The Perfect Server - OpenSUSE 12.3 x86_64 (Apache2, Dovecot, ISPConfig 3) - Page 2
Now log in with the username root and the password that you selected during the installation.
4 Configure The Network Settings
We use Yast, the OpenSuSE system management tool to reconfigure the network card settings. After the first boot, the system is configured to get the IP address with DHCP. For a server we will switch it to a static IP address.
Run
yast2
Select Network Devices > Network Settings:
Select your network card and then Edit:
Select Statically assigned IP Address and enter the IP address, subnet mask and hostname and save the changes by selecting Next:
Now select Hostname/DNS and enter the hostname (e.g. server1.example.com) and nameservers (e.g. 192.168.1.200 and 8.8.8.8):
Now select Routing and enter the default gateway and hit OK:
To configure the firewall (in case you didn't configure it during the basic installation), select Security and Users > Firewall in Yast:
I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable the default OpenSUSE firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the OpenSUSE firewall).
Select Disable Firewall Automatic Starting and Stop Firewall Now, then hit Next:
Hit Finish and leave Yast:
Afterwards, you should check with
ifconfig
if your network configuration is correct. If it isn't (for example, if eth0 is missing), reboot the system...
reboot
... and check your network configuration again afterwards - it should now be correct.
5 Install Updates
Now we install the latest updates from the openSUSE repositories. Run
zypper update
And then reboot the server as you most likely installed some kernel updates, too:
reboot
6 Install Some Basic Packages
Run
zypper install findutils readline glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico sudo perl-TimeDate
7 Journaled Quota
To install quota, run
zypper install quota
Edit /etc/fstab to look like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the mountpoints / and /srv):
vi /etc/fstab
/dev/disk/by-id/ata-VBOX_HARDDISK_VB1d06c935-e9b5de19-part1 swap swap defaults 0 0 /dev/disk/by-id/ata-VBOX_HARDDISK_VB1d06c935-e9b5de19-part2 / ext4 acl,user_xattr,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 1 1 /dev/disk/by-id/ata-VBOX_HARDDISK_VB1d06c935-e9b5de19-part3 /srv ext4 acl,user_xattr,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 1 2 proc /proc proc defaults 0 0 sysfs /sys sysfs noauto 0 0 debugfs /sys/kernel/debug debugfs noauto 0 0 usbfs /proc/bus/usb usbfs noauto 0 0 devpts /dev/pts devpts mode=0620,gid=5 0 0 |
Then run:
mount -o remount /
mount -o remount /srv
quotacheck -avugm
quotaon -avug
Dont be worried if you see these error messages - they are normal when you run quotacheck for the first time:
server1:~ # quotacheck -avugm
quotacheck: Scanning /dev/sda2 [/] done
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Checked 3872 directories and 32991 files
quotacheck: Old file not found.
quotacheck: Old file not found.
quotacheck: Scanning /dev/sda3 [/srv] done
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Checked 6 directories and 0 files
quotacheck: Old file not found.
quotacheck: Old file not found.
server1:~ #
8 Install Postfix, Dovecot, MySQL
Run
zypper install postfix postfix-mysql mysql-community-server libmysqlclient-devel dovecot21 dovecot21-backend-mysql pwgen cron python
If you get the following message, please select to uninstall exim:
Problem: sendmail-8.14.5-85.1.2.x86_64 conflicts with postfix provided by postfix-2.9.6-1.2.1.x86_64
Solution 1: Following actions will be done:
do not install postfix-2.9.6-1.2.1.x86_64
do not install postfix-mysql-2.9.6-1.2.1.x86_64
Solution 2: deinstallation of sendmail-8.14.5-85.1.2.x86_64
Choose from above solutions by number or cancel [1/2/c] (c): <-- 2
Create the following symlink:
ln -s /usr/lib64/dovecot/modules /usr/lib/dovecot
At this point I had to reboot because otherwise MySQL refused to start with the error:
Failed to issue method call: Unit mysql.service failed to load: No such file or directory. See system logs and 'systemctl status mysql.service' for details.
