Perfect Server Automated ISPConfig 3 Installation on Debian 11 and Debian 12, Ubuntu 22.04 and Ubuntu 24.04

This tutorial will help install your ISPConfig 3 single server setup using the ISPConfig auto-installer. This installer follows the old Perfect Server guides but is more modular and easy to follow. If you want to set up a multiserver setup with dedicated servers for each service instead, see the Perfect Multiserver guide.

This guide works for Debian 11 and 12, Ubuntu 22.04, and Ubuntu 24.04. It currently supports the x86_64 (also known as AMD64) and ARM (ARM64) CPU architectures. We will use the hostname server1.example.com. Replace it where necessary. The guide requires a freshly installed and empty base OS; do not try to use it on a system where you have already configured other services.

Prerequisites

• Operating System: Debian 11 and Debian 12, Ubuntu 22.04, or Ubuntu 24.04.
• Intel or AMD 64-Bit CPU architecture (x86_64, also known as AMD64) or ARM (ARM64) CPU architecture.
• The System must have internet access to download and install software with apt.
• Start from a clean- and empty base OS installation. The system must be fully accessible from the internet; do not block access with a firewall, especially not port 80 for LE cert issuing and port 8080 for ISPConfig access, plus ports for all services you use on that system. The server must also have internet access to download and install software during installation and resolve domain names via DNS.

1. Log in to the server

Log in as root or run

su --login

on Debian to become the root user on your server before you proceed. IMPORTANT: You must use 'su --login' or 'su -' and not just 'su'. Otherwise, Debian will set your PATH variable wrongly.

On Ubuntu, use the command:

sudo -s

to become root user.

2. Configure the hostname and hosts

The hostname of your server should be a subdomain like "server1.example.com". Do not use a domain name without a subdomain part like "example.com" as hostname, as this will cause problems later with your setup. First, you should check the hostname in /etc/hosts and change it when necessary. The line should be: "IP Address - space - full hostname incl. domain - space - subdomain part". For our hostname server1.example.com, the file shall look like this (some lines may be different; it can differ per hosting provider):

nano /etc/hosts

127.0.0.1 localhost.localdomain   localhost
# This line should be changed to the correct servername:
127.0.1.1 server1.example.com server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Then edit the /etc/hostname file:

nano /etc/hostname

It shall contain only the subdomain part, in our case:

server1

Finally, reboot the server to apply the change:

systemctl reboot

Log in again and check if the hostname is correct now with these commands:

hostname
hostname -f

The output shall be like this:

root@server1:~$ hostname
server1
root@server1:~$ hostname -f
server1.example.com

You will also have to set up a DNS record with your DNS provider that points to your server. There should be an A (and/or AAAA) record for the subdomain that points to your public IP.

3. Update the system

To update the system packages, run the command:

apt update && apt upgrade

4. Run the autoinstaller

We can now run the auto-installer. The basic setup contains the following software packages (plus their dependencies, of course): Apache2, PHP (versions 5.6 - 8.3), MariaDB, Postfix, Dovecot, Rspamd, BIND, Jailkit, Roundcube, PHPMyAdmin, Mailman, Webalizer, AWStats and GoAccess. You can easily choose not to use certain functions or install extra services by passing arguments to the installer. See Chapter 6 for available command-line options.

Install ISPConfig with Apache web server

You can now run the script with arguments. For example, if you want a normal install with Apache web server and a port range for Passive FTP + unattended-upgrades, run:

wget -O - https://get.ispconfig.org | sh -s -- --use-ftp-ports=40110-40210 --unattended-upgrades

The following steps are described in the chapter "Running the auto installer".

Install ISPConfig with Nginx web server

You can now run the script with arguments. For example, if you want a normal install with Nginx web server and a port range for Passive FTP + unattended-upgrades, run:

wget -O - https://get.ispconfig.org | sh -s -- --use-nginx --use-ftp-ports=40110-40210 --unattended-upgrades

Running the auto-installer

After some time, you will see:

WARNING! This script will reconfigure your complete server!
It should be run on a freshly installed server and all current configuration that you have done will most likely be lost!
Type 'yes' if you really want to continue:

Answer "yes" and hit enter. The installer will now start.

