ISP Sever configuration on Fedara 9.Apache server,PHP5,Ruby,Postfix,MySQL, Dovecot,Quota, Firewall. ~ Internet Fuel

I will use the following software:

Web Server: Apache 2.2.8
PHP 5.2.5
Ruby
Database Server: MySQL 5.0.51
Mail Server: Postfix
DNS Server: BIND9 (chrooted)
FTP Server: proftpd
POP3/IMAP server: Dovecot
Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig(i.e., ISPConfig runs on it out of the box).
I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Requirements

To install such a system you will need the following:

Download the Fedora 9 DVD iso image from a mirror near you (the list of mirrors can be found here:http://mirrors.fedoraproject.org/mirrorlists/publiclist/Fedora/9), e.g. http://ftp-stud.hs-esslingen.de/pub/fedora/linux/releases/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso
an internet connection...

2 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

3 Install The Base System

Boot from your Fedora 9 DVD. Select Install or upgrade an existing system:

4 Fix The Network

When I booted the system, I noticed that I could connect to and from it within my LAN, but the system could not connect to the internet. The output of
ifconfig
revealed that eth0 was up and has the correct IP address, however
route -nee
showed that no gateway had been set although I specified the correct gateay during the setup. I took a look at
chkconfig --list
and found that the network init script was set to off in all runlevels, however there was another init script, NetworkManager, which was set to on. NetworkManager is a tool that figures out the best network connection for the system and sets it up - in my case, it seems to have forgotten the gateway. Anyway, as we only have one network connection, we don't need the NetworkManager. I disabled it and set network to on, restarted the network, and violà, networking is working as expected, also after a reboot:
chkconfig NetworkManager off
chkconfig --levels 35 network on
/etc/init.d/network restart

5 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:
vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
192.168.0.100           server1.example.com server1
::1             localhost6.localdomain6 localhost6

It is important that you add a line for server1.example.com and remove server1.example.com and server1 from the 127.0.0.1line.

6 Configure The Firewall

(You can skip this chapter if you have already disabled the firewall at the end of the basic system installation.)
I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable the default Fedora firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the Fedora firewall).
Run
system-config-firewall

Select Disabled and press OK.
To check that the firewall has really been disabled, you can run
iptables -L
afterwards. The output should look like this:
[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server1 ~]#

7 Disable SELinux

SELinux is a security extension of Fedora that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).
Edit /etc/selinux/config and set SELINUX=disabled:
vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system:
reboot

8 Install Some Software

First we import the GPG keys for software packages:
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
Then we update our existing packages on the system:
yum update
Now we install some software packages that are needed later on:
yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++

9 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)
To install quota, we run this command:
yum install quota
Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):
vi /etc/fstab

/dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota        1 1
UUID=03b23ff4-4dda-47a8-a23f-2f530df157b2 /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

Then run
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
to enable quota.

10 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:
yum install bind-chroot
Next, we change a few permissions and start BIND:
chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
chkconfig --levels 235 named on
/etc/init.d/named start
BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

11 MySQL (5.0)

To install MySQL, we do this:
yum install mysql mysql-devel mysql-server
Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
Now check that networking is enabled. Run
netstat -tap | grep mysql
It should show something like this:
[root@server1 ~]# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 2407/mysqld
[root@server1 ~]#
If it does not, edit /etc/my.cnf and comment out the option skip-networking:
vi /etc/my.cnf

[...]
#skip-networking
[...]

and restart your MySQL server:
/etc/init.d/mysqld restart
Run
mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword
to set a password for the user root (otherwise anybody can access your MySQL database!).

12 Postfix With SMTP-AUTH And TLS

Now we install Postfix and Dovecot (Dovecot will be our POP3/IMAP server):
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot
Now we configure SMTP-AUTH and TLS:
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8'
We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins (on 64bit systems, this file is in/usr/lib64/sasl2/smtpd.conf). It should look like this:
vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

Afterwards we create the certificates for TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Next we configure Postfix for TLS:
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your own hostname):
postconf -e 'myhostname = server1.example.com'
After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):
cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.5.1/samples
readme_directory = /usr/share/doc/postfix-2.5.1/README_FILES
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = server1.example.com

Now start Postfix, saslauthd, and Dovecot:
chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your Postfix mail server type
ehlo localhost
If you see the lines
250-STARTTLS
and
250-AUTH PLAIN LOGIN
everything is fine.
[root@server1 ssl]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 ssl]#
Type
quit
to return to the system's shell.

12.1 Maildir

Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir underManagement -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.
If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir (you can also do this if you use ISPConfig - it doesn't hurt ;-)):
postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

13 Apache2 With PHP5

Now we install Apache with PHP5 (this is PHP 5.2.5):
yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-magickwand php-magpierss php-mapserver php-mbstring php-mcrypt php-mhash php-mssql php-shout php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel
Then edit /etc/httpd/conf/httpd.conf:
vi /etc/httpd/conf/httpd.conf
and change DirectoryIndex to

[...]
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl
[...]

