The Perfect Server – OpenSUSE 11.1


This is a detailed description of how to set up an OpenSUSE 11.1 server that offers all services needed by ISPs and hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Dovecot POP3/IMAP, Quota, Firewall, etc. This tutorial is written for the 32-bit version of OpenSUSE 11.1, but should apply to the 64-bit version with very few modifications as well.

I will use the following software:

  • Web Server: Apache 2.2.10 with PHP 5.2.6, Ruby, and Python
  • Database Server: MySQL 5.0.67
  • Mail Server: Postfix
  • DNS Server: BIND9
  • FTP Server: proftpd
  • POP3/IMAP: I will use Maildir format and therefore install Courier-POP3/Courier-IMAP.
  • Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Requirements

To install such a system you will need the following:

  • The OpenSUSE 11.1 DVD. You can download it here: http://download.opensuse.org/distribution/11.1/iso/openSUSE-11.1-DVD-i586.iso
  • A fast internet connection…

 

2 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

 

3 The Base System

Boot from your OpenSUSE 11.1 DVD and select Installation:

Select your language, keyboard layout and accept the licence terms:

The installer analyzes your hardware and builds the software repository cache:

Select New Installation:

Select the region and timezone:

We select Other > Minimal Server Selection (Text Mode) here as we want to install a server without an X-Window desktop. The X-Window system is not necessary to run the server and would slow down the system. We will do all administration tasks on the shell or through an SSH connection, e.g. via PuTTY from a remote desktop.

Click on Edit partition setup… to change the proposed partitions. As this is a server setup, we need a large /srv partition instead of the /home partition:

Select /dev/sda3 and click on Edit…:

Change the Mount Point to /srv and click on Finish:

Click on Accept:

The resulting setup should look like this. Click on Next:

Now I create a user named administrator. You may use any username you like. Make sure that you disable the Automatic Login checkbox for this user. The password that you enter here will be used as the root password:

The installer shows an overview of the selected install options. Click on Install to start the installation process.

Confirm that you want to start the installation:

The installer formats the hard disk, installs the software packages and prepares the system configuration for the first boot:

After the basic installation is finished, the system will do an automatic reboot:

The automatic configuration starts right after the system has rebooted:

Now log in with the username root and the password that you selected during the installation.

4 Configure the Network settings

We use Yast, the OpenSUSE system management tool, to reconfigure the network card settings. After the first boot, the system is configured to get its IP address via DHCP. For a server we will switch it to a static IP address.

Run

yast2

Select Network Devices > Network Settings:

Select your network card and then Edit:

Select Statically assigned IP Address and enter the IP address, subnet mask and hostname and save the changes by selecting Next:

Now select Hostname/DNS and enter the hostname (e.g. server1.example.com) and nameservers (e.g. 145.253.2.75 and 213.191.92.86):

Now select Routing and enter the default gateway and hit OK:

To configure the firewall, select Security and Users > Firewall in Yast:

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That’s why I disable the default OpenSUSE firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn’t use any other firewall later on as it will most probably interfere with the OpenSUSE firewall).

Select Disable Firewall Automatic Starting and Stop Firewall Now, then hit Next:

Hit Finish and leave Yast:

5 Install updates

Now we install the latest updates from the openSUSE repositories. Run

zypper update

And then reboot the server as you most likely installed some kernel updates, too:

reboot

6 Quota

To install quota, run

yast2 -i quota

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the mountpoints / and /srv):

vi /etc/fstab

/dev/sda1 swap swap defaults 0 0
/dev/sda2 / ext3 acl,user_xattr,usrquota,grpquota 1 1
/dev/sda3 /srv ext3 acl,user_xattr,usrquota,grpquota 1 2
proc /proc proc defaults 0 0
sysfs /sys sysfs noauto 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0

Then run:

touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*

mount -o remount /
mount -o remount /srv

quotacheck -avugm
quotaon -avug

Don't be worried if you see these error messages – they are normal when you run quotacheck for the first time:

quotacheck: WARNING - Quotafile //aquota.user was probably truncated. Cannot save quota settings...
quotacheck: WARNING - Quotafile //aquota.group was probably truncated. Cannot save quota settings...
quotacheck: Scanning /dev/sda2 [/] done
quotacheck: Checked 5286 directories and 45399 files
quotacheck: WARNING - Quotafile /srv/aquota.user was probably truncated. Cannot save quota settings...
quotacheck: WARNING - Quotafile /srv/aquota.group was probably truncated. Cannot save quota settings...
quotacheck: Scanning /dev/sda3 [/srv] done
quotacheck: Checked 7 directories and 4 files
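
A check of the edited /etc/fstab that can be run before the remount, as an added example that is not part of the original tutorial: the hypothetical helper missing_quota_opts reports every listed mount point that lacks usrquota or grpquota. The demo input is a constructed copy of the two edited lines shown above.

```shell
#!/bin/sh
# Added example: report which mount points in an fstab-format file lack the
# usrquota or grpquota option.
# Usage: missing_quota_opts FSTAB MOUNTPOINT...
# Prints one line per problem and returns 1 if there was any, 0 otherwise.
missing_quota_opts() {
    fstab=$1; shift
    bad=0
    for mp in "$@"; do
        # Field 2 is the mount point, field 4 the comma-separated options.
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$fstab")
        if [ -z "$opts" ]; then
            echo "$mp: not found in $fstab"; bad=1; continue
        fi
        missing=""
        for want in usrquota grpquota; do
            case ",$opts," in
                *",$want,"*) ;;   # exact option name present
                *) missing="${missing:+$missing,}$want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$mp: missing $missing"; bad=1
        fi
    done
    return $bad
}

# Demo on a constructed copy of the fstab lines from this chapter.
demo=$(mktemp)
cat > "$demo" <<'EOF'
/dev/sda1 swap swap defaults 0 0
/dev/sda2 / ext3 acl,user_xattr,usrquota,grpquota 1 1
/dev/sda3 /srv ext3 acl,user_xattr,usrquota,grpquota 1 2
EOF
missing_quota_opts "$demo" / /srv && echo "quota options present on / and /srv"
rm -f "$demo"
```

On the real system the call would be missing_quota_opts /etc/fstab / /srv; a misspelled option is reported as missing because only exact option names match.
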

7 Install some basic packages and the compilers that we need later

Run

yast2 -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico

8 Install Postfix, Courier, Saslauthd, MySQL

Run

yast2 -i postfix postfix-mysql mysql mysql-client courier-imap courier-authlib courier-authlib-mysql python cron cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd libmysqlclient-devel pwgen

Start MySQL, Postfix, SASL and Courier and enable the services to be started at boot time.

chkconfig --add mysql
chkconfig --add postfix
chkconfig --add saslauthd
chkconfig --add fam
chkconfig --add courier-authdaemon
chkconfig --add courier-pop
chkconfig --add courier-imap
chkconfig --add courier-pop-ssl
chkconfig --add courier-imap-ssl
/etc/init.d/mysql start
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/courier-pop start
/etc/init.d/courier-imap start
/etc/init.d/courier-pop-ssl start
/etc/init.d/courier-imap-ssl start

Now I install some rpm packages which are not available from the openSUSE main repositories.

cd /tmp
rpm -i http://download.opensuse.org/repositories/server:/mail/openSUSE_11.0/i586/getmail-4.7.6-1.4.i586.rpm
rpm --force -i http://download.opensuse.org/repositories/home:/atzewilms/openSUSE_11.1_Update/i586/maildrop-2.0.4-10.5.i586.rpm

Warnings like: “warning: getmail-4.7.6-1.4.i586.rpm: Header V3 DSA signature: NOKEY, key ID 367fe7fc” can be ignored.

Next I install the pam_mysql module from source. pam_mysql is not available from the main openSUSE repository and the package from the build service did not work for me.

yast2 -i pam-devel
cd /tmp
wget http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
tar xvfz pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1
./configure
make
make install
rm -rf /tmp/pam_mysql-0.7RC1
rm /tmp/pam_mysql-0.7RC1.tar.gz

To secure the MySQL installation, run:

mysql_secure_installation

Now you will be asked several questions:

server1:~ # mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we’ll need the current
password for the root user. If you’ve just installed MySQL, and
you haven’t set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on…

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] <– Y
New password: <– fill in your desired MySQL root password
Re-enter new password: <– confirm that password
Password updated successfully!
Reloading privilege tables..
… Success!
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] <– Y
… Success!

Normally, root should only be allowed to connect from ‘localhost’. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] <– Y
… Success!

By default, MySQL comes with a database named ‘test’ that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] <– Y
– Dropping test database…
… Success!
– Removing privileges on test database…
… Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] <– Y
… Success!

Cleaning up…

All done! If you’ve completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
server1:~ #

Now your MySQL setup should be secured.

9 Amavisd-new, Spamassassin and Clamav

Install Amavisd-new, Spamassassin and Clamav antivirus. Run

yast2 -i amavisd-new clamav clamav-db zoo unzip unrar bzip2 unarj perl-DBD-mysql

To enable it, run:

chkconfig --add amavis
chkconfig --add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start

10 Install the apache 2 Webserver and PHP5

Install apache2 and suphp. Run:

yast2 -i apache2 apache2-mod_fcgid

rpm -i http://download.opensuse.org/repositories/server:/php/server_database_apache_openSUSE_11.0/i586/suphp-0.6.2-10.41.i586.rpm

Install PHP5:

yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dbase php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-ncurses php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5

Then run these commands to enable the apache modules:

a2enmod suexec
a2enmod rewrite
a2enmod ssl
a2enmod actions
a2enmod suphp
a2enmod fcgid
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2

And start Apache.

chkconfig --add apache2
/etc/init.d/apache2 start

Installing phpMyAdmin:

rpm -i http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.1/noarch/phpMyAdmin-3.1.2-1.1.noarch.rpm

Warnings like “warning: phpMyAdmin-3.1.2-1.1.src.rpm: Header V3 DSA signature: NOKEY, key ID 367fe7fc” can be ignored.

11 pure-ftpd

Install the pure-ftpd FTP daemon. Run:

yast2 -i pure-ftpd quota

chkconfig --add pure-ftpd
/etc/init.d/pure-ftpd start

12 MyDNS

Install the MyDNS DNS Server. Run:

cd /tmp
wget http://download.opensuse.org/repositories/home:/bajizs_cnt/openSUSE_11.1/i586/mydns-ng-1.2.8-1.1.i586.rpm
wget http://download.opensuse.org/repositories/home:/bajizs_cnt/openSUSE_11.1/i586/mydns-ng-mysql-1.2.8-1.1.i586.rpm
rpm -i mydns*.rpm
rm -f mydns*.rpm

chkconfig --add mydns

 

13 Install vlogger and Webalizer

cd /tmp
wget http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
tar xvfz vlogger-1.3.tar.gz
mv vlogger-1.3/vlogger /usr/sbin/
rm -rf vlogger*
yast2 -i webalizer perl-DateManip

 

14 Install fail2ban

rpm -i http://download.opensuse.org/repositories/home:/leonardocf/openSUSE_11.0/i586/fail2ban-0.8.2-5.2.i586.rpm

Warnings like “warning: /var/tmp/rpm-xfer.SCm0TM: Header V3 DSA signature: NOKEY, key ID 5b00c76e” can be ignored.
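
The NOKEY warnings quoted here and in chapters 8 and 10 mean that rpm had no public key to check the package signature against, so the package was installed unverified. The following added example (not part of the original tutorial) shows a check that can precede such an install: it classifies `rpm --checksig` output and installs only on a verified signature. The function names, the key file argument and the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): classify one line of
# `rpm --checksig` output. Returns 0 only when a signature was present AND
# verified against a key in the rpm keyring; prints the verdict either way.
sig_verdict() {
    result=${1#*: }                 # drop the "package.rpm: " prefix
    case "$result" in
        *"NOT OK"*)
            case "$result" in
                *"MISSING KEYS"*) echo "key-missing" ;;
                *)                echo "not-verified" ;;
            esac
            return 1 ;;
        *OK) ;;                     # digests matched; signature checked below
        *)  echo "unparsed"; return 1 ;;
    esac
    # "OK" by itself only says the digests matched. A verified signature is
    # reported as a lower-case gpg/pgp token (older rpm) or as "signatures"
    # (newer rpm); an unsigned package has neither.
    for tok in $result; do
        case "$tok" in
            gpg|pgp|signatures) echo "verified"; return 0 ;;
        esac
    done
    echo "unsigned"
    return 1
}

# Install PKG only if its signature verifies against KEYFILE, the repository's
# public key obtained out of band (both arguments are assumptions of this example).
verified_install() {
    keyfile=$1; pkg=$2
    rpm --import "$keyfile" || return 1
    verdict=$(sig_verdict "$(rpm --checksig "$pkg")") || {
        echo "refusing to install $pkg: $verdict" >&2
        return 1
    }
    rpm -i "$pkg"
}

# Constructed sample lines in the two output styles, run through the classifier.
while IFS= read -r sample; do
    printf '%-14s %s\n' "$(sig_verdict "$sample")" "$sample"
done <<'EOF'
pkg.rpm: (sha1) dsa sha1 md5 gpg OK
pkg.rpm: sha1 md5 OK
pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#367fe7fc)
pkg.rpm: digests signatures OK
pkg.rpm: digests SIGNATURES NOT OK
EOF
```

To use it, download the package to a local file first and call verified_install with the repository key file and that path, instead of passing the URL straight to rpm -i.
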

15 Install jailkit

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.5.tar.gz
tar xvfz jailkit-2.5.tar.gz
cd jailkit-2.5
./configure
make
make install
cd ..
rm -rf jailkit-2.5*

16 Synchronize the System Clock

If you want to have the system clock synchronized with an NTP server do the following:

yast2 -i xntp

Then add system startup links for ntp and start ntp:

chkconfig --add ntp
/etc/init.d/ntp start

17 ISPConfig 3

Download the current ISPConfig version and install it. The ISPConfig installer will configure all services like postfix, sasl, courier, etc. for you. A manual setup as required for ISPConfig 2 is not necessary anymore.

cd /tmp
wget -O ISPConfig-3.0.1.tar.gz "http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.1.tar.gz?use_mirror="
tar xvfz ISPConfig-3.0.1.tar.gz
cd ispconfig3_install/install/

Now start the installation process by executing:

php -q install.php

——————————————————————————–
_____ ___________ _____ __ _
|_ _/ ___| ___ \ / __ \ / _(_)
| | \ `–.| |_/ / | / \/ ___ _ __ | |_ _ __ _
| | `–. \ __/ | | / _ \| ‘_ \| _| |/ _` |
_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| |
\___/\____/\_| \____/\___/|_| |_|_| |_|\__, |
__/ |
|___/
——————————————————————————–
>> Initial configuration

Operating System: openSUSE 11.1 or compatible

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in “quit” (without the quotes) to stop the installer.
Select language (en,de) [en]: en

Installation mode (standard,expert) [standard]: standard

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: server1.example.com

MySQL server hostname [localhost]: localhost

MySQL root username [root]: root

MySQL root password []: Kreationnext

MySQL database to create [dbispconfig]: dbispconfig

MySQL charset [utf8]: utf8

Generating a 2048 bit RSA private key
…………+++
……..+++
writing new private key to ‘smtpd.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kreationnext
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Courier
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring MyDNS
Configuring Apache
Configuring Firewall
Installing ISPConfig
ISPConfig Port [8080]:8080

Configuring DBServer
Installing Crontab
no crontab for root
no crontab for getmail
Restarting services …
Restarting service MySQL
Shutting down service MySQL ..done
Starting service MySQL ..done
Shutting down mail service (Postfix)..done
Starting mail service (Postfix)..done
Shutting down service saslauthd..done
Starting service saslauthd..done
Waiting for the process [10980] to terminate
Waiting for the process [10980] to terminate
Daemon [10980] terminated by SIGTERM
Shutting down virus-scanner (amavisd-new):..done
Starting virus-scanner (amavisd-new):..done
Shutting down Clam AntiVirus daemon ..done
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
Starting Clam AntiVirus daemon ..done
Shutting down Courier Authentication Daemon ..done
Starting Courier Authentication Daemon ..done
Shutting down Courier-IMAP ..done
Starting Courier-IMAP ..done
Shutting down Courier-IMAP (SSL)..done
Starting Courier-IMAP (SSL)..done
Shutting down Courier-POP3 ..done
Starting Courier-POP3 ..done
Shutting down Courier-POP3 (SSL)..done
Starting Courier-POP3 (SSL)..done
Syntax OK
Shutting down httpd2 (waiting for all children to terminate) ..done
Starting httpd2 (prefork) Shutting down pure-ftpd..done
Starting pure-ftpd..done
Installation completed.

Create a symlink for phpMyAdmin:

ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin

Clean up the /tmp directory:

rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-3.0.1.tar.gz

To log in to the ISPConfig control panel, open this URL in your browser (replace the IP to match your settings!):

http://192.168.0.105:8080/

The default login is:

user: admin
password: admin

17.1 ISPConfig 3 Manual

In order to learn how to use ISPConfig 3, I strongly recommend downloading the ISPConfig 3 Manual.

On nearly 300 pages, it covers the concept behind ISPConfig (admin, resellers, clients), explains how to install and update ISPConfig 3, includes a reference for all forms and form fields in ISPConfig together with examples of valid inputs, and provides tutorials for the most common tasks in ISPConfig 3. It also outlines how to make your server more secure and comes with a troubleshooting section at the end.

18 Optional

Install a web-based email client:

rpm -i http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.1/noarch/squirrelmail-1.4.17-1.2.noarch.rpm
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail

19 Disable AppArmor

AppArmor is a security extension of SUSE (similar to Fedora’s SELinux) that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor

20 Links

OpenSUSE: http://www.opensuse.org
ISPConfig: http://www.ispconfig.org