The Perfect Server - Ubuntu 12.04 LTS (nginx, BIND, Dovecot, ISPConfig 3) - Page 5

16 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

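If you want to allow FTP and TLS sessions, run the command below. This accepts both plain FTP and TLS sessions, so clients that do not negotiate TLS still send their passwords in clear text: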

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

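Change the permissions of the SSL certificate file (it also holds the private key, because -keyout and -out point to the same path) so that only its owner can read it: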

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/server1-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
# /boot was on /dev/sda1 during installation
UUID=4b58d345-1c55-4ac5-940e-7245938656a6 /boot           ext2    defaults        0       2
/dev/mapper/server1-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug

 

17 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils

 

18 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database

Open /etc/cron.d/awstats afterwards...

vi /etc/cron.d/awstats

... and comment out everything in that file:

#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

 

19 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary

You can now install the Jailkit .deb package as follows:

cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*

 

20 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban

To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local:

vi /etc/fail2ban/jail.local

[pureftpd]

enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3


[dovecot-pop3imap]

enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

Then create the following two filter files:

vi /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =

Restart fail2ban afterwards:

/etc/init.d/fail2ban restart
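
An offline check of the two failregex lines above, as an added example (not part of the original tutorial or of fail2ban itself): it expands <HOST> to the alias given in the stock fail2ban filter comments and counts hits per host against the maxretry values from jail.local. The log lines are constructed samples, and the findtime window is ignored.

```python
import re
from collections import Counter

# <HOST> expansion, as quoted in the stock fail2ban filter comments.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex and maxretry values copied from the tutorial's filter files and jail.local.
FILTERS = {
    "pureftpd": r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*",
    "dovecot-pop3imap": r"(?: pop3-login|imap-login): .*(?:Authentication failure"
                        r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
                        r"|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts)"
                        r".*rip=(?P<host>\S*),.*",
}
MAXRETRY = {"pureftpd": 3, "dovecot-pop3imap": 5}

# Constructed sample lines (documentation address ranges), not taken from a real server.
FTP_FAIL = "Sep 19 12:01:0{} server1 pure-ftpd: (?@{}) [WARNING] Authentication failed for user [bob]"
SYSLOG = [FTP_FAIL.format(i, "203.0.113.7") for i in range(3)] + [
    FTP_FAIL.format(5, "203.0.113.9"),
    "Sep 19 12:02:00 server1 pure-ftpd: (?@203.0.113.9) [INFO] web1 is now logged in",
    # Constructed variant with a PID in the syslog tag: the literal "pure-ftpd: " misses it.
    "Sep 19 12:03:00 server1 pure-ftpd[2211]: (?@203.0.113.50) [WARNING] Authentication failed for user [bob]",
]
POP_FAIL = ("Sep 19 12:05:1{} server1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): "
            "user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10")
MAIL_LOG = [POP_FAIL.format(i) for i in range(5)] + [
    "Sep 19 12:06:00 server1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=192.0.2.55, lip=192.0.2.10, mpid=4021",
]


def failures(jail, lines):
    """Count failregex hits per captured host for one jail."""
    rx = re.compile(FILTERS[jail].replace("<HOST>", HOST))
    return Counter(m.group("host") for m in map(rx.search, lines) if m)


def would_ban(jail, lines):
    """Hosts that reach the jail's maxretry (findtime window ignored here)."""
    return sorted(h for h, n in failures(jail, lines).items() if n >= MAXRETRY[jail])


if __name__ == "__main__":
    for jail, log in (("pureftpd", SYSLOG), ("dovecot-pop3imap", MAIL_LOG)):
        print(jail, dict(failures(jail, log)), "ban:", would_ban(jail, log))
```

On the server itself, fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pureftpd.conf runs the installed filter against the real log.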


Comments

From: at: 2012-07-10 23:37:00

This server was problematic as far as configuration goes. There needs to be more detail into preparing the cfg files. I'm an Apache2 user normally and this install was just hassle loaded for me.

From: Senthil at: 2012-08-21 12:20:09

If you want to set up a mail server with the following on Ubuntu 12.04 Precise Pangolin:

  • Dovecot 2.0.19
  • Postfix 2.9.3-2
  • Postfix Admin 2.3.5
  • Squirrel Mail 1.4.21
  • MySQL 5.5.24
  • PHP 5.3.10

then look up this page: http://tech.snathan.org/tech/linux/mail_server_setup

     

    From: Razooloo at: 2012-07-02 20:27:02

    hi

    this is a great manual, big thanks to Falko

    I'm trying to install dovecot-mysql dovecot-sieve

    and getting

    E: Unable to locate package dovecot-mysql
    E: Unable to locate package dovecot-sieve

    if anyone can help

    it'd be really appreciated

    From: Imam86 at: 2012-08-01 00:50:27

    07-06-2012: Jailkit 2.15 released

    They resolved the issues:

    insserv: warning: script 'K01jailkit' missing LSB tags and overrides
    insserv: warning: script 'jailkit' missing LSB tags and overrides

     So the revision:

    cd /tmp
    wget http://olivier.sessink.nl/jailkit/jailkit-2.15.tar.gz
    tar xvfz jailkit-2.15.tar.gz
    cd jailkit-2.15
    ./debian/rules binary

    cd ..
    dpkg -i jailkit_2.15-1_*.deb
    rm -rf jailkit-2.15*

    From: Mateusz Jędrasik at: 2012-09-19 12:23:24

    Fail2Ban already has a pureftpd.conf file which looks like this:

    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    # Modified: Yaroslav Halchenko for pure-ftpd
    #
    # $Revision$
    #
    [Definition]
    # Error message specified in multiple languages
    __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
    #
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #         host must be matched by a group named "host". The tag "<HOST>" can
    #         be used for standard IP/hostname matching and is only an alias for
    #         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex = 



    Dovecot also seems covered:
     
    # Fail2Ban configuration file for dovcot
    #
    # Author: Martin Waschbuesch
    #
    # $Revision$
    #
    
    [Definition]
    
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =   
     This is on Ubuntu Server 12.04.1 LTS on 19.08.2012.

    From: at: 2013-01-23 22:22:12

    Where is this file?

    From: ababneh at: 2013-03-08 16:15:40

    Hello,

    I followed this tutorial and got everything working, thank you. Just have one question. I have a folder with 15k files but there are only 9998 files shown in FileZilla. I tried to locate the config file for pureftpd that contains the limit but I couldn't. Could you please point that out?

     Thanks

    From: Andreas at: 2012-09-11 15:45:38

    I tried reinstalling ISP Config 3 two times, and I'm still unable to login as admin/admin.

    Keeps telling me wrong login.

    Any ideas?

    From: Yed at: 2013-05-08 12:44:29

    Exactly same here

    nginx installation

    From: Anonymous at: 2013-07-28 11:42:04

    I also get an error on trying to log in for the first time.

    "Username or password is empty"

    From: Indijus at: 2013-04-20 21:24:15

    Squirrelmail did not work for me. I always get 504 Gateway Time-out. The mail log shows that:

    Apr 21 00:13:34 serveris postfix/smtps/smtpd[23659]: connect from localhost.localdomain[127.0.0.1]
    Apr 21 00:14:03 serveris postfix/smtps/smtpd[23740]: SSL_accept error from localhost.localdomain[127.0.0.1]: Connection timed out
    Apr 21 00:14:03 serveris postfix/smtps/smtpd[23740]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
    Apr 21 00:14:03 serveris postfix/smtps/smtpd[23740]: disconnect from localhost.localdomain[127.0.0.1]
    Apr 21 00:14:03 serveris postfix/smtps/smtpd[23740]: connect from localhost.localdomain[127.0.0.1]
    Apr 21 00:14:34 serveris postfix/smtps/smtpd[23659]: SSL_accept error from localhost.localdomain[127.0.0.1]: -1
    Apr 21 00:14:34 serveris postfix/smtps/smtpd[23659]: warning: TLS library problem: 23659:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:628:
    Apr 21 00:14:34 serveris postfix/smtps/smtpd[23659]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
    Apr 21 00:14:34 serveris postfix/smtps/smtpd[23659]: disconnect from localhost.localdomain[127.0.0.1]
    Apr 21 00:15:01 serveris postfix/smtps/smtpd[23659]: connect from localhost.localdomain[127.0.0.1]
    Apr 21 00:15:01 serveris postfix/smtps/smtpd[23659]: SSL_accept error from localhost.localdomain[127.0.0.1]: lost connection
    Apr 21 00:15:01 serveris postfix/smtps/smtpd[23659]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
    Apr 21 00:15:01 serveris postfix/smtps/smtpd[23659]: disconnect from localhost.localdomain[127.0.0.1]

    What's wrong with my server? Please help me.

    From: sertaconay at: 2014-01-15 21:07:20

    Hello.

     I think your configuration for Squirrelmail is wrong. It gives 404 error after trying to send email. Because it rewrites url twice like "squirrelmail/src/compose.php/squirrelmail/src/". 

    I tried this configuration and it's OK.

    location /squirrelmail {
           root /usr/share/;
           index index.php index.html index.htm;
           location ~ ^/squirrelmail/(.+\.php)$ {
                   try_files $uri =404;
                   root /usr/share/;
                   include /etc/nginx/fastcgi_params;
                   fastcgi_pass 127.0.0.1:9000;
                   fastcgi_index index.php;
                   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                   fastcgi_buffer_size 128k;
                   fastcgi_buffers 256 4k;
                   fastcgi_busy_buffers_size 256k;
                   fastcgi_temp_file_write_size 256k;
           }
           location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                   root /usr/share/;
           }
    }

    location /webmail {
           rewrite ^/* /squirrelmail last;
    }