ISP-Server Setup - Ubuntu 5.04 "The Hoary Hedgehog" - Page 3

2 Installing And Configuring The Rest Of The System

Enable root user

Now I can log in with the username and password I entered during the installation. Ubuntu leaves the root account locked and relies on sudo; to make the rest of the setup easier I give root a password and switch to it. You can lock the account again (passwd -l root) once the setup is finished.

sudo passwd root
su

Now we are logged in as root user.

Configure The Network

The Ubuntu installer has configured the system to get its network settings via DHCP. A server should have a fixed address, so we change that now. Edit /etc/network/interfaces and adjust it to your needs (this example setup uses the IP address 192.168.0.100):

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth0

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

If you want to add a second IP address, 192.168.0.101, to the interface eth0, add an alias stanza for eth0:0. The alias does not get a gateway line of its own: the default route is already installed by the eth0 stanza, and a second "route add default gw" for the same gateway fails with "SIOCADDRT: File exists" when the interfaces are brought up. The file then looks like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth0

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

# Second address on the same interface; no gateway here, eth0 already sets the default route
auto eth0:0
iface eth0:0 inet static
address 192.168.0.101
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255

Then restart your network:

/etc/init.d/networking restart
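A mistake in /etc/network/interfaces only shows up when the network is restarted, which on a remote box can mean a trip to the console. The following linter is an added example for this page (it is not part of the original howto and not an Ubuntu tool): it reads an interfaces file and reports the problems that bite in exactly this setup, a gateway line repeated on an alias stanza, a static address that lies outside its own network/netmask, and the same address assigned twice. It is plain POSIX sh plus awk, and the network test assumes a contiguous netmask such as 255.255.255.0. The sample interfaces files are constructed here from the stanzas shown above.

```shell
#!/bin/sh
# lint_interfaces: sanity-check an /etc/network/interfaces file before running
# "/etc/init.d/networking restart". Added example for this howto, not part of it.
# Reports, with exit status 1:
#   1. more than one "gateway" line in the file: ifupdown runs "route add default gw"
#      once per stanza, and the second attempt fails with "SIOCADDRT: File exists",
#      so an eth0:0 alias must not repeat the gateway of eth0;
#   2. a static address that is not inside its stanza's network/netmask;
#   3. the same address assigned in two stanzas.
# Assumes contiguous netmasks (255.255.255.0 and the like).

lint_interfaces() {
    awk '
    # per-octet "a AND m" for a contiguous mask is a - (a mod (256 - m)); no bitwise ops needed
    function in_net(ip, msk, nw,   a, m, n, k, x) {
        split(ip, a, "[.]"); split(msk, m, "[.]"); split(nw, n, "[.]")
        for (k = 1; k <= 4; k++) {
            x = a[k] - (a[k] % (256 - m[k]))
            if (x != n[k] + 0) return 0
        }
        return 1
    }
    BEGIN { rc = 0 }
    $1 == "iface"   { cur = $2; next }
    $1 == "address" {
        if ($2 in owner) { printf "ERROR: %s assigned to both %s and %s\n", $2, owner[$2], cur; rc = 1 }
        owner[$2] = cur; addr[cur] = $2; next
    }
    $1 == "netmask" { mask[cur] = $2; next }
    $1 == "network" { net[cur] = $2; next }
    $1 == "gateway" { gw[++ngw] = cur; next }
    END {
        if (ngw > 1) {
            printf "ERROR: %d gateway lines (", ngw
            for (i = 1; i <= ngw; i++) printf "%s%s", gw[i], (i < ngw ? ", " : "")
            print "): only one default route can be added, the rest fail with SIOCADDRT: File exists"
            rc = 1
        }
        for (i in addr)
            if ((i in mask) && (i in net) && !in_net(addr[i], mask[i], net[i])) {
                printf "ERROR: %s: address %s is not inside %s/%s\n", i, addr[i], net[i], mask[i]
                rc = 1
            }
        exit rc
    }' "$1"
}

# Constructed sample: the eth0 + eth0:0 layout from this page, but with the alias
# repeating the "gateway" line (the mistake the linter is meant to catch).
sample_with_duplicate_gateway() {
    cat <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.0.100
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1

auto eth0:0
iface eth0:0 inet static
    address 192.168.0.101
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
EOF
}

# The same layout with the gateway only on eth0, i.e. what belongs in /etc/network/interfaces
# (drops every "gateway" line after the first).
sample_clean() {
    sample_with_duplicate_gateway | awk '!($1 == "gateway" && seen++)'
}

# With a file argument lint that file; without one, lint the two constructed samples.
if [ $# -gt 0 ]; then
    lint_interfaces "$1"
else
    tmp=$(mktemp)
    sample_with_duplicate_gateway > "$tmp"
    echo "== alias repeats the gateway:"
    lint_interfaces "$tmp" || echo "(networking restart would fail for eth0:0)"
    sample_clean > "$tmp"
    echo "== gateway only on eth0:"
    lint_interfaces "$tmp" && echo "(ok)"
    rm -f "$tmp"
fi
```

Run it as `sh lint_interfaces.sh /etc/network/interfaces` before every networking restart; a clean file exits 0, so it can also gate a restart in a one-liner.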

Edit /etc/hosts and add your new IP addresses:

127.0.0.1       localhost.localdomain   localhost       server1
192.168.0.100 server1.example.com server1
192.168.0.101 virtual-ip1.example.com virtual-ip1


# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Setting The Hostname

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname

Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. It should look like this:

#deb cdrom:[Ubuntu 5.04 _Hoary Hedgehog_ - Release i386 (20050407)]/ hoary main restricted


deb http://de.archive.ubuntu.com/ubuntu hoary main restricted
deb-src http://de.archive.ubuntu.com/ubuntu hoary main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu hoary-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu hoary-updates main restricted

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://de.archive.ubuntu.com/ubuntu hoary universe
deb-src http://de.archive.ubuntu.com/ubuntu hoary universe

deb http://security.ubuntu.com/ubuntu hoary-security main restricted
deb-src http://security.ubuntu.com/ubuntu hoary-security main restricted

deb http://security.ubuntu.com/ubuntu hoary-security universe
deb-src http://security.ubuntu.com/ubuntu hoary-security universe

apt-get update
apt-get upgrade

Install SSH Daemon

apt-get install ssh

Root now has a password, so do not let it log in over SSH with that password: set PermitRootLogin to no in /etc/ssh/sshd_config and restart sshd, then use su or sudo from a normal account when you work remotely. Alternatively lock the root account again (passwd -l root) when the setup is finished.

Install/Remove Some Software

Now let's install some software we need later on and disable the inetd services we do not need (telnet, ftp, finger, talk and the small test services), which closes the ports they listen on. Afterwards check with netstat which ports are still open:

apt-get install fetchmail unzip zip libarchive-zip-perl zlib1g-dev libpopt-dev nmap openssl lynx gcc flex make ncftp libdb4.3-dev

update-inetd --remove daytime
update-inetd --remove telnet
update-inetd --remove time
update-inetd --remove finger
update-inetd --remove talk
update-inetd --remove ntalk
update-inetd --remove ftp
update-inetd --remove discard

/etc/init.d/inetd reload


Quota

apt-get install quota

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partitions with the mount point / and /var):

# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/sda3 / ext3 defaults,errors=remount-ro,usrquota,grpquota 0 1
/dev/sda1 /boot ext3 defaults 0 2
/dev/sda4 /var ext3 defaults,usrquota,grpquota 0 2
/dev/sda2 none swap sw 0 0
/dev/hdc /media/cdrom0 udf,iso9660 ro,user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0

Then create the quota files, remount both file systems so the new mount options take effect, and turn quotas on:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
touch /var/quota.user /var/quota.group
chmod 600 /var/quota.*
mount -o remount /var
quotacheck -avugm
quotaon -avug


DNS-Server

apt-get install bind9

For security reasons we run BIND chrooted: if named is ever compromised, the attacker is confined to /var/lib/named instead of the whole file system. Stop the daemon first:

/etc/init.d/bind9 stop

Edit /etc/default/bind9 so that the daemon runs as the unprivileged user 'bind', chrooted to /var/lib/named. Change the line OPTIONS="-u bind" so that it reads:

OPTIONS="-u bind -t /var/lib/named"

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

Because named is now chrooted it can no longer reach the syslog socket /dev/log, so its messages would be lost. Modify the startup script /etc/init.d/sysklogd so that syslogd listens on an additional socket inside the chroot. Change the line SYSLOGD="-u syslog" so that it reads SYSLOGD="-u syslog -a /var/lib/named/dev/log":

#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd

test -x $binpath || exit 0
. /lib/lsb/init-functions

# Options for start/restart the daemons
#   For remote UDP logging use SYSLOGD="-r"
#   -a /var/lib/named/dev/log: additional socket inside the BIND chroot
SYSLOGD="-u syslog -a /var/lib/named/dev/log"

create_xconsole()
{
    if [ ! -e /dev/xconsole ]; then
        mknod -m 640 /dev/xconsole p
    else
        chmod 0640 /dev/xconsole
    fi
    chown root:adm /dev/xconsole
}

running()
{
    # No pidfile, probably no daemon present
    #
    if [ ! -f $pidfile ]
    then
        return 1
    fi

    pid=`cat $pidfile`

    # No pid, probably no daemon present
    #
    if [ -z "$pid" ]
    then
        return 1
    fi

    if [ ! -d /proc/$pid ]
    then
        return 1
    fi

    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1`

    # No syslogd?
    #
    if [ "$cmd" != "$binpath" ]
    then
        return 1
    fi

    return 0
}

case "$1" in
  start)
    log_begin_msg "Starting system log daemon..."
    create_xconsole
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    log_end_msg $?
    ;;
  stop)
    log_begin_msg "Stopping system log daemon..."
    start-stop-daemon --stop --quiet --oknodo --exec $binpath --pidfile $pidfile
    log_end_msg $?
    ;;
  restart|force-reload|reload-or-restart|reload)
    log_begin_msg "Restarting system log daemon..."
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    sleep 1
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    log_end_msg $?
    ;;
  *)
    log_success_msg "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
    exit 1
esac

exit 0

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start BIND and check /var/log/syslog for errors. If named starts but nothing from it appears in the log, the -a socket of syslogd is the first thing to check:

/etc/init.d/bind9 start
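A chroot that was set up by hand is only as good as its last step, and a typo such as OPTS= instead of OPTIONS= silently leaves named running unconfined as root's child with the default options. The script below is an added example for this page (not part of the howto and not shipped with the bind9 package): check_named_chroot walks the layout built above and reports every deviation, and check_running_named confirms through /proc that the daemon really is chrooted to /var/lib/named and running as bind. The PREFIX argument is an assumption of this example so the same checks can run against a staged copy of the tree, which the usage at the bottom uses when an argument is given.

```shell
#!/bin/sh
# check_named_chroot: verify the BIND chroot built above matches what the howto intends.
# Added example, not part of the original page. Run it after "/etc/init.d/bind9 start".
# check_named_chroot [PREFIX] inspects the files; PREFIX is normally empty (the live
# system) and may point at a staged copy of the tree. check_running_named compares the
# running daemon with that configuration and only makes sense on the live system.
CHROOT=/var/lib/named

fail() { echo "FAIL: $*"; rc=1; }

check_named_chroot() {
    prefix=$1; rc=0; c="$prefix$CHROOT"
    for d in etc/bind var/cache/bind var/run/bind/run dev; do
        [ -d "$c/$d" ] || fail "missing directory $c/$d"
    done
    [ -f "$c/etc/bind/named.conf" ] || fail "no named.conf inside the chroot"
    # /etc/bind must be a symlink into the chroot so that package upgrades edit the live config
    [ -L "$prefix/etc/bind" ] || fail "$prefix/etc/bind is not a symlink"
    [ "$(readlink "$prefix/etc/bind" 2>/dev/null)" = "$CHROOT/etc/bind" ] \
        || fail "$prefix/etc/bind does not point at $CHROOT/etc/bind"
    # named needs only null and random (plus the syslog socket) in dev/; anything else widens the attack surface
    for n in null random; do
        [ -c "$c/dev/$n" ] || fail "$c/dev/$n is not a character device"
    done
    extra=$(ls "$c/dev" 2>/dev/null | grep -v -e '^null$' -e '^random$' -e '^log$')
    [ -z "$extra" ] || fail "unexpected entries in $c/dev: $extra"
    # /etc/default/bind9 must start named as user bind and chrooted (the variable is OPTIONS, not OPTS)
    opts=$(sed -n 's/^OPTIONS="\(.*\)"/\1/p' "$prefix/etc/default/bind9" 2>/dev/null)
    case " $opts " in *" -u bind "*) ;; *) fail "OPTIONS in /etc/default/bind9 lacks -u bind (got: $opts)" ;; esac
    case " $opts " in *" -t $CHROOT "*) ;; *) fail "OPTIONS in /etc/default/bind9 lacks -t $CHROOT (got: $opts)" ;; esac
    # syslogd must open an extra socket inside the chroot, otherwise named's log lines are lost
    grep -q "^SYSLOGD=\".*-a $CHROOT/dev/log" "$prefix/etc/init.d/sysklogd" 2>/dev/null \
        || fail "sysklogd is not started with -a $CHROOT/dev/log"
    return $rc
}

check_running_named() {
    pid=$(pidof named) || { echo "FAIL: named is not running"; return 1; }
    root=$(readlink "/proc/$pid/root")
    [ "$root" = "$CHROOT" ] || { echo "FAIL: named root is '$root', not $CHROOT"; return 1; }
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    [ "$uid" = "$(id -u bind)" ] || { echo "FAIL: named runs as uid $uid, not as bind"; return 1; }
    echo "OK: named (pid $pid) is chrooted to $root and runs as bind"
}

# With an argument check a staged tree; without one check the live system and the running daemon.
if [ $# -gt 0 ]; then
    check_named_chroot "$1"
else
    check_named_chroot "" && check_running_named
fi
```

The /proc check is the one that matters most: /proc/PID/root is maintained by the kernel, so it tells you what named actually did rather than what the init script was supposed to pass it.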

24 Comment(s)

Comments

From: Anonymous at: 2005-10-10 02:01:05

You mention that Postfix has a shorter list of security vulnerabilities than Sendmail. In recent times, Sendmail has performed very well. Also keep in mind that Sendmail is over 23 years old -- it's had a lot more time to be tested for these things. If you mentioned that Postfix scales better than Sendmail, I'd have marked that as credible; however, Sendmail's M4 configuration is so easy that even a monkey could do it.

As a software package, Sendmail works great. It is easy to configure. It has proven itself secure in the recent years. Don't knock it for the wrong things.

From: Anonymous at: 2005-11-16 22:54:12

Maybe you'd check more. Postfix is designed basically to be a secure alternative to Sendmail, check its site. And it does have a better record.

I'd say the worst thing about sendmail is the configuration, by the way. Probably you are an M4 veteran, so you don't know how complicated it is. Frankly, that was the reason I switched from sendmail to postfix, circa redhat 7.3, before it became their default. And I am not really a newbie.

From: Anonymous at: 2005-12-19 16:44:21

Thanks for the walkthrough. Only had Ubuntu installed (or any type of Linux) for a couple of days and I'm already running my own server... pure magic

From: Anonymous at: 2006-01-29 17:47:45

would this be a better starting point?

would it change everything in this howto?

http://distrowatch.com/?newsid=02988#0

From: admin at: 2006-01-29 18:26:22

The Ubuntu server distribution did not exist at the time I wrote this howto. I'm pretty sure that the howto will work fine with the Ubuntu Server distribution too, but I've not tested it yet.

Till

From: Anonymous at: 2005-10-28 09:58:33

Bad bad bad!:
0 */2 * * * /etc/init.d/ntpdate restart

Please use an ntp daemon.

From: Anonymous at: 2005-12-03 08:59:49

And if you are already at it, use 'crontab -e' to modify cronjobs instead of digging through the file system. You get syntax highlighting and it checks and installs the new cronjob for you afterwards.

From: at: 2005-09-20 02:00:06

There is an error (minor) in the following paragraph on the last page. ...

After you have answered the questions ISPConfig should be duly installed. If you indicated www as host and xyz.com as the domain during the installation, you will find the ISPConfig interface under https://www.xyz.de:81 or http://www.xyz.de:81.


The addresses should have .com instead of .de (or the howto should say xyz.de).


thanks for the sweet article!

From: admin at: 2005-09-26 08:11:23

Thanks, I've corrected the error.

From: Anonymous at: 2005-10-09 06:05:23

Why can't an iso of this be available to download, all ready to run?

flame away ;-)

From: at: 2005-09-25 21:45:42

Crossposted from OSNews:

This is the worst HOWTO I ever read. There is NO explanation of what this setup will create, NOR is it secure or suitable for anything other than for kids to play on their homeboxen. Postfix has not disabled plaintext without SSL, so every client pointing to server:25 and not issuing STARTTLS will transmit passwords in cleartext. Did I hear ISP? Where is virtual domain support? Are you supposed to have all your mail accounts in /etc/passwd? What is that Apache setup meant for? Disabling PHP and running PHP scripts as CGI with suexec? Ever heard of suphp?

forget it

From: Anonymous at: 2005-09-26 08:19:04

It seems you have not read the howto at all. The howto prepares a server for the installation of the ISPConfig control panel. If you do not disable PHP globally you cannot manage it on a per-vhost basis :-) When you have written your own server howto, you can post it here to show everyone what you think a server setup is. E.g. crossposting is :cool:

From: at: 2005-09-25 22:22:56

Hmm, the other guy needs a slap around the ears. It's not designed for kids at home; he assumes you have a basic idea if you are going to do it. There are also articles about Virtual Domains on the site. Take a chill pill and relax. Nice article. You may also want to look into running VHCS as well, from www.vhcs.net; it's also a free open-source hosting panel. I think it has more features too, plus it's a heck of a lot sexier.

From: Anonymous at: 2005-10-06 20:09:48

Everyone's a noob at some point.

From: Anonymous at: 2005-09-27 02:30:55

Hello, I am a newbie. It's my first time having hands-on with Linux. Anyway, I followed everything in this article, except that when I installed ISPConfig I got the following error:

Warning: main(config.inc.php): failed to open stream: No such file or directory in /tmp/install_ispconfig/install.php on line 624

Warning: main(): Failed opening 'config.inc.php' for inclusion (include_path='.:/root/ispconfig/php/lib/php') in /tmp/install_ispconfig/install.php on line 624

Warning: mysql_connect(): Access denied for user: 'root@localhost' (Using password: NO) in /tmp/install_ispconfig/install.php on line 634

Could not connect to db

Restarting some services...

./setup2: line 883: [:==: unary operator expected

./setup2: line 901: /etc/init.d/ispconfig_server: No such file or directory

If you have anyway of fixing this. I would be very grateful.

mike

From: falko at: 2005-09-28 07:40:54
From: Anonymous at: 2005-10-07 16:22:42

My setup is OK now. Can you tell me how to add amavisd-new and ClamAV to this setup?

From: admin at: 2005-10-07 17:16:33

If you use ISPConfig, mail filtering with SpamAssassin and ClamAV is installed and configured by the ISPConfig installer.

From: Anonymous at: 2005-10-10 16:38:41

I cannot receive email but I can send using the Outlook client with SMTP authentication. Also, I cannot log in using https://www.mydomain.com:81/mailuser.

From: Anonymous at: 2005-09-28 01:55:51

I tried this but had a dickens of a time testing the email addresses. I put "nameserver 192.168.0.100" on the top of /etc/resolv.conf and, to test the DNS, I'd run "host newdomain.com" to see if the virtual address showed up. It did, so I tried setting up email accounts (2) and created the accounts in Thunderbird to send back and forth. They didn't work until I started sending to "userID1@www.domain.com". Creating a Co-Domain with the Hostname cleared worked. It also resulted in the /etc/postfix/local-host-names file showing the domain.com entry (along with the www.domain.com entry).

Cool HowTo BTW. Now I have to go in and start learning what all is going on. ;-)


I'm thinking this might be nice for a couple of friends who have small biz and need to create temp accounts for customer comm and filesharing.

From: Anonymous at: 2005-09-28 13:37:50

Rather than creating the symlinks manually as you do for the Apache modules you can use the provided tools:

a2enmod include

a2enmod ssl

etc.

From: Anonymous at: 2005-10-06 14:16:36

Is it perfect? Probably not.

Handholding? Some, but you really need to bring your own critical thinking to the table if you're to tackle an unforeseen glitch.

Thorough? Absolutely. While I (might) agree there's not a lot of detailed explanations to the tasks, it's all here. You couldn't ask for a better blueprint. You wanna know more about the underpinnings of each step? Start digging. At least you now know what questions to ask!

For all the indignant boo-hooing, I would say anyone whining about this article has not had to fend for themselves much and is probably still living with their parents.

Thanks for helping this newbie get a better idea of how work is accomplished in Linux!

From: Anonymous at: 2005-10-09 17:00:47

I created some scripts that are a start to automating this process. You can find them here:

http://www.geekdept.com/1.script

http://www.geekdept.com/2.script

http://www.geekdept.com/3.script

http://www.geekdept.com/4.script

http://www.geekdept.com/5.script

http://www.geekdept.com/6.script

http://www.geekdept.com/7.script

http://www.geekdept.com/8.script

http://www.geekdept.com/9.script

Keep in mind that these scripts are not the cure all it just helps automate a bit. Take a look at each one before you use it. I usually run wget and get them all into the /tmp dir and then call on them as needed.


Hope this helps.

From: SABADBOY at: 2008-11-30 08:41:44

ANYBODY MADE AN ISO YET SO THE INSTALL IS ALL AUTOMATED? SERIOUSLY, I NEED IT BAD.

GREAT ARTICLE