The Perfect Server - Debian Lenny (Debian 5.0) [ISPConfig 2] - Page 3

4 Install The SSH Server

Debian Lenny does not install OpenSSH by default, so we install it now. Run

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian Lenny server and follow the remaining steps from this tutorial.


5 Install vim-nox (Optional)

I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Debian and Ubuntu; to fix this, we install vim-nox:

apt-get install vim-nox

(You don't have to do this if you use a different text editor such as joe or nano.)


6 Configure The Network

Because the Debian Lenny installer has configured our system to get its network settings via DHCP, we have to change that now, because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I use the IP address 192.168.0.100). Please note that I replace allow-hotplug eth0 with auto eth0; otherwise restarting the network doesn't work and we'd have to reboot the whole system:

vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run

echo server1.example.com > /etc/hostname
/etc/init.d/hostname.sh start

Afterwards, run

hostname
hostname -f

Both should show server1.example.com.


7 Update Your Debian Installation

Run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any).


8 Install Some Software

Now we install a few packages that are needed later on. Run

apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential

(This command must go into one line!)


9 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, run

apt-get install quota

Edit /etc/fstab. Mine looks like this (I added ,usrquota,grpquota to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/sda1       /               ext3    errors=remount-ro,usrquota,grpquota 0       1
/dev/sda5       none            swap    sw              0       0
/dev/hda        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /

quotacheck -avugm
quotaon -avug


10 BIND9 DNS Server

Run

apt-get install bind9

to install BIND9.

For security reasons we want to run BIND chrooted (so that a compromised named process only sees the files under /var/lib/named), so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon runs as the unprivileged user bind, chrooted to /var/lib/named. Modify the line OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":

vi /etc/default/bind9

# run resolvconf?
RESOLVCONF=yes

# startup options for the server
OPTIONS="-u bind -t /var/lib/named"

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when BIND gets updated in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We need to open /etc/rsyslog.d/bind-chroot.conf...

vi /etc/rsyslog.d/bind-chroot.conf

... and add the following line so that we can still get important messages logged to the system logs:

$AddUnixListenSocket /var/lib/named/dev/log

Restart the logging daemon:

/etc/init.d/rsyslog restart

Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start
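A layout check for the chrooted BIND setup from this chapter, added here as an example and not part of the original tutorial. It re-reads the exact paths, options and device numbers from the steps above; the ROOT argument (an assumption of this script, not of the tutorial) points the checks at a staged copy of the tree so they can be tested without root, and defaults to the live system.

```shell
#!/bin/sh
# Audit the BIND chroot layout built in chapter 10. Usage on the server:
#   . ./bind_chroot_check.sh; bind_chroot_failures
# Prints the names of the failed checks (empty output means everything matches).
# ROOT (first argument) is an added convenience so a staged tree can be checked.

bind_chroot_failures() {
    root="${1:-/}"
    root="${root%/}"              # "/" becomes "" so "$root/etc" is "/etc"
    jail="$root/var/lib/named"
    fails=""
    add() { fails="$fails $1"; }

    # 1. Startup options must drop privileges (-u bind) AND chroot (-t jail).
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$root/etc/default/bind9" 2>/dev/null)
    case " $opts " in *" -u bind "*) ;; *) add options-u-bind ;; esac
    case " $opts " in *" -t /var/lib/named "*) ;; *) add options-t-chroot ;; esac

    # 2. Directories the chrooted daemon reads and writes.
    for d in etc/bind var/cache/bind var/run/bind/run; do
        [ -d "$jail/$d" ] || add "dir-$d"
    done

    # 3. /etc/bind must be the symlink into the jail, not a stale real directory.
    [ "$(readlink "$root/etc/bind" 2>/dev/null)" = "/var/lib/named/etc/bind" ] \
        || add etc-bind-symlink

    # 4. Device nodes: null is char 1:3 and random is char 1:8 (stat prints hex).
    [ "$(stat -c '%F %t:%T' "$jail/dev/null" 2>/dev/null)" = "character special file 1:3" ] \
        || add dev-null
    [ "$(stat -c '%F %t:%T' "$jail/dev/random" 2>/dev/null)" = "character special file 1:8" ] \
        || add dev-random

    # 5. rsyslog must listen inside the jail or named's log messages are lost.
    grep -q '^\$AddUnixListenSocket /var/lib/named/dev/log' \
        "$root/etc/rsyslog.d/bind-chroot.conf" 2>/dev/null || add rsyslog-socket

    echo "${fails# }"
}
```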

Comments

From: Tony at: 2009-03-14 06:40:55

As usual, fantastic guide by Falko!
However, I chose the extra partitions - /var, /tmp, /usr & /home.
Got all the way to the end of this guide, went to install ISPConfig & got this error from the installer package -

ERROR: Sie benötigen mind. 512MB Platz im /root-Verzeichnis, um ISPConfig zu installieren! / You need at least 512MB of disk space in the /root directory to install ISPConfig!

Therefore it seems you must be careful when partitioning if using ISPConfig 2. ISPConfig 3 had no problem with the same partitioning.

From: Anonymous at: 2009-02-20 22:24:52

From Etch onward, it is recommended that users use aptitude instead of apt-get.  Aptitude has advanced dependency handling that can avoid some serious problems in unusual situations. 

From the official debian documentation http://www.debian.org/releases/stable/i386/release-notes/ch-whats-new.en.html#s-pkgmgmt:

" The preferred program for package management from the command line is aptitude, which can perform the same package management functions as apt-get and has proven to be better at dependency resolution."

From: ree at: 2009-12-31 12:38:38

Hi,

please edit the /etc/init.d/bind9 startup script!

To do it, follow:

nano /etc/init.d/bind9

then find the PIDFILE definition and edit it to look like this:

PIDFILE=/var/lib/named/var/run/bind/run/named.pid

and restart bind9:

/etc/init.d/bind9 restart

Regards

From: Yves at: 2010-01-29 22:26:31

This is not necessary. The correct path inside the jail is /var/run/bind/run/named.pid

From: Yves at: 2010-01-31 13:11:58

To use IPv6, i.e. listen-on-v6, you need to mount proc inside your chroot:

mkdir /var/lib/named/proc

mount -t proc proc /var/lib/named/proc

Don't forget to create a mount that persists after the next reboot, i.e. by adding it to /etc/fstab.

From: ROk at: 2010-03-18 09:50:34

In the file /etc/network/interfaces DO NOT WRITE DNS addresses. ONLY in /etc/resolv.conf.

If you need to specify your DNS servers manually, do it in /etc/resolv.conf, which should look something like this:

search mydomain.example
nameserver 192.168.0.1
nameserver 4.2.2.2

Otherwise there will be mistakes.

From: Nokao at: 2010-05-20 21:37:10

Do you think that the DNS step is important even for those who don't need a DNS server?

I mean... is it true that a DNS server only for local software is "a must have"?

From: Dima at: 2011-06-14 22:49:32

There is no need to manually create the aquota.user and aquota.group files. They are created automatically by the quotacheck command with the appropriate keys (-c -u -g).

From: at: 2009-05-07 18:19:57

I would suggest setting up additional parameters:

postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_rbl_client dnsbl.njabl.org,reject_rbl_client sbl-xbl.spamhaus.org,reject_rbl_client pbl.spamhaus.org,reject_rbl_client bl.spamcop.net,reject_rbl_client duinv.aupads.org,reject_rbl_client ix.dnsbl.manitu.net,reject_rhsbl_sender rhsbl.sorbs.net,reject_unauth_destination'

postconf -e 'smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated, reject_rhsbl_sender dsn.rfc-ignorant.org'

From: Yves at: 2010-02-04 16:21:54

reject_unauth_destination is way too far to the end; it should be before the rbl calls...

reject_unauth_pipelining should be placed under smtpd_data_restrictions for Postfix 2.x!

From: Jerry at: 2010-08-18 19:44:38

I discovered in my /var/log/mail.log file that the aliases db hadn't yet been created.

I recommend that the reader be instructed to execute the # newaliases command before trying to # telnet localhost 25.

The aliases db wasn't there, in my case, because the system had just been installed and no other mail related foo had been done.

Cheers.

From: Jerry at: 2010-08-20 06:48:35

My experiments with the SMTPD showed that with the setup you recommend the relay wasn't "open", i.e. it at least required a valid user name and password. But what's the point of a password if it's sent in the clear?? You should strongly recommend that the smtpd_tls_auth_only keyword be set to "Yes" to require that the client use the TLS feature when sending the password.

Also, I found that setting MECHANISMS to shadow (for my tiny server) got me away from depending on /etc/courier/userdb.dat; I now use the system's shadow password file. That minimizes my management overhead. I'm supposed to be productive at the job I trained for, not spending all my time being a sysadmin. :-)

j

From: Edgar at: 2010-10-31 21:45:59

correct this error:

postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
instead of

postconf -e 'smtpd_tls CAfile = /etc/postfix/ssl/cacert.pem'

Awesome article

From: Edgar at: 2010-10-31 21:48:46

Never mind my last comment. It was the stupid HIGHLIGHT that was hiding the '_'.

From: at: 2009-05-07 18:22:13

To secure PHP you should edit

/etc/php5/apache2/php.ini

and edit this line:

disable_functions = exec,system,passthru,shell_exec,popen,escapeshellcmd,proc_open,proc_nice,ini_restore

From: Emil at: 2009-05-07 10:13:57

I have successfully installed ISPConfig 2, but how do I change the home directory for a user, e.g. /home/username/public_html/, in ISPConfig?

And I have recompiled Apache with suexec in /home.

Please advise.

Thanks

From: Sanjay K at: 2009-04-18 00:30:49

The tutorial is great.

I did have a few glitches along the way, much of which was due to php5-idn not being installed properly. Eventually I decided not to install it. (Don't know if that would cause other problems down the line). 

I also found aptitude to be marginally better than apt-get especially aptitude purge as a great help to uninstall the failing packages.

And I am absolutely delighted to see the ISPConfig screen. Thanks a lot Falko!

Regards

Sanjay


From: light-blue at: 2009-04-01 04:42:57

So that you don't spend 14 hours confused and frustrated like me, be sure that you are NOT submitting forms with lots of data (e.g. 100 form items--yes, I know they're huge by design) when using this setup. Suhosin won't allow that, and submits may FAIL SILENTLY.

After playing with the standard php.ini POST settings for WAY too long, /var/log/apache2/error.log was the clue that solved this problem...

ALERT - configured POST variable limit exceeded - dropped variable 'field_agreement[0][value]' (attacker '192.168.10.13', file '/var/www/drupal/index.php'), referer: https://server.mycompany.com/node/add/agreement

The solution is simple ...

#vi /etc/php5/conf.d/suhosin.ini

set these values:

suhosin.post.max_vars = 1000

suhosin.request.max_vars = 1000

From: Anonymous at: 2009-02-20 23:29:32

Is there some reason why you've chosen Courier and not Dovecot for the IMAP server?

From: Pat Foley at: 2009-03-04 22:01:00

Falko. Thanks for all the tutorials! When creating the server (www) behind a router, is it still necessary to use a real tld when ispconfig is going to be added?

From: Leslie at: 2009-06-11 20:11:29

Hi all!

I am a starter in perfect server configuration... even in server configuration... but with this wonderful manual I did the impossible... :-)

Thanks Falko!

But this is not the end:

ISP is running. I logged in, changed the login name from admin to another one and the password, started to study ISP, and then logged out...

Now I can't log in with my new user name and password; I get the error code 1002 or 1004.

Please help

From: Anonymous at: 2009-10-03 05:00:43

How do I change the domain.tld from .com to .net!?!?!?! LoL... The setup was PERFECT. Just had to change the ISPConfig to reflect 5.0.3, but other than that, this server is running and working! I just need to change the domain TLD from .com to .net for obvious reasons... Thanks in advance for your assistance... I tried to change it in hosts and Apache wouldn't restart... I need to change ALL instances BTW, from start to finish... I'm pretty savvy, but this is above me ATM and I'm not finding everything I need via Google searches. Again, thank you in advance for your help. Mike

From: at: 2010-02-17 21:05:09

Falko,

This How-To is on point; however, I do have a question. How secure is this setup as it is described here? By following all of these steps, we are opening a lot of ports on the server and I believe it opens us up to a lot of liability. Anyone have any pointers or suggestions? Am I being overly paranoid? Any input would be appreciated.

KaBarsEdge

From: Bernard at: 2010-02-27 13:47:40

To enable usage of the FTP username of an admin user for a particular ISPConfig domain, you have to disable the ProFTP check for a valid shell (as /dev/null isn't one, and this is what gets added for ISPConfig users with disabled shell access). You have to uncomment this in /etc/proftpd/proftpd.conf:

[...]
RequireValidShell           off
[...]

From: metoo at: 2010-07-21 20:50:59

Thanks for the great howto.

I have chosen (server1) as my host name as described in the tutorial.

But when I install ISPConfig 2 it tells me:

Please enter the host name: E.g. www

What to write in this case? www or server1?

Thanks