Extending Perfect Server - Debian Squeeze [ISPConfig 3] - Page 3

5. multitail

In Debian install multitail via apt:

apt-get install multitail

Create the folder /root/scripts (if you didn't do it before) and create a script that will let you watch multiple files simultaneously:

mkdir /root/scripts
cd /root/scripts
nano mytail

Paste the lines:

#!/bin/bash
multitail -ci yellow -e "ailed" -n 1000 /var/log/auth.log \
-ci red -e "Ban" -n 1000 -I /var/log/fail2ban.log \
-ci red -e "fw" -n 1000 -I /var/log/messages \
-ci green -e "Unban" -n 1000 -I /var/log/messages \
-ci blue -e "fail" -n 1000 -I /var/log/syslog

Save, exit and make it executable for root:

chmod 700 /root/scripts/mytail

Run it to see the output (press "q" to exit):

/root/scripts/mytail

 

6. SSH over 50022 port

Before changing a port to something other than the default, DON'T forget to add the new port to your firewall. If you are using the defaults of ISPConfig, go to System -> Firewall and add the port you want (in this manual we will use 50000 for Webmin, 50443 for ISPConfig and 50022 for ssh). Save and DON'T remove the old ports (8080, 10000, 22) until you are absolutely sure that the new ports are working.

In Debian you install the ssh server (if you don't have it already) with apt-get. After that, edit the config file (/etc/ssh/sshd_config):

apt-get install ssh openssh-server openssh-client
nano /etc/ssh/sshd_config

Leave "Port 22" and ADD "Port 50022" right after "Port 22". Save, exit and restart ssh:

/etc/init.d/ssh restart

CAUTION: You have to relogin over ssh to port 50022. After the above modification even sftp will be accessible over the port 50022. If you remove the port 22, then you can access ssh AND sftp ONLY over the port 50022.

If you succeed in logging in over port 50022 (with the following command), you can remove the line "Port 22" from /etc/ssh/sshd_config:

ssh -p 50022 [email protected]

If you did the above, you have to override the ssh jail in /etc/fail2ban/jail.local and change the port of the fail2ban SSH jail from ssh to 50022.

(If you followed the tutorial from the beginning, you have already done this in the Fail2ban section.)
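The two conditions this section depends on before "Port 22" is deleted can be checked from the configuration files themselves. The script below is an added example, not part of the original tutorial; the function names are hypothetical and the jail name [ssh] is assumed to be Debian's default. It goes slightly beyond the text by accepting a comma-separated port list in the jail.

```shell
#!/bin/bash
# Added example: pre-flight check before deleting "Port 22" (section 6).

# Print each port named by a Port directive; sshd falls back to 22 if none.
sshd_ports() {  # usage: sshd_ports SSHD_CONFIG
    local ports
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Print the "port" value of one jail section of a fail2ban jail file.
jail_port() {  # usage: jail_port JAIL_FILE JAIL_NAME
    awk -v jail="[$2]" '
        /^[ \t]*\[/ { in_jail = ($1 == jail) }
        in_jail && /^[ \t]*port[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Return 0 only if sshd listens on NEW_PORT and the [ssh] jail covers it.
# The jail name "ssh" is an assumption (Debian's default jail name).
check_ssh_port_move() {  # usage: check_ssh_port_move SSHD_CONFIG JAIL_FILE NEW_PORT
    local cfg=$1 jail=$2 new=$3 rc=0 jp
    if ! sshd_ports "$cfg" | grep -qx "$new"; then
        echo "sshd_config: no 'Port $new' line, do not remove Port 22" >&2
        rc=1
    fi
    jp=$(jail_port "$jail" ssh | tr -d ' \t')
    case ",$jp," in
        *",$new,"*) ;;   # jail port list contains the new port
        *) echo "fail2ban [ssh]: port is '${jp:-unset}', expected $new" >&2
           rc=1 ;;
    esac
    return $rc
}

# Run against the live files only when called with "live" as first argument.
if [ "${1:-}" = "live" ]; then
    check_ssh_port_move /etc/ssh/sshd_config /etc/fail2ban/jail.local 50022 \
        && echo "OK: port 50022 is configured in sshd and fail2ban"
fi
```

Running sshd -t before the restart additionally checks sshd_config for syntax errors, so a typo does not lock you out.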

 

7. phpmyadmin under different url (+ ssl tip)

To access phpMyAdmin over SSL under /mydomaindb (or another unique name), you can apply the same tip as with roundcube for the SSL part. For the new URL, edit /etc/apache2/conf.d/phpmyadmin.conf, change the Alias from "/phpmyadmin" to "/mydomaindb" and make sure the file contains the following lines (note the last lines, from <IfModule mod_rewrite.c> to </IfModule>, which are used to redirect to SSL):

# phpMyAdmin default Apache configuration

Alias /mydomaindb /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php

<IfModule mod_php5.c>
AddType application/x-httpd-php .php

php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_value include_path .
</IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
<IfModule mod_authn_file.c>
AuthType Basic
AuthName "phpMyAdmin Setup"
AuthUserFile /etc/phpmyadmin/htpasswd.setup
</IfModule>
Require valid-user
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
Order Deny,Allow
Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
Order Deny,Allow
Deny from All
</Directory>

<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
<Location /mydomaindb>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}:50443%{REQUEST_URI} [L]
</Location>
</IfModule>
</IfModule>

After this, restart Apache:

/etc/init.d/apache2 restart

Don't forget to change the phpMyAdmin link in the ISPConfig 3 GUI (Interface Config -> Sites tab).

 

8. Install a PHP accelerator (APC) and other useful apps

In this section we will install APC (a PHP accelerator), which is developed by the guys who develop PHP, and some other apps (htop, iptraf, logwatch, tiger).

apt-get install php-apc htop iptraf logwatch tiger

Edit /etc/php5/conf.d/apc.ini, so as to increase the memory cache:

nano /etc/php5/conf.d/apc.ini

And append the following line:

apc.shm_size=128

Finally restart Apache:

/etc/init.d/apache2 restart

With htop you can see system info in a better way than with top, with iptraf you can see real-time statistics for your connection, with logwatch you can have your system mail you a summary of the log files, and with tiger you can have a periodic report of your system's security vulnerabilities (if any exist) mailed to you.

As a lot of scripts/apps send a lot of mail to the user root, you can alias root's mail to a more 'real' email address. So, after you set up a 'real' mailbox for your example.com domain, you can edit the aliases and add an alias for the root user:

nano /etc/aliases

and change the line

root:root

to something like

root:[email protected]

After this execute:

newaliases

If you want to install Drupal (or another CMS) you will probably need uploadprogress and json. To install them, do:

apt-get install php5-dev php-services-json
pecl install uploadprogress
touch /etc/php5/apache2/conf.d/uploadprogress.ini
nano /etc/php5/apache2/conf.d/uploadprogress.ini

And append the following line:

extension=uploadprogress.so

Finally restart Apache:

/etc/init.d/apache2 restart