The Perfect Server - CentOS 6.3 x86_64 (Apache2, Courier, ISPConfig 3) - Page 5

14 Install Amavisd-new, SpamAssassin And ClamAV

To install amavisd-new, spamassassin and clamav, run the following command:

yum install amavisd-new spamassassin clamav clamd unzip bzip2 unrar perl-DBD-mysql

Then we start freshclam, amavisd, and clamd.amavisd:

sa-update
chkconfig --levels 235 amavisd on
chkconfig --del clamd
chkconfig --levels 235 clamd.amavisd on
/usr/bin/freshclam
/etc/init.d/amavisd start
/etc/init.d/clamd.amavisd start

 

15 Installing Apache2 With mod_php, mod_fcgi/PHP5, And suPHP

ISPConfig 3 allows you to use mod_php, mod_fcgi/PHP5, cgi/PHP5, and suPHP on a per website basis.

We can install Apache2with mod_php5, mod_fcgid, and PHP5 as follows:

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-pecl-apc php-mbstring php-mcrypt php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel

Next we open /etc/php.ini...

vi /etc/php.ini

... and change the error reporting (so that notices aren't shown any longer) and uncomment cgi.fix_pathinfo=1:

[...]
;error_reporting = E_ALL & ~E_DEPRECATED
error_reporting = E_ALL & ~E_NOTICE
[...]
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://www.php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo
cgi.fix_pathinfo=1
[...]

Next we install suPHP (there is a mod_suphp package available in the repositories, but unfortunately it isn't compatible with ISPConfig, therefore we have to build suPHP ourselves):

cd /tmp
wget http://suphp.org/download/suphp-0.7.1.tar.gz
tar xvfz suphp-0.7.1.tar.gz
cd suphp-0.7.1/
./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=owner --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
make
make install

Then we add the suPHP module to our Apache configuration...

vi /etc/httpd/conf.d/suphp.conf

LoadModule suphp_module modules/mod_suphp.so

... and create the file /etc/suphp.conf as follows:

vi /etc/suphp.conf

[global]
;Path to logfile
logfile=/var/log/httpd/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Minimum UID
min_uid=100
; Minimum GID
min_gid=100
[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

Finally we restart Apache:

/etc/init.d/httpd restart

 

15.1 Ruby

Starting with version 3.0.3, ISPConfig 3 has built-in support for Ruby. Instead of using CGI/FastCGI, ISPConfig depends on mod_ruby being available in the server's Apache.

For CentOS 6.3, there's no mod_ruby package available, so we must compile it ourselves. First we install some prerequisites:

yum install httpd-devel ruby ruby-devel

Next we download and install mod_ruby as follows:

cd /tmp
wget http://modruby.net/archive/mod_ruby-1.3.0.tar.gz
tar zxvf mod_ruby-1.3.0.tar.gz
cd mod_ruby-1.3.0/
./configure.rb --with-apr-includes=/usr/include/apr-1
make
make install

Finally we must add the mod_ruby module to the Apache configuration, so we create the file /etc/httpd/conf.d/ruby.conf...

vi /etc/httpd/conf.d/ruby.conf

LoadModule ruby_module modules/mod_ruby.so
RubyAddPath /1.8

... and restart Apache:

/etc/init.d/httpd restart

(If you leave out the RubyAddPath /1.8 directive, you will see errors like the following ones in Apache's error log when you call Ruby files:

[Thu May 26 02:05:05 2011] [error] mod_ruby: ruby:0:in `require': no such file to load -- apache/ruby-run (LoadError)
[Thu May 26 02:05:05 2011] [error] mod_ruby: failed to require apache/ruby-run
[Thu May 26 02:05:05 2011] [error] mod_ruby: error in ruby

)

 

15.2 Python

To install mod_python, we simply run...

yum install mod_python

... and restart Apache afterwards:

/etc/init.d/httpd restart

 

15.3 WebDAV

WebDAV should already be enabled, but to check this, open /etc/httpd/conf/httpd.conf and make sure that the following three modules are active:

vi /etc/httpd/conf/httpd.conf

[...]
LoadModule auth_digest_module modules/mod_auth_digest.so
[...]
LoadModule dav_module modules/mod_dav.so
[...]
LoadModule dav_fs_module modules/mod_dav_fs.so
[...]

