Virtual Multiserver Environment With Dedicated Web & MySQL, Email & DNS Servers On Debian Squeeze With ISPConfig 3 - Page 4
7 Extending Our Servers
We now have a perfectly working environment: one dedicated server running our virtual servers. However, there are a lot of tweaks we can and should apply to them, and we will do this now. Note that all of these are optional, but highly recommended.
The first steps may be repeated on all the servers.
7.0.1 SSH with authentication key instead of password
Using SSH key authentication is much more secure than a password, because you have to possess the private key to access the server. If you don't already have one, create an RSA key pair (on your local machine):
Generating public/private rsa key pair.
Once the public key is installed on the server, access will be granted without a password prompt. SSH usually comes with a utility called ssh-copy-id that simply appends the contents of the client's ~/.ssh/id_rsa.pub to the server's ~/.ssh/authorized_keys:
ssh-copy-id -i .ssh/id_rsa.pub firstname.lastname@example.org
At this point, the root account on the server can be locked for password authentication (key-based logins keep working):
Please first verify that you can access the server using the key, from a second session, before running this command!
passwd -l root
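As an added example (not part of the original tutorial), the script below reproduces the server-side behaviour of ssh-copy-id in plain POSIX sh and adds the check that should pass before the root password is locked: the key line must be present exactly once in authorized_keys and the permissions must be the ones sshd insists on. It assumes only sh, grep, mkdir, chmod and mktemp; the key line it writes is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a stand-in for what ssh-copy-id
# does on the server, plus a pre-lock check. Assumes POSIX sh, grep, mkdir,
# chmod and mktemp only.

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Appends the key line to AUTHORIZED_KEYS only if it is not already there (so a
# second run does not duplicate it) and sets the permissions sshd requires:
# 700 on the .ssh directory, 600 on authorized_keys.
install_pubkey() {
    key=$(cat "$1")
    ssh_dir=$(dirname "$2")
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$2"
    # -x: match the whole line, -F: treat the key as a literal string, not a regex
    if ! grep -qxF "$key" "$2"; then
        printf '%s\n' "$key" >> "$2"
    fi
    chmod 600 "$2"
}

# key_installed PUBKEY_FILE AUTHORIZED_KEYS
# Returns 0 if the exact key line is present, 1 otherwise. A passing check is
# the minimum before "passwd -l root"; a real key-based login from a second
# terminal is the actual test.
key_installed() {
    grep -qxF "$(cat "$1")" "$2"
}

# Demonstration in a throw-away directory with a constructed, non-functional
# key line standing in for the contents of ~/.ssh/id_rsa.pub.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYMATERIAL== root@client' > "$demo_dir/id_rsa.pub"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"   # second run is a no-op
if key_installed "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"; then
    echo "key present once: test a key login, then lock the root password"
fi
```

The whole-line fixed-string match is what keeps the function idempotent; a plain substring grep would also match a key that merely shares a prefix with another entry.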
7.0.2 Installing Logwatch
Logwatch is a small package that sends you detailed reports on what happened and what is running on your server. It is very useful for monitoring.
apt-get -y install logwatch
Then adjust its configuration:
and set these values:
Output = mail
Format = text
MailTo = email@example.com
Detail = High
Service = All
You now will receive an email from Logwatch every day. You'll see, this is awesome!
7.0.3 Enabling additional fail2ban rules
Fail2ban is a great way to block unwanted users from accessing our servers. Since we already have it installed on our Web & MySQL server as well as on our Mail server, you can skip the first step on those. Run this on your node and on both DNS servers:
apt-get -y install fail2ban
We now will tell fail2ban what services it should monitor and how to handle bad requests:
These have to be run on all servers (including the Web & MySQL server and the Mail server):
and add the following to the file (do not replace already existing content!):
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 5
Fail2ban will now detect SSH break-in attempts and block them. Finally, restart fail2ban:
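To see what the [ssh] jail is reacting to, here is an added example (not part of the original tutorial, and not fail2ban's own filter) that tallies failed password logins per source address from auth.log lines and lists the addresses that reached the jail's maxretry of 3. It only recognises the "Failed password" form, whereas the real sshd filter matches several more patterns; it assumes awk and sort, and the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: approximate the [ssh] jail's
# counting over auth.log lines. Assumes awk and sort only. The sample log below
# is constructed, not a real capture.

SAMPLE_AUTH_LOG='Mar  1 10:00:01 node sshd[2201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  1 10:00:03 node sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar  1 10:00:05 node sshd[2205]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  1 10:00:07 node sshd[2207]: Failed password for root from 198.51.100.9 port 40010 ssh2
Mar  1 10:00:09 node sshd[2209]: Accepted publickey for root from 192.0.2.10 port 33000 ssh2
Mar  1 10:00:11 node sshd[2211]: Failed password for invalid user test from 198.51.100.9 port 40012 ssh2'

# failed_logins_by_ip: read auth.log lines on stdin, print "count ip" for every
# source address with at least one failed password attempt, highest count first.
# The address is the field right after "from", whether or not the line also
# carries "invalid user".
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders MAXRETRY: print only the addresses whose count reached MAXRETRY,
# i.e. the ones the [ssh] jail (maxretry = 3) would ban.
offenders() {
    failed_logins_by_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

# Run over the constructed sample; on a live server replace the printf with
# "cat /var/log/auth.log".
printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders 3
```

Run against the real log (cat /var/log/auth.log | offenders 3) this is a quick way to confirm that what fail2ban-client reports as banned matches what the log actually contains.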
7.1 Extending the Node Server
7.1.1 Installing Ajenti
Ajenti is a nice server control panel. I primarily use it for managing the firewall and because of the built-in file manager, console and terminal.
First we have to add its repository to our sources.list:
deb http://repo.ajenti.org/debian main main
Afterwards you have to import its key:
wget http://repo.ajenti.org/debian/key -O- | sudo apt-key add -
You should now be able to access the control panel via http://192.168.1.1:8000. The default username/password is admin; change it right after the first login.
If you plan to use the built-in terminal you have to install the Python PIL module:
apt-get -y install python-imaging
7.1.2 Installing Archey
This one is entirely optional, but I like it. Archey shows you some nice system information on login.
To install it, simply run:
apt-get install lsb-release scrot
At the very end, add: archey.
7.2 Extending The Web/DB Server
These steps are only run on our Web/DB server.
7.2.1 Installing cURL
apt-get -y install curl php5-curl libcurl3-dev
7.2.2 Installing ionCube Loader
You should now be able to do this by yourself. Just download the correct version from http://www.ioncube.com/loaders.php and follow its instructions.
7.2.3 Installing APC and other useful apps
In this section we will install APC (a PHP accelerator developed by the PHP developers themselves) and some useful tools (htop, iptraf, logwatch, tiger).
apt-get -y install php-apc htop iptraf tiger
Edit /etc/php5/conf.d/apc.ini, so as to increase the memory cache:
And append the following line:
Finally restart Apache:
With htop you can see system information in a better way than with top, with iptraf you can see real-time statistics for your connections, and with tiger you can have a periodic report of your system's security vulnerabilities (if any exist) mailed to you.
Since many scripts and applications send their mail to the root user, you can alias root's mail to a more 'real' email address. So, after you have set up a 'real' mailbox for your example.tld domain, you can edit the aliases file and add an alias for the root user:
and change the line
to something like
After this execute:
If you want to install Drupal (or another CMS) you will probably need uploadprogress and json. To install them, do:
apt-get -y install php5-dev php-services-json
And append the following line:
Finally restart Apache:
7.2.4 Installing mod_security
Install the apache mod-security 2 module with apt from the Debian repositories:
apt-get -y install libapache-mod-security
Create the folder for the mod-security configuration files:
Download and unpack the mod-security rules:
Configure apache to load the activated mod-security rules:
To enable mod-security, edit the file
and remove the # in front of the line:
Then reload Apache.
mod_security will now start to block attack attempts against your websites and log its actions in the file /var/log/apache2/modsec_audit.log.
You will very likely see some falsely blocked URLs. To whitelist them, add the IDs of the rules that should not be applied to the whitelist file, one per line:
SecRuleRemoveById 960015
SecRuleRemoveById 960016
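Before adding a rule ID to the whitelist you want to know which rules are actually blocking requests and how often. The following is an added example (not part of the original tutorial, and not a mod_security tool) that tallies the [id "NNN"] tags from the Message: lines of modsec_audit.log and prints the whitelist lines for the IDs you decide are false positives. It assumes awk, grep and sort; the audit log excerpt is constructed, with file names and messages elided.

```shell
#!/bin/sh
# Added example, not from the original tutorial: count which mod_security rule
# IDs fire, so a false positive can be named in the whitelist file. Assumes awk,
# grep and sort. The audit log excerpt below is constructed, not a real capture.

SAMPLE_MODSEC_LOG='--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [file "..."] [line "..."] [id "960015"] [msg "..."] [severity "CRITICAL"]
--e5f6a7b8-H--
Message: Warning. Pattern match "..." at REQUEST_HEADERS:User-Agent. [file "..."] [line "..."] [id "990011"] [msg "..."] [severity "WARNING"]
--c9d0e1f2-H--
Message: Access denied with code 403 (phase 2). [file "..."] [line "..."] [id "960015"] [msg "..."] [severity "CRITICAL"]
--a3b4c5d6-H--
Message: Access denied with code 403 (phase 2). [file "..."] [line "..."] [id "960016"] [msg "..."] [severity "CRITICAL"]'

# modsec_rule_hits: read audit log text on stdin and print "count id" for every
# rule id found in an [id "NNN"] tag on a Message: line, most frequent first.
# substr() strips the 5-character '[id "' prefix and the 2-character '"]' suffix.
modsec_rule_hits() {
    awk '/^Message: / && match($0, /\[id "[0-9]+"\]/) {
            n[substr($0, RSTART + 5, RLENGTH - 7)]++
         }
         END { for (id in n) print n[id], id }' | sort -rn
}

# denied_rule_hits: the same tally restricted to messages that actually blocked
# the request; only these are candidates for a false-positive whitelist entry.
denied_rule_hits() {
    grep '^Message: Access denied' | modsec_rule_hits
}

# whitelist_lines ID...: print the lines in the form the whitelist file expects.
whitelist_lines() {
    for id in "$@"; do
        printf 'SecRuleRemoveById %s\n' "$id"
    done
}

# Run over the constructed sample; on a live server use
# "cat /var/log/apache2/modsec_audit.log | denied_rule_hits".
printf '%s\n' "$SAMPLE_MODSEC_LOG" | denied_rule_hits
whitelist_lines 960015
```

A high count on its own does not make a rule a false positive; look at the blocked requests for that ID in the audit log first, and whitelist only rules whose matches are all legitimate traffic.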
7.2.5 MySQL Tuning
Download tuning-primer.sh and mysqltuner.pl. These will help you improve MySQL's configuration file.
To execute them:
The scripts will ask some simple questions (user/password) and will display their suggestions for critical settings in red. You can use these suggestions to boost the performance of mysql-server.
7.2.6 Installing RoundCube
Following the instructions above you can install RoundCube via apt-get. Alternatively (if you have the time and the courage) you can install RoundCube manually in its own subdomain.
In "Perfect Server ...." you usually install SquirrelMail. If you don't want it, you can remove it:
apt-get remove squirrelmail
Install RoundCube. (You MUST have the MySQL administrator's password before you proceed.) Let dbconfig-common configure the database: you will be asked some questions about the password of the database administrator and the password of the new user that will be created for RoundCube. Answer those questions and continue:
apt-get -y install roundcube roundcube-mysql
If something goes wrong you can always run:
For more information, please see this post.
For every user to be able to access their webmail (under their own domain name) you have to create or edit the file /etc/apache2/conf.d/roundcube so as to set the alias to 'webmail'. If you want SSL you should include the last two directives (IfModule mod_rewrite.c) to have Apache ALWAYS redirect to your SSL installation of ISPConfig.
# Those aliases do not work properly with several hosts on your apache server
and set some variables in the file (if this is the first time you edit the file, the lines are 60 and 66):
auto_create_user = TRUE;
If you are going to install the following plugin (the logger that feeds fail2ban) you have to extend the list of plugins in the same file. If the only plugin is the one that will be installed right afterwards, edit the line (42) as below:
$rcmail_config['plugins'] = array('fail2ban');
Install the RoundCube logger plugin from http://mattrude.com/projects/roundcube-fail2ban-plugin/.
Basically you have to download the file (fail2ban.php) and put it in the fail2ban folder inside RoundCube's plugins folder, so that you end up with this file: /usr/share/roundcube/plugins/fail2ban/fail2ban.php. Execute:
This plugin appends a line to the log file /var/log/roundcube/userlogins for each failed login attempt, which is what a fail2ban jail can then watch.
Don't forget to edit the link for the webmail in ISPConfig (System -> Interface Config -> (tab) Mail) and set it to /webmail. Lastly, restart Apache.
You can now access webmail at http://web.example.tld/webmail