Extending Perfect Server - Debian Squeeze [ISPConfig 3]

Version 1.0
Author: Thomas (http://iopen.gr)
Last edited 2012-02-05 (05 February 2012)

The following tutorial will extend the "Perfect Server.... " for ISPConfig 3 with BIND & Courier installed in Debian Squeeze. It explains how to change default ports (ssh, ispconfig, webmin), how to install some useful applications (webmin, roundcube, atop, htop, multitail, tiger etc), how to update awstats periodically (more than once a day) or whenever you want, how to create clients' data backups (periodically) accessible under their folder and finally it explains how to tweak your system for performance (mysqltuner, tuning-primer) or security (custom firewall rules, (D)Dos Deflate, fail2ban modified).

This tutorial works for me, I corrected the mistakes mentioned in comments but I can not guarantee that it will work for you.

In specific this tutorial explains how to:

1. install Webmin and change it's port to 50000
2. change the default port for ISPConfig from 8080 to 50443
3. install Roundcube so as all users can access it over SSL (port 50443 -- as ISPConfig ) under /webmail
4. extend fail2ban (for webmin, roundcube, ssh) and  apply a small patch
5. install multitail and use a simple command to see all useful logs
6. change the port 22 for SSH to 50022
7. access phpmyadmin over SSL (port 50443 -- as ISPConfig ) under a different url than the default (e.g. /mydomaindb)
8. install some useful apps/extensions to you server (htop, php-apc, iptraf, logwatch etc)
9. update awstats manually or automatic whenever you want
10. impove mysql settings using scripts like mysqltuner or tuning-primer that suggest which settings to tweak in your mysql installation
11. harden you system (simple steps), by blocking specific --insistent-- IPs or networks, or/and by using custom rules to protect your server against simple ddos attacks, in companion with (D)Dos Deflate.
12. create daily backup of clients' web folders and their databases in their folders, so as they will be able to download them
    

To follow this tutorial you have to read and apply the following:

- If you want to access ISPconfig Panel and webmail through SSL I also assume that you followed the chapter 6.2 Enabling SSL For The ISPConfig Web Interface of The ISPConfig 3 manual or this post (This is only needed if you want to access the control panel AND the webmail interface through ssl on port 8080).

A note here: To NOT have problems after a future update do:

cp /etc/apache2/ssl/ispserver.crt /usr/local/ispconfig/interface/ssl/ispserver.crt
cp /etc/apache2/ssl/ispserver.key  /usr/local/ispconfig/interface/ssl/ispserver.key

and edit /etc/apache2/sites-enabled/000-ispconfig.vhost, removing the lines that you pasted following the manual, and uncommenting the default lines for SSL.

nano /etc/apache2/sites-enabled/000-ispconfig.vhost

The contents must look like:

[...]

  # SSL Configuration

  SSLEngine On

  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
[...]

- If you followed the above, then I finally assume that you read the workaround about suExec and ISPConfig 3 in this post.

This how to, is a (major) updated version of  Easy RoundCube (Over SSL) And Webmin With fail2ban For ISPConfig 3 On Debian Squeeze with a lot more additions.

Before you proceed make sure that your server is functional, and you are satisfied with it.  If you follow this tutorial you will make a lot of changes, and this (by it's own) needs a lot of debugging in case of errors!

1. WEBMIN

Please have in mind that if you install webmin you MUST be very careful in using it. You should not use webmin for editing settings of critical parts of ISPConfig (apache, postfix, imap, pop3, dns). Use it only in emergency cases or when you need to do things that DON'T interfere with ISPConfig (e.g. firewall, bootscripts, cron e.t.c)

To install webmin we must first install some dependencies:

apt-get install libapt-pkg-perl libauthen-pam-perl libio-pty-perl apt-show-versions

Download the latest webmin from http://www.webmin.com/download.html:

cd /tmp
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb

and install it:

dpkg -i webmin_1.530_all.deb

Before changing a port to something else than the default, DON'T forget to add the port to your firewall. If you are using the defaults of ISPConfig, go to System -> Firewall and add the port you want (In this manual we will use 50000 for Webmin, 50443 for ISPConfig, 50022 for ssh). Save and DON'T remove old ports (8080, 10000, 22) until you are absolutely sure that the new ports are working.

To change the default port of webmin, edit the file /etc/webmin/miniserv.conf:

nano /etc/webmin/miniserv.conf

and change the Port=10000 and listen=10000 to Port=50000 and listen=50000. Restart webmin:

/etc/init.d/webmin restart

Visit https://www.example.com:50000 to install updates through webmin interface. You will have to accept the security warning, as the certificate of webmin is custom signed.

2. Set a different port for ISPConfig Control Panel

Before changing a port to something else than the default, DON'T forget to add the port to your firewall. If you are using the defaults of ISPConfig, go to System -> Firewall and add the port you want (In this manual we will use 50000 for Webmin, 50443 for ISPConfig, 50022 for ssh). Save and DON'T remove old ports (8080, 10000, 22) until you are absolutely sure that the new ports are working.

To change the default port of ISPConfig Control Panel (8080), to a different one (e.g. 50443):

nano /etc/apache2/sites-enabled/000-ispconfig.vhost

and make sure that all references to 8080 are changed to 50443. Mine looks like this (ONLY the first lines are showing):

[...]
Listen 50443
NameVirtualHost *:50443

<VirtualHost _default_:50443>
[...]

Restart apache and access the control panel at https://www.example.com:50443:

/etc/init.d/apache2 restart