When the installer is finished, it will show you the ISPConfig admin and MySQL root password like this:

[INFO] Your ISPConfig admin password is: 5GvfSSSYsdfdYC
[INFO] Your MySQL root password is: kkAkft82d!kafMwqxdtYs

Ensure you write this information down, as you will need it later.

5. Setting up the firewall

The last thing to do is to set up our firewall.

Log in to the ISPConfig UI, and go to System -> Firewall. Then click "Add new firewall record".

For a normal setup, it would look like this:

TCP:

20,21,22,25,80,443,40110:40210,110,143,465,587,993,995,53,8080,8081

UDP:

53

The necessary ports for every service are:

Web: 20, 21, 22, 80, 443 and 40110:40210 (All TCP, no UDP)

Mail: 25, 110, 143, 465, 587, 993, and 995 (All TCP, no UDP)

DNS: 53 (TCP and UDP)

Panel: 8080 and 8081 (All TCP, no UDP)

Your server is now set up and ready for use. You can log in at https://server1.example.com:8080

6. Advanced Options

The auto-installer has various command-line options to fine-tune the setup.

You can view all arguments with:

wget -O - https://get.ispconfig.org | sh -s -- --help

You can e.g. choose between Apache and Nginx webserver and which services shall be installed on the system. The command-line arguments are:

Usage: ispc3-ai.sh [] [...]

This script automatically installs all needed packages for an ISPConfig 3 setup using the guidelines from the "Perfect Server Setup" howtos on www.howtoforge.com.

Possible arguments are:
    --help          Show this help page.
    --debug         Enable verbose logging (logs each command with the exit code).
    --channel       Choose the channel to use for ISPConfig: --channel=<stable|dev>
                    "stable" is the latest ISPConfig release available on www.ispconfig.org
                    "dev" is the latest dev-branch from the ISPConfig git repository: https://git.ispconfig.org/ispconfig/ispconfig3/tree/develop
                    The dev channel might contain bugs and less-tested features and should only be used in production by very experienced users.
    --lang          Use language for ISPConfig installation. Specify with --lang=en|de (only en (English) and de (German) supported currently).
    --interactive   Don't install ISPConfig in non-interactive mode.
                    This is needed if you want to use expert mode, e.g. to install a slave server that shall be integrated into an existing multiserver setup.
    --use-nginx     Use nginx webserver instead of apache2.
    --use-amavis    Use amavis instead of rspamd for mail filtering.
    --use-unbound   Use unbound instead of bind9 for local resolving. Only allowed if --no-dns is set.
    --use-php       Use specific PHP versions, comma separated, instead of installing multiple PHP, e.g. --use-php=7.4,8.0 (5.6, 7.0, 7.1, 7.2, 7.3, 7.4, 8.0, 8.1, 8.2 and 8.3 available).
                    --use-php=system disables the sury repository and just installs the system's default PHP version.
                    --use-php while omitting the argument, uses all versions.
    --use-ftp-ports This option sets the passive port range for pure-ftpd. You have to specify the port range separated by hyphen, e.g. --use-ftp-ports=40110-40210.
                    If not provided the passive port range will not be configured.
    --use-certbot   Use Certbot instead of acme.sh for issuing Let's Encrypt certificates. Not advised unless you are migrating from an old server that uses Certbot.
    --no-web        Do not use ISPConfig on this server to manage webserver setting and don't install nginx/apache or pureftpd.
                    This will also prevent installing an ISPConfig UI and implies --no-roundcube as well as --no-pma.
    --no-mail       Do not use ISPConfig on this server to manage mailserver settings.
                    This will install postfix for sending system mails, but not dovecot and not configure any settings for ISPConfig mail. It implies --no-mailman.
    --no-dns        Do not use ISPConfig on this server to manage DNS entries. Bind will be installed for local DNS caching / resolving only.
    --no-local-dns  Do not install local DNS caching / resolving via bind.
    --no-firewall   Do not install ufw and tell ISPConfig to not manage firewall settings on this server.
    --no-roundcube  Do not install roundcube webmail.
    --roundcube     Install Roundcube even when --no-mail is used. Manual configuration of Roundcube config is needed.
    --no-pma        Do not install PHPMyAdmin on this server.
    --no-mailman    Do not install Mailman mailing list manager.
    --no-quota      Disable file system quota.
    --no-ntp        Disable NTP setup.
    --no-jailkit    Do not install jailkit.
    --no-ftp        Do not install pure-ftpd server.
    --monit         Install Monit and set it up to monitor installed services. Supported services: Apache2, NGINX, MariaDB, pure-ftpd-mysql, php-fpm, ssh, named, Postfix, Dovecot, rspamd.
    --monit-alert-email
                    Set up alerts for Monit to be sent to given e-mail address. e.g. [email protected].
    --ssh-port      Configure the SSH server to listen on a non-default port. Port number must be between 1 and 65535 and can not be in use by other services. e.g. --ssh-port=64.
    --ssh-permit-root
                    Configure the SSH server whether or not to allow root login: --ssh-permit-root=<yes|without-password|no>, e.g. --ssh-permit-root=without-password.
    --ssh-password-authentication
                    Configure the SSH server whether or not to allow password authentication: --ssh-password-authentication=<yes|no>, e.g. -ssh-password-authentication=no.
    --ssh-harden    Configure the SSH server to have a stronger security config.
    --unattended-upgrades
                    Install UnattendedUpgrades. You can add extra arguments for automatic cleanup and automatic reboots when necessary: --unattended-upgrades=autoclean,reboot (or only one
                    of them).
    --i-know-what-i-am-doing
                    Prevent the autoinstaller to ask for confirmation before continuing to reconfigure the server.

