BUILD THE PERFECT SERVER WITH UBUNTU 9.10

full circle magazine #31 contents ^

full circle

BBUUIILLDD TTHHEE PPEERRFFEECCTTSSEERRVVEERR WWIITTHHUUBBUUNNTTUU 99..1100

Full Circle Magazine Specials

Full Circle Magazine

The articles contained in this magazine are released under the Creative Commons Attribution-Share Alike 3.0Unported license. This means you can adapt, copy, distribute and transmit the articles but only under the following conditions:

You must attribute the work to the original author in some way (at least a name, email or URL) and to this magazine by name ('full circle magazine') and the URL www.fullcirclemagazine.org (but not attribute the article(s) in any way that suggests that they endorse you or your use of the work). If you alter, transform, or build upon this work, you must distribute the resulting work under the same, similar or a compatible license.Full Circle Magazine is entirely independent of Canonical, the sponsor of Ubuntu projects and the views and opinions in the magazine should in no way be assumed to have Canonical endorsement.

Please note: this Special Edition is provided with absolutely no warranty whatsoever; neither the contributors nor Full Circle Magazine accept any responsibility or liability for loss or damage resulting from readers choosing to apply this content to theirs or others computers and equipment.

About Full Circle

Full Circle is a free, independent, magazine dedicated to the Ubuntu family of Linux operating systems. Each month, it contains helpful how-to articles and reader- submitted stories.

Full Circle also features a companion podcast, the Full Circle Podcast which covers the magazine, along with other news of interest.

Welcome to another 'single-topic special'In response to reader requests, we are assembling the content of some of our serialised articles into dedicated editions.

For now, this is a straight reprint of the series 'The Perfect Server' from issues 31 through 34; nothing fancy, just the facts.

Please bear in mind the original publication date; current versions of hardware and software may differ from those illustrated, so check your hardware and software versions before attempting to emulate the tutorials in these special editions. You may have later versions of software installed or available in your distributions' repositories.

Enjoy!

Find Us

Website: http://www.fullcirclemagazine.org/

Forums: http://ubuntuforums.org/forumdisplay.php?f=270

IRC: #fullcirclemagazine on chat.freenode.net

Editorial Team

Editor: Ronnie Tucker (aka: RonnieTucker) [email protected]

Webmaster: Rob Kerfia (aka: admin / linuxgeekery- [email protected]

Podcaster: Robin Catling (aka RobinCatling) [email protected]

Communications Manager: Robert Clipsham (aka: mrmonday) - [email protected]

http://www.fullcirclemagazine.org/

http://ubuntuforums.org/forumdisplay.php?f=270

http://ubuntuforums.org/forumdisplay.php?f=270

mailto:[email protected]





HOW-TO The Perfect Server - Part 1

This tutorial shows howto prepare an Ubuntu9.10 (Karmic Koala)server for ISPConfig 3,

and how to install ISPConfig 3on it. ISPConfig 3 is awebhosting control panel thatallows you to configure thefollowing services through aweb browser: Apache webserver, Postfix mail server,MySQL, MyDNS name server,PureFTPd, SpamAssassin,ClamAV, and many more.

FCM09 - 16 : Server Series 1 - 8FCM28 - 29 : LAMP Server 1 - 2

GraphicsDev Internet M/media System

HDDCD/DVD USB Drive Laptop Wireless

Please note that this setupdoes not work for ISPConfig 2.It is valid for ISPConfig 3 only!

RequirementsTo install such a system you

will need the Ubuntu 9.10server CD, available here:http://releases.ubuntu.com/releases/9.10/ubuntu-9.10-server-i386.iso (32-bit) or:http://releases.ubuntu.com/releases/9.10/ubuntu-9.10-server-amd64.iso (64-bit)

Preliminary NoteIn this tutorial, I use the host

name ,with IP addressand gateway .These settings might differ foryou, so you have to replacethem where appropriate.

The Base SystemInsert your Ubuntu install

CD into your system and bootfrom it. Select your language

then select Install UbuntuServer:

Choose your language(again), location, and keyboardlayout.

