The Perfect Server - Ubuntu 11.10 With Nginx [ISPConfig 3] - Page 5

16 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]:
<-- Enter your State or Province Name.
Locality Name (eg, city) []:
<-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []:
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []:
<-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/server1-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
# /boot was on /dev/sda1 during installation
UUID=6fbce377-c3d6-4eb3-8299-88797d4ad18d /boot           ext2    defaults        0       2
/dev/mapper/server1-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug

 

17 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils

 

18 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database

Open /etc/cron.d/awstats afterwards...

vi /etc/cron.d/awstats

... and comment out both cron jobs in that file:

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

 

19 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary

You can now install the Jailkit .deb package as follows:

cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*

 

20 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the fail2ban log:

apt-get install fail2ban

To make fail2ban monitor PureFTPd, SASL, and Courier, create the file /etc/fail2ban/jail.local:

vi /etc/fail2ban/jail.local

[pureftpd]

enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3


[sasl]

enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled  = true
port     = pop3
filter   = courierpop3
logpath  = /var/log/mail.log
maxretry = 5


[courierpop3s]

enabled  = true
port     = pop3s
filter   = courierpop3s
logpath  = /var/log/mail.log
maxretry = 5


[courierimap]

enabled  = true
port     = imap2
filter   = courierimap
logpath  = /var/log/mail.log
maxretry = 5


[courierimaps]

enabled  = true
port     = imaps
filter   = courierimaps
logpath  = /var/log/mail.log
maxretry = 5

Then create the following five filter files:

vi /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

vi /etc/fail2ban/filter.d/courierpop3.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

vi /etc/fail2ban/filter.d/courierpop3s.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = pop3d-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

vi /etc/fail2ban/filter.d/courierimap.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

vi /etc/fail2ban/filter.d/courierimaps.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = imapd-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Restart fail2ban afterwards:

/etc/init.d/fail2ban restart

Share this page:

4 Comment(s)

Add comment

Comments

From: Anonymous at: 2011-11-15 21:55:23

Please note that you cannot use this tutorial for Debian Squeeze because Squeeze comes with an older nginx version (0.7.67.) and does not have a PHP-FPM package!

you mean lenny? what about if using custom/recompile (for example dotdeb) repository? i see there's no problem in my dev server (at least, until now).

From: at: 2011-11-23 17:15:13

+1 With this /etc/apt/sources.list.d/dotdeb.list file, I running ispconfig in squeeze following this how to.

/etc/apt/sources.list.d/dotdeb.list

Another tip: this is my nginx default file. I catch all lost URL, deactivated domains, and hostname direct to panel in :80 and :443 ports

#/etc/nginx/sites-available/default

# -----------------------------------------------------

# everything goes to panel

# -----------------------------------------------------


server {

        listen 80 default_server;

        server_name _;


        access_log /var/log/nginx/ispconfig.log;


## Default location

        location / {

                proxy_pass https://127.0.0.1:8080/;

        }

    index index.html index.php;

    server_name_in_redirect off;

}

server {

        listen 443 ssl;

        server_name _;


        ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;

        ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;


        access_log /var/log/nginx/ispconfig.log;


## Default location

        location / {

                proxy_pass https://127.0.0.1:8080/;

        }

 

From: Anonymous at: 2012-02-01 20:15:03

ip6_tables: (C) 2000-2006 Netfilter Core Team                                                       
IPv6 over IPv4 tunneling driver                                                                     
NET: Registered protocol family 17                                                                  
NET: Registered protocol family 15                                                                  
Bridge firewalling registered                                                                       
Ebtables v2.0 registered                                                                            
8021q: 802.1Q VLAN Support v1.8                                                                     
sctp: Hash tables configured (established 16384 bind 16384)                                         
Registering the dns_resolver key type                                                               
Using IPI No-Shortcut mode                                                                          
registered taskstats version 1                                                                      
blkfront: xvda: barrier: enabled                                                                    
 xvda: unknown partition table                                                                      
blkfront: xvdb: barrier: enabled                                                                    
 xvdb: unknown partition table                                                                      
XENBUS: Device with no driver: device/console/0                                                     
md: Waiting for all devices to be available before autodetect                                       
md: If you don't use raid, use raid=noautodetect                                                    
md: Autodetecting RAID arrays.                                                                      
md: Scanned 0 and added 0 devices.                                                                  
md: autorun ...                                                                                     
md: ... autorun DONE.                                                                               
EXT3-fs: barriers not enabled                                                                       
kjournald starting.  Commit interval 5 seconds                                                      
EXT3-fs (xvda): mounted filesystem with writeback data mode                                         
VFS: Mounted root (ext3 filesystem) readonly on device 202:0.                                       
devtmpfs: mounted                                                                                   
Freeing unused kernel memory: 388k freed                                                            
Write protecting the kernel text: 6008k                                                             
Write protecting the kernel read-only data: 1436k                                                   
NX-protecting the kernel data: 3208k

after: SYSTEM HALT

please help me..

From: me at: 2013-12-05 00:33:58

http://mailman.nginx.org/pipermail/nginx/2010-November/023635.html please look here to got work mailman