Cheap VPS & Xen Server


Residential Proxy Network - Hourly & Monthly Packages

The Perfect Setup – Ubuntu 6.06 LTS Server (Dapper Drake)


This is a detailed description about how to set up a Ubuntu 6.06 LTS (Dapper Drake) based server that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP, Quota, Firewall, etc.).

1

The installation starts, and first you have to choose your language:

2

Then select your location:

3

4

Choose a keyboard layout:

5

6

7

The installer checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network:

8

9

10

Enter the hostname. In this example, my system is called server1.example.com, so I enter server1:

11b

Now you have to partition your hard disk. I will create one big partition (with the mount point /) and a little swap partition so I select Erase entire disk:

12

13

Configure your system’s clock:

14

Create a user, for example the user Administrator with the user name admin:

15

16

17

18

Now the base system is being installed:

19

20

21

The GRUB boot loader gets installed:

22

The base system installation is now finished. Remove the installation CD from the CD drive and hit Continue to reboot the system:

23

24

On to the next step…

3 Enable The root Account

After the reboot you can login with your previously created username (e.g. admin). Because we must run all the steps from this tutorial as root user, we must enable the root account now.

Run

sudo passwd root

and give root a password. Afterwards we become root by running

su

4 Install The SSH Server

Ubuntu does not install OpenSSH by default, therefore we do it now. Run

apt-get install ssh openssh-server

You will be prompted to insert the installation CD again.

5 Configure The Network

Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):

vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1       localhost.localdomain localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run

hostname
hostname -f

Both should show server1.example.com. If they do not, reboot the system:

shutdown -r now

Afterwards, run

hostname
hostname -f

again. Now they should show server1.example.com.

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu server and follow the remaining steps from this tutorial.

6 Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. Comment out the CD and enable some of the other repositories. It should look like this:

vi /etc/apt/sources.list

#
# deb cdrom:[Ubuntu-Server 6.06 _Dapper Drake_ - Release i386 (20060531)]/ dapper main restricted


#deb cdrom:[Ubuntu-Server 6.06 _Dapper Drake_ - Release i386 (20060531)]/ dapper main restricted

deb http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://de.archive.ubuntu.com/ubuntu/ dapper universe
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper universe

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse


deb http://security.ubuntu.com/ubuntu dapper-security main restricted
deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted
deb http://security.ubuntu.com/ubuntu dapper-security universe
deb-src http://security.ubuntu.com/ubuntu dapper-security universe

Then run these two commands:

apt-get update
apt-get upgrade

7 Install Some Software

Now we install a few packages that are needed later on. Run

apt-get install binutils cpp cpp-4.0 fetchmail flex gcc gcc-4.0 libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.3-dev libpcre3 libpopt-dev linux-kernel-headers lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++

(This command should go into one line!)

8 Quota

To install quota, run

apt-get install quota

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to partition /dev/sda1 (mount point /; your device name might be /dev/hda1 or similar):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/sda1       /               ext3    defaults,errors=remount-ro,usrquota,grpquota 0       1
/dev/sda5       none            swap    sw              0       0
/dev/hdc        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

9 DNS Server

Run

apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS=” -u bind so that it reads OPTIONS=”-u bind -t /var/lib/named”:

vi /etc/default/bind9

OPTIONS="-u bind -t /var/lib/named"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We need to modify the startup script /etc/init.d/sysklogd of sysklogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD=”-u syslog” so that it reads: SYSLOGD=”-u syslog -a /var/lib/named/dev/log”:

vi /etc/init.d/sysklogd

[...]
SYSLOGD="-u syslog -a /var/lib/named/dev/log"
[...]

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start

10 MySQL

In order to install MySQL, we run

apt-get install mysql-server mysql-client libmysqlclient12-dev

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap

In the output you should see a line like this one:

tcp        0      0 *:mysql                 *:*                     LISTEN     4997/mysqld

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

11 Postfix With SMTP-AUTH And TLS

In order to install Postfix with SMTP-AUTH and TLS do the following steps:

apt-get install postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail

You will be asked two questions. Answer as follows:

General type of configuration? <– Internet Site
Mail name? <– server1.example.com

Then run

dpkg-reconfigure postfix

Again, you’ll be asked some questions:

General type of configuration? <– Internet Site
Where should mail for root go <– NONE
Mail name? <– server1.example.com
Other destinations to accept mail for? (blank for none) <– server1.example.com, localhost.example.com, localhost
Force synchronous updates on mail queue? <– No
Local networks? <– 127.0.0.0/8
Use procmail for local delivery? <– Yes
Mailbox size limit <– 0
Local address extension character? <– +
Internet protocols to use? <– all

