Extending Perfect Server - Debian Squeeze [ISPConfig 3]

Submitted by 8omas on Sun, 2011-03-20 20:12.

Version 1.0
Author: Thomas (http://iopen.gr)
Last edited 2012-02-05 (05 February 2012)

The following tutorial extends "The Perfect Server" setup for ISPConfig 3 with BIND & Courier on Debian Squeeze. It explains how to change the default ports (ssh, ISPConfig, webmin), how to install some useful applications (webmin, roundcube, atop, htop, multitail, tiger etc.), how to update awstats periodically (more than once a day) or whenever you want, how to create periodic backups of clients' data that are accessible under their folders, and finally how to tweak your system for performance (mysqltuner, tuning-primer) or security (custom firewall rules, (D)DoS Deflate, modified fail2ban).

This tutorial works for me; I corrected the mistakes mentioned in the comments, but I cannot guarantee that it will work for you.

Specifically, this tutorial explains how to:

  1. install Webmin and change its port to 50000
  2. change the default port for ISPConfig from 8080 to 50443
  3. install Roundcube so that all users can access it over SSL (port 50443, the same as ISPConfig) under /webmail
  4. extend fail2ban (for webmin, roundcube, ssh) and apply a small patch
  5. install multitail and use a simple command to see all useful logs
  6. change the SSH port from 22 to 50022
  7. access phpmyadmin over SSL (port 50443, the same as ISPConfig) under a different URL than the default (e.g. /mydomaindb)
  8. install some useful apps/extensions on your server (htop, php-apc, iptraf, logwatch etc.)
  9. update awstats manually or automatically whenever you want
  10. improve mysql settings using scripts like mysqltuner or tuning-primer, which suggest settings to tweak in your mysql installation
  11. harden your system (simple steps) by blocking specific, insistent IPs or networks and/or by using custom rules to protect your server against simple DDoS attacks, in combination with (D)DoS Deflate
  12. create daily backups of clients' web folders and databases inside their own folders, so that they can download them

To follow this tutorial you have to read and apply the following:

- The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3]

- If you want to access the ISPConfig panel and webmail through SSL, I also assume that you followed chapter 6.2, Enabling SSL For The ISPConfig Web Interface, of The ISPConfig 3 manual, or this post. (This is only needed if you want to access the control panel AND the webmail interface through SSL on port 8080.)

A note here: to avoid problems after a future update, copy the certificate and key to the location ISPConfig expects:

cp /etc/apache2/ssl/ispserver.crt /usr/local/ispconfig/interface/ssl/ispserver.crt
cp /etc/apache2/ssl/ispserver.key /usr/local/ispconfig/interface/ssl/ispserver.key

and edit /etc/apache2/sites-enabled/000-ispconfig.vhost, removing the lines that you pasted following the manual, and uncommenting the default lines for SSL.

nano /etc/apache2/sites-enabled/000-ispconfig.vhost

The contents must look like:

[...]

  # SSL Configuration

  SSLEngine On

  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
[...]

- If you followed the above, then I finally assume that you read the workaround about suExec and ISPConfig 3 in this post.

This howto is a (major) updated version of Easy RoundCube (Over SSL) And Webmin With fail2ban For ISPConfig 3 On Debian Squeeze, with a lot more additions.

Before you proceed, make sure that your server is functional and that you are satisfied with it. If you follow this tutorial you will make a lot of changes, and that alone means a lot of debugging in case of errors!

 

1. WEBMIN

Please keep in mind that if you install webmin you MUST be very careful when using it. You should not use webmin to edit settings of critical parts of ISPConfig (apache, postfix, imap, pop3, dns). Use it only in emergencies or when you need to do things that DON'T interfere with ISPConfig (e.g. firewall, boot scripts, cron etc.).

To install webmin we must first install some dependencies:

apt-get install libapt-pkg-perl libauthen-pam-perl libio-pty-perl apt-show-versions

Download the latest webmin from http://www.webmin.com/download.html:

cd /tmp
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb

and install it:

dpkg -i webmin_1.530_all.deb

Before changing a port to something other than the default, DON'T forget to add the new port to your firewall. If you are using the defaults of ISPConfig, go to System -> Firewall and add the port you want (in this manual we will use 50000 for Webmin, 50443 for ISPConfig, 50022 for ssh). Save, and DON'T remove the old ports (8080, 10000, 22) until you are absolutely sure that the new ports are working.

To change the default port of webmin, edit the file /etc/webmin/miniserv.conf:

nano /etc/webmin/miniserv.conf

and change port=10000 and listen=10000 to port=50000 and listen=50000. Restart webmin:

/etc/init.d/webmin restart

Visit https://www.example.com:50000 to install updates through the webmin interface. You will have to accept the security warning, because webmin's certificate is self-signed.

 

2. Set a different port for ISPConfig Control Panel

Before changing a port to something other than the default, DON'T forget to add the new port to your firewall. If you are using the defaults of ISPConfig, go to System -> Firewall and add the port you want (in this manual we will use 50000 for Webmin, 50443 for ISPConfig, 50022 for ssh). Save, and DON'T remove the old ports (8080, 10000, 22) until you are absolutely sure that the new ports are working.

To change the ISPConfig Control Panel port from the default (8080) to a different one (e.g. 50443), edit the vhost file:

nano /etc/apache2/sites-enabled/000-ispconfig.vhost

and make sure that all references to 8080 are changed to 50443. Mine looks like this (only the first lines are shown):

[...]
Listen 50443
NameVirtualHost *:50443

<VirtualHost _default_:50443>
[...]

Restart apache and access the control panel at https://www.example.com:50443:

/etc/init.d/apache2 restart
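
The checks below are an added example, not part of the original tutorial: a small shell script that confirms the port changes from sections 1 and 2 took effect before the old ports (10000, 8080) are removed from the firewall. The function names are illustrative, and the sample files and netstat line in the demo are constructed.

```shell
#!/bin/sh
# Added example: checks to run before closing the old ports (10000, 8080).
# Function names are illustrative; demo inputs at the bottom are constructed.

# Print the value of KEY (e.g. port, listen) from a miniserv.conf-style file.
conf_value() {  # usage: conf_value FILE KEY
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Succeed only if both port= and listen= carry the expected port.
webmin_port_ok() {  # usage: webmin_port_ok FILE PORT
    [ "$(conf_value "$1" port)" = "$2" ] &&
        [ "$(conf_value "$1" listen)" = "$2" ]
}

# Print uncommented vhost lines that still mention OLDPORT as a whole number.
# Succeeds when no such line is left.
vhost_leftovers() {  # usage: vhost_leftovers FILE OLDPORT
    ! grep -n -E "^[^#]*[^0-9#]$2([^0-9]|\$)" "$1"
}

# Succeed if "netstat -ltn" output on stdin shows a TCP listener on PORT.
has_listener() {  # usage: netstat -ltn | has_listener PORT
    awk -v p="$1" '$1 ~ /^tcp/ && /LISTEN/ && $4 ~ (":" p "$") { f = 1 }
                   END { exit !f }'
}

# Demo on constructed files (on the server, pass /etc/webmin/miniserv.conf
# and /etc/apache2/sites-enabled/000-ispconfig.vhost instead).
demo=$(mktemp -d)
printf 'port=50000\nlisten=10000\n' > "$demo/miniserv.conf"
printf 'Listen 50443\nNameVirtualHost *:8080\n' > "$demo/vhost"
webmin_port_ok "$demo/miniserv.conf" 50000 ||
    echo "webmin: port= and listen= are not both 50000"
vhost_leftovers "$demo/vhost" 8080 ||
    echo "vhost: the lines above still reference 8080"
printf 'tcp 0 0 0.0.0.0:50443 0.0.0.0:* LISTEN\n' | has_listener 50443 &&
    echo "apache: listening on 50443"
rm -rf "$demo"
```

A listener on the new port does not prove that the port is reachable through the firewall, so still connect from an outside host before removing the old ports.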


Submitted by Frank (not registered) on Thu, 2012-05-31 11:56.

hi,
is it possible for squirrelmail and roundcube to coexist?

thanks!

Submitted by voidzero (registered user) on Sat, 2011-12-17 15:30.

Good tutorial, I just want to thank you for taking the time to write it.

Submitted by teddy (not registered) on Fri, 2011-08-19 19:28.

Hi, I've followed the perfect debian server with ispconfig3 tutorial, then the SSL post on faqforge, and everything went ok on my virtualized server and on the online one. Once it gets to changing default port for webmin, activating it on ispconfig firewall, restarting webmin and apache, and no way, the page I get on the browser (url is https://x.x.x.x:1888) is (Chrome in this case, but the timeout is consistent for all browsers):

Error 118 (net::ERR_CONNECTION_TIMED_OUT)

I've checked with a netstat, but the port is listening:

tcp        0      0 0.0.0.0:18888           0.0.0.0:*               LISTEN      32521/perl
udp        0      0 0.0.0.0:18888           0.0.0.0:*                           32521/perl

An iptables list gives this response:
 
<code>
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (15 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap2
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http-alt
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:tproxy
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:8000
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:18888
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:webmin
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
...
</code>

So, everything seems in order, what could be stopping me from accessing webmin from the alternative port? Please consider that the default port works, and all other services work, since I've followed your instructions letter by letter...

 Did I forget anything? Where could I look?

 

Submitted by lubos (registered user) on Tue, 2011-03-22 20:50.

There is a small typo in the download of webmin:

cd /tmp wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb

should actually be

cd /tmp
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb