The Perfect Server - OpenSUSE 12.2 x86_64 (Apache2, Dovecot, ISPConfig 3) - Page 5

11 Install PureFTPd

Install the pure-ftpd FTP daemon. Run:

zypper install  pure-ftpd

systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

OpenSSL is needed by TLS; to install OpenSSL, we simply run:

zypper install  openssl

Open /etc/pure-ftpd/pure-ftpd.conf...

vi /etc/pure-ftpd/pure-ftpd.conf

If you want to allow FTP and TLS sessions, set TLS to 1:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      1
[...]

If you want to accept TLS sessions only (no FTP), set TLS to 2:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      2
[...]

To not allow TLS at all (only FTP), set TLS to 0:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      0
[...]

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]:
<-- Enter your State or Province Name.
Locality Name (eg, city) []:
<-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []:
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []:
<-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

systemctl restart pure-ftpd.service 

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS - see the next chapter how to do this with FileZilla.

 

12 Install BIND

The BIND nameserver can be installed as follows:

zypper install  bind

Create the BIND system startup links and start it:

systemctl enable named.service
systemctl start named.service

 

13 Install Webalizer And AWStats

Since ISPConfig 3 lets you choose if you want to use Webalizer or AWStats to create your web site statistics, we install both:

zypper install  webalizer perl-DateManip
zypper install http://download.opensuse.org/repositories/network:/utilities/openSUSE_12.2/noarch/awstats-7.0-14.1.noarch.rpm

 

14 Install fail2ban

fail2ban can be installed as follows:

zypper install  fail2ban

 

15 Install Jailkit

Jailkit can be installed like this:

zypper install http://download.opensuse.org/repositories/security/openSUSE_12.2/x86_64/jailkit-2.13-1.3.x86_64.rpm

 

16 Synchronize The System Clock

If you want to have the system clock synchronized with an NTP server do the following:

zypper install  xntp

Then add system startup links for ntp and start ntp:

systemctl enable ntp.service
systemctl start ntp.service

 

17 Install rkhunter

rkhunter can be installed as follows:

zypper install  rkhunter

 

18 Install SquirrelMail

To install the SquirrelMail webmail client, run:

zypper install  squirrelmail-beta

Next we create the aliases /webmail and /squirrelmail right at the beginning of /etc/apache2/conf.d/squirrelmail.conf so that SquirrelMail can be accessed from any vhost (e.g. http://www.example.com/webmail or http://www.example.com/squirrelmail):

vi /etc/apache2/conf.d/squirrelmail.conf
Alias /squirrelmail /srv/www/htdocs/squirrelmail
Alias /webmail /srv/www/htdocs/squirrelmail
[...]

Next we create the directory /srv/www/htdocs/squirrelmail/data and give it sufficient permissions so that the www group can write to it:

mkdir /srv/www/htdocs/squirrelmail/data
chown root:www /srv/www/htdocs/squirrelmail/data
chmod 770 /srv/www/htdocs/squirrelmail/data

Then restart Apache:

systemctl restart apache2.service

Then configure SquirrelMail:

/srv/www/htdocs/squirrelmail/config/conf.pl

We must tell SquirrelMail that we are using Dovecot:

WARNING:
  The file "config/config.php" was found, but it is for
  an older version of SquirrelMail. It is possible to still
  read the defaults from this file but be warned that many
  preferences change between versions. It is recommended that
  you start with a clean config.php for each upgrade that you
  do. To do this, just move config/config.php out of the way.

Continue loading with the old config.php [y/N]?
 <-- y

Do you want me to stop warning you [y/N]?
 <-- y

SquirrelMail Configuration : Read: config.php (1.5.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  User Interface
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Language settings
11. Tweaks

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >>
 <-- D


SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
    bincimap    = Binc IMAP server
    courier     = Courier IMAP server
    cyrus       = Cyrus IMAP server
    dovecot     = Dovecot Secure IMAP server
    exchange    = Microsoft Exchange IMAP server
    hmailserver = hMailServer
    macosx      = Mac OS X Mailserver
    mercury32   = Mercury/32
    uw          = University of Washington's IMAP server
    gmail       = IMAP access to Google mail (Gmail) accounts

    quit        = Do not change anything

Command >>
 <-- dovecot


SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
    bincimap    = Binc IMAP server
    courier     = Courier IMAP server
    cyrus       = Cyrus IMAP server
    dovecot     = Dovecot Secure IMAP server
    exchange    = Microsoft Exchange IMAP server
    hmailserver = hMailServer
    macosx      = Mac OS X Mailserver
    mercury32   = Mercury/32
    uw          = University of Washington's IMAP server
    gmail       = IMAP access to Google mail (Gmail) accounts

    quit        = Do not change anything

Command >> dovecot

              imap_server_type = dovecot
         default_folder_prefix = <none>
                  trash_folder = Trash
                   sent_folder = Sent
                  draft_folder = Drafts
            show_prefix_option = false
          default_sub_of_inbox = false
show_contain_subfolders_option = false
            optional_delimiter = detect
                 delete_folder = false
      force_username_lowercase = true

Press enter to continue...
 <-- ENTER


SquirrelMail Configuration : Read: config.php (1.5.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  User Interface
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Language settings
11. Tweaks

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >>
 <-- S


SquirrelMail Configuration : Read: config.php (1.5.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  User Interface
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Language settings
11. Tweaks

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> S

Data saved in config.php



Done activating plugins; registration data saved in plugin_hooks.php

Press enter to continue...
 <-- ENTER


SquirrelMail Configuration : Read: config.php (1.5.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  User Interface
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Language settings
11. Tweaks

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >>
 <-- Q

After you have created a website in ISPConfig, you can access SquirrelMail using the /webmail or /squirrelmail aliases:

Share this page:

0 Comment(s)