Installing ISPConfig on Debian

  • Debian installed as a netinstall (standard system utilities, SSH)
  • # nano /etc/ssh/sshd_config – PermitRootLogin yes
  • # nano /etc/apt/sources.list and add contrib non-free here:
deb http://deb.debian.org/debian/ buster main contrib non-free
deb-src http://deb.debian.org/debian/ buster main contrib non-free

deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb-src http://security.debian.org/debian-security buster/updates main contrib non-free

deb http://deb.debian.org/debian/ buster-updates main contrib non-free
deb-src http://deb.debian.org/debian/ buster-updates main contrib non-free
# apt update && apt upgrade
  • Check the hostname (# nano /etc/hostname): # hostname -> websrv01
  • Check the FQDN (# nano /etc/hosts): # hostname -f -> websrv01.domain.tld
  • Set the default shell: # dpkg-reconfigure dash -> answer no when asked about /bin/sh
  • Synchronize the time: # apt install ntp
  • Install Postfix, Dovecot, MariaDB, rkhunter and Binutils:
# apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo curl
  • Configure Postfix as Internet Site and use the FQDN websrv01.domain.tld as the mail name
  • Secure MySQL:
# mysql_secure_installation
Enter current password for root (enter for none):
Change the root password? [Y/n] <-- y
New password: <-- Enter a new MariaDB root password
Re-enter new password: <-- Repeat the MariaDB root password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Remove test database and access to it? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y
  • Configure Postfix and enable or adjust the following lines (the -o lines must be indented, otherwise Postfix does not read them as continuation lines):
# nano /etc/postfix/master.cf
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# systemctl restart postfix
  • I leave MySQL listening on localhost; otherwise: # nano /etc/mysql/mariadb.conf.d/50-server.cnf and comment out -> # bind-address = 127.0.0.1
  • So that phpMyAdmin can connect to the database, the following must be executed:
echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root
  • Now set the MySQL password:
# nano /etc/mysql/debian.cnf

[client]
host = localhost
user = root
password = <MySQL-password-here>
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = <MySQL-password-here>
socket = /var/run/mysqld/mysqld.sock
basedir = /usr
  • To counter the error Error in accept: Too many open files in MariaDB: # nano /etc/security/limits.conf and add the following lines at the end:
mysql soft nofile 65535
mysql hard nofile 65535
  • Now create a systemd drop-in for the MariaDB service and enter the following:
# mkdir -p /etc/systemd/system/mysql.service.d/
# nano /etc/systemd/system/mysql.service.d/limits.conf

[Service]
LimitNOFILE=infinity

Restart the service:

# systemctl daemon-reload && systemctl restart mariadb
  • Check whether MySQL is running:
# netstat -tap | grep mysql
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN 26294/mysqld
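The netstat line above should show MariaDB bound to localhost only. As an added check (example code written for this page, not part of the original how-to), the shell function below reads netstat-style output and flags any mysqld/mariadbd listener bound to a non-loopback address. The sample lines are constructed, not captured from a real server.

```sh
#!/bin/sh
# Added example: flag MariaDB listeners that are reachable from outside the host.
# Input: netstat-style lines (proto recv-q send-q local foreign state pid/program),
# e.g. from "netstat -tap". Exit status 1 if any non-loopback mysqld listener is found.

mysql_exposed_listeners() {
    awk '
        /LISTEN/ && /mysqld|mariadbd/ {
            addr = $4
            sub(/:[^:]*$/, "", addr)          # strip the ":port" or ":mysql" suffix
            if (addr != "localhost" && addr != "127.0.0.1" &&
                addr != "ip6-localhost" && addr != "[::1]" && addr != "::1") {
                print "EXPOSED: " $0
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample output (not captured from a real server).
SAMPLE_LOCAL_ONLY='tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN      26294/mysqld'
SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      26294/mysqld
tcp6       0      0 [::]:3306               [::]:*                  LISTEN      26294/mysqld'

# Self-check on the constructed samples; on the real server run:
#   netstat -tap | mysql_exposed_listeners
if printf '%s\n' "$SAMPLE_LOCAL_ONLY" | mysql_exposed_listeners; then
    echo "sample 1: MariaDB is bound to localhost only"
fi
if ! printf '%s\n' "$SAMPLE_EXPOSED" | mysql_exposed_listeners; then
    echo "sample 2: fix bind-address in /etc/mysql/mariadb.conf.d/50-server.cnf"
fi
```

A non-zero exit status means the bind-address step above was skipped or mistyped and the database port is reachable from the network.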
  • Install Amavisd-new, SpamAssassin and ClamAV:
# apt-get -y install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract p7zip p7zip-full unrar lrzip apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey
  • ISPConfig calls SpamAssassin through amavisd, which loads SpamAssassin and its libraries itself, so the standalone daemon is not needed and we can free up RAM:
# systemctl stop spamassassin && systemctl disable spamassassin
  • Install the Apache web server and PHP:
# apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.3 php7.3-common php7.3-gd php7.3-mysql php7.3-imap php7.3-cli php7.3-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear mcrypt  imagemagick libruby libapache2-mod-python php7.3-curl php7.3-intl php7.3-pspell php7.3-recode php7.3-sqlite3 php7.3-tidy php7.3-xmlrpc php7.3-xsl memcached php-memcache php-imagick php-gettext php7.3-zip php7.3-mbstring memcached libapache2-mod-passenger php7.3-soap php7.3-fpm php7.3-opcache php-apcu libapache2-reload-perl
  • now enable the required modules:
# a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest cgi headers actions proxy_fcgi alias
  • Secure the web server against the HTTPoxy vulnerability:
# nano /etc/apache2/conf-available/httpoxy.conf

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

# a2enconf httpoxy
# systemctl restart apache2
  • Install the Let's Encrypt client (acme.sh):
# curl https://get.acme.sh | sh -s
Good, bash is found, so change the shebang to use bash as preferred.
OK
Install success!
  • Install PureFTPd and Quota:
# apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool
  • now create the dhparam file for PureFTPd:
# openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

# nano /etc/default/pure-ftpd-common
STANDALONE_OR_INETD=standalone
VIRTUALCHROOT=true
  • Configure PureFTPd with TLS:
# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- enter the country, e.g. DE
State or Province Name (full name) [Some-State]: <-- enter the state
Locality Name (eg, city) []: <-- enter the city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- enter the company name
Organizational Unit Name (eg, section) []: <-- enter the department
Common Name (eg, YOUR name) []: <-- enter the FQDN
Email Address []: <-- enter the system's mail address

# chmod 600 /etc/ssl/private/pure-ftpd.pem
# systemctl restart pure-ftpd-mysql
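The how-to sets chmod 600 on the PureFTPd key above and earlier stored the MariaDB root password in /etc/mysql/debian.cnf. As an added example (not from the original post), this shell snippet verifies that such credential files carry no group or other permission bits. It relies on GNU stat, and its self-check runs on constructed temporary files rather than the real paths.

```sh
#!/bin/sh
# Added example: verify that credential files are readable by their owner only.
# Uses GNU coreutils stat (-c '%a'); the real paths on the server are
# /etc/mysql/debian.cnf and /etc/ssl/private/pure-ftpd.pem.

check_private_file() {
    # Return 0 when $1 exists and its mode ends in "00" (e.g. 600 or 400),
    # i.e. no group or other bits are set.
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    case $mode in
        *00) echo "ok      $f (mode $mode)"; return 0 ;;
        *)   echo "EXPOSED $f (mode $mode) -> chmod 600 $f"; return 1 ;;
    esac
}

check_private_files() {
    # Check every path given; return 1 if any file is missing or too permissive.
    rc=0
    for f in "$@"; do
        check_private_file "$f" || rc=1
    done
    return $rc
}

selfcheck_private_files() {
    # Constructed files in a temporary directory: one correct, one too open.
    d=$(mktemp -d)
    : > "$d/debian.cnf";    chmod 600 "$d/debian.cnf"
    : > "$d/pure-ftpd.pem"; chmod 644 "$d/pure-ftpd.pem"
    check_private_file "$d/debian.cnf"    || { rm -rf "$d"; return 1; }
    check_private_file "$d/pure-ftpd.pem" && { rm -rf "$d"; return 1; }
    check_private_files "$d/debian.cnf" "$d/pure-ftpd.pem" && { rm -rf "$d"; return 1; }
    rm -rf "$d"
    return 0
}

# On the server the call would be:
#   check_private_files /etc/mysql/debian.cnf /etc/ssl/private/pure-ftpd.pem
selfcheck_private_files && echo "self-check passed"
```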
  • Configure Quota:
# nano /etc/fstab
UUID=45576b38-39e8-4994-b8c1-ea4870e2e614 / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1

# mount -o remount /
# quotacheck -avugm
# quotaon -avug
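Editing the root entry of /etc/fstab by hand is error-prone, and a broken line can leave the system unbootable. As an added example (not part of the original how-to), the following shell function adds exactly the journaled-quota options used above to the "/" entry of a given fstab file, keeps a backup, and is idempotent, so a second run changes nothing. Its self-check runs on a constructed fstab in a temporary directory, never on the live /etc/fstab.

```sh
#!/bin/sh
# Added example: add the journaled-quota options from the how-to to the root
# filesystem entry of an fstab file, without touching other lines.

QUOTA_OPTS='usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0'

enable_root_quota_options() {
    # $1: path of the fstab file to edit. A copy is kept as "$1.bak".
    # Only a non-comment line whose mount point is "/" and whose options do
    # not already contain usrjquota= is changed, so the function is idempotent.
    fstab=$1
    cp "$fstab" "$fstab.bak"
    awk -v add="$QUOTA_OPTS" '
        # fstab fields: device mountpoint fstype options dump pass
        $1 !~ /^#/ && NF >= 4 && $2 == "/" && $4 !~ /usrjquota=/ { $4 = $4 "," add }
        { print }
    ' "$fstab.bak" > "$fstab"
}

root_has_quota_options() {
    # Return 0 if the "/" entry of $1 already carries usrjquota=.
    awk '$1 !~ /^#/ && NF >= 4 && $2 == "/" && $4 ~ /usrjquota=/ { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

write_constructed_fstab() {
    # Constructed sample fstab (not from a real host); the root UUID is the
    # one shown in the how-to.
    cat > "$1" <<'EOF'
# /etc/fstab: constructed sample
UUID=45576b38-39e8-4994-b8c1-ea4870e2e614 /               ext4    errors=remount-ro 0       1
UUID=0000-1111                            /boot/efi       vfat    umask=0077        0       1
/swapfile                                 none            swap    sw                0       0
EOF
}

# Demonstration on a temporary copy; on the server the call would be
#   enable_root_quota_options /etc/fstab
# followed by the mount -o remount / and quotacheck steps above.
d=$(mktemp -d)
write_constructed_fstab "$d/fstab"
enable_root_quota_options "$d/fstab"
enable_root_quota_options "$d/fstab"     # second run: no duplicate options
cat "$d/fstab"
rm -rf "$d"
```

Always run mount -o remount / afterwards and check that it succeeds before rebooting; the .bak copy is what you restore if it does not.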
  • Install the Bind server:
# apt-get -y install bind9 dnsutils
  • If the server is a virtual machine, the haveged daemon should be installed, since it provides more entropy for DNSSEC key generation:
# apt install haveged
  • Install AWStats and Webalizer:
# apt-get install webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl
  • Disable the cron job for AWStats:
# nano /etc/cron.d/awstats

#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
  • Install Jailkit for chrooted SSH:
# apt-get -y install build-essential autoconf automake libtool flex bison debhelper binutils
# cd /tmp
# wget http://olivier.sessink.nl/jailkit/jailkit-2.20.tar.gz
# tar xvfz jailkit-2.20.tar.gz
# cd jailkit-2.20
# echo 5 > debian/compat
# ./debian/rules binary
  • and install it:
# cd ..
# dpkg -i jailkit_2.20-1_*.deb
# rm -rf jailkit-2.20*
  • Install Fail2Ban:
# apt-get -y install fail2ban
  • To have Fail2Ban monitor PureFTPd, Dovecot and Postfix SASL logins:
# nano /etc/fail2ban/jail.local

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix[mode=auth]
logpath = /var/log/mail.log
maxretry = 3
  • restart Fail2Ban:
# systemctl restart fail2ban
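A typo in a filter name in jail.local (or a filter that the installed Fail2Ban version does not ship) makes fail2ban refuse to start, so none of the jails protect anything. As an added example (not from the original post), the shell snippet below extracts the filter names from a jail file, strips parameters such as [mode=auth], and checks that a matching filter.d/<name>.conf exists. The self-check uses a constructed jail file and a simulated filter directory, not the live /etc/fail2ban.

```sh
#!/bin/sh
# Added example: pre-flight check that every filter referenced in a Fail2Ban
# jail file exists in the filter directory (on the server: /etc/fail2ban/jail.local
# and /etc/fail2ban/filter.d).

jail_filters() {
    # Print the filter names referenced by "filter = name[params]" lines in $1.
    awk -F= '/^[ \t]*filter[ \t]*=/ {
        name = $2
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        sub(/\[.*$/, "", name)          # drop [mode=auth] style parameters
        print name
    }' "$1"
}

check_jail_filters() {
    # $1: jail file, $2: filter directory. Return 1 if any filter file is missing.
    rc=0
    for name in $(jail_filters "$1"); do
        if [ -f "$2/$name.conf" ]; then
            echo "ok      $name"
        else
            echo "MISSING $name -> expected $2/$name.conf"
            rc=1
        fi
    done
    return $rc
}

write_constructed_jail() {
    # Jail file with the three jails from the how-to plus one misspelled filter;
    # constructed for the example, not copied from a real host.
    cat > "$1" <<'EOF'
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix[mode=auth]
logpath = /var/log/mail.log
maxretry = 3

[sshd]
enabled = true
filter = ssdh
logpath = /var/log/auth.log
EOF
}

# Demonstration: filter.d is simulated with the three filters the jails need,
# so only the misspelled "ssdh" is reported.
d=$(mktemp -d)
mkdir "$d/filter.d"
for f in pure-ftpd dovecot postfix; do : > "$d/filter.d/$f.conf"; done
write_constructed_jail "$d/jail.local"
check_jail_filters "$d/jail.local" "$d/filter.d" || echo "fix jail.local before restarting fail2ban"
rm -rf "$d"
# On the server: check_jail_filters /etc/fail2ban/jail.local /etc/fail2ban/filter.d
```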
  • Install the UFW firewall:
# apt-get -y install ufw
  • Install phpMyAdmin from source:
# mkdir /usr/share/phpmyadmin
# mkdir /etc/phpmyadmin
# mkdir -p /var/lib/phpmyadmin/tmp
# chown -R www-data:www-data /var/lib/phpmyadmin
# touch /etc/phpmyadmin/htpasswd.setup

# cd /tmp
# wget https://files.phpmyadmin.net/phpMyAdmin/5.0.4/phpMyAdmin-5.0.4-all-languages.tar.gz

# tar xfz phpMyAdmin-5.0.4-all-languages.tar.gz
# mv phpMyAdmin-5.0.4-all-languages/* /usr/share/phpmyadmin/
# rm phpMyAdmin-5.0.4-all-languages.tar.gz
# rm -rf phpMyAdmin-5.0.4-all-languages
  • phpMyAdmin config:
# cp /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php

$cfg['blowfish_secret'] = 'bD3e6wva9fnd93jVsb7SDgeiBCd452Dh'; /* create your own 32-character blowfish secret */
# add the line:
$cfg['TempDir'] = '/var/lib/phpmyadmin/tmp';
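The blowfish_secret shown above is only an example value; each installation needs its own random 32-character string, because a secret copied from a tutorial is public and protects the phpMyAdmin login cookie against nobody. As an added example (not part of the original post), this shell snippet generates a secret from /dev/urandom and writes it, together with the TempDir line, into a config.inc.php. The self-check uses a constructed excerpt of the file rather than the real one.

```sh
#!/bin/sh
# Added example: set a fresh 32-character blowfish_secret and the TempDir line
# in a phpMyAdmin config.inc.php. Works on any file path; the server path is
# /usr/share/phpmyadmin/config.inc.php.

gen_blowfish_secret() {
    # 24 random bytes from the kernel CSPRNG encode to exactly 32 base64 characters.
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

set_pma_secret() {
    # Replace the $cfg['blowfish_secret'] line of $1 with a freshly generated value.
    cfg=$1
    secret=$(gen_blowfish_secret)
    awk -v key="\$cfg['blowfish_secret']" -v secret="$secret" -v q="'" '
        index($0, key) == 1 { print key " = " q secret q ";"; next }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

ensure_pma_tempdir() {
    # Append the TempDir setting to $1 unless the exact line is already present.
    line="\$cfg['TempDir'] = '/var/lib/phpmyadmin/tmp';"
    grep -qxF "$line" "$1" || printf '%s\n' "$line" >> "$1"
}

pma_secret_length() {
    # Print the length of the configured blowfish_secret (0 if still empty).
    awk -v key="\$cfg['blowfish_secret']" -v q="'" '
        index($0, key) == 1 {
            value = substr($0, index($0, "= " q) + 3)   # text after the opening quote
            print index(value, q) - 1                    # up to the closing quote
            exit
        }' "$1"
}

write_constructed_pma_config() {
    # Constructed excerpt resembling config.sample.inc.php (not the real file).
    cat > "$1" <<'EOF'
<?php
/* constructed excerpt for the example */
$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
EOF
}

# Demonstration on a temporary copy; on the server:
#   set_pma_secret /usr/share/phpmyadmin/config.inc.php
#   ensure_pma_tempdir /usr/share/phpmyadmin/config.inc.php
d=$(mktemp -d)
write_constructed_pma_config "$d/config.inc.php"
set_pma_secret "$d/config.inc.php"
ensure_pma_tempdir "$d/config.inc.php"
echo "secret length: $(pma_secret_length "$d/config.inc.php")"   # 32
cat "$d/config.inc.php"
rm -rf "$d"
```

Base64 output contains only letters, digits, + and /, so the secret never needs quoting inside the PHP string.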
  • Configure Apache for phpMyAdmin:
# nano /etc/apache2/conf-available/phpmyadmin.conf
# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
 Options FollowSymLinks
 DirectoryIndex index.php

 <IfModule mod_php7.c>
 AddType application/x-httpd-php .php

 php_flag magic_quotes_gpc Off
 php_flag track_vars On
 php_flag register_globals Off
 php_value include_path .
 </IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
 <IfModule mod_authn_file.c>
 AuthType Basic
 AuthName "phpMyAdmin Setup"
 AuthUserFile /etc/phpmyadmin/htpasswd.setup
 </IfModule>
 Require valid-user
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
 Order Deny,Allow
 Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
 Order Deny,Allow
 Deny from All
</Directory>

# a2enconf phpmyadmin
# systemctl restart apache2
  • now configure the DB for phpMyAdmin:
# mysql -u root -p

MariaDB [(none)]> CREATE DATABASE phpmyadmin;
MariaDB [(none)]> CREATE USER 'pma'@'localhost' IDENTIFIED BY 'YourPassword';

MariaDB [(none)]> GRANT ALL PRIVILEGES ON phpmyadmin.* TO 'pma'@'localhost' WITH GRANT OPTION;
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;
  • now import the database schema:
# mysql -u root -p phpmyadmin < /usr/share/phpmyadmin/sql/create_tables.sql
  • Configure phpMyAdmin:
# nano /usr/share/phpmyadmin/config.inc.php
# adjust as follows (controlpass must be the password given to the pma user above):

/* User used to manipulate with storage */
$cfg['Servers'][$i]['controlhost'] = 'localhost';
$cfg['Servers'][$i]['controlport'] = '';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'YourPassword';

/* Storage database and tables */
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['relation'] = 'pma__relation';
$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
$cfg['Servers'][$i]['history'] = 'pma__history';
$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
$cfg['Servers'][$i]['favorite'] = 'pma__favorite';
$cfg['Servers'][$i]['users'] = 'pma__users';
$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
$cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
  • Install Roundcube as the webmail client:
# echo "CREATE DATABASE roundcube;" | mysql --defaults-file=/etc/mysql/debian.cnf

# apt-get -y install roundcube roundcube-core roundcube-mysql roundcube-plugins
Configure database for roundcube with dbconfig.common? <-- yes
MySQL application password for roundcube: <-- press enter
  • Configure Roundcube:
# nano /etc/roundcube/config.inc.php

$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';
  • now adjust the Apache configuration:
# nano /etc/apache2/conf-enabled/roundcube.conf

# right at the start of the file - mail must not be used as the alias
Alias /roundcube /var/lib/roundcube
Alias /webmail /var/lib/roundcube

# systemctl reload apache2
  • Roundcube is reached via: http://IP-address/webmail or http://websrv01.domain.tld/webmail or, once ISPConfig is installed, http://servername.domain.tld:8080/webmail
  • Install ISPConfig:
# cd /tmp
# wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
# tar xfz ISPConfig-3-stable.tar.gz
# cd ispconfig3_install/install/

# php -q install.php

Select language (en,de) [en]: <-- Hit Enter
Installation mode (standard,expert) [standard]: <-- Hit Enter
Full qualified hostname (FQDN) of the server, eg websrv01.domain.tld [websrv01.example.com]: <-- Hit Enter
MySQL server hostname [localhost]: <-- Hit Enter
MySQL server port [3306]: <-- Hit Enter
MySQL root username [root]: <-- Hit Enter
MySQL root password []: <-- MySQL root password
MySQL database to create [dbispconfig]: <-- Hit Enter
MySQL charset [utf8]: <-- Hit Enter
Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
.......................................................................++
........................................................................................................................................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- country code DE
State or Province Name (full name) [Some-State]: <-- state
Locality Name (eg, city) []: <-- city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- company name
Organizational Unit Name (eg, section) []: <-- department
Common Name (e.g. server FQDN or YOUR name) []: <-- websrv01.domain.tld
Email Address []: <-- Hit Enter
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Jailkit
Configuring Pureftpd
Configuring Apache
Configuring vlogger
[INFO] service Metronome XMPP Server not detected
Configuring Ubuntu Firewall
Configuring Fail2ban
[INFO] service OpenVZ not detected
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]:
Admin password [admin]: <-- enter the admin password for the ISPConfig panel
Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- Hit Enter
Generating RSA private key, 4096 bit long modulus
.......................++
................................................................................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- 2-letter country code DE
State or Province Name (full name) [Some-State]: <-- state
Locality Name (eg, city) []: <-- city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- company name
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- websrv01.domain.tld
Email Address []: <-- Hit Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Hit Enter
An optional company name []: <-- Hit Enter
writing RSA key

Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.
  • the panel is now reachable at http(s)://IP-address:8080 or http(s)://servername.domain.tld:8080

That's it .. Have fun