If you have to modify /etc/httpd/conf/httpd.conf, don't forget to restart Apache afterwards:

/etc/init.d/httpd restart

 

16 Install PureFTPd

PureFTPd can be installed with the following command:

yum install pure-ftpd

Then create the system startup links and start PureFTPd:

chkconfig --levels 235 pure-ftpd on
/etc/init.d/pure-ftpd start

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

OpenSSL is needed by TLS; to install OpenSSL, we simply run:

yum install openssl

Open /etc/pure-ftpd/pure-ftpd.conf...

vi /etc/pure-ftpd/pure-ftpd.conf

If you want to allow FTP and TLS sessions, set TLS to 1:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
TLS                      1
[...]

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [XX]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) []:
<-- Enter your State or Province Name.
Locality Name (eg, city) [Default City]:
<-- Enter your City.
Organization Name (eg, company) [Default Company Ltd]:
<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, your name or your server's hostname) []:
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []:
<-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

/etc/init.d/pure-ftpd restart

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS.

 

17 Install BIND

We can install BIND as follows:

yum install bind bind-utils

Next open /etc/sysconfig/named...

vi /etc/sysconfig/named

... and make sure that the ROOTDIR=/var/named/chroot line is comment out:

# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
# Currently, you can use the following options:
#
# ROOTDIR="/var/named/chroot"  --  will run named in a chroot environment.
#                            you must set up the chroot environment
#                            (install the bind-chroot package) before
#                            doing this.
#       NOTE:
#         Those directories are automatically mounted to chroot if they are
#         empty in the ROOTDIR directory. It will simplify maintenance of your
#         chroot environment.
#          - /var/named
#          - /etc/pki/dnssec-keys
#          - /etc/named
#          - /usr/lib64/bind or /usr/lib/bind (architecture dependent)
#
#         Those files are mounted as well if target file doesn't exist in
#         chroot.
#          - /etc/named.conf
#          - /etc/rndc.conf
#          - /etc/rndc.key
#          - /etc/named.rfc1912.zones
#          - /etc/named.dnssec.keys
#          - /etc/named.iscdlv.key
#
#       Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
#       line to your /etc/rsyslog.conf file. Otherwise your logging becomes
#       broken when rsyslogd daemon is restarted (due update, for example).
#
# OPTIONS="whatever"     --  These additional options will be passed to named
#                            at startup. Don't add -t here, use ROOTDIR instead.
#
# KEYTAB_FILE="/dir/file"    --  Specify named service keytab file (for GSS-TSIG)
#
# DISABLE_ZONE_CHECKING  -- By default, initscript calls named-checkzone
#                           utility for every zone to ensure all zones are
#                           valid before named starts. If you set this option
#                           to 'yes' then initscript doesn't perform those
#                           checks.

Make a backup of the existing /etc/named.conf file and create a new one as follows:

cp /etc/named.conf /etc/named.conf_bak
cat /dev/null > /etc/named.conf
vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion no;
        allow-recursion { none; };
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.conf.local";

Create the file /etc/named.conf.local that is included at the end of /etc/named.conf (/etc/named.conf.local will later on get populated by ISPConfig if you create DNS zones in ISPConfig):

touch /etc/named.conf.local

Then we create the startup links and start BIND:

chkconfig --levels 235 named on
/etc/init.d/named start

 

18 Install Webalizer And AWStats

Webalizer and AWStats can be installed as follows:

yum install webalizer awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder

 

19 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.15.tar.gz
tar xvfz jailkit-2.15.tar.gz
cd jailkit-2.15
./configure
make
make install
cd ..
rm -rf jailkit-2.15*

 

20 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

yum install fail2ban

We must configure fail2ban to log to the log file /var/log/fail2ban.log because this is the log file that is monitored by the ISPConfig Monitor module. Open /etc/fail2ban/fail2ban.conf...

vi /etc/fail2ban/fail2ban.conf

... and comment out the logtarget = SYSLOG line and add logtarget = /var/log/fail2ban.log:

[...]
# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
#logtarget = SYSLOG
logtarget = /var/log/fail2ban.log
[...]

Then create the system startup links for fail2ban and start it:

chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start

 

21 Install rkhunter

rkhunter can be installed as follows:

yum install rkhunter

Share this page:

23 Comment(s)

Add comment

Comments

From: at: 2013-01-17 18:01:28

Can this process be used to install ISPConfig 3 on CentOS 6 32bit versions?

