The Perfect Server - OpenSUSE 12.1 x86_64 With Nginx [ISPConfig 3] - Page 5

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Tue, 2011-11-29 19:11. ::

11 Mailman

Since version 3.0.4, ISPConfig also allows you to manage (create/modify/delete) Mailman mailing lists. If you want to make use of this feature, install Mailman as follows:

yast2 -i mailman

Before we can start Mailman, a first mailing list called mailman must be created:

/usr/lib/mailman/bin/newlist mailman

server1:~ # /usr/lib/mailman/bin/newlist mailman
Enter the email of the person running the list:
<-- admin email address, e.g. info@example.com
Initial mailman password: <-- admin password for the mailman list
Hit enter to notify mailman owner... <-- ENTER

server1:~ #

Create the system startup links for Mailman...

systemctl enable mailman.service

... and start it:

systemctl start mailman.service

Next restart Postfix:

systemctl restart postfix.service

Now we need to create this symlink to make Mailman work with ISPConfig:

cd /usr/lib/mailman/cgi-bin/
ln -s ./ mailman

If you want to use Mailman from your web sites created through ISPConfig, this is a bit more complicated than for Apache because nginx does not have global aliases (i.e., aliases that can be defined for all vhosts). Therefore you have to define these aliases for each vhost from which you want to access Mailman.

To do this, paste the following into the nginx Directives field on the Options tab of the web site in ISPConfig:

        location /mailman {
               root /usr/lib/mailman/cgi-bin/;
               fastcgi_split_path_info (^/mailman/[^/]*)(.*)$;
               include /etc/nginx/fastcgi_params;
               fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
               fastcgi_param PATH_INFO $fastcgi_path_info;
               fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
               fastcgi_intercept_errors on;
               fastcgi_pass unix:/var/run/fcgiwrap.socket;
        }

        location /mailmanicons {
               alias /usr/lib/mailman/icons;
        }

        location /pipermail {
               alias /var/lib/mailman/archives/public;
               autoindex on;
        }

This defines the alias /mailman/ for your vhost, which means you can access the Mailman admin interface for a list at http://<vhost>/mailman/admin/<listname>, and the web page for users of a mailing list can be found at http://<vhost>/mailman/listinfo/<listname>.

Under http://<vhost>/pipermail you can find the mailing list archives.

 

12 Install PureFTPd

Install the pure-ftpd FTP daemon. Run:

yast2 -i pure-ftpd

systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

OpenSSL is needed by TLS; to install OpenSSL, we simply run:

yast2 -i openssl

Open /etc/pure-ftpd/pure-ftpd.conf...

vi /etc/pure-ftpd/pure-ftpd.conf

If you want to allow FTP and TLS sessions, set TLS to 1:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      1
[...]

If you want to accept TLS sessions only (no FTP), set TLS to 2:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      2
[...]

To not allow TLS at all (only FTP), set TLS to 0:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      0
[...]

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]:
<-- Enter your State or Province Name.
Locality Name (eg, city) []:
<-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []:
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []:
<-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

systemctl restart pure-ftpd.service

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS - see the next chapter how to do this with FileZilla.

 

13 Install BIND

The BIND nameserver can be installed as follows:

yast2 -i bind

Create the BIND system startup links and start it:

systemctl enable named.service
systemctl start named.service

 

14 Install Webalizer And AWStats

Since ISPConfig 3 lets you choose if you want to use Webalizer or AWStats to create your web site statistics, we install both:

yast2 -i webalizer perl-DateManip

zypper install http://download.opensuse.org/repositories/network:/utilities/openSUSE_12.1/noarch/awstats-7.0-14.1.noarch.rpm

 

15 Install fail2ban

fail2ban can be installed as follows:

yast2 -i fail2ban

 

16 Install Jailkit

Jailkit can be installed like this:

zypper install http://download.opensuse.org/repositories/security/openSUSE_12.1/x86_64/jailkit-2.13-1.1.x86_64.rpm

 

17 Synchronize The System Clock

If you want to have the system clock synchronized with an NTP server do the following:

yast2 -i xntp

Then add system startup links for ntp and start ntp:

systemctl enable ntp.service
systemctl start ntp.service

 

18 Install rkhunter

rkhunter can be installed as follows:

yast2 -i rkhunter


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.