Cheap VPS & Xen Server


Residential Proxy Network - Hourly & Monthly Packages

The Perfect Setup – SuSE 10.1 (32-bit)


This is a detailed description about how to set up a SuSE 10.1 based server that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP, Quota, Firewall, etc.).

I will use the following software:

  • Web Server: Apache 2.2.0
  • Database Server: MySQL 5.0
  • Mail Server: Postfix
  • DNS Server: BIND9
  • FTP Server: proftpd (ISPConfig will not work with vsftpd on SUSE 10.1)
  • POP3/IMAP: I will use Maildir format and therefore install Courier-POP3/Courier-IMAP.
  • Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Requirements

To install such a system you will need the following:

1 The Base System

Boot from your first SuSE 10.1-CD and select Installation from the boot screen:

2

Select your language:

3

Skip the media check by clicking on Next:

4

Accept the license agreement:

5

Select New installation:

6

Select your time zone next:

7

At the Desktop Selection screen, choose Other and click on Select…:

8

As we want to install a server, we do not need a desktop. Therefore we select Text Mode and click on OK and then on Next.

9

The Installation Settings screen lists the available installation settings. You can change each of its choices by navigating to the appropriate headline. First, I change the partitioning scheme by clicking on Partitioning and then on Create Custom Partition Setup and then on Next:

10

11

Select Custom Partitioning (for experts):

12

Now we create the partitions. I will use the following partition scheme:

/boot 100 MB
swap 500 MB
/ the rest of the hard disk

Creating a partition: Click on Create, select Primary Partition, select the format. I will use ext3 for all partitions (I want to install quota later on, and quota works best with ext3 – you might encounter problems with reiserFS!) except the swap partition, that is of type swap. Then select the mountpoint corresponding to the above partitioning scheme.

13

14

15

16

17

Your partition table should look now similar to this one here, depending on your hard disk size. Click on Finish to proceed to the next step.

18

Now switch to Expert mode (the Expert tab in the Installation Settings), select your Keyboard Layout and Accept:

19

20

Back on the Installation Settings screen, click on Accept and then on Install:

21

The hard disk is being formatted:

22

The package installation starts (click on the Details tab to see the detailed installation progress):

23

After the basic package installation the system reboots. Remove the SuSE CD and go sure to boot from the hard disk:

24

25

After the system has come up again, we must provide a Hostname and a Domain Name. My server’s name is server1.example.com, so I fill in server1 as Hostname and example.com as Domain Name. Afterwards, we disable Change Hostname via DHCP because a server’s hostname should be static.

26

Next provide a password for root. Then hit the [Tab] key until the Next is highlighted and hit return.

27

On to the Network Configuration. First we disable the default firewall. This is necessary to prepare the system for the ISPConfig installation. ISPConfig provides its own firewall. If you do not want to install ISPConfig, leave the firewall enabled. To navigate in text-mode use the tab and arrow keys. Enable or disable selections by hitting the return key.

28

Then mark Network Interfaces and hit return. The following screen should come up:

29

Hit the [Tab] key until [Edit] is highlighted, then hit return. You should now be on the Network Address Setup screen:

30

Then go to the Hostname and Name Server settings. The hostname (server1.example.com) should already be there (remember, we specified this earlier in our setup). Fill in up to three Name Servers (e.g. 145.253.2.75, 193.174.32.18, and 194.25.0.60). Unfortunately we cannot disable Update Name Servers and Search List via DHCP – I think this is a bug in YaST. Afterwards, hit OK.

32

Next, go to Routing and enter the Default Gateway. For me, this is 192.168.0.1:

33

34

Then we can leave the network card configuration by hitting Next twice:

35

Our network configuration is finished now, therefore we hit Next again on the Network Configuration screen:

37

The network configuration is being saved:

38

Now the internet connection of the system is tested and you may download the latest updates from a SuSE mirror and install them. Be patient here, this might take a few minutes (package management is really slow on SuSE 10.1).

39

40

Now configure the Online Update function and install the latest updates, if available:

41

42

43

44

When asked how users should authenticate, choose Local (/etc/passwd):

45

Create a second user other than root (e.g. admin):

46

Read the release notes (if you like…) and hit Next:

47

Finally YaST performs a hardware check (graphics cards, printers, sound, TV cards and Bluetooth). You can accept the results of this check as this hardware is not important for a server.

48

Congratulations! Your base installation is complete.