For example, to install a 'Perfect Server' like setup with Nginx instead of Apache, use this command:

wget -O - https://get.ispconfig.org | sh -s -- --use-nginx --use-ftp-ports=40110-40210 --unattended-upgrades

Or to install an Nginx web server without Email and DNS services:

wget -O - https://get.ispconfig.org | sh -s -- --use-nginx --no-dns --no-mail --use-ftp-ports=40110-40210 --unattended-upgrades

7. Finalizing

Your setup is now done!

You can support ISPConfig by purchasing our manual: https://www.ispconfig.org/documentation/

The following links are some valuable tutorials/pointers for further setup:

• Setting up mail (rDNS, SPF, DKIM): https://www.howtoforge.com/how-to-install-an-email-server-with-ispconfig-on-debian-10/
• Tweaking Roundcube: https://www.howtoforge.com/community/threads/tweaking-the-roundcube-settings.86387/
• Setting up autoconfig (automatic configuration for your email clients): https://schaal-it.com/ispconfig-automail/
• Improve the security of PHPMyAdmin and the Rspamd interface: https://www.howtoforge.com/community/threads/improving-the-security-of-phpmyadmin-and-rspamd-ui.86544/
• Code repository and issue tracker of the ISPConfig Autoinstaller: https://git.ispconfig.org/ispconfig/ispconfig-autoinstaller

If you have any questions, ask them on the forum.

8. Debugging in case of an error

If something goes wrong during installation, you can debug the process by adding the --debug command-line flag to the install command. This will write a log file

/tmp/ispconfig-ai/var/log/ispconfig.log

Also, the --interactive command-line option can help reveal the reason for an installation error.

9. Download as a virtual machine

This setup is available as a virtual machine download in ova/ovf format (compatible with VMWare and Virtualbox) for howtoforge subscribers. The Virtual machine is based on Debian 12 and uses Apache as web server.

Login details for the VM

• The root password is: howtoforge
• The password of the ISPConfig "admin" user is: howtoforge
• There is another shell user with the name "administrator" and password: howtoforge
• The MySQL root password is: 7s8EtDL1QhorSaeHhnRh

Please change all passwords on the first login.

• The IP address of the VM is 192.168.0.100