reboot
Start MySQL, Postfix, and Dovecot and enable the services to be started at boot time.
systemctl enable mysql.service
systemctl start mysql.service
systemctl enable postfix.service
systemctl start postfix.service
systemctl enable dovecot.service
systemctl start dovecot.service
Now I install the getmail package:
zypper install getmail
To secure the MySQL installation, run:
mysql_secure_installation
Now you will be asked several questions:
server1:~ # mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none): <-- ENTER
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
Set root password? [Y/n] <-- Y
New password: <-- yourrootsqlpassword
Re-enter new password: <-- yourrootsqlpassword
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] <-- Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] <-- Y
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] <-- Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] <-- Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!
server1:~ #
Now your MySQL setup should be secured.
9 Amavisd-new, Spamassassin And Clamav
Install Amavisd-new, Spamassassin and Clamav antivirus. Run
zypper install amavisd-new clamav clamav-db zoo unzip unrar bzip2 unarj perl-DBD-mysql
Open /etc/amavisd.conf...
vi /etc/amavisd.conf
... and add the $myhostname line with your correct hostname below the $mydomain line:
[...] $mydomain = 'example.com'; # a convenient default for other settings $myhostname = "server1.$mydomain"; [...] |
Then create a symlink from /var/run/clamav/clamd to /var/lib/clamav/clamd-socket:
mkdir -p /var/run/clamav
ln -s /var/lib/clamav/clamd-socket /var/run/clamav/clamd
OpenSUSE 12.3 has a /run directory for storing runtime data. /run is now a tmpfs, and /var/run is now bind mounted to /run from tmpfs, and hence emptied on reboot.
This means that after a reboot, the directory /var/run/clamav that we have just created will not exist anymore, and therefore clamd will fail to start. Therefore we create the file /etc/tmpfiles.d/clamav.conf now that will create this directory at system startup (see http://0pointer.de/public/systemd-man/tmpfiles.d.html for more details):
vi /etc/tmpfiles.d/clamav.conf
D /var/run/clamav 0755 root root - |
Before we start amavisd and clamd, we must edit the /etc/init.d/amavis init script - I wasn't able to reliably start, stop and restart amavisd with the default init script:
vi /etc/init.d/amavis
Comment out the following lines in the start and stop section:
[...] start) # ZMI 20100428 check for stale pid file #if test -f $AMAVIS_PID ; then # checkproc -p $AMAVIS_PID amavisd # if test $? -ge 1 ; then # # pid file is stale, remove it # echo -n "(stale amavisd pid file $AMAVIS_PID found, removing. Did amavisd crash?)" # rm -f $AMAVIS_PID # fi #fi echo -n "Starting virus-scanner (amavisd-new): " $AMAVISD_BIN start #if ! checkproc amavisd; then # rc_failed 7 #fi rc_status -v #if [ "$AMAVIS_SENDMAIL_MILTER" == "yes" ]; then # rc_reset # echo -n "Starting amavis-milter:" # startproc -u vscan $AMAVIS_MILTER_BIN -p $AMAVIS_MILTER_SOCK > /dev/null 2>&1 # rc_status -v #fi ;; stop) echo -n "Shutting down virus-scanner (amavisd-new): " #if checkproc amavisd; then # rc_reset $AMAVISD_BIN stop #else # rc_reset #fi rc_status -v #if [ "$AMAVIS_SENDMAIL_MILTER" == "yes" ]; then # rc_reset # echo -n "Shutting down amavis-milter: " # killproc -TERM $AMAVIS_MILTER_BIN # rc_status -v #fi ;; [...] |
Because we have changed the init script, we must run
systemctl --system daemon-reload
now.
To start clamav we need to download the database & proceed further with the command
freshclam
Note: It takes a lot of time to download the database, you are advised not to interrupt & do not stop the freshclam update service in between
To enable the services, run:
systemctl enable amavis.service
systemctl enable clamd.service
systemctl start amavis.service
systemctl start clamd.service