49

On to the next step…

2 Adding Installation Sources

To make package installation easier, I will add a network installation source. If you want to install all packages from CD / DVD, you can skip this step. Start yast2:

yast2

Go to Software -> Installation Source:

50

Select Add and enter a mirror near you. You can find a list of mirrors here: http://www.opensuse.org/Mirrors_Development_Build.

I selected this http mirror ( yes, it is an http mirror even though the URL starts with ftp 🙂 ):

ftp.uni-erlangen.de/pub/mirrors/opensuse/distribution/SL-10.1/inst-source

51

52

As Server Name, I enter ftp.uni-erlangen.de, and as Directory on Server I fill in /pub/mirrors/opensuse/distribution/SL-10.1/inst-source:

53

Finally I move my new installation source to the top of the list so that it will be the preferred location to fetch software packages from. At the same time I delete my SuSE CDs from the list (normally it would be enough to move the CDs down the list, but YaST seems to be buggy – whenever I moved the CDs down, they were back at the top when I entered YaST the next time…).

54

Hit Finish afterwards. You have to be patient now, in my tests it took about ten minutes(!) until YaST updated the installation sources. During that period, it seems as if YaST was hanging, but in fact it is working. You can check that in a second shell windows with the command

tail -f /var/log/YaST2/y2log

I don’t know what the SuSE developers did to YaST, but it’s a change for the worse for sure…

3 Install Some Software

Now we install a few packages that are needed later on. Run

yast -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++

If you’re on a 64-bit system (only then!), you must also install openssl-devel-32bit:

yast -i openssl-devel-32bit

4 Quota

To install quota, run

yast -i quota

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to partition /dev/sda3 (mount point /; your device name might be /dev/hda2 or similar):

vi /etc/fstab

/dev/sda3            /                    ext3       acl,user_xattr,usrquota,grpquota        1 1
/dev/sda1            /boot                ext3       acl,user_xattr        1 2
/dev/sda2            swap                 swap       defaults              0 0
proc                 /proc                proc       defaults              0 0
sysfs                /sys                 sysfs      noauto                0 0
debugfs              /sys/kernel/debug    debugfs    noauto                0 0
devpts               /dev/pts             devpts     mode=0620,gid=5       0 0
/dev/fd0             /media/floppy        auto       noauto,user,sync      0 0

Then run:

touch /aquota.user /aquota.group
chmod 600 /aquota.*

and reboot the system:

shutdown -r now

After the system has come up again, enable quota like this:

quotacheck -avugm
quotaon -avug

5 DNS Server

Run

yast -i bind bind-chrootenv bind-devel bind-utils

Then we add the system startup links for BIND and start it:

chkconfig –add named
/etc/init.d/named start

Bind will run in a chroot jail under /var/lib/named.

6 MySQL

In order to install MySQL, we run

yast -i mysql mysql-client mysql-shared perl-DBD-mysql perl-DBI perl-Data-ShowTable mysql-devel

Then we add the system startup links for MySQL and start it:

chkconfig –add mysql
/etc/init.d/mysql start

Now check that networking is enabled. Run

netstat -tap

In the output you should see a line like this one:

tcp        0      0 *:mysql                 *:*                     LISTEN      6621/mysqld

If you don’t see a line like this, edit /etc/my.cnf, comment out the option skip-networking:

vi /etc/my.cnf

#skip-networking

and restart your MySQL server:

/etc/init.d/mysql restart

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

7 Postfix With SMTP-AUTH And TLS

Postfix is already installed, but we must install Cyrus-SASL now:

yast -i cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd

Then we add the system startup links for saslauthd and start it:

chkconfig –add saslauthd
/etc/init.d/saslauthd start

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for SMTP-AUTH and TLS:

postconf -e ‘mydomain = example.com’
postconf -e ‘myhostname = server1.$mydomain’
postconf -e ‘smtpd_sasl_local_domain =’
postconf -e ‘smtpd_sasl_auth_enable = yes’
postconf -e ‘smtpd_sasl_security_options = noanonymous’
postconf -e ‘broken_sasl_auth_clients = yes’
postconf -e ‘smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains’
postconf -e ‘inet_interfaces = all’
postconf -e ‘alias_maps = hash:/etc/aliases’
postconf -e ‘smtpd_tls_auth_only = no’
postconf -e ‘smtp_use_tls = yes’
postconf -e ‘smtpd_use_tls = yes’
postconf -e ‘smtp_tls_note_starttls_offer = yes’
postconf -e ‘smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key’
postconf -e ‘smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt’
postconf -e ‘smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem’
postconf -e ‘smtpd_tls_loglevel = 1’
postconf -e ‘smtpd_tls_received_header = yes’
postconf -e ‘smtpd_tls_session_cache_timeout = 3600s’
postconf -e ‘tls_random_source = dev:/dev/urandom’

To enable TLS connections in Postfix, edit /etc/postfix/master.cf and uncomment the tlsmgr line so that it looks like this one:

vi /etc/postfix/master.cf

tlsmgr    unix  -       -       n       1000?   1       tlsmgr

Now restart Postfix:

/etc/init.d/postfix restart

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

then everything is fine.

