The Perfect Server - Fedora 10 [ISPConfig 3] - Page 3

Submitted by falko on Tue, 2009-03-31 16:51.

4 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
192.168.0.100           server1.example.com server1
::1             localhost6.localdomain6 localhost6

It is important that you add a line for server1.example.com (with your server's real LAN address in place of 192.168.0.100) and remove server1.example.com and server1 from the 127.0.0.1 line. If the names stay on the loopback line, a lookup of the host name returns localhost.localdomain as the canonical name and hostname -f no longer reports server1.example.com, which confuses the mail and web services installed later.
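As an added check, not from the original tutorial: a small POSIX sh script that reads a hosts file and confirms that the server's FQDN and short name appear on the LAN address line and on no loopback line (the mistake the paragraph above warns about). The sample hosts files are constructed inside the script; server1.example.com, server1 and 192.168.0.100 are the tutorial's values and should be replaced with your own when you run it against the live /etc/hosts.

```sh
#!/bin/sh
# Added example (not part of the tutorial): verify that a hosts file maps the
# server's FQDN and short name to its LAN address and not to loopback.
#
# check_hosts FILE FQDN SHORT IP  -> exit 0 when correct, 1 with a reason otherwise
check_hosts() {
    file=$1 fqdn=$2 short=$3 ip=$4
    awk -v fqdn="$fqdn" -v short="$short" -v ip="$ip" '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        {
            for (i = 2; i <= NF; i++) {
                if ($i != fqdn && $i != short) continue
                if ($1 == ip) { seen[$i] = 1 }
                else if ($1 == "127.0.0.1" || $1 == "::1") { bad = 1; print "loopback: " $i " listed on " $1 }
                else { bad = 1; print "wrong address: " $i " listed on " $1 }
            }
        }
        END {
            if (!(fqdn in seen))  { bad = 1; print "missing: " fqdn " on " ip }
            if (!(short in seen)) { bad = 1; print "missing: " short " on " ip }
            exit (bad ? 1 : 0)
        }' "$file"
}

# Constructed sample: the layout the tutorial ends up with.
good_sample() {
    cat > "$1" <<'EOF'
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
192.168.0.100           server1.example.com server1
::1             localhost6.localdomain6 localhost6
EOF
}

# Constructed sample: the LAN line was added but the names were left on the
# 127.0.0.1 line, so a lookup of server1.example.com still yields loopback.
bad_sample() {
    cat > "$1" <<'EOF'
127.0.0.1               localhost.localdomain localhost server1.example.com server1
192.168.0.100           server1.example.com server1
::1             localhost6.localdomain6 localhost6
EOF
}

# Demo on the constructed file; on the real server run
#   check_hosts /etc/hosts server1.example.com server1 192.168.0.100
demo=$(mktemp) && good_sample "$demo" &&
    check_hosts "$demo" server1.example.com server1 192.168.0.100 && echo "hosts file OK"
rm -f "$demo"
```

When the live file passes, hostname -f should print server1.example.com and hostname -s should print server1.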

 

5 Configure The Firewall

(You can skip this chapter if you have already disabled the firewall at the end of the basic system installation.)

I want to install ISPConfig at the end of this tutorial, which comes with its own firewall. That is why I disable the default Fedora firewall now. Of course, you are free to leave it on and configure it to your needs (but then you should not use any other firewall later on, as it will most probably interfere with the Fedora firewall). Be aware that until ISPConfig's firewall is in place, every service installed in the following chapters is reachable on all interfaces, so do this on a machine that is not yet exposed to the internet or that sits behind another firewall.

Run

system-config-firewall

and disable the firewall. system-config-firewall is a graphical tool; on a text console use system-config-firewall-tui, or stop the service directly with service iptables stop and keep it from starting at boot with chkconfig iptables off (do the same for ip6tables if it is running).

To check that the firewall has really been disabled, you can run

iptables -L

afterwards (iptables -L -n prints addresses numerically and avoids slow reverse DNS lookups once rules exist; it only shows the filter table, which is the one that matters here). The output should look like this, with every chain policy ACCEPT and no rules listed under any chain:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server1 ~]#
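As an added check, not from the tutorial: a POSIX sh function that reads iptables -L -n output and reports whether the filter table is really open, which is what the empty listing above means. Two sample listings are constructed in the script: the expected empty one, and one shaped like Fedora's stock ruleset, where the chain policies are also ACCEPT but a REJECT rule in RH-Firewall-1-INPUT still blocks traffic, so looking only at the policy line is not enough.

```sh
#!/bin/sh
# Added example (not part of the tutorial): decide from "iptables -L -n" output
# whether the filter table is effectively disabled, i.e. every built-in chain
# has policy ACCEPT and no chain contains a rule. Reads the listing on stdin.
firewall_open() {
    awk '
        /^Chain / {
            # built-in chains show "(policy X)", user-defined ones "(N references)"
            if ($0 ~ /\(policy / && $0 !~ /\(policy ACCEPT\)/) {
                bad = 1; print "policy is not ACCEPT: " $2
            }
            next
        }
        /^target[ \t]+prot[ \t]+opt/ { next }   # column header printed per chain
        NF == 0 { next }                        # blank line between chains
        { bad = 1; print "rule present: " $0 }  # anything else is a rule
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the output the tutorial expects after disabling the firewall.
open_sample() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Constructed sample in the shape of Fedora's default ruleset: policies are
# ACCEPT, but INPUT jumps to a chain that ends in REJECT.
filtered_sample() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
}

# Demo on the constructed samples; on the real server pipe the live output in:
#   iptables -L -n | firewall_open && ip6tables -L -n | firewall_open
open_sample | firewall_open && echo "sample 1: firewall disabled"
filtered_sample | firewall_open || echo "sample 2: rules still active"
```

The function prints the first offending policy or rule it finds, so on a host where the GUI tool did not do what you expected you see which chain still carries rules.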

 

6 Disable SELinux

SELinux is a security extension of Fedora that is meant to provide additional security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of troubleshooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on). If you ever want SELinux back, note that switching from disabled to permissive or enforcing requires a relabel of the whole file system on the next boot (touch /.autorelabel before rebooting).

Edit /etc/selinux/config and set SELINUX=disabled:

vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system, because /etc/selinux/config is only read at boot:

reboot

After the reboot, getenforce should print Disabled. (setenforce 0 switches a running system to permissive mode immediately, but it cannot disable SELinux completely; only the config file plus a reboot does that.)

 

7 Install Some Software

Next we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum groupinstall 'Development Tools'

yum groupinstall 'Development Libraries'

 

8 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the mount options of the / partition (/dev/VolGroup00/LogVol00):

vi /etc/fstab

#
# /etc/fstab
# Created by anaconda on Wed Nov 26 16:56:06 2008
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or vol_id(8) for more info
#
/dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota        1 1
UUID=41be1fc5-8b1a-456d-9fb9-cd0f5d764f36 /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

Then run

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

to enable quota. touch creates the two quota files in the root of the file system, chmod 600 keeps the usage records readable by root only, the remount applies the new mount options without a reboot, quotacheck -m scans the file system without trying to remount it read-only (which is not possible for /), and quotaon switches enforcement on. quotaon -pa shows whether quotas are now active and repquota -a lists current usage per user.
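As an added example, not part of the tutorial: a POSIX sh script that makes the fstab change above without hand-editing, adding usrquota,grpquota to the options of one mount point only, leaving every other entry untouched, and not duplicating the options if run twice. It works on a constructed copy of the tutorial's /etc/fstab; the enable_quota function wraps the activation commands above and is shown but not run by the demo, since it needs root and the quota tools.

```sh
#!/bin/sh
# Added example (not part of the tutorial): enable quota options in an fstab
# entry idempotently, and verify the result before touching the live file.
#
# add_quota_opts FSTAB MOUNTPOINT  -> 0 on success, 1 if the entry is not found
add_quota_opts() {
    fstab=$1 mnt=$2
    tmp=$(mktemp) || return 1
    awk -v mnt="$mnt" '
        BEGIN { OFS = "\t" }
        # comments, short lines and other mount points pass through unchanged
        /^[ \t]*#/ || NF < 4 || $2 != mnt { print; next }
        {
            opts = $4
            if (opts !~ /(^|,)usrquota(,|$)/) opts = opts ",usrquota"
            if (opts !~ /(^|,)grpquota(,|$)/) opts = opts ",grpquota"
            $4 = opts            # reassigning a field rebuilds the line with OFS
            print
            changed = 1
        }
        END { if (!changed) exit 2 }
    ' "$fstab" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$fstab" && rm -f "$tmp"   # cat keeps the target inode and mode
}

# mount_opts FSTAB MOUNTPOINT prints the options column of one entry
mount_opts() {
    awk -v mnt="$2" '!/^[ \t]*#/ && NF >= 4 && $2 == mnt { print $4; exit }' "$1"
}

# enable_quota MOUNTPOINT runs the tutorial's activation steps for one file
# system (needs root and the quota package; not called by the demo below).
enable_quota() {
    mnt=${1%/}/    # "/" stays "/", "/home" becomes "/home/"
    touch "${mnt}aquota.user" "${mnt}aquota.group" &&
    chmod 600 "${mnt}aquota.user" "${mnt}aquota.group" &&
    mount -o remount "$1" &&
    quotacheck -vugm "$1" &&
    quotaon -vug "$1"
}

# Constructed copy of the tutorial's fstab before the edit.
sample_fstab() {
    cat > "$1" <<'EOF'
#
# /etc/fstab
# Created by anaconda on Wed Nov 26 16:56:06 2008
#
/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
UUID=41be1fc5-8b1a-456d-9fb9-cd0f5d764f36 /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0
EOF
}

# Demo on the constructed copy, never on the live /etc/fstab:
demo=$(mktemp) && sample_fstab "$demo" && add_quota_opts "$demo" / && mount_opts "$demo" /
rm -f "$demo"
```

To apply it for real, run add_quota_opts on a copy of /etc/fstab, diff the copy against the original, and only then copy it into place and call enable_quota /.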

 

9 Install Apache, MySQL, phpMyAdmin

This can all be installed with one single command (including the packages we need to build Courier-IMAP):

yum install ntp httpd mysql-server php php-mysql php-mbstring rpm-build gcc mysql-devel openssl-devel cyrus-sasl-devel pkgconfig zlib-devel phpMyAdmin pcre-devel openldap-devel postgresql-devel expect libtool-ltdl-devel openldap-servers libtool gdbm-devel pam-devel gamin-devel


Submitted by antoine (not registered) on Mon, 2009-08-17 23:39.

Make sure you also install:

yum install cyrus-sasl-plain

Otherwise you get errors in mail and it won't work.

Submitted by G. Lohmann (not registered) on Wed, 2009-05-06 21:24.

First of all, thanks for the work and the great HowTo for that!

However some remarks:

- 6 Disable SELinux

NOPE ... don't give this as the best advice, especially as some people may run in a virtual server environment where they cannot disable it at all. I know the first confrontation with SELinux is harsh and filled with a lot of warnings and errors, but it is easy to get around that.

For example:

If you have freshly installed ISPConfig and it is up and running, you may get a lot of warnings about vlogger. It will not even work as expected. The warning:

... vlogger has no access to potential wrong marked files (./localhost.localdomain) ...

sounds a bit cryptic, but the fact is that vlogger cannot write to the logging directory, e.g. to 'localhost.localdomain-access.log', as rights are missing.

if you do:

/var/log# ls -alZ
drwx------  root      root   system_u:object_r:httpd_log_t:s0 httpd
drwxr-xr-x  root      root   unconfined_u:object_r:var_log_t:s0 ispconfig

The entry for the user 'unconfined_u' (nobody) and for the type 'var_log_t' (inherited logging type) is already not that good. The reason is that it is a Perl script, like a CGI, called by Apache and running with the user rights of httpd, and is therefore restricted from writing to that folder. As we can see, the log folder of httpd already has a different type, 'httpd_log_t'.

But two single lines changing these control settings already solve all your warnings and errors with vlogger:

/var/log# chcon -R -u system_u ispconfig
/var/log# chcon -R -t httpd_sys_script_rw_t ispconfig

The type 'httpd_sys_script_rw_t' tells SELinux that scripts called by Apache are allowed to (r)ead and (w)rite that folder.

The example above is the most common reason for errors: specific programs, or scripts called by them, do not have write or read access to unknown folders or files that may not even belong to them.

ISPConfig should not disable but benefit from those rights, as it would for example allow 'jailing' client configurations into their own environment by defining separate types for each single client.

I am still a beginner in SELinux myself, but if I find some time I will try to write a list of the control settings needed to get ISPConfig completely running without the need to shut it down.