ISPConfig unter Debian installieren

JARVIS

vor 3 Jahren

Debian als Netinstall installiert (Standard Tools, SSH)
# nano /etc/ssh/sshd_config – PermitRootLogin yes
# nano /etc/apt/sources.list hier contrib non-free hinzufügen

deb http://deb.debian.org/debian/ buster main contrib non-free
deb-src http://deb.debian.org/debian/ buster main contrib non-free

deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb-src http://security.debian.org/debian-security buster/updates main contrib non-free

deb http://deb.debian.org/debian/ buster-updates main contrib non-free
deb-src http://deb.debian.org/debian/ buster-updates main contrib non-free

# apt update & apt upgrade

Kontrolle des Hostnamen (# nano /etc/hostname) : # hostname -> websrv01
Kontrolle des FQDN (# nano /etc/hosts): # hostname -f -> websrv01.domain.tld
Default Shell setzen: # dpkg-reconfigure dash -> hier bei /bin/sh no auswählen
Zeit synchronisieren: # apt install ntp
Postfix, Dovecot, MariaDB, rkhunterund Binutils installieren:

# apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo curl

Postfix als Internet-Site und als E-Mail Name den FQDN websrv01.domain.tld installieren
MySQL absichern:

# mysql_secure_installation
Enter current password for root (enter for none):
Change the root password? [Y/n] <-- y
New password: <-- Enter a new MariaDB root password
Re-enter new password: <-- Repeat the MariaDB root password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Remove test database and access to it? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

Postfix konfigurieren und folgende Zeilen aktivieren bzw. abändern:

# nano /etc/postfix/master.cf
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject

smtps inet n - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# systemctl restart postfix

MySQL lasse ich auf localhost lauschen ansonsten: # nano /etc/mysql/mariadb.conf.d/50-server.cnf und dort auskommentieren -> # bind-address = 127.0.0.1
Damit phpMyAdmin sich mit der Datenbank verbinden kann muss folgendes ausgeführt werden:

echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root

Nun das Passwort für die MySQL setzen:

# nano /etc/mysql/debian.cnf

[client]
host = localhost
user = root
password = <MySQL-PW-hier>
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = >MySQL-PW-hier>
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

den Fehler Error in accept: Too many open files in MariaDB entgegenwirken: # nano /etc/security/limits.conf und folgende Zeilen an das Ende hinzufügen:

mysql soft nofile 65535
mysql hard nofile 65535

Nun einen Service erstellen:
und folgendes Eintragen

# mkdir -p /etc/systemd/system/mysql.service.d/
# nano /etc/systemd/system/mysql.service.d/limits.conf

[Service]
LimitNOFILE=infinity

Dienste neustarten:

# systemctl daemon-reload && systemctl restart mariadb

überprüfen ob MySQL läuft:

# netstat -tap | grep mysql
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN 26294/mysqld

Amavisd-New, Spamassasin und ClamAV installieren:

# apt-get -y install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract p7zip p7zip-full unrar lrzip apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey

ISPConfig läd SpamAssassin über amavisd welches dann SpamAssassin und die Bibliotheken lädt. So können wir RAM freigeben:

# systemctl stop spamassassin && systemctl disable spamassassin

den Webserver Apache und PHP installieren:

# apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.3 php7.3-common php7.3-gd php7.3-mysql php7.3-imap php7.3-cli php7.3-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear mcrypt  imagemagick libruby libapache2-mod-python php7.3-curl php7.3-intl php7.3-pspell php7.3-recode php7.3-sqlite3 php7.3-tidy php7.3-xmlrpc php7.3-xsl memcached php-memcache php-imagick php-gettext php7.3-zip php7.3-mbstring memcached libapache2-mod-passenger php7.3-soap php7.3-fpm php7.3-opcache php-apcu libapache2-reload-perl

nun benötigte Module aktivieren:

# a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest cgi headers actions proxy_fcgi alias

Webserver gegen die HTTPPoxy Lücke absichern:

# nano /etc/apache2/conf-available/httpoxy.conf

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

# a2enconf httpoxy
# systemctl restart apache2

Lets Encrypt Client installieren:

# curl https://get.acme.sh | sh -s
Good, bash is found, so change the shebang to use bash as preferred.
OK
Install success!

