The Perfect Setup - Debian

The Perfect Setup - Debian Sarge (3.1) Versi 1,9

Pengarang: Falko Timme
Last edited 12/01/2006

Ini adalah deskripsi rinci tentang langkah-langkah yang akan diambil untuk setup server berbasis Debian (Debian Sarge alias Debian 3.1) yang menawarkan semua layanan yang dibutuhkan oleh ISP dan hosters (web server (SSL-capable), mail server (dengan SMTP-auth dan TLS!), server DNS, FTP server, MySQL server, POP3/POP3s/IMAP/IMAPs, Quota, Firewall, dll).

Saya akan menggunakan perangkat lunak berikut ini:
• Web Server: Apache 2.0.x
• Mail Server: Postfix (easier to configure than sendmail; has a shorter history of security holes than sendmail)
• DNS Server: BIND9
• FTP Server: proftpd
• POP3/POP3s/IMAP/IMAPs: in this example you can choose between the traditional UNIX mailbox format (we then use ipopd/uw-imapd) or the Maildir format (in this case we will use Courier-POP3/Courier-IMAP).
• Webalizer for web site statistics

Pada akhirnya Anda harus sudah memiliki sistem yang bekerja terpercaya dan siap untuk bebas WebHosting control panel ISPConfig (ie, ISPConfig runs on it out of the box).

Saya ingin mengatakan bahwa pertama ini bukan satu-satunya cara untuk menyiapkan suatu sistem. Ada banyak cara untuk mencapai tujuan ini, tetapi ini adalah cara yang saya bawa. Saya tidak ada jaminan bahwa masalah ini akan bekerja untuk anda! Persyaratan

Untuk memasang sistem seperti itu Anda akan memerlukan berikut ini:
Debian Sarge Netinstall CD (tersedia di sini:
http://ftp.de.debian.org/debian-cd/3.1_r0a/i386/iso-cd/debian-31r0a-i386-netinst.iso)
Koneksi internet saya akan menjelaskan sebuah jaringan instalasi pada dokumen ini

1 Base Sistem
Sarge Netinstall Anda memasukkan CD ke sistem anda dan boot dari (masukkan linux26 pada prompt boot untuk menginstal 2,6 kernel). Pemasangan dimulai, dan pertama Anda harus memilih bahasa anda:



Pilih Negara :



Pilih jenis keyboard layout :



Deteksi Hardware:


Masukan nama host nya:

Masukan nama domain bebas example.com:


Sekarang anda harus partisi hard disk. Aku akan membuat satu partisi besar (dengan mount point /) dan sebuah partisi swap:


















Dasar sistem yang sekarang sedang terpasang:



Aku memasang boot loader GRUB pada master boot record:


Kemudian keluarkan CD Sarge Netinstall dari sistem anda dan reboot :








Configurasi time zone:




Enter a password for root:


Create a second user admin:





Choose your installation method. Since I want to do an installtion over the network I select http or ftp.





Enter a proxy for the installtion (if necessary). Normally you can leave this field empty.

Under Debian software selection I only choose Mail server. I will install all other services manually later on.

The network installation starts:

Continue installing libc-client without Maildir support. If you want to use Maildir you can install Courier-POP3/Courier-IMAP (explained later on):

Do not configure Exim as we will replace it with Postfix later on:





Congratulations! Your base system is finished now:

Langkah selanjutnya ...

2 Installing And Configuring The Rest Of The System
Configure The Network
Because the Debian Sarge installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0. 1

Jika Anda ingin menambahkan alamat IP 192.168.0.101 ke antarmuka eth0, Anda harus mengubah file agar terlihat seperti ini:

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
auto lo
iface lo inet loopback
# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

auto eth0:0
iface eth0:0 inet static
address 192.168.0.101
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

hen restart your network:
/etc/init.d/networking restart
Edit /etc/resolv.conf and add some nameservers:
search server
nameserver 145.253.2.75
nameserver 193.174.32.18
nameserver 194.25.0.60

Edit /etc/hosts and add your new IP addresses:

127.0.0.1 localhost.localdomain localhost server1
192.168.0.100 server1.example.com server1
192.168.0.101 virtual-ip1.example.com virtual-ip1