57

Type

quit

to return to the system’s shell.

8 Courier-IMAP/Courier-POP3

I want to use a POP3/IMAP daemon that has Maildir support. That’s why I use Courier-IMAP and Courier-POP3.

yast -i courier-imap fam-server courier-authlib expect tcl

Afterwards we add the system startup links and start POP3, IMAP, POP3s and IMAPs:

chkconfig –add fam
chkconfig –add courier-authdaemon
chkconfig –add courier-pop
chkconfig –add courier-imap
/etc/init.d/courier-pop start
/etc/init.d/courier-imap start
chkconfig –add courier-pop-ssl
chkconfig –add courier-imap-ssl
/etc/init.d/courier-pop-ssl start
/etc/init.d/courier-imap-ssl start

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user’s Maildir*:

postconf -e ‘home_mailbox = Maildir/’
postconf -e ‘mailbox_command =’
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please go sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.

9 Apache/PHP5

Now we install Apache with PHP5:

yast2 -i apache2 apache2-devel apache2-mod_perl apache2-mod_php5 apache2-prefork perl-HTML-Parser perl-HTML-Tagset perl-Tie-IxHash perl-URI perl-libwww-perl php5 php5-devel zlib zlib-devel

Then we install some PHP5 modules:

yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dbase php5-debuginfo php5-dom php5-filepro php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mhash php5-mysql php5-mysqli php5-ncurses php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl

Next we edit /etc/apache2/httpd.conf:

vi /etc/apache2/httpd.conf

and change DirectoryIndex to

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx

Edit /etc/sysconfig/apache2 and add rewrite to the APACHE_MODULES line:

vi /etc/sysconfig/apache2

APACHE_MODULES="actions alias auth_basic [...] negotiation setenvif ssl suexec userdir php5 rewrite"

Also add SSL to the APACHE_SERVER_FLAGS line:

APACHE_SERVER_FLAGS="SSL"

Now configure your system to start Apache at boot time:

chkconfig –add apache2

Then run

SuSEconfig
/etc/init.d/apache2 start

9.1 Disable PHP And Perl Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP and Perl on a per-website basis, i.e. you can specify which website can run PHP and Perl scripts and which one cannot. This can only work if PHP and Perl are disabled globally because otherwise all websites would be able to run PHP/Perl scripts, no matter what you specify in ISPConfig.

To disable PHP and Perl globally, we edit /etc/mime.types and comment out the application/x-perl and application/x-php lines:

vi /etc/mime.types

#application/x-perl pl pm al perl
#application/x-php php php3 php4

Afterwards we restart Apache:

/etc/init.d/apache2 restart

10 Proftpd

I want to use Proftpd instead of vsftpd which is SuSE’s default FTP server because the control panel software I am going to install on this server (ISPConfig) requires Proftpd on SUSE 10.1 (on other distributions this is different). Since there are no SUSE packages for Proftpd I have to compile it manually:

cd /tmp/
wget –passive-ftp ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0.tar.gz
tar xvfz proftpd-1.3.0.tar.gz
cd proftpd-1.3.0/
./configure –sysconfdir=/etc
make
make install
cd ..
rm -fr proftpd-1.3.0*

Now create the file /etc/init.d/proftpd:

vi /etc/init.d/proftpd

#! /bin/sh
# Copyright (c) 2000-2001 SuSE GmbH Nuernberg, Germany.
# All rights reserved.
#
# Original author: Marius Tomaschewski <mt@suse.de>
#
# Slightly modified in 2003 for use with SuSE Linux 8.1,
# by http://www.learnlinux.co.uk/
#
# Slightly modified in 2005 for use with SuSE Linux 9.2,
# by Falko Timme
#
# /etc/init.d/proftpd
#
### BEGIN INIT INFO
# Provides:                proftpd
# Required-Start:        $network $remote_fs $syslog $named
# Required-Stop:
# Default-Start:        3 5
# Default-Stop:        0 1 2 6
# Description:                Starts ProFTPD server
### END INIT INFO

# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}

# Force execution if not called by a runlevel directory.
test $link = $base && START_PROFTPD=yes  # Modified by learnlinux.co.uk
test "$START_PROFTPD" = yes || exit 0    # Modified by learnlinux.co.uk

# Return values acc. to LSB for all commands but
# status (see below):
#
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running

proftpd_cfg="/etc/proftpd.conf"
proftpd_bin="/usr/local/sbin/proftpd"
proftpd_pid="/usr/local/var/proftpd.pid"

[ -r $proftpd_cfg ] || exit 6
[ -x $proftpd_bin ] || exit 5

# Source status functions
. /etc/rc.status

# First reset status of this service
rc_reset

case "$1" in
    start)
  echo -n "Starting ProFTPD Server: "
  test -f /etc/shutmsg && rm -f /etc/shutmsg
  /sbin/startproc $proftpd_bin
  rc_status -v
  ;;

    stop)
  echo -n "Shutting down ProFTPD Server: "
  test -x /usr/local/sbin/ftpshut && /usr/local/sbin/ftpshut now && sleep 1
  /sbin/killproc -TERM $proftpd_bin
  test -f /etc/shutmsg && rm -f /etc/shutmsg
  rc_status -v
  ;;

    restart)
  ## If first returns OK call the second, if first or
  ## second command fails, set echo return value.
  $0 stop
  $0 start
  rc_status
  ;;

    try-restart)
  ## Stop the service and if this succeeds (i.e. the
  ## service was running before), start it again.
  ## Note: not (yet) part of LSB (as of 0.7.5)
  $0 status >/dev/null &&  $0 restart
  rc_status
  ;;

    reload|force-reload)
  ## Exclusive possibility: Some services must be stopped
  ## and started to force a new load of the configuration.
  echo -n "Reload ProFTPD Server: "
  /sbin/killproc -HUP $proftpd_bin
  rc_status -v
  ;;

    status)
  # Status has a slightly different for the status command:
  # 0 - service running
  # 1 - service dead, but /var/run/  pid  file exists
  # 2 - service dead, but /var/lock/ lock file exists
  # 3 - service not running
  echo -n "Checking for ProFTPD Server: "
  checkproc $proftpd_bin
  rc_status -v
  ;;

    probe)
  ## Optional: Probe for the necessity of a reload,
  ## give out the argument which is required for a reload.
  [ $proftpd_cfg -nt $proftpd_pid ] && echo reload
  ;;

    *)
  echo "Usage: $0 {start|stop|status|restart|reload|try-restart|probe}"
  exit 1
  ;;
esac

# Set an exit status.
rc_exit

Then run

chmod 755 /etc/init.d/proftpd
chkconfig –add proftpd

Start Proftpd:

/etc/init.d/proftpd start

For security reasons you can add the following lines to /etc/proftpd.conf:

vi /etc/proftpd.conf

DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."

Be sure to comment out the following lines in order to allow ftp users to CHMOD:

# Bar use of SITE CHMOD by default
#<Limit SITE_CHMOD>
#  DenyAll
#</Limit>

and restart Proftpd:

/etc/init.d/proftpd restart

11 Webalizer

To install webalizer, just run

yast2 -i webalizer

12 Synchronize the System Clock

If you want to have the system clock synchronized with an NTP server do the following:

yast2 -i xntp

Add an NTP server with YaST:

yast2

Select Network Services -> NTP Client:

54

Then select Automatically Start NTP Daemon During Boot. Under NTP Server Configuration enable Use Random Servers from pool.ntp.org. Then select Finish, Quit.

55

13 Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)

Run

yast2 -i perl-HTML-Parser perl-Net-DNS perl-Digest-SHA1

14 Disable AppArmor

AppArmor is a security extension of SuSE (similar to Fedora’s SELinux) that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor

15 ISPConfig

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it. Please check out the ISPConfig installation: http://www.ispconfig.org/manual_installation.htm

15.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /srv/www as the home directory for websites created by ISPConfig as SUSE 10.1’s suExec is compiled with /srv/www as Doc_Root. Run /usr/sbin/suexec2 -V, and the output should look like this:

/usr/sbin/suexec2 -V

58

To select /srv/www as the home directory for websites during the installation of ISPConfig do the following: When you are asked for the installation mode, select the expert mode.

59

Later during the installation you are asked if the default directory /home/www should be the directory where ISPConfig will create websites in. Answer n and enter /srv/www as the home directory for websites.

60

 

Comments

comments