Please Reply!

From: oakleeman at: 2012-09-20 19:00:38

Heads up that if your HDD is bigger than 50GB or so in size the CentOS 6.3 install will create a 45GB or so / partition and then setup the rest as /home. If this isn't what you want then check the box to review the partitioning layout and delete the /home lv and increase the size of the / lv. 

This bites me in the rear every time I follow Falko's guides for CentOS 6 and forget about the partition issue until I get to the step for editing fstab for quota...then I have to delete the VM hard-disk and start over since that is faster for me then extending the lv.  

From: Dizfunkshunal at: 2013-01-10 20:33:03

change

epel-release-6-7.noarch.rpm  all instances

to 

epel-release-6-8.noarch.rpm

From: ally at: 2013-07-20 13:20:18

Also if installing on OpenVZ it's a different process for enabling quotas. Has to be enabled by the sys admin or hardware node admin for  your container.

From: Emo at: 2014-03-08 09:22:15

its now https:// , http:// is not working anymore.

From: Payne at: 2013-10-21 01:26:33

Another note, in order to get the RepoForge repositories to work correctly (in step 7) I had to follow instructions on the following link:

http://wiki.centos.org/AdditionalResources/Repositories/RPMForge#head-f0c3ecee3dbb407e4eed79a56ec0ae92d1398e01

Hope that helps!

 

From: admin at: 2012-07-28 07:54:01

It's no mistake - the tutorial is working for me exactly as written.

From: Anonymous at: 2012-07-27 16:02:29

After the build process, the rpm packages can be found in $HOME/rpm/RPMS/x86_64 ($HOME/rpm/RPMS/i686 if you are on an i686 system):

has to correct in 

After the build process, the rpm packages can be found in $HOME/rpmbuild/RPMS/x86_64 ($HOME/rpmbuild/RPMS/i686 if you are on an i686 system):

Thnx

From: Mike at: 2012-11-24 14:24:13

Postfix would not receive incoming emails or respond to telnet into port 25.  The maillog showed:

fatal : no SASL authentication method available

The fix was to install missing package cyrus-sasl-plain:

yum install cyrus-sasl-plain

After restarting postfix, incoming emails started to arrive.

From: at: 2013-03-03 22:45:47

Just something of note here:

Courier by default will limit the number of connections per ip to 4.  Most email clients use 5 connections per email account.  See the problem?

Make sure to just update this now to get it out of the way so you aren't wondering later why you can't connect to your IMAP account and start blaming ISPConfig for it

What value should you use for max connections per ip?

Generally speaking, for the ip with the most email accounts:

MAXPERIP = MAX_NUMBER_OF_EMAIL_ACCOUNTS * 5

Then you can just update the config and restart courier and you'll never have to worry about this later (unless the max number of email accounts for an ip increases)

TIP:  If you have your mail setup on your phone and ipad and both are using the same internet ip as your laptop you now have 3 email clients per account instead of just 1.  Either turn off your mail at home on your phone/ipad or increase your MAXPERIP to compensate. 

I like to use 105 for my default MAXPERIP (7 accounts per ip, 3 devices per account):

sed -i 's/MAXPERIP=4/MAXPERIP=105/g' /usr/lib/courier-imap/etc/imapd
service courier-imap restart

From: r4faga at: 2012-09-04 23:06:07

when i try to do make on suphp, there is make it a error. And dont install. 
 
g++ -DOPT_CONFIGFILE=\"/etc/suphp.conf\" -g -O2 -o suphp API.o API_Helper.o API_Linux.o API_Linux_Logger.o Application.o CommandLine.o Configuration.o Environment.o Exception.o File.o GroupInfo.o IOException.o IniFile.o IniSection.o KeyNotFoundException.o Logger.o LookupException.o OutOfRangeException.o PathMatcher.o ParsingException.o PointerException.o SecurityException.o SoftException.o SystemException.o UserInfo.o Util.o
make[3]: se sale del directorio `/tmp/suphp-0.7.1/src'
make[2]: se sale del directorio `/tmp/suphp-0.7.1/src'
make[1]: se sale del directorio `/tmp/suphp-0.7.1/src'
make[1]: se ingresa al directorio `/tmp/suphp-0.7.1'
make[1]: No se hace nada para `all-am'.
make[1]: se sale del directorio `/tmp/suphp-0.7.1'

