The Perfect Server - OpenSUSE 11.2 x86_64 [ISPConfig 3] - Page 5

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Thu, 2009-11-19 17:56. ::

12 MyDNS

We install the MyDNS rpm package for i386 which works on x86_64 as well:

wget http://mydns.bboy.net/download/mydns-mysql-1.1.0-1.i386.rpm
rpm -ivh --force mydns-mysql-1.1.0-1.i386.rpm

Create the following MyDNS init script:

vi /etc/init.d/mydns

#! /bin/sh
# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Kurt Garloff
# Please send feedback to http://www.suse.de/feedback/
#
# /etc/init.d/mydns
#   and its symbolic link
# /(usr/)sbin/rcmydns
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Template system startup script for some example service/daemon mydns
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
#
# Note: This template uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux (UL) based Linux distributions. If you want to base your
# script on this template and ensure that it works on non UL based LSB
# compliant Linux distributions, you either have to provide the rc.status
# functions from UL or change the script to work without them.
#
### BEGIN INIT INFO
# Provides:          mydns
# Required-Start:    $syslog $remote_fs
# Should-Start: $time ypbind sendmail
# Required-Stop:     $syslog $remote_fs
# Should-Stop: $time ypbind sendmail
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: mydns XYZ daemon providing ZYX
# Description:       Start mydns to allow XY and provide YZ
#       continued on second line by '#<TAB>'
#       should contain enough info for the runlevel editor
#       to give admin some idea what this service does and
#       what it's needed for ...
#       (The Short-Description should already be a good hint.)
### END INIT INFO
#
# Any extensions to the keywords given above should be preceeded by
# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
#
# Notes on Required-Start/Should-Start:
# * There are two different issues that are solved by Required-Start
#    and Should-Start
# (a) Hard dependencies: This is used by the runlevel editor to determine
#     which services absolutely need to be started to make the start of
#     this service make sense. Example: nfsserver should have
#     Required-Start: $portmap
#     Also, required services are started before the dependent ones.
#     The runlevel editor will warn about such missing hard dependencies
#     and suggest enabling. During system startup, you may expect an error,
#     if the dependency is not fulfilled.
# (b) Specifying the init script ordering, not real (hard) dependencies.
#     This is needed by insserv to determine which service should be
#     started first (and at a later stage what services can be started
#     in parallel). The tag Should-Start: is used for this.
#     It tells, that if a service is available, it should be started
#     before. If not, never mind.
# * When specifying hard dependencies or ordering requirements, you can
#   use names of services (contents of their Provides: section)
#   or pseudo names starting with a $. The following ones are available
#   according to LSB (1.1):
#       $local_fs               all local file systems are mounted
#                               (most services should need this!)
#       $remote_fs              all remote file systems are mounted
#                               (note that /usr may be remote, so
#                                many services should Require this!)
#       $syslog                 system logging facility up
#       $network                low level networking (eth card, ...)
#       $named                  hostname resolution available
#       $netdaemons             all network daemons are running
#   The $netdaemons pseudo service has been removed in LSB 1.2.
#   For now, we still offer it for backward compatibility.
#   These are new (LSB 1.2):
#       $time                   the system time has been set correctly
#       $portmap                SunRPC portmapping service available
#   UnitedLinux extensions:
#       $ALL                    indicates that a script should be inserted
#                               at the end
# * The services specified in the stop tags
#   (Required-Stop/Should-Stop)
#   specify which services need to be still running when this service
#   is shut down. Often the entries there are just copies or a subset
#   from the respective start tag.
# * Should-Start/Stop are now part of LSB as of 2.0,
#   formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
#   insserv does support both variants.
# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
#   (%fillup_and_insserv macro in %post of many RPMs) to specify whether
#   a startup script should default to be enabled after installation.
#   It's not used by insserv.
#
# Note on runlevels:
# 0 - halt/poweroff                     6 - reboot
# 1 - single user                       2 - multiuser without network exported
# 3 - multiuser w/ network (text mode)  5 - multiuser w/ network and X11 (xdm)
#
# Note on script names:
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.

# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
MYDNS_BIN=/usr/sbin/mydns
test -x $MYDNS_BIN || { echo "$mydns_BIN not installed";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 5; fi; }
# Check for existence of needed config file and read it
#MYDNS_CONFIG=/etc/sysconfig/mydns
#test -r $MYDNS_CONFIG || { echo "$mydns_CONFIG not existing";
#       if [ "$1" = "stop" ]; then exit 0;
#       else exit 6; fi; }

# Read config
#. $MYDNS_CONFIG
# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions
# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
. /etc/rc.status
# Reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0       - success
# 1       - generic or unspecified error
# 2       - invalid or excess argument(s)
# 3       - unimplemented feature (e.g. "reload")
# 4       - user had insufficient privileges
# 5       - program is not installed
# 6       - program is not configured
# 7       - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.
case "$1" in
    start)
        echo -n "Starting mydns "
        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately by startproc.
        startproc $MYDNS_BIN
        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down mydns "
        ## Stop daemon with killproc(8) and if this fails
        ## killproc sets the return value according to LSB.
        killproc -TERM $MYDNS_BIN
        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if test "$1" = "condrestart"; then
                echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        $0 status
        if test $? = 0; then
                $0 restart
        else
                rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start
        # Remember status and be quiet
        rc_status
        ;;
    force-reload)
        ## Signal the daemon to reload its config. Most daemons
        ## do this on signal 1 (SIGHUP).
        ## If it does not support it, restart.
        echo -n "Reload service mydns "
        ## if it supports it:
        killproc -HUP $MYDNS_BIN
        #touch /var/run/mydns.pid
        rc_status -v
        ## Otherwise:
        #$0 try-restart
        #rc_status
        ;;
    reload)
        ## Like force-reload, but if daemon does not support
        ## signaling, do nothing (!)
        # If it supports signaling:
        echo -n "Reload service mydns "
        killproc -HUP $MYDNS_BIN
        #touch /var/run/mydns.pid
        rc_status -v
        ## Otherwise if it does not support reload:
        #rc_failed 3
        #rc_status -v
        ;;
    status)
        echo -n "Checking for service mydns "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.
        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
        # NOTE: checkproc returns LSB compliant status values.
        checkproc $MYDNS_BIN
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)
        test /etc/mydns/mydns.conf -nt /var/run/mydns.pid && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit

Make the init script executable...

chmod 755 /etc/init.d/mydns

... and create the system startup links for MyDNS:

chkconfig --add mydns

 

13 Install vlogger and Webalizer

cd /tmp
wget http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
tar xvfz vlogger-1.3.tar.gz
mv vlogger-1.3/vlogger /usr/sbin/
rm -rf vlogger*
yast2 -i webalizer perl-DateManip

 

14 Install fail2ban

rpm -i http://download.opensuse.org/repositories/home:/kolbma/openSUSE_11.1/x86_64/fail2ban-0.8.4-2.1.x86_64.rpm

Warnings like warning: /var/tmp/rpm-xfer.SCm0TM: Header V3 DSA signature: NOKEY, key ID 5b00c76e can be ignored.

 

15 Install jailkit

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.10.tar.gz
tar xvfz jailkit-2.10.tar.gz
cd jailkit-2.10
./configure
make
make install
cd ..
rm -rf jailkit-2.10*

 

16 Synchronize the System Clock

If you want to have the system clock synchronized with an NTP server do the following:

yast2 -i xntp

Then add system startup links for ntp and start ntp:

chkconfig --add ntp
/etc/init.d/ntp start

 

17 ISPConfig 3

Download the current ISPConfig version and install it. The ISPConfig installer will configure all services like postfix, sasl, courier, etc. for you. A manual setup as required for ISPConfig 2 is not necessary anymore.

cd /tmp
wget http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.1.6.tar.gz?use_mirror=
tar xvfz ISPConfig-3.0.1.6.tar.gz
cd ispconfig3_install/install/

Now start the installation process by executing:

php -q install.php

server1:/tmp/ispconfig3_install/install # php -q install.php


--------------------------------------------------------------------------------
 _____ ___________   _____              __ _
|_   _/  ___| ___ \ /  __ \            / _(_)
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| |
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, |
                                              __/ |
                                             |___/
--------------------------------------------------------------------------------


>> Initial configuration

Operating System: openSUSE 11.2 or compatible

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <ENTER>.
    Tap in "quit" (without the quotes) to stop the installer.


