The Perfect Server - CentOS 6.3 x86_64 (Apache2, Dovecot, ISPConfig 3) - Page 4

13 Set MySQL Passwords And Configure phpMyAdmin

Set passwords for the MySQL root account:


[root@server1 tmp]# mysql_secure_installation


In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n]
 <-- ENTER
New password: <-- yourrootsqlpassword
Re-enter new password: <-- yourrootsqlpassword
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]
 <-- ENTER
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
 <-- ENTER
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
 <-- ENTER
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
 <-- ENTER
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

[root@server1 tmp]#

Now we configure phpMyAdmin. We change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the <Directory "/usr/share/phpmyadmin"> stanza):

vi /etc/httpd/conf.d/phpmyadmin.conf

#  Web application to manage MySQL

#<Directory "/usr/share/phpmyadmin">
#  Order Deny,Allow
#  Deny from all
#  Allow from

Alias /phpmyadmin /usr/share/phpmyadmin
Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /mysqladmin /usr/share/phpmyadmin

Next we change the authentication in phpMyAdmin from cookie to http:

vi /usr/share/phpmyadmin/

/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';

Then we create the system startup links for Apache and start it:

chkconfig --levels 235 httpd on
/etc/init.d/httpd start

Now you can direct your browser to or and log in with the user name root and your new root MySQL password.


14 Install Amavisd-new, SpamAssassin And ClamAV

To install amavisd-new, spamassassin and clamav, run the following command:

yum install amavisd-new spamassassin clamav clamd unzip bzip2 unrar perl-DBD-mysql

Then we start freshclam, amavisd, and clamd.amavisd:

chkconfig --levels 235 amavisd on
chkconfig --del clamd
chkconfig --levels 235 clamd.amavisd on
/etc/init.d/amavisd start
/etc/init.d/clamd.amavisd start


15 Installing Apache2 With mod_php, mod_fcgi/PHP5, And suPHP

ISPConfig 3 allows you to use mod_php, mod_fcgi/PHP5, cgi/PHP5, and suPHP on a per website basis.

We can install Apache2with mod_php5, mod_fcgid, and PHP5 as follows:

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-pecl-apc php-mbstring php-mcrypt php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel

Next we open /etc/php.ini...

vi /etc/php.ini

... and change the error reporting (so that notices aren't shown any longer) and uncomment cgi.fix_pathinfo=1:

;error_reporting = E_ALL & ~E_DEPRECATED
error_reporting = E_ALL & ~E_NOTICE
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts

Next we install suPHP (there is a mod_suphp package available in the repositories, but unfortunately it isn't compatible with ISPConfig, therefore we have to build suPHP ourselves):

cd /tmp
tar xvfz suphp-0.7.1.tar.gz
cd suphp-0.7.1/
./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=owner --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
make install

Then we add the suPHP module to our Apache configuration...

vi /etc/httpd/conf.d/suphp.conf

LoadModule suphp_module modules/

... and create the file /etc/suphp.conf as follows:

vi /etc/suphp.conf

;Path to logfile
;User Apache is running as
;Path all scripts have to be in
;Path to chroot() to before executing script
; Security options
;Check wheter script is within DOCUMENT_ROOT
;Send minor error messages to browser
;PATH environment variable
;Umask to set, specify in octal notation
; Minimum UID
; Minimum GID

;Handler for php-scripts
;Handler for CGI-scripts

Finally we restart Apache:

/etc/init.d/httpd restart


15.1 Ruby

Starting with version 3.0.3, ISPConfig 3 has built-in support for Ruby. Instead of using CGI/FastCGI, ISPConfig depends on mod_ruby being available in the server's Apache.