From: Martin at: 2012-09-27 09:33:22

You ask us to remove original init script from rc.* and add

clamd.amavisd

 however there is no such file included (Centos 5.3 following every step to my knowledge)

 

From: at: 2012-12-05 19:02:04

i had 2 installations were i had to

 cp /etc/awstats/awstats.model.conf /etc/awstats/awstats.conf

for awstats to work. info @ http://www.howtoforge.com/forums/showthread.php?t=35485&page=8

From: JNPerez at: 2013-04-25 15:46:24

the link for the mod_ruby-1.3.0.tar.gz is down... Use this mirror http://ftp.riken.go.jp/pub/FreeBSD/distfiles/ruby/mod_ruby-1.3.0.tar.gz


 :D

 

From: at: 2013-05-27 23:04:36

Make sure you do not leave /etc/named.conf unconfigured.   By default you are offering recursive name service to the whole world.   You'll notice this one day when you run top and see named using up 50%+ CPU because some bots are using your Bind for DNS DDoS attacks.   Rather than leave the configuration file as the default, at very least update it to the following to protect yourself, your clients, and the victims:

include "/etc/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

//
// named.conf for Red Hat caching-nameserver
//

acl "trusted" {
        127.0.0.1;
};

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
        forwarders { 127.0.0.1; };
};

Above config found at: http://forum.codecall.net/topic/47953-check-etcnamedconf-for-recursion-restrictions/

From: Alex at: 2012-10-11 16:05:11

Hi

I am in  vi   /etc/aliases file and try to add what it says , but I can't write pipe key  after 

 

mailman:    " 

 

could anyone can tell me how to enter pipe key  in vi editor?

 

thanks

Alex

 

From: at: 2013-06-19 08:24:34

Hello,

I get this error when I try to login to webmail;  ERROR: Connection dropped by IMAP server.. 

 

The problem is resolved.  I had not installed ISPConfig yet when I tried to access and check the mail server.  After I installed the ISPConfig, I was able to connect, send and receive mail.  

From: sth at: 2014-06-15 06:14:16

I have followed the instructions as per the instructions for  "Perfect Server - Centros 6.3 x 86_64...:

Apart from a hiccup in find in the  "mod_ruby" file (eventually found one at another site) all appears to have gone well except that I do not appear to be able to run Firefox.

It seems that Firefox was not installed as part of the "Basic Server" set up when Centros was installed and indicated on page two of the instructions.  ANy way Firefox is easy enough to install.  However, when I try to start Firefox either as root or the user I get a message

cannot open display: :0

 Have tried    export DISPLAY=:0   with no result

Have installed xorg.x11-server-utils     An sill get no result.

 

Any one any ideas as to how to fix this and be able to run Fix so I can check the Webmail asn WEB Admis screens as shown in the instructions?

 

Thanks


From: at: 2012-07-31 15:44:13

After all check, if bastille-firewall works:

iptables -L

If not, You can start it by typing:

/etc/init.d/bastille-firewall start

and configure: 

chkconfig --levels 235 bastille-firewall on

Now, You can check firewall again:

iptables -L

On all of my servers configured with the articles "CentOS/ISPC3 Perfect Server": 5.7, 6.0, 6.2, 6.3 from howtoforge.com, never Bastille firewall start automatically. 

From: hb at: 2012-10-11 15:37:41

we just us one, so why should be download two DVDs ?

From: at: 2013-03-19 03:42:45

in the end when this is all set up and working for the most part, I have one problem.

 

Basically ftp into the correct area, then when trying to browse to the page it runs some cached version rather than the actual file that's been uploaded.  This has nothing to do with the client side cache as I've tried it on at least 5-10 machines which have never even been to the domain :(

 ANY help would be sincerely appreciated.

From: Anonymous at: 2013-08-06 18:52:54

after a fair bit of prodding I fixed this myself.

basically in ispconfig 3 it was a small tweak.

From: Ergec at: 2013-06-26 16:30:12

Let say we have a solid network, only one website on the server and we ignore the security weakness of the php code.

 How secure is this particulat setup for direct attacks? Of course there is no immune system but is it solid enough to serve an important website?