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Setting The Hostname
echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname
Install/Remove Some Software
Now let's install some software we need later on and remove some packages that we do not need:
apt-get install wget bzip2 rdate fetchmail libdb3++-dev unzip zip ncftp xlispstat libarchive-zip-perl zlib1g-dev libpopt-dev nmap openssl lynx fileutils g++
apt-get remove lpr nfs-common portmap pidentd pcmcia-cs pppoe pppoeconf ppp pppconfig
update-rc.d -f exim remove
update-inetd --remove daytime
update-inetd --remove telnet
update-inetd --remove time
update-inetd --remove finger
update-inetd --remove talk
update-inetd --remove ntalk
update-inetd --remove ftp
update-inetd --remove discard
<- Yes
/etc/init.d/openbsd-inetd reload

Quota
apt-get install quota quotatool
<- No
Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partition with the mount point /):
# /etc/fstab: static file system information.
#
#
proc /proc proc defaults 0 0
/dev/sda1 / ext3 defaults,errors=remount-ro,usrquota,grpquota 0 1
/dev/sda5 none swap sw 0 0
/dev/hdc /media/cdrom0 iso9660 ro,user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
Then run:
touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

DNS-Server
apt-get install bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user 'bind', chrooted to /var/lib/named. Modify the line: OPTS="-u bind" so that it reads OPTS="-u bind -t /var/lib/named":
OPTIONS="-u bind -t /var/lib/named"

Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to modify the startup script /etc/init.d/sysklogd of sysklogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log":
#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd

test -x $binpath || exit 0

# Options for start/restart the daemons
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"

create_xconsole()
{
if [ ! -e /dev/xconsole ]; then
mknod -m 640 /dev/xconsole p
else
chmod 0640 /dev/xconsole
fi
chown root:adm /dev/xconsole
}

running()
{
# No pidfile, probably no daemon present
#
if [ ! -f $pidfile ]
then
return 1
fi

pid=`cat $pidfile`

# No pid, probably no daemon present
#
if [ -z "$pid" ]
then
return 1
fi

if [ ! -d /proc/$pid ]
then
return 1
fi

cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1`

# No syslogd?
#
if [ "$cmd" != "$binpath" ]
then
return 1
fi

return 0
}

case "$1" in
start)
echo -n "Starting system log daemon: syslogd"
create_xconsole
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
echo "."
;;
stop)
echo -n "Stopping system log daemon: syslogd"
start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
echo "."
;;
reload|force-reload)
echo -n "Reloading system log daemon: syslogd"
start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
echo "."
;;
restart)
echo -n "Restarting system log daemon: syslogd"
start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
sleep 1
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
echo "."
;;
reload-or-restart)
if running
then
echo -n "Reloading system log daemon: syslogd"
start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
else
echo -n "Restarting system log daemon: syslogd"
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
fi
echo "."
;;
*)
echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
exit 1
esac

exit 0
Restart the logging daemon:
/etc/init.d/sysklogd restart
Start up BIND, and check /var/log/syslog for any errors:
/etc/init.d/bind9 start





MySQL
apt-get install mysql-server mysql-client libmysqlclient12-dev
mysqladmin -u root password yourrootsqlpassword
When you run netstat -tap you should now see a line like this:
tcp 0 0 localhost.localdo:mysql *:* LISTEN 2449/mysqld

which means that MySQL is accessible on 127.0.0.1 on port 3306. You can go to the next section (Postfix). If you do not see this line, edit /etc/mysql/my.cnf and comment out skip-networking:

# skip-networking

If you want MySQL to listen on all available IP addresses, edit /etc/mysql/my.cnf and comment out bind-address = 127.0.0.1:

#bind-address = 127.0.0.1

If you had to edit /etc/mysql/my.cnf you have to restart MySQL:
/etc/init.d/mysql restart
If MySQL is listening on all interfaces, you must now also set a MySQL password for server1.example.com because otherwise anybody could access your database:
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

Postfix/POP3/IMAP
In order to install Postfix with SMTP-AUTH and TLS as well as a POP3 server that also does POP3s (port 995) and an IMAP server that is also capable of IMAPs (port 993) do the following steps:
apt-get install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules ipopd-ssl uw-imapd-ssl (1 line!)
<- pop3 and pop3s
<- No
<- Internet Site
<- NONE
<- server1.example.com
<- server1.example.com, localhost.example.com, localhost
<- No
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
The file /etc/postfix/main.cf should now look like this:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/init.d/postfix restart
Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd
Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes and add the line PARAMS="-m /var/spool/postfix/var/run/saslauthd -r":
# This needs to be uncommented before saslauthd will be run automatically
START=yes

PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

We must also edit /etc/init.d/saslauthd and change the location of saslauthd's PID file. Change the value of PIDFILE to /var/spool/postfix/var/run/${NAME}/saslauthd.pid:
PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"

Now start saslauthd:
/etc/init.d/saslauthd start

Next we create the file /etc/c-client.cf with the following contents:
I accept the risk
set disable-plaintext 0

and restart inetd:
/etc/init.d/openbsd-inetd restart
If we don't do this, then our POP3/IMAP logins will fail.