For CentOS 6.3, there's no mod_ruby package available, so we must compile it ourselves. First we install some prerequisites:

yum install httpd-devel ruby ruby-devel

Next we download and install mod_ruby as follows:

cd /tmp
tar zxvf mod_ruby-1.3.0.tar.gz
cd mod_ruby-1.3.0/
./configure.rb --with-apr-includes=/usr/include/apr-1
make install

Finally we must add the mod_ruby module to the Apache configuration, so we create the file /etc/httpd/conf.d/ruby.conf...

vi /etc/httpd/conf.d/ruby.conf

LoadModule ruby_module modules/
RubyAddPath /1.8

... and restart Apache:

/etc/init.d/httpd restart

(If you leave out the RubyAddPath /1.8 directive, you will see errors like the following ones in Apache's error log when you call Ruby files:

[Thu May 26 02:05:05 2011] [error] mod_ruby: ruby:0:in `require': no such file to load -- apache/ruby-run (LoadError)
[Thu May 26 02:05:05 2011] [error] mod_ruby: failed to require apache/ruby-run
[Thu May 26 02:05:05 2011] [error] mod_ruby: error in ruby



15.2 Python

To install mod_python, we simply run...

yum install mod_python

... and restart Apache afterwards:

/etc/init.d/httpd restart


15.3 WebDAV

WebDAV should already be enabled, but to check this, open /etc/httpd/conf/httpd.conf and make sure that the following three modules are active:

vi /etc/httpd/conf/httpd.conf

LoadModule auth_digest_module modules/
LoadModule dav_module modules/
LoadModule dav_fs_module modules/

If you have to modify /etc/httpd/conf/httpd.conf, don't forget to restart Apache afterwards:

/etc/init.d/httpd restart


16 Install PureFTPd

PureFTPd can be installed with the following command:

yum install pure-ftpd

Then create the system startup links and start PureFTPd:

chkconfig --levels 235 pure-ftpd on
/etc/init.d/pure-ftpd start

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

OpenSSL is needed by TLS; to install OpenSSL, we simply run:

yum install openssl

Open /etc/pure-ftpd/pure-ftpd.conf...

vi /etc/pure-ftpd/pure-ftpd.conf

If you want to allow FTP and TLS sessions, set TLS to 1:

# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      1

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [XX]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) []:
<-- Enter your State or Province Name.
Locality Name (eg, city) [Default City]:
<-- Enter your City.
Organization Name (eg, company) [Default Company Ltd]:
<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, your name or your server's hostname) []:
<-- Enter the Fully Qualified Domain Name of the system (e.g. "").
Email Address []:
<-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

/etc/init.d/pure-ftpd restart

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS.

Share this page:

19 Comment(s)

Add comment


From: Dylan Myers at: 2012-08-11 06:32:05

Anyone who uses this tutorial should be aware of this bug with the changes ISPConfig3 makes to dovecot on Fedora/CentOS installs:

From: Anonymous at: 2012-07-16 15:11:18

You'll also need to install php-common

 yum install php-common

From: Jack at: 2013-01-05 16:55:42

EPEL name has been upgraded to:

From: at: 2013-01-20 16:21:31

Yum installed dovecot 2.0.9.el6_1.1

and  dovecot-mysql 2.0.9-2.el6_1.1

 This seems to cause a failure in amavis:

amavis[8819]: (08819-01-10) Blocked MTA-BLOCKED in maillog

I have tried 

mv /etc/dovecot/dovecot.conf /etc/dovecot/

cp /etc/dovecot.conf /etc/dovecot/dovecot.conf


service dovecot restart

service amavisd restart

service postfix restart


# this seems to have worked ok for me - mail now being sent out.

From: at: 2013-01-29 20:31:31

I was having errors in my maillog as follows;

Jan 29 20:18:45 centos postfix/smtpd[25440]: warning: SASL: Connect to private/auth failed: No such file or directory
Jan 29 20:18:45 centos postfix/smtpd[25440]: fatal: no SASL authentication mechanisms

The comment above from DFen;

mv /etc/dovecot/dovecot.conf /etc/dovecot/
cp /etc/dovecot.conf /etc/dovecot/dovecot.conf
This fixed my issues

From: noro at: 2012-10-02 18:26:04

pureftp dont use certificat in /etc/ssl/private/
but in /etc/pki/pure-ftpd

commnad for generate certificate:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/pki/pure-ftpd/pure-ftpd.pem -out /etc/pki/pure-ftpd/pure-ftpd.pem

thanks for this tutorial

From: MLK Dual Production at: 2012-12-16 15:53:37

Thank you for the helpful and well explained tutorial.
For some reason the link to download mod_ruby (wget is not working.

