
The Perfect Setup – OpenSuSE 10.2 (32-bit)


This is a detailed description about how to set up an OpenSuSE 10.2 based server that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP, Quota, Firewall, etc.).

I will use the following software:

  • Web Server: Apache 2.2.0
  • Database Server: MySQL 5.0
  • Mail Server: Postfix
  • DNS Server: BIND9
  • FTP Server: proftpd (ISPConfig will not work with vsftpd on OpenSUSE 10.2)
  • POP3/IMAP: I will use Maildir format and therefore install Courier-POP3/Courier-IMAP.
  • Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

Requirements

To install such a system you will need the following:

  • OpenSuSE 10.2. You can download the 5 CD iso images from here: http://en.opensuse.org/Released_Version (for this tutorial you only need CD 1).
  • an internet connection…

 

1 The Base System

Boot from your first OpenSuSE 10.2-CD and select Installation from the boot screen:


Select your language:


Skip the media check by clicking on Next:


Accept the license agreement:


Select New Installation:


Select your time zone next:


At the Desktop Selection screen, choose Other and click on Select…:


As we want to install a server, we do not need a desktop. Therefore we select Text Mode and click on OK and then on Next.


The Installation Settings screen lists the available installation settings. You can change each of its choices by navigating to the appropriate headline. First, I change the partitioning scheme by clicking on Partitioning and then on Create Custom Partition Setup and then on Next:


Select Custom Partitioning (for experts):


Now we create the partitions. I will use the following partition scheme:

/boot 100 MB
swap 500 MB
/ the rest of the hard disk

Creating a partition: Click on Create, select Primary Partition, select the format. I will use ext3 for all partitions (I want to install quota later on, and quota works best with ext3 – you might encounter problems with reiserFS!) except the swap partition, that is of type swap. Then select the mountpoint corresponding to the above partitioning scheme.


Your partition table should look now similar to this one here, depending on your hard disk size. Click on Accept to proceed to the next step.


Now switch to Expert mode (the Expert tab in the Installation Settings), select your Keyboard Layout and Accept:


Back on the Installation Settings screen, click on Accept and then on Install:


The hard disk is being formatted:


The package installation starts (click on the Details tab to see the detailed installation progress):


After the basic package installation the system reboots. Remove the SuSE CD and make sure the machine boots from the hard disk:


After the system has come up again, provide a password for root. Then hit the [Tab] key until Next is highlighted and hit return.


Next, we must provide a Hostname and a Domain Name. My server’s name is server1.example.com, so I fill in server1 as Hostname and example.com as Domain Name. Afterwards, we disable Change Hostname via DHCP because a server’s hostname should be static. Leave Write Hostname to /etc/hosts enabled.


On to the Network Configuration. First we disable the default firewall. This is necessary to prepare the system for the ISPConfig installation. ISPConfig provides its own firewall. If you do not want to install ISPConfig, leave the firewall enabled. To navigate in text-mode use the tab and arrow keys. Enable or disable selections by hitting the return key.


Then mark Network Interfaces and hit return. The following screen should come up:


Hit the [Tab] key until [Edit] is highlighted, then hit return. You should now be on the Network Address Setup screen:


I do not want to get IP addresses from a DHCP server because a server should have static IP addresses so I change this by selecting Static Address Setup and enter an IP Address (e.g. 192.168.0.100) and a Subnet Mask (e.g. 255.255.255.0):


Then go to the Hostname and Name Server settings. The hostname (server1.example.com) should already be there (remember, we specified this earlier in our setup). Fill in up to three Name Servers (e.g. 145.253.2.75, 193.174.32.18, and 194.25.0.60). Unfortunately we cannot disable Update Name Servers and Search List via DHCP – I think this is a bug in YaST. Afterwards, hit OK.


Next, go to Routing and enter the Default Gateway. For me, this is 192.168.0.1:


Then we can leave the network card configuration by hitting Next twice:


Our network configuration is finished now, therefore we hit Next again on the Network Configuration screen:


The network configuration is being saved:


Now the internet connection of the system is tested and you may download the latest updates from a SuSE mirror and install them. Be patient here, this might take a few minutes.


Now configure the Novell Customer Center (formerly known as Online Update) function and install the latest updates, if available:


To download and install the latest updates, select Run Update:


Select the packages you want to update and hit OK:


The packages are downloaded and installed:


When you are asked for Additional Installation Sources, just select the oss repository:


Next the list of available packages is downloaded from the oss repository:


When asked how users should authenticate, choose Local (/etc/passwd):


Create a second user other than root (e.g. administrator – do not use the name admin as it is already reserved on the system):


Read the release notes (if you like…) and hit Next:


Finally YaST performs a hardware check (graphics cards, printers, sound, TV cards and Bluetooth). You can accept the results of this check as this hardware is not important for a server.


Congratulations! Your base installation is complete.


On to the next step…

2 Adding Installation Sources

To make package installation easier, I will add a network installation source. If you want to install all packages from CD / DVD, you can skip this step. Start yast2:

yast2

Go to Software -> Installation Source:


You should now see three software repositories here: your SuSE CDs, the updates repository (http://gd.tuwien.ac.at/… in this example), and the oss repository (http://download.opensuse.org/… in this example). We want to disable the SuSE CDs so that we can download all packages from the internet. To do this, the CDs must be marked in yellow; then navigate to Source Settings and select Enable or Disable to disable the SuSE CDs:


The updates repository is already active, so we don’t need to enable it, but the oss repository needs activation, so we mark it, go to Source Settings again and select Enable or Disable again to enable it. Your list of repositories should now resemble this one:


Then hit Finish and then Quit on the next screen to leave YaST.

 

3 Install Some Software

Now we install a few packages that are needed later on. Run

yast2 -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ make

 

4 Quota

To install quota, run

yast2 -i quota

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partition with mount point /, which is /dev/sda3 here; your device name might be /dev/hda2 or similar):

vi /etc/fstab

/dev/sda3            /                    ext3       acl,user_xattr,usrquota,grpquota        1 1
/dev/sda1            /boot                ext3       acl,user_xattr        1 2
/dev/sda2            swap                 swap       defaults              0 0
proc                 /proc                proc       defaults              0 0
sysfs                /sys                 sysfs      noauto                0 0
debugfs              /sys/kernel/debug    debugfs    noauto                0 0
devpts               /dev/pts             devpts     mode=0620,gid=5       0 0
/dev/fd0             /media/floppy        auto       noauto,user,sync      0 0

Then run:

touch /aquota.user /aquota.group
chmod 600 /aquota.*

and reboot the system:

shutdown -r now

After the system has come up again, enable quota like this:

quotacheck -avugm
quotaon -avug
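Before rebooting it is worth confirming that the fstab entry for / really carries both quota options, because quotacheck and quotaon silently do nothing for a file system that lacks them. The following shell snippet is an added example and not part of the original howto; it parses fstab text and checks the options column of the entry for a given mount point. The sample fstab is constructed from the layout shown above (device names are examples).

```shell
#!/bin/sh
# Added example, not part of the original howto: verify that a mount point's
# fstab entry carries both usrquota and grpquota, so that quotacheck and
# quotaon have something to act on after the reboot.

# fstab_has_quota MOUNTPOINT   (fstab text on stdin)
# Returns 0 when the entry for MOUNTPOINT lists usrquota and grpquota in its
# options field (column 4), 1 otherwise.  Comment lines and lines with fewer
# than four fields are ignored.
fstab_has_quota() {
  awk -v mp="$1" '
    /^[[:space:]]*#/ || NF < 4 { next }
    $2 == mp {
      found = 1
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++) {
        if (opts[i] == "usrquota") usr = 1
        if (opts[i] == "grpquota") grp = 1
      }
    }
    END { if (found && usr && grp) exit 0; exit 1 }
  '
}

# Constructed sample matching the layout shown in the howto (device names are
# examples; yours may differ).
SAMPLE_FSTAB='/dev/sda3            /                    ext3       acl,user_xattr,usrquota,grpquota        1 1
/dev/sda1            /boot                ext3       acl,user_xattr        1 2
/dev/sda2            swap                 swap       defaults              0 0'

if printf '%s\n' "$SAMPLE_FSTAB" | fstab_has_quota /; then
  echo "/ is mounted with usrquota,grpquota"
else
  echo "/ lacks usrquota and/or grpquota" >&2
fi
```

On the installed server run `fstab_has_quota / < /etc/fstab`; after the reboot, `quotaon -p /` reports whether user and group quotas are actually switched on for the root file system.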

 

5 DNS Server

Run

yast2 -i bind bind-chrootenv bind-devel bind-utils

Then we add the system startup links for BIND and start it:

chkconfig --add named
/etc/init.d/named start

Bind will run in a chroot jail under /var/lib/named.

6 MySQL

In order to install MySQL, we run

yast2 -i mysql mysql-client mysql-shared perl-DBD-mysql perl-DBI perl-Data-ShowTable mysql-devel

Then we add the system startup links for MySQL and start it:

chkconfig --add mysql
/etc/init.d/mysql start

Now check that networking is enabled. Run

netstat -tap

In the output you should see a line like this one:

[...]
tcp        0      0 *:mysql                 *:*                     LISTEN      4298/mysqld
[...]

If you don’t see a line like this, edit /etc/my.cnf, comment out the option skip-networking:

vi /etc/my.cnf

[...]
#skip-networking
[...]

and restart your MySQL server:

/etc/init.d/mysql restart

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

 

7 Postfix With SMTP-AUTH And TLS

Postfix is already installed, but we must install Cyrus-SASL now:

yast2 -i cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd

Then we add the system startup links for saslauthd and start it:

chkconfig --add saslauthd
/etc/init.d/saslauthd start

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for SMTP-AUTH and TLS:

postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'mynetworks = 127.0.0.0/8'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
postconf -e 'inet_interfaces = all'
postconf -e 'alias_maps = hash:/etc/aliases'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

To enable TLS connections in Postfix, edit /etc/postfix/master.cf and uncomment the tlsmgr line so that it looks like this one:

vi /etc/postfix/master.cf

[...]
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
[...]

Now restart Postfix:

/etc/init.d/postfix restart

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

then everything is fine.

On my system the output looks like this:

server1:/etc/postfix/ssl # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
server1:/etc/postfix/ssl #

Type

quit

to return to the system’s shell.
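Reading the EHLO reply by eye works once, but a small parser makes the check repeatable after every Postfix change. The following shell snippet is an added example, not part of the original howto: it takes a captured EHLO reply on stdin, reports whether STARTTLS and AUTH are advertised and which SASL mechanisms are offered, and fails if either capability is missing. The sample reply is the transcript shown above, embedded as constructed input.

```shell
#!/bin/sh
# Added example, not part of the original howto: parse a captured EHLO reply
# and report whether STARTTLS and SASL AUTH are advertised and which
# mechanisms are offered.

# ehlo_capabilities   (server reply lines on stdin)
# Prints a one-line summary and returns 0 only if both STARTTLS and AUTH are
# advertised.  The legacy "250-AUTH=..." line (emitted because of
# broken_sasl_auth_clients = yes) is ignored so mechanisms are not listed twice.
ehlo_capabilities() {
  awk '
    { sub(/\r$/, "") }                      # tolerate CRLF from telnet captures
    /^250[- ]STARTTLS$/ { tls = 1 }
    /^250[- ]AUTH /     { auth = 1; sub(/^250[- ]AUTH /, ""); mech = $0 }
    END {
      printf "starttls=%d auth=%d mechanisms=%s\n", tls, auth, mech
      if (auth && !tls) print "warning: AUTH offered but no STARTTLS" > "/dev/stderr"
      if (tls && auth) exit 0
      exit 1
    }
  '
}

# Constructed sample: the EHLO reply shown in the howto.
SAMPLE_EHLO='250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

printf '%s\n' "$SAMPLE_EHLO" | ehlo_capabilities
```

Pipe the reply you captured with telnet into `ehlo_capabilities` on the real server. Note that with `smtpd_tls_auth_only = no`, as set above, AUTH LOGIN and PLAIN are advertised on the unencrypted session as well (the transcript shows exactly that), so a mail client that does not negotiate STARTTLS first will send its password in the clear; setting `smtpd_tls_auth_only = yes` makes Postfix offer AUTH only after STARTTLS has been completed.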

 

8 Courier-IMAP/Courier-POP3

I want to use a POP3/IMAP daemon that has Maildir support. That’s why I use Courier-IMAP and Courier-POP3.

yast2 -i courier-imap fam-server courier-authlib expect tcl

Afterwards we add the system startup links and start POP3, IMAP, POP3s and IMAPs:

chkconfig --add fam
chkconfig --add courier-authdaemon
chkconfig --add courier-pop
chkconfig --add courier-imap
/etc/init.d/courier-pop start
/etc/init.d/courier-imap start
chkconfig --add courier-pop-ssl
chkconfig --add courier-imap-ssl
/etc/init.d/courier-pop-ssl start
/etc/init.d/courier-imap-ssl start

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user’s Maildir*:

postconf -e ‘home_mailbox = Maildir/’
postconf -e ‘mailbox_command =’
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system, as ISPConfig does the necessary configuration using procmail recipes. But please make sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.

9 Apache/PHP5

Now we install Apache with PHP5:

yast2 -i apache2 apache2-devel apache2-mod_perl apache2-mod_php5 apache2-prefork perl-HTML-Parser perl-HTML-Tagset perl-Tie-IxHash perl-URI perl-libwww-perl php5 php5-devel zlib zlib-devel

Then we install some PHP5 modules:

yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dbase php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mhash php5-mysql php5-ncurses php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl

Next we edit /etc/apache2/httpd.conf:

vi /etc/apache2/httpd.conf

and change DirectoryIndex to

[...]
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx
[...]

Edit /etc/sysconfig/apache2 and add rewrite to the APACHE_MODULES line:

vi /etc/sysconfig/apache2

[...]
APACHE_MODULES="actions alias auth_basic authn_file [...] setenvif ssl suexec userdir php5 rewrite"
[...]

Also add SSL to the APACHE_SERVER_FLAGS line:

[...]
APACHE_SERVER_FLAGS="SSL"
[...]

Now configure your system to start Apache at boot time:

chkconfig --add apache2

Then run

SuSEconfig
/etc/init.d/apache2 start

 

9.1 Disable PHP And Perl Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP and Perl on a per-website basis, i.e. you can specify which website can run PHP and Perl scripts and which one cannot. This can only work if PHP and Perl are disabled globally because otherwise all websites would be able to run PHP/Perl scripts, no matter what you specify in ISPConfig.

To disable PHP and Perl globally, we edit /etc/mime.types and comment out the application/x-perl and application/x-php lines:

vi /etc/mime.types

[...]
#application/x-perl pl pm al perl
#application/x-php php php3 php4
[...]

Afterwards we restart Apache:

/etc/init.d/apache2 restart

 

10 Proftpd

I want to use Proftpd instead of vsftpd which is SuSE’s default FTP server because the control panel software I am going to install on this server (ISPConfig) requires Proftpd on OpenSuSE 10.2 (on other distributions this is different). Since there are no OpenSuSE packages for Proftpd I have to compile it manually:

cd /tmp/
wget --passive-ftp ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0a.tar.gz
tar xvfz proftpd-1.3.0a.tar.gz
cd proftpd-1.3.0a/
./configure --sysconfdir=/etc
make
make install
cd ..
rm -fr proftpd-1.3.0a*

Now create the file /etc/init.d/proftpd:

vi /etc/init.d/proftpd

#! /bin/sh
# Copyright (c) 2000-2001 SuSE GmbH Nuernberg, Germany.
# All rights reserved.
#
# Original author: Marius Tomaschewski <mt@suse.de>
#
# Slightly modified in 2003 for use with SuSE Linux 8.1,
# by http://www.learnlinux.co.uk/
#
# Slightly modified in 2005 for use with SuSE Linux 9.2,
# by Falko Timme
#
# /etc/init.d/proftpd
#
### BEGIN INIT INFO
# Provides:                proftpd
# Required-Start:        $network $remote_fs $syslog $named
# Required-Stop:
# Default-Start:        3 5
# Default-Stop:        0 1 2 6
# Description:                Starts ProFTPD server
### END INIT INFO

# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}

# Force execution if not called by a runlevel directory.
test $link = $base && START_PROFTPD=yes  # Modified by learnlinux.co.uk
test "$START_PROFTPD" = yes || exit 0    # Modified by learnlinux.co.uk

# Return values acc. to LSB for all commands but
# status (see below):
#
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running

proftpd_cfg="/etc/proftpd.conf"
proftpd_bin="/usr/local/sbin/proftpd"
proftpd_pid="/usr/local/var/proftpd.pid"

[ -r $proftpd_cfg ] || exit 6
[ -x $proftpd_bin ] || exit 5

# Source status functions
. /etc/rc.status

# First reset status of this service
rc_reset

case "$1" in
    start)
  echo -n "Starting ProFTPD Server: "
  test -f /etc/shutmsg && rm -f /etc/shutmsg
  /sbin/startproc $proftpd_bin
  rc_status -v
  ;;

    stop)
  echo -n "Shutting down ProFTPD Server: "
  test -x /usr/local/sbin/ftpshut && /usr/local/sbin/ftpshut now && sleep 1
  /sbin/killproc -TERM $proftpd_bin
  test -f /etc/shutmsg && rm -f /etc/shutmsg
  rc_status -v
  ;;

    restart)
  ## If first returns OK call the second, if first or
  ## second command fails, set echo return value.
  $0 stop
  $0 start
  rc_status
  ;;

    try-restart)
  ## Stop the service and if this succeeds (i.e. the
  ## service was running before), start it again.
  ## Note: not (yet) part of LSB (as of 0.7.5)
  $0 status >/dev/null &&  $0 restart
  rc_status
  ;;

    reload|force-reload)
  ## Exclusive possibility: Some services must be stopped
  ## and started to force a new load of the configuration.
  echo -n "Reload ProFTPD Server: "
  /sbin/killproc -HUP $proftpd_bin
  rc_status -v
  ;;

    status)
  # Status has a slightly different meaning for the status command:
  # 0 - service running
  # 1 - service dead, but /var/run/  pid  file exists
  # 2 - service dead, but /var/lock/ lock file exists
  # 3 - service not running
  echo -n "Checking for ProFTPD Server: "
  checkproc $proftpd_bin
  rc_status -v
  ;;

    probe)
  ## Optional: Probe for the necessity of a reload,
  ## give out the argument which is required for a reload.
  [ $proftpd_cfg -nt $proftpd_pid ] && echo reload
  ;;

    *)
  echo "Usage: $0 {start|stop|status|restart|reload|try-restart|probe}"
  exit 1
  ;;
esac

# Set an exit status.
rc_exit

Then run

chmod 755 /etc/init.d/proftpd
chkconfig --add proftpd

Start Proftpd:

/etc/init.d/proftpd start

For security reasons you can add the following lines to /etc/proftpd.conf:

vi /etc/proftpd.conf

[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
[...]

Be sure to comment out the following lines in order to allow ftp users to CHMOD:

[...]
# Bar use of SITE CHMOD by default
#<Limit SITE_CHMOD>
#  DenyAll
#</Limit>
[...]

and restart Proftpd:

/etc/init.d/proftpd restart
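The two directives added above are easy to lose again when proftpd.conf is edited later (DefaultRoot ~ is what keeps each FTP user confined to their own home directory). The following shell snippet is an added example, not part of the original howto: it audits a proftpd.conf fragment read from stdin for DefaultRoot ~ and IdentLookups off and reports whether the SITE CHMOD <Limit> block is still active. ProFTPD directive names are case-insensitive, so the matching lower-cases each line first. The sample configuration is constructed to reflect the edits described above.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit a proftpd.conf fragment
# (stdin) for the hardening directives recommended in the howto and report
# whether SITE CHMOD is still restricted by a <Limit> block.

# proftpd_audit   (configuration text on stdin)
# Prints a summary line; returns 0 when "DefaultRoot ~" and "IdentLookups off"
# are both present and uncommented, 1 otherwise.
proftpd_audit() {
  awk '
    { line = tolower($0); sub(/\r$/, "", line) }
    line ~ /^[[:space:]]*#/ { next }                          # skip comments
    line ~ /^[[:space:]]*defaultroot[[:space:]]+~/ { root = 1 }
    line ~ /^[[:space:]]*identlookups[[:space:]]+off/ { ident = 1 }
    line ~ /^[[:space:]]*<limit[[:space:]]+site_chmod>/ { chmod_limit = 1 }
    END {
      printf "defaultroot=%d identlookups_off=%d site_chmod_limited=%d\n", root, ident, chmod_limit
      if (root && ident) exit 0
      exit 1
    }
  '
}

# Constructed fragment reflecting the howto: both directives added and the
# SITE CHMOD <Limit> block commented out.
SAMPLE_PROFTPD='ServerName "ProFTPD Default Installation"
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
# Bar use of SITE CHMOD by default
#<Limit SITE_CHMOD>
#  DenyAll
#</Limit>'

printf '%s\n' "$SAMPLE_PROFTPD" | proftpd_audit
```

On the server run `proftpd_audit < /etc/proftpd.conf`; a non-zero exit means one of the two hardening directives is missing or commented out. The site_chmod_limited flag simply tells you which way the CHMOD decision currently goes.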

11 Webalizer

To install webalizer, just run

yast2 -i webalizer

 

12 Synchronize the System Clock

If you want to have the system clock synchronized with an NTP server do the following:

yast2 -i xntp

Add an NTP server with YaST:

yast2

Select Network Services -> NTP Configuration:


Then select Automatically Start NTP Daemon During Boot. Under NTP Server Configuration enable Use Random Servers from pool.ntp.org. Then select Finish, Quit.


13 Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)

Run

yast2 -i perl-HTML-Parser perl-Net-DNS perl-Digest-SHA1

 

14 Disable AppArmor

AppArmor is a security extension of SuSE (similar to Fedora’s SELinux) that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor

 

15 ISPConfig

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it. Please check out the ISPConfig installation: http://www.ispconfig.org/manual_installation.htm

15.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /srv/www as the home directory for websites created by ISPConfig as OpenSuSE 10.2’s suExec is compiled with /srv/www as Doc_Root. Run /usr/sbin/suexec2 -V, and the output should look like this:

/usr/sbin/suexec2 -V

server1:~ # /usr/sbin/suexec2 -V
-D AP_DOC_ROOT="/srv/www"
-D AP_GID_MIN=96
-D AP_HTTPD_USER="wwwrun"
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=96
-D AP_USERDIR_SUFFIX="public_html"
server1:~ #

Unless you install ISPConfig in expert mode and change the default web root (which is /srv/www), you will be able to run CGI scripts under suExec with ISPConfig. The following screenshot is taken from an ISPConfig installation in expert mode. If you want to use ISPConfig, then don’t change the default web root:
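The condition described above (the web root must lie beneath the compiled-in AP_DOC_ROOT, or suExec refuses to run the CGI script) can be checked automatically rather than by reading the -V report. The following shell snippet is an added example, not part of the original howto: it extracts AP_DOC_ROOT from `suexec2 -V` output supplied on stdin and tests whether a planned web root equals or lies under it. One practical detail: suexec prints its -V report on stderr, so on the real server redirect with `2>&1` before piping. The sample report is the one shown above, embedded as constructed input.

```shell
#!/bin/sh
# Added example, not part of the original howto: pull AP_DOC_ROOT out of the
# output of "suexec2 -V" and check that a planned web root lies beneath it.

# suexec_doc_root   (suexec -V output on stdin) -> prints the doc root
suexec_doc_root() {
  sed -n 's/^-D AP_DOC_ROOT="\(.*\)"$/\1/p'
}

# web_root_under_doc_root WEBROOT   (suexec -V output on stdin)
# Returns 0 if WEBROOT equals or lies under AP_DOC_ROOT, 1 if it does not,
# 2 if no AP_DOC_ROOT line was found in the input.
web_root_under_doc_root() {
  doc_root=$(suexec_doc_root)
  [ -n "$doc_root" ] || return 2
  case "$1" in
    "$doc_root" | "$doc_root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample: the report the howto shows for OpenSuSE 10.2.
SAMPLE_SUEXEC='-D AP_DOC_ROOT="/srv/www"
-D AP_GID_MIN=96
-D AP_HTTPD_USER="wwwrun"
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=96
-D AP_USERDIR_SUFFIX="public_html"'

for root in /srv/www /srv/www/web1 /var/www; do
  if printf '%s\n' "$SAMPLE_SUEXEC" | web_root_under_doc_root "$root"; then
    echo "$root: inside AP_DOC_ROOT, suExec will run CGI scripts here"
  else
    echo "$root: outside AP_DOC_ROOT, suExec will refuse to run CGI scripts"
  fi
done
# On the real server: /usr/sbin/suexec2 -V 2>&1 | web_root_under_doc_root /srv/www
```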


  • OpenSuSE: http://www.opensuse.org
  • ISPConfig: http://www.ispconfig.org

 
