There is a new revision of this tutorial available for Ubuntu 16.10 (Yakkety Yak).

The Perfect Server - Ubuntu 14.04 (Apache2, PHP, MySQL, PureFTPD, BIND, Dovecot, ISPConfig 3) - Page 5

16. Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

service pure-ftpd-mysql restart
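
A check for the result of the steps above, as an added example that is not part of the original tutorial: the Python function below reads the TLS switch and the combined key/certificate file and reports what is still exposed. The mode table follows pure-ftpd's --tls option (the value 1 used here accepts cleartext and TLS sessions side by side; 2 and 3 refuse cleartext logins); the function name and the finding texts are assumptions of this example.

```python
import os
import stat

# Values of /etc/pure-ftpd/conf/TLS (passed to pure-ftpd as --tls=N).
TLS_MODES = {
    "0": "TLS disabled",
    "1": "cleartext FTP and TLS both accepted",
    "2": "cleartext logins refused",
    "3": "cleartext logins and cleartext data connections refused",
}

def audit_pureftpd_tls(tls_file, pem_file):
    """Return findings for the TLS switch and the combined key/certificate file."""
    findings = []
    with open(tls_file) as fh:
        mode = fh.read().strip()
    if mode not in TLS_MODES:
        findings.append("TLS=%r is not a valid mode" % mode)
    elif mode in ("0", "1"):
        findings.append("TLS=%s (%s): passwords can still cross the wire unencrypted"
                        % (mode, TLS_MODES[mode]))
    perms = stat.S_IMODE(os.stat(pem_file).st_mode)
    if perms & 0o077:
        findings.append("%s has mode %o: private key readable beyond its owner"
                        % (pem_file, perms))
    with open(pem_file) as fh:
        pem = fh.read()
    # The openssl command above writes key and certificate into the same file.
    if "PRIVATE KEY-----" not in pem or "-----BEGIN CERTIFICATE-----" not in pem:
        findings.append("%s must contain both the private key and the certificate"
                        % pem_file)
    return findings

if __name__ == "__main__":
    # Paths as used in this tutorial.
    for line in audit_pureftpd_tls("/etc/pure-ftpd/conf/TLS",
                                   "/etc/ssl/private/pure-ftpd.pem"):
        print("FINDING:", line)
```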

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/server1--vg-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
# /boot was on /dev/sda1 during installation
UUID=9b8299f1-b2a2-4231-9ba1-4540fad76b0f /boot           ext2    defaults        0       2
/dev/mapper/server1--vg-swap_1 none            swap    sw              0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug

 

17. Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils

 

18. Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl

Open /etc/cron.d/awstats afterwards...

vi /etc/cron.d/awstats

... and comment out everything in that file:

#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

 

19. Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
tar xvfz jailkit-2.17.tar.gz
cd jailkit-2.17
./debian/rules binary

You can now install the Jailkit .deb package as follows:

cd ..
dpkg -i jailkit_2.17-1_*.deb
rm -rf jailkit-2.17*

20. Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban

To make fail2ban monitor PureFTPd, Dovecot and Postfix SASL logins, create the file /etc/fail2ban/jail.local:

vi /etc/fail2ban/jail.local

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled  = true
port     = smtp
filter   = postfix-sasl
logpath  = /var/log/mail.log
maxretry = 3

Then create the following two filter files:

vi /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =

Add the missing ignoreregex line in the postfix-sasl file:

echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf

Restart fail2ban afterwards:

service fail2ban restart
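
As an added example (not part of the original tutorial and not fail2ban's own code), the Python script below runs the two failregex values from this section against constructed log lines and applies the requirement fail2ban enforces when it loads a filter: every failregex must capture the offending address in a group named host. HOST_GROUP is a simplified stand-in for fail2ban's <HOST> expansion, and the log lines and addresses are made up for the example.

```python
import re

# fail2ban expands the <HOST> tag into a named group called "host". This is a
# simplified stand-in for that expansion (assumption: not fail2ban's exact regex).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex values from the filter files in this section.
PUREFTPD = r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*"
DOVECOT = (r"(?: pop3-login|imap-login): .*(?:Authentication failure"
           r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
           r"|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts)"
           r".*rip=(?P<host>\S*),.*")

def compile_failregex(failregex):
    """Expand <HOST>, then insist on a 'host' group the way fail2ban does."""
    rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    if "host" not in rx.groupindex:
        raise ValueError("No 'host' group in %r" % failregex)
    return rx

def failed_hosts(failregex, lines):
    """Return the address captured from every log line the filter matches."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]

# Constructed sample log lines (documentation addresses, not real traffic).
SYSLOG = [
    "Jun  3 10:01:12 server1 pure-ftpd: (?@192.0.2.10) [WARNING] "
    "Authentication failed for user [web1]",
    "Jun  3 10:01:15 server1 pure-ftpd: (?@192.0.2.10) [INFO] Logout.",
    "Jun  3 10:02:40 server1 pure-ftpd: (web1@198.51.100.7) [NOTICE] "
    "/var/www/index.html downloaded",
]
MAIL_LOG = [
    "Jun  3 10:05:01 server1 dovecot: imap-login: Aborted login (auth failed, "
    "1 attempts): user=<info@example.com>, method=PLAIN, rip=203.0.113.5, "
    "lip=192.0.2.1, TLS",
    "Jun  3 10:05:09 server1 dovecot: imap-login: Login: user=<info@example.com>, "
    "method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS",
]

if __name__ == "__main__":
    print("pureftpd:", failed_hosts(PUREFTPD, SYSLOG))
    print("dovecot: ", failed_hosts(DOVECOT, MAIL_LOG))
```

On the server itself, fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pureftpd.conf runs the installed filter against the real log and reports how many lines it matched.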

 


Comments

From:

[email protected]:/tmp# /etc/init.d/fail2ban restart

* Restarting authentication failure monitor fail2ban
ERROR Found no accessible config files for 'filter.d/sasl' under /etc/fail2ban
ERROR Unable to read the filter
ERROR Errors in jail 'sasl'. Skipping... [fail]

[email protected]:/tmp#

From:

The missing sasl fail2ban config file has been added to the guide.

From: yashx1

While restarting fail2ban, I am getting this error:


 

ERROR  NOK: ("No 'host' group in '(?i): warning: [-._\\w]+\\[\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$'",)          [ OK ]


From:

Fail2ban starts fine with the above config file on my test server. Please check that you do not have any typos in the sasl file.

From: Dom

I get the same error:

 

 * Restarting authentication failure monitor fail2ban                                                                                                                   ERROR  NOK: ("No 'host' group in '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$'",)

From:

Added the sasl.conf file and restarted fail2ban but get error: * Restarting authentication failure monitor fail2ban ERROR NOK: ("No 'host' group in '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel : \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix /smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?: ?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0, 2})?\\s*$'",)

From:

I've rewritten the fail2ban section of the guide now and published an update. Please change the jail.local conf to the new version and then execute the "echo" command at the end of the fail2ban section if you followed the first version of the tutorial.

From: Dom

That seems to have sorted it - thanks :)

 

Dom

From: James

Exact code transcription of your code, what am I missing? It seems like the files are not connected, but I'm still learning...
 
 
service fail2ban restart
 * Restarting authentication failure monitor fail2ban                                                                                                                                                                             WARNING 'logpath' not defined in 'dovecot-pop3imap'. Using default one: '/var/log/messages'
ERROR  No file(s) found for glob /var/log/messages
ERROR  Failed during configuration: Have not found any log file for dovecot-pop3imap jail

From: admin

I've set up a server with the code from the guide, an exact copy & paste of the guide, and it worked without an error. So you must have a typo somewhere in your transcription. Better copy & paste the commands and file contents instead of typing them to ensure that you get an error-free setup. I guess the issue is in the logpath of the jail.local file, as the error says that it uses the default '/var/log/messages' instead of the one from the file in the tutorial (/var/log/mail.log).

And a quote from the yellow box above the comment section: "Please do not use the comment function to ask for help! If you need help, please use our Forum." So please use the forum if you need help with your install!

From: nik

 Using VPS at DigitalOcean

Kernel  - Ubuntu 14.04 x64 vmlinuz -3.13.0-24 generic

Any ideas why Quota format not supported in kernel?

 

 [email protected]:~# quotacheck -avugm
quotacheck: Scanning /dev/disk/by-label/DOROOT [/] done
quotacheck: Cannot stat old user quota file //quota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old user quota file //quota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Checked 10616 directories and 80413 files
quotacheck: Old file not found.
quotacheck: Old file not found.
[email protected]:~# quotaon -avug
quotaon: using //quota.group on /dev/disk/by-label/DOROOT [/]: No such process
quotaon: Quota format not supported in kernel.
quotaon: using //quota.user on /dev/disk/by-label/DOROOT [/]: No such process
quotaon: Quota format not supported in kernel.

 

From: Neil

I also got the same error. Did this ever get resolved for you? Thanks

From: Raheel

Hi guys, I would like to know 

16. Install PureFTPd And Quota

is necessary because I'm setting up this server on windows server and everything is virtual even IP. If I restarted my server then IP will also change on next reboot.

How can I get required information  for vi /etc/fstab? Please guide me.

Thanks

From: Brainski

I was using this tutorial for a machine on Amazon AWS. Quota was not working:

"Quota format not supported in kernel."

Solution:

apt-get install linux-image-extra-virtual

reboot system

After that run modprobe quota_v2 and modprobe quota_v1 in order to get ready to run quotas. Also remember to put the modules on /etc/modules.

 

From: Curtis

Jailkit-2.17 when unpacked has no debian binary file. You have to run configure, make, make install, which breaks your script because apt doesn't show jailkit as being installed.

 

From:

Of course not, as you compile jailkit with the command

./debian/rules binary

and this command creates the .deb file. Just follow the tutorial step by step and don't leave out any commands, then you get a working server like thousands of users before.

 

From: deltonos

Reading state information... Done
You might want to run 'apt-get -f install' to correct these.
The following packages have unmet dependencies:
 mysql-community-client : Depends: libaio1 (>= 0.3.93) but it is not installed
 mysql-community-server : Depends: apparmor but it is not installed
                          Depends: libaio1 (>= 0.3.93) but it is not installed

 

Solution, install BUT disable apparmor...