The Perfect Server - OpenSUSE 12.1 x86_64 With Apache2 [ISPConfig 3] - Page 5
11 Mailman
Since version 3.0.4, ISPConfig also allows you to manage (create/modify/delete) Mailman mailing lists. If you want to make use of this feature, install Mailman as follows:
yast2 -i mailman
Before we can start Mailman, a first mailing list called mailman must be created:
/usr/lib/mailman/bin/newlist mailman
server1:~ # /usr/lib/mailman/bin/newlist mailman
Enter the email of the person running the list: <-- admin email address, e.g. [email protected]
Initial mailman password: <-- admin password for the mailman list
Hit enter to notify mailman owner... <-- ENTER
server1:~ #
Create the system startup links for Mailman...
systemctl enable mailman.service
... and start it:
systemctl start mailman.service
Next restart Postfix:
systemctl restart postfix.service
To enable the Mailman Apache configuration, run...
a2enflag MAILMAN
... and restart Apache:
systemctl restart apache2.service
After you have installed ISPConfig 3, you can access Mailman as follows:
You can use the alias /mailman for all Apache vhosts (please note that suExec must be disabled for all vhosts from which you want to access Mailman!), which means you can access the Mailman admin interface for a list at http://<vhost>/mailman/admin/<listname>, and the web page for users of a mailing list can be found at http://<vhost>/mailman/listinfo/<listname>.
Under http://<vhost>/pipermail/<listname> you can find the mailing list archives.
12 Install PureFTPd
Install the pure-ftpd FTP daemon. Run:
yast2 -i pure-ftpd
systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service
Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.
OpenSSL is needed by TLS; to install OpenSSL, we simply run:
yast2 -i openssl
Open /etc/pure-ftpd/pure-ftpd.conf...
vi /etc/pure-ftpd/pure-ftpd.conf
If you want to allow FTP and TLS sessions, set TLS to 1:
[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS 1
[...]
If you want to accept TLS sessions only (no FTP), set TLS to 2:
[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS 2
[...]
To not allow TLS at all (only FTP), set TLS to 0:
[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS 0
[...]
In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:
mkdir -p /etc/ssl/private/
Afterwards, we can generate the SSL certificate as follows:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.
Change the permissions of the SSL certificate:
chmod 600 /etc/ssl/private/pure-ftpd.pem
Finally restart PureFTPd:
systemctl restart pure-ftpd.service
That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS - see the next chapter for how to do this with FileZilla.
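To confirm that the TLS setting and the certificate permissions from this chapter are in effect, the following check can be run. It is an added example, not part of the original tutorial; the function names are its own, and it assumes that the last active TLS line in the file is the one that counts.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the PureFTPd TLS setup.

# Print the effective TLS mode from a pure-ftpd.conf. Comment lines are
# skipped; no active "TLS" line means the documented default, 0.
# Assumption of this example: if several TLS lines exist, the last one counts.
tls_mode() {
    awk '$1 == "TLS" && $2 ~ /^[0-2]$/ { mode = $2 }
         END { print (mode == "" ? 0 : mode) }' "$1"
}

# Succeed only if the PEM exists, holds both key and certificate (the
# openssl command writes both to one file) and has no group/other bits.
pem_ok() {
    [ -f "$1" ] || { echo "FAIL: $1 is missing"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" ||
        { echo "FAIL: no private key in $1"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" ||
        { echo "FAIL: no certificate in $1"; return 1; }
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $1 is accessible to group or others, run chmod 600"; return 1; }
}

# Report on config and certificate together; non-zero means action needed.
audit_ftp_tls() {
    case $(tls_mode "$1") in
        2) echo "OK: TLS 2, only encrypted sessions are accepted" ;;
        1) echo "WARN: TLS 1, clear-text FTP logins are still accepted" ;;
        *) echo "FAIL: TLS 0, passwords and data travel in clear text"; return 1 ;;
    esac
    pem_ok "$2"
}

# Constructed sample files (placeholder key material, not a real key).
demo() {
    d=$(mktemp -d) || return 1
    printf '# 1 : accept both\n# TLS 2\nTLS 1\n' > "$d/pure-ftpd.conf"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED' '-----END CERTIFICATE-----' > "$d/pure-ftpd.pem"
    chmod 644 "$d/pure-ftpd.pem"; audit_ftp_tls "$d/pure-ftpd.conf" "$d/pure-ftpd.pem" || echo "-> needs fixing"
    chmod 600 "$d/pure-ftpd.pem"; audit_ftp_tls "$d/pure-ftpd.conf" "$d/pure-ftpd.pem" || echo "-> needs fixing"
    rm -rf "$d"
}

# With two arguments audit real files, otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then audit_ftp_tls "$1" "$2"; else demo; fi
```

On the server, call it as sh check.sh /etc/pure-ftpd/pure-ftpd.conf /etc/ssl/private/pure-ftpd.pem (check.sh being whatever name you saved it under). Against the running daemon, openssl s_client -connect server1.example.com:21 -starttls ftp shows whether the certificate is actually offered on the control connection.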
13 Install BIND
The BIND nameserver can be installed as follows:
yast2 -i bind
Create the BIND system startup links and start it:
systemctl enable named.service
systemctl start named.service
14 Install Webalizer And AWStats
Since ISPConfig 3 lets you choose if you want to use Webalizer or AWStats to create your web site statistics, we install both (at the time of this writing, there was no AWStats package for OpenSUSE 12.1, therefore I install the one for OpenSUSE 11.4):
yast2 -i webalizer perl-DateManip
zypper install http://download.opensuse.org/repositories/network:/utilities/openSUSE_11.4/noarch/awstats-7.0-14.1.noarch.rpm
15 Install fail2ban
fail2ban can be installed as follows:
yast2 -i fail2ban
16 Install Jailkit
Jailkit can be installed like this:
zypper install http://download.opensuse.org/repositories/security/openSUSE_12.1/x86_64/jailkit-2.13-1.1.x86_64.rpm
17 Synchronize The System Clock
If you want to have the system clock synchronized with an NTP server, do the following:
yast2 -i xntp
Then add system startup links for ntp and start ntp:
systemctl enable ntp.service
systemctl start ntp.service
18 Install rkhunter
rkhunter can be installed as follows:
yast2 -i rkhunter