Now configure your system to start Apache at boot time:
chkconfig --levels 235 httpd on
Start Apache:
/etc/init.d/httpd start

13.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)
In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.
To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddHandler and AddType lines:
vi /etc/httpd/conf.d/php.conf

#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#

LoadModule php5_module modules/libphp5.so

#
# Cause the PHP interpreter to handle files with a .php extension.
#
#AddHandler php5-script .php
#AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps

Afterwards we restart Apache:
/etc/init.d/httpd restart

14 Ruby

Starting with version 2.2.20, ISPConfig has built-in support for Ruby. Instead of using CGI/FastCGI, ISPConfig depends onmod_ruby being available in the server's Apache.
For Fedora 9, there's no mod_ruby package available, so we must compile it ourselves. First we install some prerequisites:
yum install httpd-devel ruby ruby-devel
Next we download and install mod_ruby as follows:
cd /tmp
wget http://www.modruby.net/archive/mod_ruby-1.2.6.tar.gz
tar zxvf mod_ruby-1.2.6.tar.gz
cd mod_ruby-1.2.6/
./configure.rb --with-apr-includes=/usr/include/apr-1
make
make install
Finally we must add the mod_ruby module to the Apache configuration, so we create the file /etc/httpd/conf.d/ruby.conf...
vi /etc/httpd/conf.d/ruby.conf

LoadModule ruby_module modules/mod_ruby.so

... and restart Apache:
/etc/init.d/httpd restart

15 ProFTPd (Part 1)

ISPConfig has better support for proftpd than vsftpd, so let's remove vsftpd and install proftpd:
yum remove vsftpd
yum install proftpd
Now we can create the system startup links for Proftpd and start it:
chkconfig --levels 235 proftpd on
/etc/init.d/proftpd start

16 Webalizer

To install webalizer, just run
yum install webalizer

17 Synchronize The System Clock

If you want to have the system clock synchronized with an NTP server do the following:
yum install ntp
chkconfig --levels 235 ntpd on
ntpdate 0.pool.ntp.org
/etc/init.d/ntpd start

18 Install Some Perl Modules

ISPConfig comes with SpamAssassin which needs a few Perl modules to work. We install the required Perl modules with a single command:
yum install perl-HTML-Parser perl-DBI perl-Net-DNS perl-Digest-SHA1

19 ISPConfig

The configuration of the server is now finished.
If you want to install ISPConfig, there's one more thing you need to do. Fedora 9 comes with the gcc version 4.3, but the ISPConfig installation (the OpenSSL part, to be specific) fails with this gcc version. Therefore we install gcc 3.4...

yum install compat-gcc-34
... and create a symlink from /usr/bin/gcc to /usr/bin/gcc34:
cd /usr/bin
mv gcc gcc43
ln -s gcc34 gcc
You can now install ISPConfig on it, following these instructions: http://www.ispconfig.org/manual_installation.htm

19.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the web root for websites created by ISPConfig as Fedora's suExec is compiled with /var/www as Doc_Root. Run
/usr/sbin/suexec -V
and the output should look like this:
[root@server1 ~]# /usr/sbin/suexec -V
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"
[root@server1 ~]#
So if you want to use suExec with ISPconfig, don't change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can't change the web root anyway so you'll be able to use suExec in any case).

19.2 ProFTPd (Part 2)

(This chapter applies only if you have installed ISPConfig!)
After you have installed ISPConfig, you must modify the template file for /etc/proftpd_ispconfig.conf which is called/root/ispconfig/isp/conf/proftpd_ispconfig.conf.master, because otherwise the users that you create with ISPConfig won't be able to log in using FTP. Instead of modifying /root/ispconfig/isp/conf/proftpd_ispconfig.conf.master (which gets overwritten each time you update ISPConfig) we copy /root/ispconfig/isp/conf/proftpd_ispconfig.conf.master to/root/ispconfig/isp/conf/customized_templates/ and modify that one. If ISPConfig finds a template in/root/ispconfig/isp/conf/customized_templates/, it will use that one instead of the default template in /root/ispconfig/isp/conf/. Templates in /root/ispconfig/isp/conf/customized_templates/ don't get overwritten when you update ISPConfig.
cp /root/ispconfig/isp/conf/proftpd_ispconfig.conf.master /root/ispconfig/isp/conf/customized_templates/
Now open /root/ispconfig/isp/conf/customized_templates/proftpd_ispconfig.conf.master and comment out the DefaultAddress 127.0.0.1 line:
vi /root/ispconfig/isp/conf/customized_templates/proftpd_ispconfig.conf.master

###################################
#
# ISPConfig proftpd Configuration File
#         Version 1.0
#
###################################

#DefaultAddress 127.0.0.1



        DefaultRoot             ~
        AllowOverwrite          on
        Umask                   002
        {ANON_FTP}

20 Links

Fedora: http://fedoraproject.org
ISPConfig: http://www.ispconfig.org

Internet Fuel

Amazon

Search

Sunday, April 10, 2011