PureFTPd und Quota installieren:

# apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool

nun die dhparam Datei für PureFTPd erstellen:

# openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

# nano /etc/default/pure-ftpd-common
STANDALONE_OR_INETD=standalone
VIRTUALCHROOT=true

PureFTPd mit TLS konfigurieren:

# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- Land eintragen z.B. DE
State or Province Name (full name) [Some-State]: <-- Bundesland eintragen
Locality Name (eg, city) []: <-- Stadt eintragen
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Firmenname eintragen
Organizational Unit Name (eg, section) []: <-- Abteilung eintragen
Common Name (eg, YOUR name) []: <-- FQDN eintragen
Email Address []: <-- die Mailadresse des Systems eintragen

# chmod 600 /etc/ssl/private/pure-ftpd.pem
# systemctl restart pure-ftpd-mysql

Quota konfigurieren:

# nano /etc/fstab
UUID=45576b38-39e8-4994-b8c1-ea4870e2e614 / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1

# mount -o remount /
# quotacheck -avugm
# quotaon -avug

Bind Server instalieren:

# apt-get -y install bind9 dnsutils

wenn der Server ein virtueller ist dann sollte der daemon haveged installiert werden da dadurch eine höhere Entropy für DNSSEC erreicht wird:

# apt install haveged

AWStas und WebAlizer installieren:

# apt-get install webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl

Cron für AWStats deaktivieren:

# nano /etc/cron.d/awstats

#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

Jailkit für die Nutzung von chroot SSH installieren

# apt-get -y install build-essential autoconf automake libtool flex bison debhelper binutils

# cd /tmp
# wget http://olivier.sessink.nl/jailkit/jailkit-2.20.tar.gz
# tar xvfz jailkit-2.20.tar.gz
# cd jailkit-2.20
# echo 5 > debian/compat./debian/rules binary

und installieren:

# cd ..
# dpkg -i jailkit_2.20-1_*.deb
# rm -rf jailkit-2.20*

Fail2Ban installieren:

# apt-get -y install fail2ban

um Fail2Ban PureFTPd und Dovecot zu monitoren:

# nano /etc/fail2ban/jail.local

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix[mode=auth]
logpath = /var/log/mail.log
maxretry = 3

restart:

# systemctl restart fail2ban

UFW Firewall installieren:

# apt-get -y install ufw

PHPMyAdmin von Source installieren:

# mkdir /usr/share/phpmyadmin
# mkdir /etc/phpmyadmin
# mkdir -p /var/lib/phpmyadmin/tmp
# chown -R www-data:www-data /var/lib/phpmyadmin
# touch /etc/phpmyadmin/htpasswd.setup

# cd /tmp
# wget https://files.phpmyadmin.net/phpMyAdmin/5.0.4/phpMyAdmin-5.0.4-all-languages.tar.gz

# tar xfz phpMyAdmin-5.0.4-all-languages.tar.gz
# mv phpMyAdmin-5.0.4-all-languages/* /usr/share/phpmyadmin/
# rm phpMyAdmin-5.0.4-all-languages.tar.gz
# rm -rf phpMyAdmin-5.0.4-all-languages

PHPMyAdmin Konfig:

# cp /usr/share/phpmyadmin/config.sample.inc.php  /usr/share/phpmyadmin/config.inc.php

$cfg['blowfish_secret'] = 'bD3e6wva9fnd93jVsb7SDgeiBCd452Dh'; /* Eigenes BLOWFISH PW mit 32 Zeichen erstellen*/
# Zeile hinzufügen:
$cfg['TempDir'] = '/var/lib/phpmyadmin/tmp';

Apache für PHPMyAdmin konfigurieren:

# nano /etc/apache2/conf-available/phpmyadmin.conf
# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
 Options FollowSymLinks
 DirectoryIndex index.php

 <IfModule mod_php7.c>
 AddType application/x-httpd-php .php

 php_flag magic_quotes_gpc Off
 php_flag track_vars On
 php_flag register_globals Off
 php_value include_path .
 </IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
 <IfModule mod_authn_file.c>
 AuthType Basic
 AuthName "phpMyAdmin Setup"
 AuthUserFile /etc/phpmyadmin/htpasswd.setup
 </IfModule>
 Require valid-user
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
 Order Deny,Allow
 Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
 Order Deny,Allow
 Deny from All
</Directory>

# a2enconf phpmyadmin
# systemctl restart apache2

nun die DB für PHPMyAdmin konfigurieren:

# mysql -u root -p

MariaDB [(none)]> CREATE DATABASE phpmyadmin;
MariaDB [(none)]> CREATE USER 'pma'@'localhost' IDENTIFIED BY 'DeinPassword';

MariaDB [(none)]> GRANT ALL PRIVILEGES ON phpmyadmin.* TO 'pma'@'localhost' IDENTIFIED BY 'mypassword' WITH GRANT OPTION;
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;

nun die Datenbank importieren:

