Extending Perfect Server - Debian Squeeze [ISPConfig 3] - Page 2

3. ROUNDCUBE

Following the above instructions you can install Roundcube via apt-get. If you have the time and the courage you can instead install Roundcube manually in its own subdomain, but that is not covered here; this section uses the Debian package.

In "The Perfect Server ...." you usually install SquirrelMail. If you don't want it you can remove it:

apt-get remove squirrelmail

and delete /etc/apache2/conf.d/squirrelmail.conf:

rm /etc/apache2/conf.d/squirrelmail.conf

OR, if you want to keep it, edit /etc/apache2/conf.d/squirrelmail.conf and change the alias to something like 'webmail1', so that it does not clash with the 'webmail' alias that Roundcube gets below.

Install Roundcube. You MUST have the MySQL administrator's password before you proceed. Let dbconfig-common configure the database: you will be asked for the password of the database administrator and for the password of the new database user that will be created for Roundcube. Answer those questions and continue:

apt-get install roundcube roundcube-mysql

Example answers:
"Configure database for roundcube with dbconfig-common?" ... Answer Yes
"Database type to be used by roundcube:" ... Answer mysql
"Password of the database's administrative user:" ... Answer your-admin-DB-password
"MySQL application password for roundcube:" ... Answer the-password-you-want-to-give-to-the-roundcube-user
"Password confirmation:" ... Answer the-password-you-want-to-give-to-the-roundcube-user

If something goes wrong you can always re-run the database configuration with:

dpkg-reconfigure roundcube-core

For more information, please see this post.

So that everyone can reach his webmail under his own domain name, create or edit /etc/apache2/conf.d/roundcube and set the alias to 'webmail'. If you use SSL, also include the two rewrite blocks at the end (inside IfModule mod_rewrite.c) so that Apache ALWAYS redirects plain-HTTP requests for /webmail and /roundcube to the SSL port of your ISPConfig installation (50443). Note that the redirect target is built from %{HTTP_HOST}, i.e. whatever host name the client asked for; that is what you want with name-based virtual hosts, but if the certificate on port 50443 is not valid for a customer's domain his browser will show a certificate warning after the redirect.

nano /etc/apache2/conf.d/roundcube

# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
# Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
Alias /roundcube /var/lib/roundcube
Alias /webmail /var/lib/roundcube

# Access to tinymce files
<Directory "/usr/share/tinymce/www/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
</Directory>

<Directory /var/lib/roundcube/>
Options +FollowSymLinks
# This is needed to parse /var/lib/roundcube/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>

# Protecting basic directories:
<Directory /var/lib/roundcube/config>
Options -FollowSymLinks
AllowOverride None
</Directory>

<Directory /var/lib/roundcube/temp>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>

<Directory /var/lib/roundcube/logs>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>

<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
<Location /webmail>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}:50443%{REQUEST_URI} [L]
</Location>
</IfModule>
</IfModule>

<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
<Location /roundcube>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}:50443%{REQUEST_URI} [L]
</Location>
</IfModule>
</IfModule>


# For ISPConfig 3.0.5.1 and above, also add the following:

<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .:/usr/share/php:/usr/share/pear
php_admin_value upload_tmp_dir /var/lib/roundcube/temp
php_admin_value open_basedir /usr/share/php:/usr/lib/roundcube:/etc/roundcube:/usr/share/roundcube:/var/lib/roundcube:/var/log/roundcube
php_flag register_globals off
</IfModule>

Edit /var/lib/roundcube/config/main.inc.php:

nano /var/lib/roundcube/config/main.inc.php

and set the following variables in the file (on a freshly installed file they are around lines 60 and 66):

$rcmail_config['auto_create_user'] = TRUE;
$rcmail_config['default_host'] = 'localhost';

If you are going to install the plugin below (the login logger that feeds fail2ban) you also have to add it to the list of plugins in the same file. If it is the only plugin you use, edit the plugins line (around line 42) to read:

$rcmail_config['plugins'] = array('fail2ban'); 

Install the Roundcube login-logger plugin from http://mattrude.com/projects/roundcube-fail2ban-plugin/.

Basically you have to download the plugin file (fail2ban.php) and put it into a fail2ban folder inside Roundcube's plugins folder, so that you end up with the file /usr/share/roundcube/plugins/fail2ban/fail2ban.php. The log file must exist and be writable by the Apache user, otherwise the plugin cannot record anything. Execute:

cd /usr/share/roundcube/plugins/
wget --no-check-certificate http://github.com/downloads/mattrude/rc-plugin-fail2ban/roundcube-fail2ban-plugin.1.0.tgz
tar -xvzf roundcube-fail2ban-plugin.1.0.tgz
touch /var/log/roundcube/userlogins
chown www-data:www-data /var/log/roundcube/userlogins

This plugin appends one line to /var/log/roundcube/userlogins for each failed login attempt; that file is what fail2ban will watch in the next section.

Don't forget to set the webmail link in ISPConfig (System -> Interface Config -> tab Mail) to /webmail. Lastly, restart Apache:

/etc/init.d/apache2 restart

You can now access webmail at http://www.example.com/webmail (if you enabled the rewrite rules above, this redirects to https://www.example.com:50443/webmail).

 

4. FAIL2BAN

Extend the jail.local file that Falko suggests in The Perfect Server - Debian Squeeze (Debian 6.0) With BIND &amp; Courier [ISPConfig 3], /etc/fail2ban/jail.local:

nano /etc/fail2ban/jail.local

You have to append or edit the following jails:

[roundcube]
enabled = true
port = http,50443
filter = roundcube
logpath = /var/log/roundcube/userlogins
maxretry = 5

[webmin-auth]
enabled = true
port = 50000
filter = webmin-auth
logpath = /var/log/auth.log
maxretry = 3

[ssh]
enabled = true
port = 50022
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

The 50443 port in the roundcube jail is only needed if you enabled the redirection to https (see the beginning of this tutorial); otherwise "port = http" is enough.
The 50000 port in webmin-auth is the changed Webmin port (see the beginning of this tutorial).
The 50022 port in ssh is the changed SSH port (see the following sections of this tutorial).

Last (and very important): don't forget to create the filter file /etc/fail2ban/filter.d/roundcube.conf, which tells fail2ban what a failed login looks like in the userlogins log.

nano /etc/fail2ban/filter.d/roundcube.conf

with the following contents:

[Definition]
failregex = FAILED login for .* from <HOST>
ignoreregex =

The <HOST> tag must be written in upper case: fail2ban replaces it with its own IP-matching group, and with a lower-case <host> the jail fails to start with "No 'host' group". Luckily the webmin-auth and sshd filters already ship with fail2ban. Restart fail2ban:

/etc/init.d/fail2ban restart
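To see what fail2ban does with the roundcube filter before relying on it, here is an added example (not part of the original tutorial or of fail2ban itself) that mimics fail2ban's <HOST> substitution, applies the failregex to a constructed sample of /var/log/roundcube/userlogins, and counts failures per source address the way maxretry does. The log line format is assumed from the plugin's description ("FAILED login for <user> from <ip>"); the timestamps and addresses are made up.

```python
import re
from collections import Counter

# fail2ban 0.8.x replaces the <HOST> tag in failregex with a named group
# before compiling the pattern; the group name "host" is what it reads back.
HOST_TAG = "<HOST>"
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Substitute <HOST> like fail2ban does and refuse patterns without it.

    A lower-case <host> is not a tag, so no group is created and the filter is
    rejected, which is the "No 'host' group" error seen in fail2ban.log.
    """
    pattern = failregex.replace(HOST_TAG, HOST_GROUP)
    compiled = re.compile(pattern)
    if "host" not in compiled.groupindex:
        raise ValueError("No 'host' group in %r" % failregex)
    return compiled


def failed_hosts(lines, failregex):
    """Return the source address of every log line the failregex matches."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def offenders(lines, failregex, maxretry=5):
    """Addresses whose failure count reaches maxretry (findtime ignored here)."""
    counts = Counter(failed_hosts(lines, failregex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample of /var/log/roundcube/userlogins (format assumed).
SAMPLE_LOG = """\
[20-Apr-2011 10:01:02 +0200]: FAILED login for admin from 203.0.113.7
[20-Apr-2011 10:01:09 +0200]: FAILED login for admin from 203.0.113.7
[20-Apr-2011 10:01:15 +0200]: FAILED login for root from 203.0.113.7
[20-Apr-2011 10:01:20 +0200]: FAILED login for info@example.com from 198.51.100.4
[20-Apr-2011 10:01:31 +0200]: FAILED login for admin from 203.0.113.7
[20-Apr-2011 10:01:40 +0200]: FAILED login for test from 203.0.113.7
[20-Apr-2011 10:02:03 +0200]: Successful login for info@example.com from 198.51.100.4
""".splitlines()

# The failregex from /etc/fail2ban/filter.d/roundcube.conf.
FAILREGEX = r"FAILED login for .* from <HOST>"

if __name__ == "__main__":
    print("failures:", failed_hosts(SAMPLE_LOG, FAILREGEX))
    print("to ban  :", offenders(SAMPLE_LOG, FAILREGEX, maxretry=5))
    try:
        compile_failregex(r"FAILED login for .* from <host>")
    except ValueError as err:
        print("fail2ban would refuse this filter:", err)
```

With the sample above, 203.0.113.7 accumulates five failures and is the only address returned by offenders(); the successful login line never matches. The real daemon additionally applies findtime and bantime, which are left out here to keep the check small.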

If you add a lot of jails to fail2ban, some of them may fail to start (the errors appear in /var/log/fail2ban.log but NOT in the output of the init script!). Check which fail2ban chains actually exist in the firewall with:

iptables -L -n

Unfortunately the solution is a bit of a hack... but at least it is a solution. fail2ban-client sends the jail commands to the server one after another, and the failures disappear when a short pause is inserted between them, which points to a timing problem:

In the file /usr/bin/fail2ban-client, around line 145, insert time.sleep(0.1) (or time.sleep(0.05); 0.05 is reported in the comments to be too short on some systems, so 0.1 is the safer choice) as the first statement inside the for loop of __processCmd. Match the indentation of the surrounding lines exactly, since Python is whitespace-sensitive, and check that time is imported near the top of the script (add import time if it is not):

nano /usr/bin/fail2ban-client

So before the change the file looks like this:

[...]
    def __processCmd(self, cmd, showRet = True):
        beautifier = Beautifier()
        for c in cmd:
            beautifier.setInputCmd(c)
            try:
[...]

And afterwards the file looks like this:

[...]
    def __processCmd(self, cmd, showRet = True):
        beautifier = Beautifier()
        for c in cmd:
            time.sleep(0.05)
            beautifier.setInputCmd(c)
            try:
[...]

Restart fail2ban again:

/etc/init.d/fail2ban restart

You can check that all jails are active (one fail2ban-<jail> chain per jail) with the command:

iptables -L -n

32 Comment(s)

Comments

From: at: 2011-03-22 19:50:03

There is a small typo in download of the webmin

 

cd /tmp wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb

 

should actually be 

 cd /tmp

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb

From: teddy at: 2011-08-19 18:28:47

Hi, I've followed the perfect Debian server with ISPConfig 3 tutorial, then the SSL post on faqforge, and everything went ok on my virtualized server and on the online one. Once it gets to changing the default port for Webmin, activating it on the ISPConfig firewall, restarting Webmin and Apache, no way: the page I get in the browser (url is https://x.x.x.x:1888) is (Chrome in this case, but the timeout is consistent for all browsers):

 Error 118 (net::ERR_CONNECTION_TIMED_OUT)

 I've checked with a netstat, but the port is listening

 tcp        0      0 0.0.0.0:18888           0.0.0.0:*               LISTEN      32521/perl

udp        0      0 0.0.0.0:18888           0.0.0.0:*                           32521/perl

an iptables list gives this response:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (15 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap2
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http-alt
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:tproxy
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:8000
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:18888
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:webmin
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
...

So, everything seems in order, what could it be that stops me from accessing Webmin on the alternative port? Please consider that the default port works, and all other services work, since I've followed your instructions letter by letter...

 Did I forget anything? Where could I look?

 

From: at: 2011-12-17 14:30:14

Good tutorial, I just want to thank you for taking the time to write it.

From: Frank at: 2012-05-31 10:56:40

hi,
is it possible for SquirrelMail and Roundcube to coexist?

thanks!

From: Frederik at: 2011-06-01 14:07:54

Hi!

 

There is a typo in 4. FAIL2BAN.

 nano /etc/fail2ban/jail.local -> nano /etc/fail2ban/jail.conf

 

 

 

my regards

From: at: 2011-06-26 17:16:23

This is not a typo.

The jail.local will not be overwritten in a future update.

From: Maurizio Marini at: 2011-08-07 15:30:40

file /var/lib/roundcube/config/main.inc.php line 60 is already:

$rcmail_config['auto_create_user'] = TRUE;

i think that your

auto_create_user = TRUE;

is relative to older versions ...

or should we change:

$rcmail_config['auto_create_user'] = TRUE;

with

auto_create_user = TRUE;

?

From: at: 2011-08-04 15:13:00

Hi,

I found that if I added 0.05 to the sleep command I would end up with errors in the fail2ban.log that I also found here http://oschgan.com/drupal/node/52 and when I changed it to 0.1 it worked perfectly.

Regards,

Steve

 

From: Anonymous at: 2012-01-13 02:01:27

I'm using BIND + Dovecot and extending with roundcube and following line

failregex = FAILED login for .*. from <host>
in /etc/fail2ban/filter.d/roundcube.conf gives me an error:
fail2ban.filter : ERROR  No 'host' group in 'FAILED login for .*. from <host>'
So I think it's only a typo; if I write <HOST> in upper case, then all seems to be great.
 THX

From: michael at: 2012-04-02 09:16:59

Hi, first, thanks for the useful info!

 In step 8:

 

"If you want to install Drupal (or other cms) you will propably need uploadprogress and json. To accomplish their installation, do:

apt-get install php5-dev php-services-json
pecl install uploadprogress
touch /etc/php5/apache2/conf.d/uploadprogress.ini
nano /etc/php5/apache2/conf.d/uploadprogress.ini"

The sites gave 500-errors all around. I ran apt-get remove php5-dev and the sites came up again. Will that have an effect on the other things or is there a work-around for the 500-errors? 

From: Benoit Lallemand at: 2011-04-21 15:53:22

I think the parameter -p in the command here after is wrong!

#!/bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
/usr/bin/php -p /root/scripts/mycron.php

From: Web Worlds at: 2011-05-05 08:56:45

I agree, also with me it was not working with the '-p' in the PHP command.

From: lenz at: 2011-06-07 09:49:06

there is a typo

wget http://mysqltuner.com/mysqltuner.pl

From: at: 2012-05-19 20:27:36

I really like this tutorial, so that is why i wish to improve it by posting this error that i have found with the email the cron job mycron.php sends.

I have gone through this tutorial twice, both starting from the perfect server here.

Both times i keep getting this error email from mycron.php.

HERE IS THE ERROR:

Email Subject:    Cron <root@node1> test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; } (failed)

Email Message:  /usr/lib/tiger/config: line 360: /config: No such file or directory


How can I fix this error? I followed the tutorial to a 'T' so I don't think it was an error on my part.

From: at: 2012-09-05 11:07:11

Did you install tigercron?

(Please use the forums for questions)

From: at: 2011-04-22 15:56:50

unloadfw and loadfw are exactly the same... it is an error, please can those lines be corrected?

Thanks in advance, awesome tutorial ;)

From: Frederik at: 2011-06-01 14:25:40

No they are different.

The one script calls the flag -I to init a rule, the other one -D to delete a rule.

 

:)

From: Benoit Lallemand at: 2011-04-21 19:01:14

On the top of this pages : 

mkdir /root/scripts
touch /root/scripts/loadfw
touch /root/scripts/unloadfw
touch /root/scripts/IPs

touch /root/scripts/fwrules  --> fwrules with "s"

touch /root/scripts/reloadfail2ban
cd /root/scripts
nano loadfw

 and in the script, here after, you read "fwrule" without "s"

# Simple iptables IP/subnet unload script
# ---------------------------------------------------------


cd /root/scripts/

IPT=/sbin/iptables
DROPMSG="fwBLOCKED "
BADIPS=$(egrep -v -E "^#|^$" /root/scripts/IPs)

while read fwrule
do
$IPT -D INPUT $fwrule

done < /root/scripts/fwrules

From: at: 2011-06-26 17:32:08

fwrule is the variable.

At the end of the while is the file (/root/scripts/fwrules):

 while read fwrule
do
  $IPT -D INPUT $fwrule

done < /root/scripts/fwrules

 

From: Frederik at: 2011-06-01 14:59:17

Hi, I applied this tutorial to my Debian 6 server.

 When i execute /root/scripts/reloadfail2ban my console tells me:

 

root@lvpsXXXXXXXXX:~/scripts# /root/scripts/reloadfail2ban
Restarting authentication failure monitor: fail2ban.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
[...] some more stuff
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
[...] some more stuff
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.

 

 

 Is this okay or is this an error?

 

 

my regards.

From: at: 2011-06-26 17:39:53

It's OK.

You probably changed the rules before you unload the previous rules.

So the script tries to unload the new rules, but the old ones are still loaded.

Please first unload everything, after this make your changes and finally reload the rules.

The above include the part of IP addresses

To be sure that everything is ok:

Do a full restart. Unload the rules, Make the changes. Reload the rules.

Keep in mind that this is not a fully featured firewall. It's just a script with basic rules.

From: at: 2011-12-12 20:44:31

Hey, I get this email from cron:

 /usr/lib/tiger/config: line 360: /config: No such file or directory

How can I fix this?

 

From: at: 2013-03-30 22:29:51

Copy the default config from


/usr/lib/tiger/systems/default/config

or

/usr/lib/tiger/systems/Linux/2/config

to

/usr/lib/tiger/

From: Stefkom at: 2013-08-25 11:11:24

very simple :)

1. sudo ln -s /usr/lib/tiger/systems/Linux/2 /usr/lib/tiger/systems/Linux/3

or

2. sudo cp -a /usr/lib/tiger/systems/Linux/2 /usr/lib/tiger/systems/Linux/3

From: at: 2011-12-12 20:51:04

just wanted to add the subject line for the cron email:

 test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; } (failed)

From: at: 2011-04-14 13:07:54

I followed the client backup tutorial, however I'm getting an error after running it as root.

The backup seems to run fine but I receive the following error and this keeps repeating in the console:

/bin/tar: ./tmp/sess_5jrh2r2d5m8lhtaq7sf04mo3n7: Cannot open: Permission denied


From: at: 2011-05-05 05:17:55

After downloading the file, you must:

chmod +x /usr/share/roundcube/plugins/fail2ban.php
touch /var/log/roundcube/userlogins
chown www-data:www-data /var/log/roundcube/userlogins

I don't know if chmod +x is necessary for fail2ban.php (I was trying to make it work, I am too tired to test it lol xD) but you MUST chown userlogins; if not, apache2 (or Roundcube through apache2) will not be able to write inside the file (access denied).

 Regards

 

PD: Perfect howto xD

From: at: 2011-06-26 18:04:25

You just need the following command:

 chown www-data:www-data /var/log/roundcube/userlogins

I updated the tutorial. Thx

From: webmaster eddie at: 2011-12-17 06:50:16

I tried following your instructions - just to harden the server using iptables and the ddos - and the backup scripts - and I could no longer ftp - I only have a dynamic IP wifi public connection to the net and it was blocking me, disconnecting me from ftping files after 1 second it seems... so I reversed every single thing I did following your instructions, and now I cannot ftp with any program at all - I can connect but not a single file is allowed to be transferred - I get a permission denied 553 error. Can you help me? I have checked everything - the ports in the ISPConfig 3 panel are fine, etc.

 

Also I never got the backup scripts to work at all - so I removed them. I do thank you for the 2 mysql tuning scripts which work and seem to help

From: at: 2012-01-21 01:19:17

In the backup script the mysqldump '--all' option is deprecated and restoring from the backup won't work! Use '--create-options' instead.

From: Jonas Lateur at: 2012-04-23 14:51:53

When I run /root/scripts/mybackup.sh, I get the following error:


       Site: server.ttb-ltd.eu
-------------------------------------------------------------
Backing Up site:  /var/www/clients/client1/web1/ in : /var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz
tar (child): /var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz: Cannot open: Permission denied
tar (child): Error is not recoverable: exiting now
/bin/tar: /var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz: Cannot write: Broken pipe
/bin/tar: Error is not recoverable: exiting now
cp: cannot stat `/var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz': No such file or directory
/bin/chown: cannot access `/var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz': No such file or directory
/bin/chmod: cannot access `/var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz': No such file or directory
-------------------------------------------------------------

From: at: 2013-04-07 14:35:47

Hi,

At first: thanks for this wonderful tutorial!!!

The only problem I've got at this point is that when I execute the mybackup.sh file I get this error:

ERROR 1054 (42S22) at line 1: Unknown column 'web_database.database_user' in 'field list'

I looked into the database and the database_user field really is missing... Is this a newer version of ISPConfig 3 I'm using? Can you adapt the script to the newer version?

Thanks again for your good work.

Best regards, Ingmar