  #1  
Old 22nd September 2010, 03:07 PM
LaKing
The Perfect Server, aka ISPConfig based web mail dns and ... production level server

So you want to have a real server, I mean REAL server right? ...

* Intro

Okay, we gonna make one out of open source software FC13 - ISPConfig 3 ...

Well, the first thing you will need is some hardware. Depending on your budget and your expected traffic, go and buy some. You can start small. ..
You probably don't need a good graphic card, but what you need is good cooling in a stable system. If you need raid, I suggest to use hardware raid, don't spare on memory, go with more than 4GB on the x64 platform. In my setup currently I use 2 SSD's and about 10 disks, on a quad core with 8GB ram.
You will have to place the server somewhere. Here again, for a real server I suggest you go to a server farm. The line there should be good enough, power, temperature, clean air, .. placing a server to a farm extends your and your server's life. 100Mbps Ethernet at least, on a good network to the world is a must. You will also need to have your own domain name, and access to it.

After the hardware is put together, ...
The first things you have to set up are bios and raid bios.
In the bios, set quick boot. Disable all controllers that you don't need, after you have verified that all disks are okay. Set up your RAID and disks. Keep in mind that you will need a certain level of speed and a certain level of redundancy. My personal opinion is that mirrored raid makes not too much sense. What if there is some sort of problem that's not on hardware level, ... You will need your backups complete, and 'delayed', so in case of a disaster you can go and recover for example the last day's state. ...

Boot your FC13 live CD or DVD or USB stick. On your desktop you will have the icon to start the final installation. I suggest to have some second computer, a notebook or something that you will use as client machine.

We will rely on the ISPConfig3 Documentation, which starts somewhere here.
http://www.howtoforge.com/perfect-se...64-ispconfig-3
Name your computer in your domain, use some good and easy to type and memorize but hard to guess user and root passwords.
I personally don't use LVM. When it comes to partitions, with 8GB or even more ram, SWAP partitions are not really needed.

To do the partitioning manually:
It is safe to delete all partitions, first inside the LVM, then the LVM itself, in your custom layout a boot partition is needed, 500MB ext3 file-system, mounted at /boot, a root file-system, ext4 mounted on / and your drives. I mounted my disks on a 'new system folder' called /srv so I have disks like /srv/www, /srv/vmail, /srv/ftp, /srv/mysql, .. for example, and this will 'come handy' later. You can align your disks to your services. A stripe for large FTP data, a single disk for logs, an SSD for mysql and another one for your seeds, and so on ...
As for log files, if you have a separate disk for it, you can remove /var/log and create a symbolic link to your log disk. Hint:
Code:
ln -s your_symbolic_link_target_path /var/log
If you did a live CD install, and the package manager or the network setup didn't show up, as in the ISPConfig guide, no problem. ..

After your installation is done, you log in as a user and have your desktop.

* Cosmetics

Put the terminal and the system monitor to the tray, we will need it frequently.
Start a terminal. In the menu Edit -> Profiles -> Edit [Default] -> Colors -> Built in Schemes ... select Green on black .. to get the matrix look. This is much better for your eye and your nerves than Black on White.

* Get the Network running

The network manager is damn good at setting up the network, but as the guide suggests, we will likely have a very static network. You might do the setup in a different environment than your production. My suggestion is that you set up a static IP, even on your home LAN for this pc. In the terminal, gain root access ...

Code:
su
.. and then enter your root password. In future, "as root ..."
Linux commands are case sensitive, therefore it is best to copy-paste the following commands:
Code:
service NetworkManager stop
chkconfig NetworkManager off
service network status
system-config-network

gedit /etc/hosts
gedit /etc/sysconfig/networking/devices/ifcfg-eth0
Most important: IPADDR, GATEWAY, NETMASK, DNS1, ONBOOT=on and "It is important that you add a line for server1.example.com and remove server1.example.com and server1 from the 127.0.0.1 line."

As the guide suggests, and I agree, SELinux is not needed, at least for now.
Code:
gedit /etc/selinux/config
and set
Code:
SELINUX=disabled
Reboot, and check if you have the network right.
I hope you have a firewall for your LAN, on a trusted network you can disable your firewall temporarily too if you wish. For some reason, maybe a bug in FC13, the firewall GUI needs to be started from the console. As root
Code:
system-config-firewall
ISPConfig has its own Bastille-firewall, feel free to decide which one you want to use later.

* Update the system

Code:
yum -y update
* Install tools and software

The two most basic tools, 'yumex' the yum Gui, 'mc' the file manager, 'gparted' partition editor, and the webmin sysadmin interface.
Code:
yum -y install yumex mc gparted
* webmin
Webmin is a great sysadmin tool. As root ...
Code:
gedit /etc/yum.repos.d/webmin.repo
paste this in:
Code:
[Webmin]
name=Webmin Distribution Neutral
baseurl=http://download.webmin.com/download/yum
enabled=1
.. and save it.
Code:
rpm --import http://www.webmin.com/jcameron-key.asc
yum -y install webmin
Your webmin-panel is already accessible in the browser https://localhost:10000

* Remote desktop over ssh

Fedora has VNC built in. As root ...
Code:
gedit /etc/sysconfig/vncservers
having a small and a large virtual desktop looks config-wise like this
Code:
VNCSERVERS="1:username 2:username"
VNCSERVERARGS[1]="-geometry 800x600 -nolisten tcp -localhost"
VNCSERVERARGS[2]="-geometry 1600x1000 -nolisten tcp -localhost"
Each VNC server instance listens on port 5900 plus the display number on which the server runs: 5901, 5902, ... Replace username with your username. Enter a good password for VNC. As root ..
Code:
vncpasswd
service vncserver restart
chkconfig vncserver on
If you have Windows with VNC-Viewer and putty installed, start a putty session, and set the SSH Tunnel so that ports 5901, 5902, .. are in the tunnel.
If you need more help I suggest to check these VNC and putty guides.

* Install even more

As root ...
Quote:
yum -y groupinstall 'Development Tools'
yum -y groupinstall 'Development Libraries'
yum install ntp httpd mysql-server php php-mysql php-mbstring php-mcrypt phpMyAdmin php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-mbstring php-mcrypt php-mhash php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel quota dovecot dovecot-mysql postfix getmail pure-ftpd vsftpd filezilla squirrelmail bind bind-utils webalizer perl-DateTime-Format-HTTP perl-DateTime-Format-Builder fail2ban rkhunter amavisd-new spamassassin clamav clamav-data clamav-server clamav-update unzip bzip2 perl-DBD-mysql mod_suphp mod_geoip
.. I think, that's all needed. We install everything you need in one run, so you can go and drink a tea meanwhile.

* Configure services
8 Journaled Quota

As root
Code:
gedit /etc/fstab
and in another terminal eventually you can start gparted to see UUID's of partitions.
Change
Quote:
defaults 0 0
to
Code:
defaults,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0        1 1
where you want to enable quotas. You might need to replace vfsv0 with xfs if you have XFS partitions. "Then run" ...
Code:
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /

quotacheck -avugm
quotaon -avug
Set some paths and addresses

Code:
gedit /etc/my.cnf
You might want to set datadir=/srv/mysql

10-11 Configure email
To use Postfix and dovecot:
Code:
system-switch-mail

rm -fr /usr/lib/dovecot/
ln -s /usr/lib64/dovecot/ /usr/lib/dovecot 

chkconfig --levels 235 dovecot on
chkconfig --levels 235 mysqld on
chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
service dovecot start
service mysqld start
service sendmail stop
service postfix start
mysql_secure_installation
Again, give a good root password for MySQL. Everywhere else, just press enter.
We don't need phpMyAdmin right now, but httpd, the Apache daemon, can get started.

Code:
chkconfig --levels 235 httpd on
service httpd start
14 Mailfilters
Code:
gedit /etc/sysconfig/freshclam
Comment out the FRESHCLAM_DELAY line at the end.
Code:
gedit /etc/freshclam.conf
Comment out the Example line.

Code:
sa-update
chkconfig --levels 235 amavisd on
chkconfig --levels 235 clamd.amavisd on
/usr/bin/freshclam
service amavisd start
service clamd.amavisd start
* 15 Installing mod_php, mod_fcgi/PHP5, And suPHP

Code:
gedit /etc/php.ini
and add cgi.fix_pathinfo = 1 at the end of the file. If you wish change error_reporting = E_ALL & ~E_NOTICE


If you look at the guide, note that su_php is already installed with yum.

... we continue in the next post.

Last edited by LaKing; 22nd September 2010 at 03:28 PM. Reason: corrections
  #2  
Old 22nd September 2010, 03:12 PM
LaKing
Re: The Perfect Server, aka ISPConfig based web mail dns and ... production level se

16 Install PureFTPd - and other ftp services

It is a good idea to distinguish between public and private FTP. Public ftp should be running on the default port, probably with anonymous users and without upload option.
The private FTP can have TLS/SSL, to increase security. Pure-FTPd is the one ISPConfig uses, and vsftp or another daemon can be used for public ftp. If you need an ftp client on the server for server-to-server copy processes, I think FileZilla is a good choice.

For public FTP:
Code:
gedit /etc/vsftpd/vsftpd.conf
# vsftpd.conf syntax: no spaces around '=', boolean values are YES/NO
local_enable=NO
write_enable=NO
chroot_local_user=YES
log_ftp_protocol=YES
no_anon_password=YES
vsftpd_log_file=/var/log/vsftplog
xferlog_file=/var/log/xferlog
# or a similar directory for the public files
anon_root=/srv/ftppub

18 Install Vlogger And Webalizer

Code:
cd /tmp
wget http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
tar xvfz vlogger-1.3.tar.gz
mv vlogger-1.3/vlogger /usr/sbin/
rm -rf vlogger*
19 Install Jailkit

Jailkit creates homes for SSH users. It is very important to install it.
"important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!"

Code:
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
tar xvfz jailkit-2.11.tar.gz
cd jailkit-2.11
./configure
make
make install
cd ..
rm -rf jailkit-2.11*
22 Install SquirrelMail

Code:
/usr/share/squirrelmail/config/conf.pl
D. Set pre-defined settings for specific IMAP servers
select dovecot = Dovecot Secure IMAP server
S Save data .. then quit.

Code:
gedit /etc/squirrelmail/config_local.php
comment out the $default_folder_prefix variable.

23 Install ISPConfig 3
Check for the latest version, then install.
Code:
cd /tmp
wget http://downloads.sourceforge.net/isp...gz?use_mirror=
tar xvfz ISPConfig-3.0.2.1.tar.gz
cd ispconfig3_install/install/
php -q install.php
Just press enter everywhere in the installer, the only thing you need to enter is your MySQL root password.

* Finalize

16 privateFTP
For private FTP, settings will have to be done after ISPConfig install, and eventually all updates.
Code:
gedit /etc/pure-ftpd/pure-ftpd.conf
Bind yourIP,yourPRIVATEPORT
TLS 2
PassivePortRange 30000 50000

Code:
system-config-services
system-config-firewall
Take a look and make sure everything is up and running.
Configure Bastille firewall in ISPConfig and the FC firewall.

Code:
gedit /etc/named.conf
You might want to set
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };

You will not be able to start named before you create a DNS entry in ISPConfig, I suggest to use the wizard on the DNS tab.
/etc/named.conf.local will be missing, you can comment out the include in /etc/named.conf if you want to make sure named starts.

To enter the ISPConfig control panel, in the browser:
http://localhost:8080

User name admin, password admin that you should change after your first login in the tools menu.
Before you create anything, make sure you set all paths right in ISPConfig.

System -> Server Config -> YourServer

Network: no need to change anything.
Mail: Maildir Path, Homedir Path ( /srv/vmail ?)
Web: Website basedir ( /srv/www ?)
Website path, eg: /srv/www/_clients/client_[client_id]/web_[website_id]
Website symlinks, eg: /srv/www/[website_domain]/:/var/www/_clients/client_[client_id]/[website_domain]/

Interface Config:

Database name prefix
Database user prefix
FTP user prefix
Shell user prefix
I suggest you set all to [CLIENTNAME]_

Next is to install the Awstats ISPConfig 3 plugin, to do so look here.
Note, the download that you need first is at the bottom of the page.

Now, you should be at the point where you can move the server to the server farm.
You can access it remotely over: ssh-terminal (secure) webmin (secure) ssh-tunneled VNC (secure). You might need to re-edit network configuration, once the server is at the final place.

You can then from home, install more things you might need.
OpenVPN or OpenSWAN for VPN networking (all in yum).
Opentracker, (not in yum) transmission, ktorrent, ... (all in yum)
A good idea is to install git, and set up a git web development work-flow. Since we have nice SSH access that you can enable for a client, ...

MySql database and users have a limit of 16 characters. You might want to create a client called 'db' where you put most of your databases.

...

---------- Post added at 04:12 PM CDT ---------- Previous post was at 04:08 PM CDT ----------

Play a little bit with ISPConfig, get familiar with it. It is a great tool that simplifies administration.
You might want to:
- set phpMyAdmin secure
- install mod_security
- set hourly or daily mySQL backups, .. that is easy in webmin.
- write a script that does a full backup of everything. /srv /etc /home ...

Security is important if you want your server to be running for years.

You can install some CMS's. Wikimedia, Wordpress, Drupal, ... all in yum.
You can have several instances working from /usr/share that you can update regularly with yum.

Questions, corrections and feedback welcome.

Last edited by LaKing; 22nd September 2010 at 04:21 PM. Reason: +infos
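
The post suggests a script that does a full backup of /srv /etc /home, and earlier asks for backups that let you recover a previous day's state. One way to do that, as an added example that is not part of the original post: `BACKUP_DIR`, `KEEP`, the function names and the archive naming are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): dated full backups of the paths
# the guide names, with retention so older states stay recoverable.
# BACKUP_DIR, KEEP and the "full-<timestamp>.tar.gz" naming are assumptions.
BACKUP_DIR=${BACKUP_DIR:-/mnt/backup}   # ideally a disk separate from the data
KEEP=${KEEP:-7}                         # number of archives to retain

# backup_run DEST SRC...: create DEST/full-<timestamp>.tar.gz and print its path.
backup_run() {
    dest=$1; shift
    archive="$dest/full-$(date +%Y%m%d-%H%M%S).tar.gz"
    (
        umask 077                       # archive contains /etc/shadow, mail, keys
        mkdir -p "$dest" &&
        # never archive the backup directory into itself
        tar -czf "$archive.part" --exclude="$dest" "$@" &&
        tar -tzf "$archive.part" >/dev/null &&   # must be readable end to end
        mv "$archive.part" "$archive"
    ) || { rm -f "$archive.part"; return 1; }
    printf '%s\n' "$archive"
}

# backup_prune DEST KEEP: remove all but the newest KEEP archives.
# Timestamped names sort chronologically, so a reverse sort puts newest first.
backup_prune() {
    ls -1 "$1"/full-*.tar.gz 2>/dev/null | sort -r | tail -n +"$(($2 + 1))" |
    while IFS= read -r old; do
        rm -f -- "$old"
    done
}

# Run from root's crontab as: backup.sh --run   (script name is a placeholder)
if [ "${1:-}" = "--run" ]; then
    backup_run "$BACKUP_DIR" /srv /etc /home >/dev/null &&
        backup_prune "$BACKUP_DIR" "$KEEP"
fi
```

tar exits non-zero when a file changes while it is being read, in which case this script discards the partial archive; the MySQL backups mentioned in the post are the better way to capture live database files.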