The Perfect Server - CentOS 5.4 x86_64 [ISPConfig 3] - Page 5

14 Set MySQL Passwords And Configure phpMyAdmin

Start MySQL:

chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start

Then set passwords for the MySQL root account:

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

Now we configure phpMyAdmin. We change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the <Directory "/usr/share/phpmyadmin"> stanza):

vi /etc/httpd/conf.d/phpmyadmin.conf
#
#  Web application to manage MySQL
#

#<Directory "/usr/share/phpmyadmin">
#  Order Deny,Allow
#  Deny from all
#  Allow from 127.0.0.1
#</Directory>

Alias /phpmyadmin /usr/share/phpmyadmin
Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /mysqladmin /usr/share/phpmyadmin

Next we change the authentication in phpMyAdmin from cookie to http:

vi /usr/share/phpmyadmin/config.inc.php
[...]
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';
[...]

Then we create the system startup links for Apache and start it:

chkconfig --levels 235 httpd on
/etc/init.d/httpd start

Now you can direct your browser to http://server1.example.com/phpmyadmin/ or http://192.168.0.100/phpmyadmin/ and log in with the user name root and your new root MySQL password.

 

15 Install Amavisd-new, SpamAssassin And ClamAV

To install amavisd-new, spamassassin and clamav, run the following command: 

yum install amavisd-new spamassassin clamav clamd unzip bzip2 unrar perl-DBD-mysql

Then we start freshclam, amavisd, and clamd...

chkconfig --levels 235 amavisd on
chkconfig --levels 235 clamd on
/usr/bin/freshclam
/etc/init.d/amavisd start
/etc/init.d/clamd start

... and create some necessary directories:

mkdir /var/run/amavisd /var/spool/amavisd /var/spool/amavisd/tmp /var/spool/amavisd/db
chown amavis /var/run/amavisd /var/spool/amavisd /var/spool/amavisd/tmp /var/spool/amavisd/db

 

16 Installing Apache2 With mod_php, mod_fcgi/PHP5, And suPHP

ISPConfig 3 allows you to use mod_php, mod_fcgi/PHP5, cgi/PHP5, and suPHP on a per website basis.

mod_fcgid is not available in the official CentOS repositories, but there's a package for CentOS 5.x in the centos.karan.org testing repository. We enable the repository as follows:

cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo

Next we open /etc/yum.repos.d/kbsingh-CentOS-Extras.repo...

vi /etc/yum.repos.d/kbsingh-CentOS-Extras.repo

... and set gpgcheck to 0 and enabled to 1 in the [kbs-CentOS-Testing] section:

[...]
[kbs-CentOS-Testing]
name=CentOS.Karan.Org-EL$releasever - Testing
gpgcheck=0
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el$releasever/extras/testing/$basearch/RPMS/

Afterwards we can install Apache2with mod_php5, mod_fcgid, and PHP5:

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-mbstring php-mcrypt php-mhash php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel

Next we open /etc/php.ini...

vi /etc/php.ini

... and change the error reporting (so that notices aren't shown any longer) and add cgi.fix_pathinfo = 1 at the end of the file:

[...]
;error_reporting  =  E_ALL
error_reporting = E_ALL & ~E_NOTICE
[...]
cgi.fix_pathinfo = 1

Next we install suPHP:

cd /tmp
wget http://suphp.org/download/suphp-0.7.1.tar.gz
tar xvfz suphp-0.7.1.tar.gz
cd suphp-0.7.1/
./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=owner --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
make
make install

Then we add the suPHP module to our Apache configuration...

vi /etc/httpd/conf.d/suphp.conf
LoadModule suphp_module modules/mod_suphp.so

... and create the file /etc/suphp.conf as follows:

vi /etc/suphp.conf
[global]
;Path to logfile
logfile=/var/log/httpd/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=apache

;Path all scripts have to be in
docroot=/

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false

;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=100

; Minimum GID
min_gid=100

[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/usr/bin/php-cgi"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

Finally we restart Apache:

/etc/init.d/httpd restart

 

17 Install PureFTPd

PureFTPd can be installed with the following command:

yum install pure-ftpd

Then create the system startup links and start PureFTPd:

chkconfig --levels 235 pure-ftpd on
/etc/init.d/pure-ftpd start

 

