Cheap VPS & Xen Server

Residential Proxy Network - Hourly & Monthly Packages

The Perfect Server – OpenSUSE 11.4 x86_64 [ISPConfig 3]


This is a detailed description about how to set up an OpenSUSE 11.4 64bit (x86_64) server that offers all services needed by ISPs and hosters: Apache web server (SSL-capable) with PHP, CGI and SSI support, Postfix mail server with SMTP-AUTH, TLS and virtual mail users, BIND DNS server, Pureftpd FTP server, MySQL server, Dovecot POP3/IMAP, Quota, Firewall, etc.

I will use the following software:

  • Web Server: Apache 2.2 with PHP 5
  • Database Server: MySQL
  • Mail Server: Postfix with virtual users
  • DNS Server: BIND
  • FTP Server: pureftpd
  • POP3/IMAP: Dovecot
  • Webalizer and AWStats for web site statistics

In the end you should have a system that works reliably and is easily manageable with the ISPConfig 3 control panel. The following guide is for the 64bit version of OpenSUSE.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Notice: This guide is for ISPConfig 3.0.1 or newer. It is not suitable for ISPConfig 2.x!

 

1 Requirements

To install such a system you will need the following:

  • The OpenSUSE 11.4 DVD. You can download it here: http://download.opensuse.org/distribution/11.4/iso/openSUSE-11.4-DVD-x86_64.iso
  • A fast Internet connection…

 

2 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

3 The Base System

Boot from your OpenSUSE 11.4 DVD and select Installation:

1

Select your language, keyboard layout and accept the licence terms:

2

The installer analyzes your hardware and builds the software repository cache:

3

Select New Installation:

4

Select the region and timezone:

5

We select Other > Minimal Server Selection (Text Mode) here as we want to install a server without X-Window desktop. The X-Window system is not necessary to run the server and would slow down the system. We will do all administration tasks on the shell or through an SSH connection, e.g. via PuTTY from a remote desktop.

6

Click on Edit Partition Setup… to change the proposed partitions. As this is a server setup, we need a large /srv partition instead of the /home partition:

7

Select /dev/sda3 and click on Edit…:

8

Change the Mount Point to /srv and click on Finish:

9

Click on Accept:

10

 

Click on Next:

11

 

Now I create a user named administrator. You may use any username you like. Make sure that you disable the Automatic Login checkbox for this user. The password that you enter here will be used as the root password:

12

The installer shows an overview of the selected install options. Scroll down to the Firewall and SSH section and enable SSH…

13

… and then disable the firewall (ISPConfig 3 comes with its own firewall):

14

Click on Install to start the installation process:

15

Confirm that you want to start the installation:

16

The installer formats the hard disk, installs the software packages and prepares the system configuration for the first boot:

17

After the basic installation is finished, the system will do an automatic reboot:

18

The automatic configuration starts right after the system has rebooted:

19

Now log in with the username root and the password that you selected during the installation.

4 Configure The Network Settings

We use Yast, the OpenSuSE system management tool to reconfigure the network card settings. After the first boot, the system is configured to get the IP address with DHCP. For a server we will switch it to a static IP address.

Run

yast2

Select Network Devices > Network Settings:

20

Select your network card and then Edit:

21

Select Statically assigned IP Address and enter the IP address, subnet mask and hostname and save the changes by selecting Next:

22

Now select Hostname/DNS and enter the hostname (e.g. server1.example.com) and nameservers (e.g. 145.253.2.75 and 8.8.8.8):

23

Now select Routing and enter the default gateway and hit OK:

24

To configure the firewall (in case you didn’t configure it during the basic installation), select Security and Users > Firewall in Yast:

25

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That’s why I disable the default OpenSUSE firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn’t use any other firewall later on as it will most probably interfere with the OpenSUSE firewall).

