The Perfect Server - Fedora 10 [ISPConfig 3] - Page 5

14 Set MySQL Passwords And Configure phpMyAdmin

Start MySQL:

chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start

Then set passwords for the MySQL root account:

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

If the last command throws an error at you...

[root@server1 i386]# mysqladmin -h server1.example.com -u root password howtoforge
mysqladmin: connect to server at 'server1.example.com' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
[root@server1 i386]#

... we can set the password as follows: connect to MySQL:

mysql -u root -p

Type in the password for the MySQL root user. Then, on the MySQL shell, do this:

mysql> USE mysql;

mysql> UPDATE user SET Password = password('yourrootsqlpassword') WHERE Host = 'server1.example.com' AND User = 'root';

mysql> UPDATE user SET Password = password('yourrootsqlpassword') WHERE Host = '127.0.0.1' AND User = 'root';

Run

mysql> SELECT * FROM user;

to make sure that all rows where the user is root have a password.

If everything is looking ok, run

mysql> FLUSH PRIVILEGES;

... and leave the MySQL shell:

mysql> quit;

Now we configure phpMyAdmin. We change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the <Directory /usr/share/phpmyadmin> stanza):

vi /etc/httpd/conf.d/phpMyAdmin.conf

# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
#<Directory /usr/share/phpMyAdmin/>
#   order deny,allow
#   deny from all
#   allow from 127.0.0.1
#</Directory>

# This directory does not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
<Directory /usr/share/phpMyAdmin/libraries>
    Order Deny,Allow
    Deny from All
    Allow from None
</Directory>

# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc.  This may break your mod_security implementation.
#
#<IfModule mod_security.c>
#    <Directory /usr/share/phpMyAdmin>
#        SecRuleInheritance Off
#    </Directory>
#</IfModule>

Then we create the system startup links for Apache and start it:

chkconfig --levels 235 httpd on
/etc/init.d/httpd start

Now you can direct your browser to http://server1.example.com/phpmyadmin/ or http://192.168.0.100/phpmyadmin/ and log in with the user name root and your new root MySQL password.

 

15 Install Amavisd-new, SpamAssassin And ClamAV

To install amavisd-new, spamassassin and clamav, run the following command:

yum install amavisd-new spamassassin clamav clamav-data clamav-server clamav-update unzip bzip2 perl-DBD-mysql

When we installed ClamAV, a cron job got installed that tries to update the ClamAV virus database every three hours. But this works only if we enable it in /etc/sysconfig/freshclam and /etc/freshclam.conf:

vi /etc/sysconfig/freshclam

Comment out the FRESHCLAM_DELAY line at the end:

## When changing the periodicity of freshclam runs in the crontab,
## this value must be adjusted also. Its value is the timespan between
## two subsequent freshclam runs in minutes. E.g. for the default
##
## | 0 */3 * * *  ...
##
## crontab line, the value is 180 (minutes).
# FRESHCLAM_MOD=

## A predefined value for the delay in seconds. By default, the value is
## calculated by the 'hostid' program. This predefined value guarantees
## constant timespans of 3 hours between two subsequent freshclam runs.
##
## This option accepts two special values:
## 'disabled-warn'  ...  disables the automatic freshclam update and
##                         gives out a warning
## 'disabled'       ...  disables the automatic freshclam silently
# FRESHCLAM_DELAY=


### !!!!! REMOVE ME !!!!!!
### REMOVE ME: By default, the freshclam update is disabled to avoid
### REMOVE ME: network access without prior activation
#FRESHCLAM_DELAY=disabled-warn  # REMOVE ME

vi /etc/freshclam.conf

Comment out the Example line:

[...]
# Comment or remove the line below.
#Example
[...]

Then we start freshclam, amavisd, and clamd...

chkconfig --levels 235 amavisd on
chkconfig --levels 235 clamd.amavisd on
/usr/bin/freshclam
/etc/init.d/amavisd start
/etc/init.d/clamd.amavisd start

... and change the ownership of some directories:

chown amavis /var/run/amavisd /var/spool/amavisd /var/spool/amavisd/tmp /var/spool/amavisd/db

 

16 Installing Apache2 With mod_php, mod_fcgi/PHP5, And suPHP

ISPConfig 3 allows you to use mod_php, mod_fcgi/PHP5, cgi/PHP5, and suPHP on a per website basis.

We can install Apache2with mod_php5, mod_fcgid, and PHP5 as follows:

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-mbstring php-mcrypt php-mhash php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel

Next we open /etc/php.ini...

vi /etc/php.ini

... and change the error reporting (so that notices aren't shown any longer) and add cgi.fix_pathinfo = 1 at the end of the file:

[...]
;error_reporting  =  E_ALL
error_reporting = E_ALL & ~E_NOTICE
[...]
cgi.fix_pathinfo = 1

Next we install suPHP:

cd /tmp
wget http://www.suphp.org/download/suphp-0.7.0.tar.gz
tar xvfz suphp-0.7.0.tar.gz
cd suphp-0.7.0/
./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=owner --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
make
make install

Then we add the suPHP module to our Apache configuration...

vi /etc/httpd/conf.d/suphp.conf

LoadModule suphp_module modules/mod_suphp.so

... and create the file /etc/suphp.conf as follows:

vi /etc/suphp.conf

[global]
;Path to logfile
logfile=/var/log/httpd/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=apache

;Path all scripts have to be in
docroot=/

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false

;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

; Minimum UID
min_uid=100

; Minimum GID
min_gid=100

[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/usr/bin/php-cgi"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

Finally we restart Apache:

/etc/init.d/httpd restart

 

17 Install PureFTPd

PureFTPd can be installed with the following command:

yum install pure-ftpd

Then create the system startup links and start PureFTPd:

chkconfig --levels 235 pure-ftpd on
/etc/init.d/pure-ftpd start

 

18 Install MyDNS

We can install MyDNS as follows:

wget http://mydns.bboy.net/download/mydns-mysql-1.1.0-1.i386.rpm
rpm -ivh mydns-mysql-1.1.0-1.i386.rpm

When the system boots, MyDNS must be started after MySQL. The MySQL startup link has the priority 64 on Fedora 10, so the MyDNS startup link must have a priority between 65 and 99. Therefore we open the MyDNS init script...

vi /etc/init.d/mydns

... and change

[...]
# chkconfig: 345 52 50
[...]

to

[...]
# chkconfig: 345 65 50
[...]