# mysql -u root -p phpmyadmin < /usr/share/phpmyadmin/sql/create_tables.sql

PHPMyAdmin konfigurieren:

# nano /usr/share/phpmyadmin/config.inc.php
# so anpassen:

/* User used to manipulate with storage */
$cfg['Servers'][$i]['controlhost'] = 'localhost';
$cfg['Servers'][$i]['controlport'] = '';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'PHPMyAdmin-Passwort';

/* Storage database and tables */
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['relation'] = 'pma__relation';
$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
$cfg['Servers'][$i]['history'] = 'pma__history';
$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
$cfg['Servers'][$i]['favorite'] = 'pma__favorite';
$cfg['Servers'][$i]['users'] = 'pma__users';
$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
$cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';

als Webmailer Roundcube installieren:

# echo "CREATE DATABASE roundcube;" | mysql --defaults-file=/etc/mysql/debian.cnf

# apt-get -y install roundcube roundcube-core roundcube-mysql roundcube-plugins
Configure database for roundcube with dbconfig.common? <-- yes
MySQL application password for roundcube: <-- press enter

Roundcube konfigurieren:

# nano /etc/roundcube/config.inc.php

$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';

nun die Apache Konfiguration anpassen:

# nano /etc/apache2/conf-enabled/roundcube.conf

# direkt an den Anfang der Datei - darf nicht mail als Alias verwendet werden
Alias /roundcube /var/lib/roundcube
Alias /webmail /var/lib/roundcube

# systemctl reload apache2

Zugriff auf Roundcube per: http://IP-Adresse/webmail oder http://websrv01.domain.tld/webmail oder wenn ISPConfig installiert ist http://servername.domain.tld:8080/webmail

ISPConfig installieren:

# cd /tmp
# wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
# tar xfz ISPConfig-3-stable.tar.gz
# cd ispconfig3_install/install/

# php -q install.php

Select language (en,de) [en]: <-- Hit Enter
Installation mode (standard,expert) [standard]: <-- Hit Enter
Full qualified hostname (FQDN) of the server, eg websrv01.domain.tld [websrv01.example.com]: <-- Hit Enter
MySQL server hostname [localhost]: <-- Hit Enter
MySQL server port [3306]: <-- Hit Enter
MySQL root username [root]: <-- Hit Enter
MySQL root password []: <-- MySQL root Passwort
MySQL database to create [dbispconfig]: <-- Hit Enter
MySQL charset [utf8]: <-- Hit Enter
Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
.......................................................................++
........................................................................................................................................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Landercode DE
State or Province Name (full name) [Some-State]: <-- Bundesland
Locality Name (eg, city) []: <-- Stadtname
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Firmenname
Organizational Unit Name (eg, section) []: <-- Abteilung
Common Name (e.g. server FQDN or YOUR name) []: <-- websrv01.domain.tld
Email Address []: <-- Hit Enter
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Jailkit
Configuring Pureftpd
Configuring Apache
Configuring vlogger
[INFO] service Metronome XMPP Server not detected
Configuring Ubuntu Firewall
Configuring Fail2ban
[INFO] service OpenVZ not detected
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]:
Admin password [admin]: <-- Admin Passwort für ISPConfig Panel eingeben
Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- Hit Enter
Generating RSA private key, 4096 bit long modulus
.......................++
................................................................................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- 2 Zeichen für das Land DE
State or Province Name (full name) [Some-State]: <-- Bundesland
Locality Name (eg, city) []: <-- Stadtname
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Firmenname
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- websrv01.domain.tld
Email Address []: <-- Hit Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Hit Enter
An optional company name []: <-- Hit Enter
writing RSA key

Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.

nun ist das Panel unter http(s)://IP-Adresse:8080 oder http(s)://servername.domain.tld:8080 erreichbar

Thats it .. Have Fun

JARVIS

Interessiert in verschiedenste IT Themen, schreibe ich in diesem Blog über Software, Hardware, Smart Home, Games und vieles mehr. Ich berichte z.B. über die Installation und Konfiguration von Software als auch von Problemen mit dieser. News sind ebenso spannend, sodass ich auch über Updates, Releases und Neuigkeiten aus der IT berichte. Letztendlich nutze ich Taste-of-IT als eigene Dokumentation und Anlaufstelle bei wiederkehrenden Themen. Ich hoffe ich kann dich ebenso informieren und bei Problemen eine schnelle Lösung anbieten. Wer meinen Aufwand unterstützen möchte, kann gerne eine Tasse oder Pod Kaffe per PayPal spenden – vielen Dank.