Select Disable Firewall Automatic Starting and Stop Firewall Now, then hit Next:

26

Hit Finish and leave Yast:

27

5 Install Updates

Now we install the latest updates from the openSUSE repositories. Run

zypper update

And then reboot the server as you most likely installed some kernel updates, too:

reboot

 

6 Install Some Basic Packages

Run

yast2 -i findutils readline glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico sudo perl-TimeDate

 

7 Journaled Quota

To install quota, run

yast2 -i quota

Edit /etc/fstab to look like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the mountpoints / and /srv):

vi /etc/fstab

/dev/sda1            swap                 swap       defaults              0 0
/dev/sda2            /                    ext4       acl,user_xattr,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0        1 1
/dev/sda3            /srv                 ext4       acl,user_xattr,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0        1 2
proc                 /proc                proc       defaults              0 0
sysfs                /sys                 sysfs      noauto                0 0
debugfs              /sys/kernel/debug    debugfs    noauto                0 0
devpts               /dev/pts             devpts     mode=0620,gid=5       0 0

Then run:

touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*

mount -o remount /
mount -o remount /srv

quotacheck -avugm
quotaon -avug

Dont be worried if you see these error messages – they are normal when you run quotacheck for the first time:

server1:~ # quotacheck -avugm
quotacheck: WARNING –  Quotafile //aquota.user was probably truncated. Cannot save quota settings…
quotacheck: WARNING –  Quotafile //aquota.group was probably truncated. Cannot save quota settings…
quotacheck: Scanning /dev/sda2 [/] done
quotacheck: Checked 4416 directories and 35532 files
quotacheck: WARNING –  Quotafile /srv/aquota.user was probably truncated. Cannot save quota settings…
quotacheck: WARNING –  Quotafile /srv/aquota.group was probably truncated. Cannot save quota settings…
quotacheck: Scanning /dev/sda3 [/srv] done
quotacheck: Checked 6 directories and 2 files
server1:~ #

8 Install Postfix, Dovecot, MySQL

We need to install Python 2.7 in this chapter, but it conflicts with the package patterns-openSUSE-minimal_base. Therefore we must uninstall that package first. To do so, start YaST:

yast2

In YaST, go to Software > Software Management:

28

Type patterns-openSUSE-minimal_base in the Search field and press ENTER. The package should be listed as installed (i) in the main window. Mark the package and press the ENTER key until there’s a minus () sign in front of the package (the minus stands for uninstall), then hit [Accept]:

29

As a replacment for the package, some other packages need to be installed. Accept the selection by hitting [OK]:

30

Leave YaST afterwards.

Next r un

yast2 -i postfix postfix-mysql mysql mysql-community-server mysql-client libmysqlclient-devel dovecot12 dovecot12-backend-mysql pwgen cron python

Open /etc/postfix/master.cf

vi /etc/postfix/master.cf

… and uncomment the following line:

[...]
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
[...]

Create the following symlink:

ln -s /usr/lib64/dovecot/modules /usr/lib/dovecot

Start MySQL, Postfix, and Dovecot and enable the services to be started at boot time.

chkconfig -f –add mysql
/etc/init.d/mysql start

chkconfig –add postfix
/etc/init.d/postfix start

chkconfig –add dovecot
/etc/init.d/dovecot start

You might see the following Dovecot warning which you can safely ignore:

Starting dovecot Warning: There is no way to login to this server: disable_plaintext_auth=yes, ssl=no, no non-plaintext auth mechanisms.
If you have trouble with authentication failures,
enable auth_debug setting. See http://wiki.dovecot.org/WhyDoesItNotWork
This message goes away after the first successful login.

Now I install the getmail rpm package which is not available from the OpenSUSE main repositories.

zypper install http://download.opensuse.org/repositories/server:/mail/openSUSE_11.4/noarch/getmail-4.20.0-1.1.noarch.rpm

To secure the MySQL installation, run:

mysql_secure_installation

Now you will be asked several questions:

server1:~ # mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we’ll need the current
password for the root user.  If you’ve just installed MySQL, and
you haven’t set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): <– ENTER
OK, successfully used password, moving on…

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] <– Y
New password: <– yourrootsqlpassword
Re-enter new password: <– yourrootsqlpassword
Password updated successfully!
Reloading privilege tables..
… Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] <– Y
 … Success!

Normally, root should only be allowed to connect from ‘localhost’.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] <– Y
… Success!