Select language (en,de) [en]:
 <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- yourrootsqlpassword

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 2048 bit RSA private key
.....................+++
..............+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
 <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Courier
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring MyDNS
Configuring Apache
Configuring vlogger
Configuring Firewall
Installing ISPConfig
ISPConfig Port [8080]:
 <-- ENTER

Configuring DBServer
Installing Crontab
no crontab for root
no crontab for getmail
Restarting services ...
Restarting service MySQL
Shutting down service MySQL ..done
Starting service MySQL ..done
Shutting down mail service (Postfix)..done
Starting mail service (Postfix)..done
Shutting down service saslauthd..done
Starting service saslauthd..done
Waiting for the process [1836] to terminate
Waiting for the process [1836] to terminate
Waiting for the process [1836] to terminate
Waiting for the process [1836] to terminate
Daemon [1836] terminated by SIGTERM
Shutting down virus-scanner (amavisd-new): ..done
Starting virus-scanner (amavisd-new): ..done
Shutting down Clam AntiVirus daemon ..done
Starting Clam AntiVirus daemon ..done
Shutting down Courier Authentication Daemon ..done
Starting Courier Authentication Daemon ..done
Shutting down Courier-IMAP ..done
Starting Courier-IMAP ..done
Shutting down Courier-IMAP (SSL)..done
Starting Courier-IMAP (SSL) generating-SSL-certificate.....done
Shutting down Courier-POP3 ..done
Starting Courier-POP3 ..done
Shutting down Courier-POP3 (SSL)..done
Starting Courier-POP3 (SSL) generating-SSL-certificate.....done
Syntax OK
Shutting down httpd2 (waiting for all children to terminate) ..done
Starting httpd2 (prefork) ..done
Shutting down pure-ftpd..done
Starting pure-ftpd..done
Installation completed.
server1:/tmp/ispconfig3_install/install #

Create a symlink for phpMyAdmin:

ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin

Cleanup the /tmp directory:

rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-3.0.1.6.tar.gz

To log in to the ISPConfig control panel, open this URL in your browser (replace the IP to match your settings!):

http://192.168.0.100:8080/

The default login is:

user: admin
password: admin

 

17.1 ISPConfig 3 Manual

 

18 Optional

Install a web-based email client:

rpm -i http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.2/noarch/squirrelmail-1.4.19-4.1.noarch.rpm
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail

 

19 Disable AppArmor

AppArmor is a security extension of SUSE (similar to Fedora's SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor

 

20 Links


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Tue, 2010-03-09 14:58.

To run Mydns after Mysql just add mydns to Runlevel 2.

Then you won't get any errors, like mydns can't connect to the database.

Submitted by Anonymous (not registered) on Sun, 2010-06-13 12:42.

This is not exactly so on OpenSUSE, but to start mydns after mysql change in mydns script this line:

From:

# Required-Start:    \$syslog \$remote_fs

To:

# Required-Start:    \$syslog \$remote_fs mysql

Then, if you have already added the service, use chkconfig --del mydns   and   chkconfig --add mydns  again. This will fix the dependency.

Submitted by villaro (registered user) on Tue, 2010-01-19 22:27.
Hello all and pardon the noob, stupid questions. I need to know where one would drop this server in a 3 legged network. External Firewall, "dmz servers", internal Firewall and private network. Can someone provide a visio diagram on this complete with sample ip addresses? (ie 192.168.x.x or 10.10.x.x)
Submitted by Anonymous (not registered) on Tue, 2009-12-08 17:18.

Hi, you state:

  * In my opinion you don't need it to configure a secure system

people is probably already be looking for servers configured by you, for fun and profit, lol

  * think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem

Never heard of AppArmor complain mode? Using a technology implies being able to use that technology. AppArmor is great, and you won't spend a week in torubleshooting, if you know how to use it.

A "perfect" setup, in my book, includes security, especially if you're building a server which offers services to the Internet (but not only).

Your setup may be good, but quite far from perfect.

JMTC, Javier

 

Submitted by Anonymous (not registered) on Sun, 2010-06-13 12:39.
I find it very difficult to deal with AppArmor and the above configuration, because of lack of time. If AppArmor important, could you please maybe extend this tutorial by adding AppArmor configuration tutorial?