default
#<Limit SITE_CHMOD>
#    DenyAll
#</Limit>

Then restart Proftpd:

/etc/init.d/proftpd restart

 

15 Webalizer

Mandriva 2007 Spring doesn’t come with a Webalizer package anymore, therefore we install the static Webalizer binary from the Webalizer web site like this:

urpmi libgeoip1 geoip libgeoipupdate0 awffull

cd /tmp
wget ftp://ftp.mrunix.net/pub/webalizer/webalizer-2.01-10-static.gz
gunzip webalizer-2.01-10-static.gz
mv webalizer-2.01-10-static /usr/bin/webalizer
chmod 755 /usr/bin/webalizer

 

16 Install Some Perl Modules Needed By SpamAssassin (Comes With ISPConfig)

To install all needed Perl Modules, we can use the appropriate Mandriva packages and install them using urpmi:

urpmi perl-HTML-Parser perl-Digest-SHA1 perl-DB_File perl-Net-DNS

 

17 The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.

18 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the web root for websites created by ISPConfig as Mandriva’s suExec is compiled with /var/www as Doc_Root. Run

/usr/sbin/suexec -V

and the output should look like this:

[root@server1 /]# /usr/sbin/suexec -V
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec_log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_SUEXEC_UMASK=077
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"
[root@server1 /]#

So if you want to use suExec with ISPConfig, don’t change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can’t change the web root anyway, so you’ll be able to use suExec in any case).

 

  • Mandriva: http://www.mandrivalinux.com
  • Easyurpmi: http://easyurpmi.zarb.org
  • ISPConfig: http://www.ispconfig.org

 