Here is one that works


From: Anonymous at: 2012-12-19 09:45:54


Thank for walkthrough

From: Anonymous at: 2013-03-31 00:04:26

I found that on some setups phpmyadmin and squirrelmail can't load. By editing the "squirrelmail.conf" and "phpmyadmin.conf" file in "/etc/httpd/conf" and adding

<Directory "/usr/share/phpmyadmin">

  <IfModule prefork.c>

LoadModule php5_module modules/


<IfModule !prefork.c>

  LoadModule php5_module modules/



# Cause the PHP interpreter to handle files with a .php extension.


<FilesMatch \.php$>

    SetHandler application/x-httpd-php


  Order Allow,Deny

  Allow from all


From: CanaDave at: 2012-07-14 23:37:56 should mention that when you start named:

/etc/init.d/named start takes a few minutes to generate a key...I thought it was crashed so I Ctrl-C'd it a couple of times then eventually I found how to generate the key manually:

]# rndc-confgen -a

]# chmod 666 /etc/rndc.key


]# chkconfig --levels 235 named on
]# /etc/init.d/named start

...I don't know if it would have generated the key on its own, it did say 'Generate Key': but seemed to be waiting for input from me.

Anyway, cool walkthrough...I set it up in a VM in Hyper-V...


From: Pedro Rocha at: 2012-09-27 10:15:18

Vlogger seems no longer available, is there any alternative or does ispconfig really need this?

From: life_watcher at: 2013-01-10 03:54:29

Great tutorial! Thank you!

a little addition - fail2ban seems to conflict with bastille and disable firewall set by ISPConfig (with uses bastille to manage iptables). As result no active firewall except fail2ban rules... I had to remove fail2ban to make it working...

Thank you! 


From: at: 2013-01-11 12:17:30

i will sugest fail2ban + APF  and just disable the ispconfig firewall ( only if you have CLI access )

From: Anonymous at: 2012-09-22 02:36:42

Thank you !

 Best TUTORIAL I'v found online, up-to-date everything just works, unlike many other - half-finished tutorials!!!!

Thanks for your time. 


From: Mike at: 2012-09-29 23:56:03

Simply awesome. Thank you. Only wish I would have come across this information 3 days ago.

From: Anonymous at: 2013-02-07 04:55:07


From: Gijsbert at: 2012-10-21 18:02:48

It's a good tutorial, but I found 2 things that doesn't seem to be right:

1) During the installation of webalizer and awstats an error occurs "No package awstats available". I have no idea where to get it, I checked the art, dag and epel repositories, but no awstats (anymore) :(

2) On a 64-bits Centos 6.3 OS, when installing mod_python the apache error log shows:

[Sun Oct 21 17:48:08 2012] [error] python_init: Python version mismatch, expected '2.6.5', found '2.6.6'.
[Sun Oct 21 17:48:08 2012] [error] python_init: Python executable found '/usr/bin/python'.
[Sun Oct 21 17:48:08 2012] [error] python_init: Python path being used '/usr/lib64/'.

I heard that it's better to remove mod_python and use mod_wsgi instead. I tried this and the errors are gone. However it does show a warning in the error_log:

[Sun Oct 21 20:00:08 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
[Sun Oct 21 20:00:08 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.

Maybe you can rewrite the manual for these 2 issues so it will be even better in the (near) future!

From: Anonymous at: 2013-02-26 19:30:04

After Install ISPCONFIG 3 ,admin painel show apache test

From: at: 2013-03-30 17:45:19