By default, MySQL comes with a database named ‘test’ that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] <– Y
 – Dropping test database…
… Success!
– Removing privileges on test database…
… Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] <– Y
 … Success!

Cleaning up…

All done!  If you’ve completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

server1:~ #

Now your MySQL setup should be secured.

 

9 Amavisd-new, Spamassassin And Clamav

Install Amavisd-new, Spamassassin and Clamav antivirus. Run

yast2 -i amavisd-new clamav clamav-db zoo unzip unrar bzip2 unarj perl-DBD-mysql

Open /etc/amavisd.conf

vi /etc/amavisd.conf

… and add the $myhostname line with your correct hostname below the $mydomain line:

[...]
$mydomain = 'example.com';   # a convenient default for other settings
$myhostname = "server1.$mydomain";
[...]

Then create a symlink from /var/run/clamav/clamd to /var/lib/clamav/clamd-socket:

mkdir -p /var/run/clamav
ln -s /var/lib/clamav/clamd-socket /var/run/clamav/clamd

To enable the services, run:

chkconfig –add amavis
chkconfig –add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start

10 Install The Apache 2 Webserver With PHP5, Ruby, WebDAV

Install Apache2 and suphp. Run:

yast2 -i apache2 apache2-mod_fcgid

Install PHP5:

yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5

zypper install http://download.opensuse.org/repositories/server:/php/openSUSE_11.4/x86_64/suphp-0.7.1-3.2.x86_64.rpm

Then run these commands to enable the Apache modules (including WebDAV):

a2enmod suexec
a2enmod rewrite
a2enmod ssl
a2enmod actions
a2enmod suphp
a2enmod fcgid
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2

Next we build the mod_ruby Apache module (it is not available as an OpenSUSE 11.4 package, therefore we have to build it ourselves):

yast2 -i apache2-devel ruby ruby-devel

cd /tmp
wget http://modruby.net/archive/mod_ruby-1.3.0.tar.gz
tar zxvf mod_ruby-1.3.0.tar.gz
cd mod_ruby-1.3.0/
./configure.rb –with-apr-includes=/usr/include/apr-1
make
make install

a2enmod ruby

Start Apache:

chkconfig –add apache2
/etc/init.d/apache2 start

Install phpMyAdmin:

zypper install http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/phpMyAdmin-3.3.9.2-3.1.noarch.rpm

 

11 Install PureFTPd

Install the pure-ftpd FTP daemon. Run:

yast2 -i pure-ftpd

chkconfig –add pure-ftpd
/etc/init.d/pure-ftpd start

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

OpenSSL is needed by TLS; to install OpenSSL, we simply run:

yast2 -i openssl

Open /etc/pure-ftpd/pure-ftpd.conf

vi /etc/pure-ftpd/pure-ftpd.conf

If you want to allow FTP and TLS sessions, set TLS to 1:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
TLS                      1
[...]

If you want to accept TLS sessions only (no FTP), set TLS to 2:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
TLS                      2
[...]

To not allow TLS at all (only FTP), set TLS to 0:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
TLS                      0
[...]

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <– Enter your Country Name (e.g., “DE”).
State or Province Name (full name) [Some-State]:
<– Enter your State or Province Name.
Locality Name (eg, city) []:
<– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<– Enter your Organizational Unit Name (e.g. “IT Department”).
Common Name (eg, YOUR name) []:
<– Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
Email Address []:
<– Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

/etc/init.d/pure-ftpd restart

That’s it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS – see the next chapter how to do this with FileZilla.

 

12 Install BIND

The BIND nameserver can be installed as follows:

yast2 -i bind

Create the BIND system startup links and start it:

chkconfig –add named
/etc/init.d/named start

 

13 Install Webalizer And AWStats

Since ISPConfig 3 lets you choose if you want to use Webalizer or AWStats to create your web site statistics, we install both:

yast2 -i webalizer perl-DateManip

zypper install http://download.opensuse.org/repositories/network:/utilities/openSUSE_11.4/noarch/awstats-7.0-14.1.noarch.rpm

 

14 Install fail2ban

fail2ban can be installed as follows:

yast2 -i fail2ban

 