To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your postfix mail server type
ehlo localhost
If you see the lines
250-STARTTLS
and
250-AUTH
everything is fine.

Type
quit
to return to the system's shell.

Courier-IMAP/Courier-POP3
If you want to use a POP3/IMAP daemon that has Maildir support (if you do not want to use the traditional Unix mailbox format) you can install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995). Otherwise you can proceed with the Apache configuration.
apt-get install courier-imap courier-imap-ssl courier-pop courier-pop-ssl
<- No
ipopd and UW-IMAP will then be replaced.
Then configure Postfix to deliver emails to a user's Maildir*:
postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart
*Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please go sure to enable Maildir under Management -> Settings -> EMail in the ISPConfig web interface.
Apache
Run
apt-get install apache2 apache2-doc
apt-get install libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick (1 line!)
Edit /etc/apache2/apache2.conf. Change
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
to
DirectoryIndex index.html index.htm index.shtml index.cgi ind
Edit /etc/mime.types and comment out the following lines:
#application/x-httpd-php phtml pht php
#application/x-httpd-php-source phps
#application/x-httpd-php3 php3
#application/x-httpd-php3-preprocessed php3p
#application/x-httpd-php4 php4

Edit /etc/apache2/mods-enabled/php4.conf and comment out the following lines:

# AddType application/x-httpd-php .php .phtml .php3
# AddType application/x-httpd-php-source .phps


Edit /etc/apache2/ports.conf and add Listen 443:
Listen 80
Listen 443

Now we have to enable some Apache modules (SSL, rewrite and suexec):
a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include
Restart Apache:
/etc/init.d/apache2 restart

Proftpd
apt-get install proftpd
<- standalone
For security reasons you can add the following lines to /etc/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.linux.co.uk/localsite/Userguide/linked/userguide.html):
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
and restart Proftpd:
/etc/init.d/proftpd restart

Webalizer
apt-get install webalizer
<- /var/www/webalizer
<- Usage Statistics for
<- /var/log/apache/access.log.1

Synchronize the System Clock
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the internet. Simply run
apt-get install ntp ntpdate
and your system time will always be in sync.

Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)
Installation using the Perl Shell
Login to your command line as root and run the following command to start the Perl shell:
perl -MCPAN -e shell
If you run the Perl shell for the first time you will be asked some questions. In most cases the default answers are ok.
Please note: If you run a firewall on your system you might have to turn it off while working on the Perl shell in order for the Perl shell to be able to fetch the needed modules without a big delay. You can switch it on afterwards.
The big advantage of the Perl shell compared to the two other methods described here is that it cares about dependencies when installing new modules. I.e., if it turns out that a prerequisite Perl module is missing when you install another module the Perl shell asks you if it should install the prerequisite module for you. You should answer that question with "Yes".
Run the following commands to install the modules needed by SpamAssassin:
install HTML::Parser
install DB_File
install Net::DNS (when prompted to enable tests, choose no)
q (to leave the Perl shell)
If a module is already installed on your system you will get a message similar to this one:
HTML::Parser is up to date.
Successful installation of a module looks like this:
/usr/bin/make install -- OK

Compile a Custom Kernel
If you need to compile a new kernel for some reason (e.g. because you want to use the latest bleeding-edge kernel or need a feature that the standard Debian kernel does not offer), you can find more information here: Debian-Kernel-Compile-Howto.

The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.
A Note On SuExec
If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Debian's suExec is compiled with /var/www as Doc_Root. Run /usr/lib/apache2/suexec2 -V, and the output should look like this:

To select /var/www as the home directory for websites during the installation of ISPConfig do the following: When you are asked for the installation mode, select the expert mode.

Later during the installation you are asked if the default directory /home/www should be the directory where ISPConfig will create websites in. Answer n and enter /var/www as the home directory for websites.