The installer checks theinstallation CD and yourhardware, and configures thenetwork with DHCP if there is aDHCP server on the network:

Enter the host name. In thisexample, my system is calledserver1.example.com, so Ienter server1:

Now you have to partitionyour hard disk. For simplicity'ssake, I select Guided, useentire disk and set up LVM. Thiswill create one volume groupwith two logical volumes—onefor the / file system, andanother one for swap. Ofcourse, the partitioning istotally up to you—if you knowwhat you're doing, you canalso set up your partitionsmanually. You may find ithelpful in future months if youset up separate /home and /varpartitions.


THE PERFECT SERVER - PART 1Select the disk that you

want to partition, and, whenyou're asked 'Write thechanges to disk and configureLVM?', select Yes.

If you have selected Guided,use entire disk and set up LVM,the partitioner will create onebig volume group that uses allthe disk space. You can nowspecify how much of that diskspace should be used by thelogical volumes for / and swap.It makes sense to leave somespace unused, so later on youcan expand your existinglogical volumes, or create newones. This gives you moreflexibility.

When you're finished, hit Yeswhen asked "Write the changesto disks?":

Your new partitions arecreated and formatted:

Then the base system isinstalled:

Create a user, for examplethe user Administrator, withthe user name administrator.Don't use the user name adminas it is a reserved name onUbuntu 9.10.

I don't need an encryptedprivate directory, so I chooseNo here:

Next, the package managerapt gets configured. Leave theHTTP proxy line empty unlessyou're using a proxy server toconnect to the Internet:

I'm a little bit old-fashioned,and I like to update my serversmanually to have more control,therefore I select No automaticupdates. Of course, it's up toyou what you select there.

We need DNS, mail, andLAMP servers, but,nevertheless, I don't select anyof them now because I like tohave full control over what getsinstalled on my system. We willinstall the needed packages

manually later on. The onlyitem I select here is OpenSSHserver, so that I canimmediately connect to thesystem with an SSH client suchas PuTTY after the installationhas finished:

The installation continues,then the GRUB boot loadergets installed.

The base system installationis now finished. Remove theinstallation CD from the CDdrive and select Continue toreboot the system:



Last month, we did thebasic Ubuntu Serverinstallation from CD,and got to the point of

rebooting into the installedsystem.

Get Root PrivilegesAfter the reboot you can

login with your previouslycreated username (e.g.administrator). Because wemust run all the steps from this

FCM09 - 16 : Server Series 1 - 8FCM28 - 29 : LAMP Server 1 - 2FCM31 : The Perfect Server 1



tutorial with root privileges, wecan either prepend allcommands in this tutorial withthe string sudo, or we becomeroot right now by typing:

sudo su

You can also enable the rootlogin by running:

sudo passwd root

and giving root a password.You can then directly log in asroot, but this is frowned uponby the Ubuntu developers andcommunity for various reasons.(Seehttp://ubuntuforums.org/showthread.php?t=765414)

Install The SSH Server(Optional)

If you did not install theOpenSSH server during thesystem installation, you can doit now:

aptitude install ssh openssh-server

From now on, you can usean SSH client such as PuTTYand connect from yourworkstation to your Ubuntu9.10 server and follow theremaining steps in this tutorial.

Install vim-nox (Optional)I'll use vi as my text editor

in this tutorial. The default viprogram has some strangebehaviour on Ubuntu andDebian; to fix this, we installvim-nox:

aptitude install vim-nox

You don't have to do this ifyou use a different text editorsuch as joe or nano.

Configure The NetworkBecause the Ubuntu

installer has configured oursystem to get its networksettings via DHCP, we have tochange that now because aserver should have a static IPaddress. Edit

/etc/network/interfaces andadjust it to your needs (in thisexample setup I will use the IPaddress 192.168.0.100):

vi /etc/network/interfaces

# This file describes thenetwork interfaces availableon your system# and how to activate them.For more information, seeinterfaces(5).

# The loopback networkinterfaceauto loiface lo inet loopback

# The primary networkinterfaceauto eth0iface eth0 inet static

address 192.168.0.100netmask 255.255.255.0network 192.168.0.0broadcast 192.168.0.255gateway 192.168.0.1

Restart your network with:

/etc/init.d/networkingrestart

Then edit /etc/hosts:

vi /etc/hosts


THE PERFECT SERVER - PART 2and make it look like the textshown in Fig.1.

Now run

echo server1.example.com >/etc/hostname

and reboot the server with:

reboot

Afterwards, run:

hostnamehostname -f

Both should shownow.