15 Install Jailkit

Jailkit can be installed like this:

zypper install http://download.opensuse.org/repositories/security/openSUSE_11.4/x86_64/jailkit-2.13-1.2.x86_64.rpm

 

16 Synchronize The System Clock

If you want to have the system clock synchronized with an NTP server do the following:

yast2 -i xntp

Then add system startup links for ntp and start ntp:

chkconfig –add ntp
/etc/init.d/ntp start

17 ISPConfig 3

Before we install ISPConfig 3, make sure that the /var/vmail/ directory exists:

mkdir /var/vmail/

Download the current ISPConfig 3 version and install it. The ISPConfig installer will configure all services like Postfix, Dovecot, etc. for you. A manual setup as required for ISPConfig 2 is not necessary anymore.

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

Now start the installation process by executing:

php -q install.php

server1:/tmp/ispconfig3_install/install # php -q install.php

——————————————————————————–
_____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
| | \ `–.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
| |  `–. \  __/  | |    / _ \| ‘_ \|  _| |/ _` |  |_ |
_| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
\___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
__/ |
|___/
——————————————————————————–

>> Initial configuration

Operating System: openSUSE or compatible, unknown version.

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in “quit” (without the quotes) to stop the installer.

Select language (en,de) [en]: <– ENTER

Installation mode (standard,expert) [standard]: <– ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server1.example.com]: <– ENTER

MySQL server hostname [localhost]: <– ENTER

MySQL root username [root]: <– ENTER

MySQL root password []: <– yourrootsqlpassword

MySQL database to create [dbispconfig]: <– ENTER

MySQL charset [utf8]: <– ENTER

Generating a 2048 bit RSA private key
.+++
………..+++
writing new private key to ‘smtpd.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
 <– ENTER
State or Province Name (full name) [Some-State]: <– ENTER
Locality Name (eg, city) []: <– ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– ENTER
Organizational Unit Name (eg, section) []: <– ENTER
Common Name (eg, YOUR name) []: <– ENTER
Email Address []: <– ENTER
Configuring Jailkit
Configuring Dovecot
chmod: cannot access `/etc/dovecot/dovecot-sql.conf~’: No such file or directory
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Firewall
Installing ISPConfig
ISPConfig Port [8080]:
 <– ENTER

Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services …
Restarting service MySQL
Shutting down service MySQL ..done
Starting service MySQL ..done
Shutting down mail service (Postfix)..done
Starting mail service (Postfix)..done
Waiting for the process [6308] to terminate
Waiting for the process [6308] to terminate
Daemon [6308] terminated by SIGTERM
Shutting down virus-scanner (amavisd-new): ..done
Starting virus-scanner (amavisd-new): ..done
Shutting down Clam AntiVirus daemon ..done
Starting Clam AntiVirus daemon ..done
Stopping dovecot ..done
Starting dovecot ..done
If you have trouble with authentication failures,
enable auth_debug setting. See http://wiki.dovecot.org/WhyDoesItNotWork
This message goes away after the first successful login.
Syntax OK
Shutting down httpd2 (waiting for all children to terminate) ..done
Starting httpd2 (prefork) ..done
Shutting down pure-ftpd..done
Starting pure-ftpd..done
Installation completed.
server1:/tmp/ispconfig3_install/install #

Create a symlink for phpMyAdmin:

ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin

Clean up the /tmp directory:

cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-3-stable.tar.gz

Open /etc/suphp.conf

vi /etc/suphp.conf

… and make sure that it contains x-httpd-suphp instead of x-httpd-php towards the end of the file:

[...]
[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/srv/www/cgi-bin/php5"
[...]

To log into the ISPConfig control panel, open this URL in your browser (replace the IP to match your settings!):

http://192.168.0.100:8080/

The default login is:

user: admin
password: admin

 

17.1 ISPConfig 3 Manual

 

18 Install SquirrelMail (Optional)

Install a SquirrelMail, a web-based email client:

zypper install http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/squirrelmail-1.4.22-1.1.noarch.rpm

ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail

 

  • OpenSUSE: http://www.opensuse.org/
  • ISPConfig: http://www.ispconfig.org/

 

 

 

 

 

 

Comments

comments