18 Install MyDNS

There's no MyDNS rpm package for the x86_64 architecture, and building MyDNS from the sources on CentOS 5.4 x86_64 fails because of some incompatibilities with the mysql-devel package. Therefore we install the MyDNS rpm package for i386 which works on x86_64 as well:

wget http://mydns.bboy.net/download/mydns-mysql-1.1.0-1.i386.rpm
rpm -ivh mydns-mysql-1.1.0-1.i386.rpm

When the system boots, MyDNS must be started after MySQL. The MySQL startup link has the priority 64 on CentOS, so the MyDNS startup link must have a priority between 65 and 99. Therefore we open the MyDNS init script...

vi /etc/init.d/mydns

... and change

[...]
# chkconfig: 345 52 50
[...]

to

[...]
# chkconfig: 345 65 50
[...]

Then we create the startup links:

chkconfig --levels 235 mydns on

We don't start MyDNS now because it must be configured first - this will be done automatically by the ISPConfig 3 installer later on.

 

19 Install Vlogger And Webalizer

Vlogger and webalizer can be installed as follows:

yum install webalizer perl-DateTime-Format-HTTP perl-DateTime-Format-Builder

cd /tmp
wget http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
tar xvfz vlogger-1.3.tar.gz
mv vlogger-1.3/vlogger /usr/sbin/
rm -rf vlogger*

 

20 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.10.tar.gz
tar xvfz jailkit-2.10.tar.gz
cd jailkit-2.10
./configure
make
make install
rm -rf jailkit-2.10*

 

21 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

yum install fail2ban

chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start

 

22 Install rkhunter

rkhunter can be installed as follows:

yum install rkhunter
Share this page:

Suggested articles

9 Comment(s)

Add comment

Comments

By: Anonymous
Reply  

http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz check your input or your internet connection, works for me.

By:
Reply  

when I issue commands ./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=owner --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes make make install make[4]: Leaving directory `/tmp/suphp-0.7.1/src' make[3]: Nothing to be done for `install-data-am'. i don't see file suphp.conf file in /etc/httpd/conf.d/suphp.conf I have i386 system. I'm stuck at this step Please advise

By: SCM
Reply  

http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz is a dead link, can not find any other links. what a waste of 2 days worth of installing for ISPConfig :/

By: Anonymous
Reply  

This tutorial is seriously jacked up. I've spent over 8 hours, and half of this does not work. Find another route to take for ISPConfig!

By: JcOaCrO
Reply  

Great tutorial and all worked from first!!! For everyone having troubles just read carefully and check your typo :) Big THANKS to the auhor

By: Anonymous
Reply  

I've come across this tutorial a number of times because it looks like a great potential solution and finally took some time to walk through it on a test server.

Although the functionality looks great I'm rather concerned with the general lack of security and long term stability concern these instructions seem to have. True lots of people like to turn off SELINUX and GPG checks and you'll probably be fine, but more importantly the major reliance on disparate third party (and largely unaccountable) repositories and patches could make long term security and stability a serious issue.  To start, the instructions are already giving paths to out of date software packages, but what happens when a serious security update is released?  I could easily see running yum updates from official and third party repos, plus manual rpmbuilds could get things out of sync alone, but what happens when a patch or repo provider stops supplying updates?  Do you realize this before or after you've tried to apply updates?  And what services have you lost in the meantime without a clear path for resolution?

True a more experienced admin can pick and choose or modify aspects of the instructions to better suit their security and stability needs, but a lot of less experienced admins could be opening themselves up to the ticking time bomb of non-updatable system likely running production data for potentially paying customers.

As always with other people's "prefect build" instructions, be very cautious of what you are running and educate yourself on the finer details of how it all works.  Remember it's going to fall on you to fix things when they break, so make sure you have a good path to CYA. ;)

By:
Reply  

This line:

                mysqladmin -h server1.example.com -u root password yourrootsqlpassword

should probably look like this:

                mysqladmin -h server1.example.com -u root -p password yourrootsqlpassword

By:
Reply  

Please,

The link for download this "broken" http://mydns.bboy.net/download/mydns-mysql-1.1.0-1.i386.rpm.

Can where get the file mydns-mysql-1.1.0-1.i386.rpm
There is some other option?

By: ksc133
Reply  

hi folks,

 is it possible to

Install Amavisd-new, SpamAssassin And ClamAV

on ISPconfig2 centos 5.4 x64?

 thanks a lot