Edit sources.list AndUpdate Your LinuxInstallation

Edit /etc/apt/sources.list:

vi /etc/apt/sources.list

Comment out or remove theinstallation CD from the file,and make sure that theuniverse and multiverserepositories are enabled.

Then run

aptitude update

to update the apt packagedatabase, and

aptitude safe-upgrade

to install the latest updates (ifthere are any). If you see thata new kernel gets installed aspart of the updates, you shouldreboot the system afterwardswith:

reboot

Change The Default Shell/bin/sh is a symlink to

/bin/dash, however we need/bin/bash, not /bin/dash.Therefore we do this:

dpkg-reconfigure dash

Install dash as /bin/sh?,Choose: No

If you don't do this, theISPConfig installation will fail.

Disable AppArmorAppArmor is a security

extension (similar to SELinux)that should provide extended

security. In my opinion, youdon't need it to configure asecure system, and it usuallycauses more problems than ithas advantages (think of this -after you have done a week oftrouble-shooting because someservice wasn't working asexpected, and then you findout that everything was OK,only AppArmor was causing theproblem). Therefore, I disable it(this is a must if you want toinstall ISPConfig later on).

We can disable it like this:

/etc/init.d/apparmor stop

update-rc.d -f apparmorremove

aptitude remove apparmorapparmor-utils

Synchronize the SystemClock

It is a good idea tosynchronize the system clockwith an NTP (network timeprotocol) server over theInternet. Simply run

aptitude install ntp ntpdate

and your system time willalways be in sync.

127.0.0.1 localhost.localdomain localhost192.168.0.100 server1.example.com server1

# The following lines are desirable for IPv6 capablehosts::1 localhost ip6-localhost ip6-loopbackfe00::0 ip6-localnetff00::0 ip6-mcastprefixff02::1 ip6-allnodesff02::2 ip6-allroutersff02::3 ip6-allhosts



We can installPostfix, Courier,Saslauthd, MySQL,rkhunter, and

binutils - with a singlecommand:

(Prefix each command withsudo, if appropriate).

aptitude install postfixpostfix-mysql postfix-docmysql-client mysql-servercourier-authdaemon courier-authlib-mysql courier-popcourier-pop-ssl courier-imap

FCM09 - 16 : Server Series 1 - 8FCM28 - 29 : LAMP Server 1 - 2FCM31 - 32 : The Perfect Server 1 - 2



courier-imap-ssl libsasl2-2libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl getmail4rkhunter binutils

You will be asked thefollowing questions:

New password for the MySQL"root" user

Repeat password for theMySQL "root" user

Create directories for web-based administration?Enter:

General type of mailconfiguration:Enter:

System mail name:Enter:(but using your .com)

SSL certificate requiredEnter:

Next we install maildrop asfollows:

update-alternatives --remove-all maildir.5

update-alternatives --remove-all maildirquota.7

aptitude install maildrop

You will ask yourself why wedidn't install maildrop togetherwith all the other packages.The reason for this is a bug inthe courier-base package - ifyou install maildrop togetherwith courier-pop, courier-pop-ssl, courier-imap, and courier-imap-ssl, you will get thefollowing error:

update-alternatives: error:alternative link/usr/share/man/man5/maildir.5.gz is already managed bymaildir.5.gz.

We want MySQL to listen onall interfaces, not justlocalhost. Therefore we edit/etc/mysql/my.cnf andcomment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]

# Instead of skip-networkingthe default is now to listenonly on

# localhost which is morecompatible and is not lesssecure.

#bind-address =127.0.0.1[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networkingis enabled. Run:

netstat -tap | grep mysql

The output should look likethis:

root@server1:~# netstat -tap| grep mysql

tcp 0 0 *:mysql *:* LISTEN6267/mysqld

root@server1:~#

During the installation, theSSL certificates for IMAP-SSLand POP3-SSL are created withthe hostname localhost. To


THE PERFECT SERVER - PART 3change this to the correcthostname(server1.example.com in thistutorial), delete thecertificates...

cd /etc/courier

rm -f /etc/courier/imapd.pem

rm -f /etc/courier/pop3d.pem

and modify the following twofiles - replacing CN=localhostwith''CN=server1.example.com'(and you can also modify theother values, if necessary):

vi /etc/courier/imapd.cnf

[...]CN=server1.example.com[...]

vi /etc/courier/pop3d.cnf

[...]CN=server1.example.com[...]