Next, do this:

postconf -e ‘smtpd_sasl_local_domain =’
postconf -e ‘smtpd_sasl_auth_enable = yes’
postconf -e ‘smtpd_sasl_security_options = noanonymous’
postconf -e ‘broken_sasl_auth_clients = yes’
postconf -e ‘smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination’
postconf -e ‘inet_interfaces = all’
echo ‘pwcheck_method: saslauthd’ >> /etc/postfix/sasl/smtpd.conf
echo ‘mech_list: plain login’ >> /etc/postfix/sasl/smtpd.conf

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e ‘smtpd_tls_auth_only = no’
postconf -e ‘smtp_use_tls = yes’
postconf -e ‘smtpd_use_tls = yes’
postconf -e ‘smtp_tls_note_starttls_offer = yes’
postconf -e ‘smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key’
postconf -e ‘smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt’
postconf -e ‘smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem’
postconf -e ‘smtpd_tls_loglevel = 1’
postconf -e ‘smtpd_tls_received_header = yes’
postconf -e ‘smtpd_tls_session_cache_timeout = 3600s’
postconf -e ‘tls_random_source = dev:/dev/urandom’
postconf -e ‘myhostname = server1.example.com’

The file /etc/postfix/main.cf should now look like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Restart Postfix:

/etc/init.d/postfix restart

Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes and add the line PARAMS=”-m /var/spool/postfix/var/run/saslauthd -r”:

vi /etc/default/saslauthd

# This needs to be uncommented before saslauthd will be run automatically
START=yes

PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

We must also edit /etc/init.d/saslauthd and change the location of saslauthd’s PID file. Change the value of PIDFILE to /var/spool/postfix/var/run/${NAME}/saslauthd.pid:

vi /etc/init.d/saslauthd

[...]
PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"
[...]

Now start saslauthd:

/etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

25

Type

quit

to return to the system’s shell.

12 Courier-IMAP/Courier-POP3

Run this to install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995):

apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0

You will be asked two questions:

Create directories for web-based administration ? <– No
SSL certificate required <– Ok

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user’s Maildir*:

postconf -e ‘home_mailbox = Maildir/’
postconf -e ‘mailbox_command =’
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please go sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.

13 Apache/PHP5

Now we install Apache:

apt-get install apache2 apache2-common apache2-doc apache2-mpm-prefork apache2-utils libapr0 libexpat1 ssl-cert

Next we install PHP5:

apt-get install autoconf automake1.4 autotools-dev libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd php-pear php5-ldap php5-mhash php5-mysql php5-mysqli php5-snmp php5-sqlite php5-xmlrpc php5-xsl php5-imap php5-mcrypt php5-pspell

You will be asked the following question:

Continue installing libc-client without Maildir support? <– Yes

Next we edit /etc/apache2/apache2.conf

vi /etc/apache2/apache2.conf

and change DirectoryIndex to

[...]
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml
[...]

Edit /etc/apache2/ports.conf and add Listen 443:

vi /etc/apache2/ports.conf

Listen 80
Listen 443

Now we have to enable some Apache modules (SSL, rewrite, suexec, and include):

a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include

Reload the Apache configuration:

/etc/init.d/apache2 force-reload

13.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/mime.types and comment out the application/x-httpd-php lines:

vi /etc/mime.types

[...]
#application/x-httpd-php                                phtml pht php
#application/x-httpd-php-source                 phps
#application/x-httpd-php3                       php3
#application/x-httpd-php3-preprocessed          php3p
#application/x-httpd-php4                       php4
[...]

Edit /etc/apache2/mods-enabled/php5.conf and comment out the following lines:

vi /etc/apache2/mods-enabled/php5.conf

<IfModule mod_php5.c>
#  AddType application/x-httpd-php .php .phtml .php3
#  AddType application/x-httpd-php-source .phps
</IfModule>

Then restart Apache:

/etc/init.d/apache2 restart

14 Proftpd

In order to install Proftpd, run

apt-get install proftpd proftpd-common ucf

You will be asked a question:

Run proftpd from inetd or standalone? <– standalone

For security reasons you can add the following lines to /etc/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.linux.co.uk/localsite/Userguide/linked/userguide.html):

vi /etc/proftpd.conf

[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
[...]

Then restart Proftpd:

/etc/init.d/proftpd restart

15 Webalizer

To install webalizer, just run

apt-get install webalizer

16 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.

17 Install Some Perl Modules Needed By SpamAssassin (Comes With ISPConfig)

Run

apt-get install libhtml-parser-perl libdb-file-lock-perl libnet-dns-perl

18 ISPConfig

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it. Please check out the ISPConfig installation: http://www.ispconfig.org/manual_installation.htm

18.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Ubuntu’s suExec is compiled with /var/www as Doc_Root. Run /usr/lib/apache2/suexec2 -V, and the output should look like this:

/usr/lib/apache2/suexec2 -V

26

To select /var/www as the home directory for websites during the installation of ISPConfig do the following: When you are asked for the installation mode, select the expert mode.

33

Later during the installation you are asked if the default directory /home/www should be the directory where ISPConfig will create websites in. Answer n and enter /var/www as the home directory for websites.

34

Comments

comments