Then we create the startup links:

chkconfig --levels 235 mydns on

We don't start MyDNS now because it must be configured first - this will be done automatically by the ISPConfig 3 installer later on.

 

19 Install Vlogger And Webalizer

Vlogger and webalizer can be installed as follows:

yum install webalizer perl-DateTime-Format-HTTP perl-DateTime-Format-Builder

cd /tmp
wget http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
tar xvfz vlogger-1.3.tar.gz
mv vlogger-1.3/vlogger /usr/sbin/
rm -rf vlogger*

Share this page:

8 Comment(s)

Add comment

Comments

From: at: 2009-04-18 09:18:37

Make shure alle softwareupdates and fixes are done before installing ISPConfig 3 at the end.

I've had some trouble with the fc10 recommended Postfix update (2.2.5.6-1). After the update the config for Postfix is wrong.

Also, MyDNS is available in a more recent version (1.2.8.25) where the .conf setup is slightly different (but file is at the same location)

From: G. Lohmann at: 2009-05-06 20:24:25

First of all, thanks for the work and the great HowTo for that!

However some remarks:

- 6 Disable SELinux

NOPE ... don't give this as the best advice, especially as some people may run in a virtual server environment where they could not disable it at all. I know the first confrontation with SELinux is harsh and filled with a lot of warnings and errors but it is easy to get around that.

For example:

If you have you freshly install ISPConfig and it is up and running, you may get a lot of warnings about vlogger. It will even not work as expected. The warning:

... vlogger has no access to potential wrong marked files (./localhost.localdomain) ...

sound a bit cryptic but fact is that vlogger can not write to the logging directory to write to e.g. 'localhost.localdomain-access.log', as there are rights missing.

if you do:

/var/log# ls -alZ
drwx------  root      root   system_u:object_r:httpd_log_t:s0 httpd
drwxr-xr-x  root      root   unconfined_u:object_r:var_log_t:s0 ispconfig

The entry for the user 'unconfined_u' (nobody) and for the type 'var_log_t' (inherited logging type) is already not that good. Reason is that it is a perl script like a CGI, called by apache and running with the user rights of httpd and therefore is restricted to write to that folder. As we can see for the log folder of httpd has already a different type 'httpd_log_t'.

But two single lines for changing this control settings already solve all your warnings and errors with vlogger:

/var/log# chcon -R -u system_u ispconfig
/var/log# chcon -R -t httpd_sys_script_rw_t ispconfig

The type 'httpd_sys_script_rw_t' is telling SELinux that scripts called by apache are allowed to (r)ead and (w)rite to that folder.

The example above is the most common reason for errors. That specific programs or scripts called by them and do not have write or read access to unknown folders or files that may even not belong to them.

ISPConfig should not disable but benefit from those rights as it for example would allow to 'jail' Client configurations into their own environment by defining own types for each single Client.

I am even still a beginner in SELinux, but if I find some time I will try to write a list of needed control settings to get ISPConfig completely running without the need to shutting it down.

From: antoine at: 2009-08-17 22:39:11

make sure you also install:

yum install cyrus-sasl-plain

 else you get errors in mail and it won't work

From: G. Lohmann at: 2009-05-06 20:54:27

about "visudo"

I am not a geek with sudo but if I run visudo it already write:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

Which would mean that:

compileuser ALL=(ALL) ALL

will probably give away all the same rights to this user as like root himself, making a second root user that even not need to type the root password. If that is true I not need sudo at all but can directly act as root. Moreover I created a potential security lack!

Fact is, except of installing an rpm package to the system I normaly not need root rights at all. A default user in Fedora can run tools like 'make', 'gcc', 'rpmbuild' and even 'rpm -Uvh my_package.src.rpm' without any additional rights.

For installing a single package it should be sufficient enough to to a

# su -c 'rpm -Uvh my_package.rpm'

which would ask me for the root password before installing but should not hurt for that single file. If you already work anyway as a root user we can do the install directly and not need to bother about sudo, but then the question is why I use sudo at all.

Also a good idea might be to use on fedora

# yum localinstall my_package.rpm

which does the same as the rpm install but keep track of the package in yum and as well install dependency if necessary.

From: Martin at: 2014-07-01 11:32:41

I tried to install it on CentOS 6.5 but unsuccesfull. I installed
courier-unicode-1.1.tar.bz2 and then I tried to install
courier-authlib-0.66.1.20140114.tar.bz2 but not well.
I got error: 
"The Courier Unicode Library appears not to be installed. You may need to
install a separate development subpackage, in addition to the main package
error: Bad exit status from /var/tmp/rpm-tmp.LecCXX (%prep)". 
 
I don´t know what I can do for now because unicode devel I installed succesfull but still
is missing. Could somebody help me, please?

From: Anonymous at: 2009-04-14 12:06:46

The MyDNS software does not work with this install, the software will not start at boot due to setup problem.

Check http://mydns.bboy.net/ for the solution!

From: klerik at: 2009-08-13 15:32:06

Thanks for this howto ...

From: incubus at: 2009-08-30 14:43:23

Thanks - a very nice how to - it worked perfect!!!