Extending Perfect Server - Debian Squeeze [ISPConfig 3] - Page 3

5. multitail

In Debian install multitail via apt:

apt-get install multitail

Create the folder /root/scripts (if you haven't already) and create the script that lets you watch multiple log files simultaneously:

mkdir /root/scripts
cd /root/scripts
nano mytail

Paste the lines:

#!/bin/bash
# Follow several logs at once; -ci colours lines matching -e, -I merges the
# next file into the previous window, -n 1000 shows the last 1000 lines.
multitail -ci yellow -e "ailed" -n 1000 /var/log/auth.log \
 -ci red -e "Ban" -n 1000 -I /var/log/fail2ban.log \
 -ci red -e "fw" -n 1000 -I /var/log/messages \
 -ci green -e "Unban" -n 1000 -I /var/log/messages \
 -ci blue -e "fail" -n 1000 -I /var/log/syslog

Save, exit and make it executable for root:

chmod 700 /root/scripts/mytail

Run it (to see the output) with the following command (press "q" to exit):

/root/scripts/mytail

 

6. SSH over 50022 port

Before changing a port to something other than the default, DON'T forget to add the new port to your firewall. If you are using the ISPConfig defaults, go to System -> Firewall and add the port you want (in this manual we use 50000 for Webmin, 50443 for ISPConfig and 50022 for ssh). Save and DON'T remove the old ports (8080, 10000, 22) until you are absolutely sure that the new ports are working.

In Debian you install the ssh server (if you don't have it already) with apt-get. After that, edit the config file (/etc/ssh/sshd_config):

apt-get install ssh openssh-server openssh-client
nano /etc/ssh/sshd_config

Leave "Port 22" and ADD "Port 50022" right after "Port 22". Save, exit and restart ssh:

/etc/init.d/ssh restart

CAUTION: You have to log in again over ssh on port 50022. After the above modification, sftp will also be accessible over port 50022. If you remove port 22, then you can access ssh AND sftp ONLY over port 50022.

If you succeed in logging in over port 50022 (with the following command), you can remove the line "Port 22" from /etc/ssh/sshd_config:

ssh -p 50022 root@server1.example.com

If you did the above, you also have to override the ssh jail and change the port of the fail2ban SSH jail (from ssh to 50022) in /etc/fail2ban/jail.local.

(If you followed the tutorial from the beginning, you have already done this in the Fail2ban section.)
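The two-phase change above (add the new port, confirm the login, then drop port 22, then fix the fail2ban jail) is easy to get wrong under time pressure, so here it is as a small script. This is an added example, not part of the original tutorial; the function names are mine, and the config snippets it is exercised against are constructed, not taken from a real server.

```shell
#!/bin/bash
# Added example, not from the original tutorial: a lockout-safe two-phase
# sshd port change for the procedure in section 6. Phase 1 adds the new
# port next to "Port 22"; phase 2 removes "Port 22" only while another Port
# directive is present. Function names are my own; on a real server point
# them at /etc/ssh/sshd_config and /etc/fail2ban/jail.local.
set -u

# Phase 1: add "Port <newport>" directly after "Port 22" (idempotent).
add_sshd_port() {   # add_sshd_port <sshd_config> <newport>
    local cfg=$1 port=$2
    grep -qx "Port $port" "$cfg" && return 0            # already there
    grep -qx "Port 22" "$cfg" || { echo "no 'Port 22' line in $cfg" >&2; return 1; }
    awk -v p="$port" '{print} $0=="Port 22"{print "Port " p}' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Phase 2: drop "Port 22", but refuse if it is the only Port directive,
# because sshd would then fall back to 22 alone and the new port is gone.
remove_default_port() {   # remove_default_port <sshd_config>
    local cfg=$1
    grep -qx "Port 22" "$cfg" || return 0               # nothing to do
    if [ "$(grep -c '^Port [0-9][0-9]*$' "$cfg")" -lt 2 ]; then
        echo "refusing: 'Port 22' is the only Port directive in $cfg" >&2
        return 1
    fi
    awk '$0!="Port 22"' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Ports sshd will bind to, space separated, for comparing with the firewall.
list_sshd_ports() {   # list_sshd_ports <sshd_config>
    grep '^Port [0-9][0-9]*$' "$1" | awk '{print $2}' | tr '\n' ' ' | sed 's/ $//'
}

# Keep fail2ban in step: rewrite "port = ..." inside the [ssh] section only.
set_ssh_jail_port() {   # set_ssh_jail_port <jail.local> <newport>
    local jail=$1 port=$2
    awk -v p="$port" '/^\[/ {insec = ($0 == "[ssh]")}
                      insec && /^port *=/ {$0 = "port = " p}
                      {print}' "$jail" > "$jail.tmp" && mv "$jail.tmp" "$jail"
}

# Order of operations on the server (after adding 50022 to the ISPConfig firewall):
#   add_sshd_port /etc/ssh/sshd_config 50022 && sshd -t && /etc/init.d/ssh restart
#   ssh -p 50022 root@server1.example.com        # confirm from a second session
#   remove_default_port /etc/ssh/sshd_config && sshd -t && /etc/init.d/ssh restart
#   set_ssh_jail_port /etc/fail2ban/jail.local 50022 && /etc/init.d/fail2ban restart
```

Keep the original session open until the second login succeeds; `sshd -t` only checks the syntax, not that the firewall lets the new port through.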

 

7. phpmyadmin under different url (+ ssl tip)

To access phpmyadmin over SSL under /mydomaindb (or another unique name), you can apply the same tip as with roundcube (for the SSL part). For the new URL you have to edit /etc/apache2/conf.d/phpmyadmin.conf, change the Alias from "/phpmyadmin" to "/mydomaindb" and ensure that the following lines are in it (notice the last block, from <IfModule mod_rewrite.c> to </IfModule>, which redirects to SSL):

# phpMyAdmin default Apache configuration

Alias /mydomaindb /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php

<IfModule mod_php5.c>
AddType application/x-httpd-php .php

php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_value include_path .
</IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
<IfModule mod_authn_file.c>
AuthType Basic
AuthName "phpMyAdmin Setup"
AuthUserFile /etc/phpmyadmin/htpasswd.setup
</IfModule>
Require valid-user
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
Order Deny,Allow
Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
Order Deny,Allow
Deny from All
</Directory>

<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
<Location /mydomaindb>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}:50443%{REQUEST_URI} [L]
</Location>
</IfModule>
</IfModule>

After this, restart Apache:

/etc/init.d/apache2 restart

Don't forget to change the phpmyadmin link in the ISPConfig 3 GUI (Interface Config -> Sites tab).

 

8. Install a php accelerator (apc) and other useful apps.

In this section we will install apc (a php accelerator developed by the php developers themselves) and some useful apps (htop, iptraf, logwatch, tiger).

apt-get install php-apc htop iptraf logwatch tiger

Edit /etc/php5/conf.d/apc.ini to increase the memory cache:

nano /etc/php5/conf.d/apc.ini

And append the following line:

apc.shm_size=128

Finally restart Apache:

/etc/init.d/apache2 restart

With htop you can see system info in a better way than with top, with iptraf you can see real-time statistics for your connections, with logwatch you can have your system mail you a summary of the log files, and with tiger you can have a periodic report of your system's security vulnerabilities (if any exist) mailed to you.

As a lot of scripts/apps send mail to the user root, you can alias root's mail to a more 'real' email address. So, after you set up a 'real' mailbox for your example.com domain, you can edit the aliases and add an alias for the root user:

nano /etc/aliases

and change the line

root:root

to something like

root:server1@example.com

After this execute:

newaliases

If you want to install Drupal (or another CMS) you will probably need uploadprogress and json. To install them, do:

apt-get install php5-dev php-services-json
pecl install uploadprogress
touch /etc/php5/apache2/conf.d/uploadprogress.ini
nano /etc/php5/apache2/conf.d/uploadprogress.ini

And append the following line:

extension=uploadprogress.so

Finally restart Apache:

/etc/init.d/apache2 restart


Comments

From: at: 2011-03-22 19:50:03

There is a small typo in the download of webmin:

cd /tmp wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb

should actually be

cd /tmp
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb

From: teddy at: 2011-08-19 18:28:47

Hi, I've followed the perfect debian server with ispconfig3 tutorial, then the SSL post on faqforge, and everything went ok on my virtualized server and on the online one. Once it gets to changing the default port for webmin, activating it on the ispconfig firewall, restarting webmin and apache, no way: the page I get in the browser (url is https://x.x.x.x:1888) is (Chrome in this case, but the timeout is consistent for all browsers):

 Error 118 (net::ERR_CONNECTION_TIMED_OUT)

 I've checked with a netstat, but the port is listening

 tcp        0      0 0.0.0.0:18888           0.0.0.0:*               LISTEN      32521/perl

udp        0      0 0.0.0.0:18888           0.0.0.0:*                           32521/perl

an iptables list gives this response
 
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (15 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap2
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http-alt
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:tproxy
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:8000
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:18888
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:webmin
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
...

So, everything seems in order, what could be stopping me from accessing webmin on the alternative port? Please consider that the default port works, and all other services work, since I've followed your instructions letter by letter...

Did I forget anything? Where could I look?

 

From: at: 2011-12-17 14:30:14

Good tutorial, I just want to thank you for taking the time to write it.

From: Frank at: 2012-05-31 10:56:40

hi,
is it possible for squirrelmail and roundcube to coexist?

thanks!

From: Frederik at: 2011-06-01 14:07:54

Hi!

There is a typo in 4. FAIL2BAN.

nano /etc/fail2ban/jail.local -> nano /etc/fail2ban/jail.conf

my regards

From: at: 2011-06-26 17:16:23

This is not a typo.

The jail.local will not be overwritten in a future update.

From: Maurizio Marini at: 2011-08-07 15:30:40

file /var/lib/roundcube/config/main.inc.php line 60 is already:

$rcmail_config['auto_create_user'] = TRUE;

I think that your

auto_create_user = TRUE;

is relative to older versions ...

or should we change:

$rcmail_config['auto_create_user'] = TRUE;

with

auto_create_user = TRUE;

?

From: at: 2011-08-04 15:13:00

Hi,

I found that if I added 0.05 to the sleep command I would end up with errors in the fail2ban.log that I also found here http://oschgan.com/drupal/node/52 and when I changed it to 0.1 it worked perfectly.

Regards,

Steve

 

From: Anonymous at: 2012-01-13 02:01:27

I'm using BIND + Dovecot and extending with roundcube, and the following line

failregex = FAILED login for .*. from <host>

in /etc/fail2ban/filter.d/roundcube.conf gives me an error:

fail2ban.filter : ERROR  No 'host' group in 'FAILED login for .*. from <host>'

So I think it's only a typo; if I write <HOST> in uppercase, then all seems to be great.

THX

From: michael at: 2012-04-02 09:16:59

Hi, first, thanks for the useful info!

 In step 8:

 

"If you want to install Drupal (or other cms) you will probably need uploadprogress and json. To accomplish their installation, do:

apt-get install php5-dev php-services-json
pecl install uploadprogress
touch /etc/php5/apache2/conf.d/uploadprogress.ini
nano /etc/php5/apache2/conf.d/uploadprogress.ini"

The sites gave 500-errors all around. I ran apt-get remove php5-dev and the sites came up again. Will that have an effect on the other things or is there a work-around for the 500-errors? 

From: Benoit Lallemand at: 2011-04-21 15:53:22

I think the parameter -p in the command below is wrong!

#!/bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
/usr/bin/php -p /root/scripts/mycron.php

From: Web Worlds at: 2011-05-05 08:56:45

I agree, also with me it was not working with the '-p' in the PHP command.

From: lenz at: 2011-06-07 09:49:06

there is a typo

wget http://mysqltuner.com/mysqltuner.pl

From: at: 2012-05-19 20:27:36

I really like this tutorial, so that is why I wish to improve it by posting this error that I have found with the email the cron job mycron.php sends.

I have gone through this tutorial twice, both starting from the perfect server here.

Both times I keep getting this error email from mycron.php.

HERE IS THE ERROR:

Email Subject:    Cron <root@node1> test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; } (failed)

Email Message:  /usr/lib/tiger/config: line 360: /config: No such file or directory


How can I fix this error? I followed the tutorial to a 'T' so I don't think it was an error on my part.

From: at: 2012-09-05 11:07:11

Did you install tigercron?

(Please use the forums for questions)

From: at: 2011-04-22 15:56:50

unloadfw and loadfw are exactly the same... it is an error, can those lines please be corrected?

Thanks in advance, awesome tutorial ;)

From: Frederik at: 2011-06-01 14:25:40

No they are different.

The one script calls the flag -I to init a rule, the other one -D to delete a rule.

 

:)

From: Benoit Lallemand at: 2011-04-21 19:01:14

At the top of this page:

mkdir /root/scripts
touch /root/scripts/loadfw
touch /root/scripts/unloadfw
touch /root/scripts/IPs

touch /root/scripts/fwrules  --> fwrules with "s"

touch /root/scripts/reloadfail2ban
cd /root/scripts
nano loadfw

and in the script below, you read "fwrule" without the "s":

# Simple iptables IP/subnet unload script
# ---------------------------------------------------------


cd /root/scripts/

IPT=/sbin/iptables
DROPMSG="fwBLOCKED "
BADIPS=$(egrep -v -E "^#|^$" /root/scripts/IPs)

while read fwrule
do
$IPT -D INPUT $fwrule

done < /root/scripts/fwrules

From: at: 2011-06-26 17:32:08

fwrule is the variable.

At the end of the while is the file (/root/scripts/fwrules):

 while read fwrule
do
  $IPT -D INPUT $fwrule

done < /root/scripts/fwrules

 

From: Frederik at: 2011-06-01 14:59:17

Hi, I applied this tutorial to my Debian 6 Server.

When I execute /root/scripts/reloadfail2ban my console tells me:

root@lvpsXXXXXXXXX:~/scripts# /root/scripts/reloadfail2ban
Restarting authentication failure monitor: fail2ban.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
[...] some more stuff
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
[...] some more stuff
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.

Is this okay or is this an error?

my regards.

From: at: 2011-06-26 17:39:53

It's OK.

You probably changed the rules before you unload the previous rules.

So the script tries to unload the new rules, but the old ones are still loaded.

Please first unload everything, after this make your changes and finally reload the rules.

The above includes the part with the IP addresses.

To be sure that everything is ok:

Do a full restart. Unload the rules, Make the changes. Reload the rules.

Keep in mind that this is not a fully featured firewall. It's just a script with basic rules.

From: at: 2011-12-12 20:44:31

hey, I get this email from cron:

/usr/lib/tiger/config: line 360: /config: No such file or directory

how can I fix this?

 

From: at: 2013-03-30 22:29:51

Copy the default config from


/usr/lib/tiger/systems/default/config

or

/usr/lib/tiger/systems/Linux/2/config

to

/usr/lib/tiger/

From: Stefkom at: 2013-08-25 11:11:24

very simple :)

1. sudo ln -s /usr/lib/tiger/systems/Linux/2 /usr/lib/tiger/systems/Linux/3

or

2. sudo cp -a /usr/lib/tiger/systems/Linux/2 /usr/lib/tiger/systems/Linux/3

From: at: 2011-12-12 20:51:04

just wanted to add the subject line for the cron email:

 test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; } (failed)

From: at: 2011-04-14 13:07:54

I followed the client backup tutorial, however I'm getting an error after running it as root.

The backups seem to run fine but I receive the following error and this keeps repeating in the console:

 /bin/tar: ./tmp/sess_5jrh2r2d5m8lhtaq7sf04mo3n7: Cannot open: Permission denied


From: at: 2011-05-05 05:17:55

After downloading the file, you must:

chmod +x /usr/share/roundcube/plugins/fail2ban.php
touch /var/log/roundcube/userlogins
chown www-data:www-data /var/log/roundcube/userlogins

I don't know if chmod +x is necessary for fail2ban.php (I was trying to make it work, I am too tired to test it lol xD) but you MUST chown userlogins, if not, apache2 (or roundcube through apache2) will not be able to write inside the file (access denied).

 Regards

 

PD: Perfect howto xD

From: at: 2011-06-26 18:04:25

You just need the following command:

 chown www-data:www-data /var/log/roundcube/userlogins

I updated the tutorial. Thx

From: webmaster eddie at: 2011-12-17 06:50:16

I tried following your instructions - just to harden the server using iptables and the ddos - and the backup scripts - and I could no longer ftp - I only have a dynamic ip wifi public connection to the net and it was blocking me, disconnecting me from ftping files after 1 second it seems... so I reversed every single thing I did following your instructions, and now cannot ftp with any program at all - I can connect but not a single file is allowed to be transferred - I get a permission denied 553 error. Can you help me? I have checked everything - the ports in the ISPConfig 3 panel are fine, etc.

 

Also I never got the backup scripts to work at all - so I removed them. I do thank you for the 2 mysql tuning scripts which work and seem to help.

From: at: 2012-01-21 01:19:17

In the backup script the mysqldump '--all' option is deprecated and restore from backup won't work! Use '--create-options' instead.

From: Jonas Lateur at: 2012-04-23 14:51:53

when I run /root/scripts/mybackup.sh, I get the following error:


       Site: server.ttb-ltd.eu
-------------------------------------------------------------
Backing Up site:  /var/www/clients/client1/web1/ in : /var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz
tar (child): /var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz: Cannot open: Permission denied
tar (child): Error is not recoverable: exiting now
/bin/tar: /var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz: Cannot write: Broken pipe
/bin/tar: Error is not recoverable: exiting now
cp: cannot stat `/var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz': No such file or directory
/bin/chown: cannot access `/var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz': No such file or directory
/bin/chmod: cannot access `/var/www/clients/client1/web1/server.ttb-ltd.euBU.tar.gz': No such file or directory
-------------------------------------------------------------

From: at: 2013-04-07 14:35:47

Hi,

at first: thnx. for this wonderful tutorial!!!

The only problem I've got at this point is that when I execute the mybackup.sh file I get this error:

ERROR 1054 (42S22) at line 1: Unknown column 'web_database.database_user' in 'field list'

I looked into the database and the database_user field really is missing there... Is this a newer version of ispConfig3 I'm using? Can you adapt the script to the newer version?

Thnx. again for your good work.

Best regards, Ingmar