Then recreate thecertificates:

mkimapdcert

mkpop3dcert

and restart Courier-IMAP-SSL

and Courier-POP3-SSL:

/etc/init.d/courier-imap-sslrestart

/etc/init.d/courier-pop-sslrestart

Install Amavisd-new,SpamAssassin, AndClamav

To install amavisd-new,SpamAssassin, and ClamAV,we run:

aptitude install amavisd-newspamassassin clamav clamav-daemon zoo unzip bzip2 arjnomarch lzop cabextract apt-listchanges libnet-ldap-perllibauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perllibnet-ident-perl zip libnet-dns-perl

Install Apache2, PHP5,phpMyAdmin, FCGI,suExec, Pear, Andmcrypt

Apache2, PHP5,phpMyAdmin, FCGI, suExec,Pear, and mcrypt can beinstalled as follows:

aptitude install apache2apache2.2-common apache2-docapache2-mpm-prefork apache2-utils libexpat1 ssl-certlibapache2-mod-php5 php5php5-common php5-gd php5-mysql php5-imap phpmyadminphp5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcryptmcrypt php5-imagickimagemagick libapache2-mod-suphp

You will see the followingquestion:

Web server to reconfigureautomatically:Enter:

Configure database forphpmyadmin with dbconfig-common?Enter:

Then run the followingcommand to enable theApache modules suexec,rewrite, ssl, actions, andinclude:

a2enmod suexec rewrite sslactions include

Restart Apache afterwards:

/etc/init.d/apache2 restart

Install PureFTPd AndQuota

PureFTPd and quota can beinstalled with the followingcommand:

aptitude install pure-ftpd-common pure-ftpd-mysql quotaquotatool

Edit the file /etc/default/pure-ftpd-common:

vi /etc/default/pure-ftpd-common

and make sure that the startmode is set to standalone andset VIRTUALCHROOT=true:

[...]STANDALONE_OR_INETD=standalone[...]VIRTUALCHROOT=true[...]

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysqlrestart

Edit /etc/fstab. Mine lookslike Fig.1 on the following page(I added


,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0to the partition with the mountpoint /):

vi /etc/fstab

To enable quota, run thesecommands:

touch /aquota.user/aquota.group

chmod 600 /aquota.*

mount -o remount /

quotacheck -avugm

quotaon -avug

Install MyDNSBefore we install MyDNS, we

need to install a fewprerequisites:

aptitude install g++ libc6gcc gawk make texinfolibmysqlclient15-dev

MyDNS is not available inthe Ubuntu 9.10 repositories,therefore we have to build itourselves as follows:

cd /tmp

wgethttp://heanet.dl.sourceforge.net/sourceforge/mydns-ng/mydns-1.2.8.27.tar.gz

tar xvfz mydns-1.2.8.27.tar.gz

cd mydns-1.2.8

./configure

make

make install

Next, we create thestart/stop script (shown on thefollowing page) for MyDNS:

vi /etc/init.d/mydns

Then we make the scriptexecutable, and create thesystem startup links for it:

chmod +x /etc/init.d/mydns

update-rc.d mydns defaults

Install Vlogger AndWebalizer

Vlogger and webalizer canbe installed as follows:

aptitude install vloggerwebalizer

Install Jailkit

Jailkit is needed only if youwant to chroot SSH users. Itcan be installed as follows(important: Jailkit must beinstalled before ISPConfig - itcannot be installedafterwards!):

aptitude install build-essential autoconfautomake1.9 libtool flexbison

cd /tmp

wgethttp://olivier.sessink.nl/jailkit/jailkit-2.10.tar.gz

tar xvfz jailkit-2.10.tar.gz

THE PERFECT SERVER - PART 3

# /etc/fstab: static file system information.## Use 'blkid -o value -s UUID' to print the universally unique identifier# for a device; this may be used with UUID= as a more robust way to name# devices that works even if disks are added and removed. See fstab(5).## <file system> <mount point> <type> <options> <dump> <pass>proc /proc proc defaults 0 0/dev/mapper/server1-root / ext4 errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1# /boot was on /dev/sda5 during installationUUID=9ea34148-31b7-4d5c-baee-c2e2022562ea /boot ext2 defaults 0

2/dev/mapper/server1-swap_1 none swap sw 0 0/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0


#! /bin/sh## mydns Start the MyDNS server## Author: Philipp Kern <[email protected]>.# Based upon skeleton 1.9.4 by Miquel vanSmoorenburg# <[email protected]> and Ian Murdock<[email protected]>.#

set -e

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/binDAEMON=/usr/local/sbin/mydnsNAME=mydnsDESC="DNS server"

SCRIPTNAME=/etc/init.d/$NAME

# Gracefully exit if the package has been removed.test -x $DAEMON || exit 0

case "$1" instart)

echo -n "Starting $DESC: $NAME"start-stop-daemon --start --quiet \

--exec $DAEMON -- -becho ".";;

stop)echo -n "Stopping $DESC: $NAME"start-stop-daemon --stop --oknodo --quiet \

--exec $DAEMONecho ".";;

reload|force-reload)echo -n "Reloading $DESC configuration..."start-stop-daemon --stop --signal HUP --quiet \

--exec $DAEMONecho "done.";;

restart)echo -n "Restarting $DESC: $NAME"start-stop-daemon --stop --quiet --oknodo \

--exec $DAEMONsleep 1start-stop-daemon --start --quiet \

--exec $DAEMON -- -becho ".";;

*)echo "Usage: $SCRIPTNAME

{start|stop|restart|reload|force-reload}" >&2exit 1;;

esac

exit 0

cd jailkit-2.10

./configure

make

make install

cd ..

rm -rf jailkit-2.10*

Install fail2banThis is optional but

recommended, because theISPConfig monitor tries to showthe fail2ban log:

aptitude install fail2ban

Next month, in the finalinstallment, we will installSquirrelMail and ISPConfig3,giving you the perfect server,ready to go!



Toinstall theSquirrelMail webmailclient, run:

aptitude install squirrelmail

Then, create the followingsymlink...

ln -s/usr/share/squirrelmail//var/www/webmail

... and configure SquirrelMail:

FCM09 - 16 : Server Series 1 - 8FCM28 - 29 : LAMP Server 1 - 2FCM31 - 33 : The Perfect Server 1 - 3



squirrelmail-configure

We must tell SquirrelMailthat we are using Courier-IMAP/-POP3:

SquirrelMail Configuration :Read: config.php (1.4.0)Main Menu1. Organization Preferences2. Server Settings3. Folder Defaults4. General Options5. Themes6. Address Books7. Message of the Day (MOTD)8. Plugins9. Database10. Languages

D. Set pre-defined settingsfor specific IMAP serversC Turn color onS Save dataQ Quit

Command >>

Enter:

Now, you will see a list ofIMAP server options entitled:

Please select your IMAPserver:

Enter the word:

imap_server_type = courierdefault_folder_prefix =INBOX.trash_folder = Trashsent_folder = Sentdraft_folder = Draftsshow_prefix_option = falsedefault_sub_of_inbox = falseshow_contain_subfolders_option = falseoptional_delimiter = .delete_folder = true

Press any key to continue...

Next, you will see a list ofoptions and their settings;press the key tocontinue.

Back at the Main Menu,enter: to save data, and youwill see:

Data saved in config.phpPress enter to continue

Back at the Main Menu,enter to quit.

Afterwards you can accessSquirrelMail under:http://server1.example.com/webmail

or:

http://192.168.0.100/webmail

Install ISPConfig 3To install ISPConfig 3 from

the latest released version, dothis (replacing ISPConfig-3.0.1.6.tar.gz with the latestversion) :

cd /tmp

wgethttp://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.1.6.tar.gz?use_mirror=

tar xvfz ISPConfig-3.0.1.6.tar.gz


THE PERFECT SERVER - PART 4cdispconfig3_install/install/

The next step is to run:

php -q install.php

This will start the ISPConfig3 installer. Press foreach option - except whenasked for your MySQL rootpassword.

The installer automaticallyconfigures all underlyingservices, so no manualconfiguration is needed.

Afterwards you can accessISPConfig 3 under:

http://server1.example.com:8080/

or:

http://192.168.0.100:8080/

Log in with the usernameand the password(you should change the

default password after yourfirst login):

The system is now ready tobe used.

Documents

BUILD THE PERFECT SERVER WITH UBUNTU 9.10