Perfect Server on Ubuntu 9.10
full circle magazine #31 contents ^
BUILD THE PERFECT SERVER WITH UBUNTU 9.10
Full Circle Magazine Specials
Full Circle Magazine
The articles contained in this magazine are released under the Creative Commons Attribution-Share Alike 3.0 Unported license. This means you can adapt, copy, distribute and transmit the articles but only under the following conditions:
You must attribute the work to the original author in some way (at least a name, email or URL) and to this magazine by name ('full circle magazine') and the URL www.fullcirclemagazine.org (but not attribute the article(s) in any way that suggests that they endorse you or your use of the work). If you alter, transform, or build upon this work, you must distribute the resulting work under the same, similar or a compatible license.
Full Circle Magazine is entirely independent of Canonical, the sponsor of Ubuntu projects and the views and opinions in the magazine should in no way be assumed to have Canonical endorsement.
Please note: this Special Edition is provided with absolutely no warranty whatsoever; neither the contributors nor Full Circle Magazine accept any responsibility or liability for loss or damage resulting from readers choosing to apply this content to their or others' computers and equipment.
About Full Circle
Full Circle is a free, independent, magazine dedicated to the Ubuntu family of Linux operating systems. Each month, it contains helpful how-to articles and reader-submitted stories.
Full Circle also features a companion podcast, the Full Circle Podcast which covers the magazine, along with other news of interest.
Welcome to another 'single-topic special'
In response to reader requests, we are assembling the content of some of our serialised articles into dedicated editions.
For now, this is a straight reprint of the series 'The Perfect Server' from issues 31 through 34; nothing fancy, just the facts.
Please bear in mind the original publication date; current versions of hardware and software may differ from those illustrated, so check your hardware and software versions before attempting to emulate the tutorials in these special editions. You may have later versions of software installed or available in your distributions' repositories.
Enjoy!
Find Us
Website: http://www.fullcirclemagazine.org/
Forums: http://ubuntuforums.org/forumdisplay.php?f=270
IRC: #fullcirclemagazine on chat.freenode.net
Editorial Team
Editor: Ronnie Tucker (aka: RonnieTucker) [email protected]
Webmaster: Rob Kerfia (aka: admin / linuxgeekery- [email protected]
Podcaster: Robin Catling (aka RobinCatling) [email protected]
Communications Manager: Robert Clipsham (aka: mrmonday) - [email protected]
HOW-TO The Perfect Server - Part 1
This tutorial shows how to prepare an Ubuntu 9.10 (Karmic Koala) server for ISPConfig 3, and how to install ISPConfig 3 on it. ISPConfig 3 is a webhosting control panel that allows you to configure the following services through a web browser: Apache web server, Postfix mail server, MySQL, MyDNS name server, PureFTPd, SpamAssassin, ClamAV, and many more.
FCM09 - 16 : Server Series 1 - 8
FCM28 - 29 : LAMP Server 1 - 2
Please note that this setup does not work for ISPConfig 2. It is valid for ISPConfig 3 only!
Requirements
To install such a system you will need the Ubuntu 9.10 server CD, available here: http://releases.ubuntu.com/releases/9.10/ubuntu-9.10-server-i386.iso (32-bit) or: http://releases.ubuntu.com/releases/9.10/ubuntu-9.10-server-amd64.iso (64-bit)
Preliminary Note
In this tutorial, I use the host name server1.example.com, with IP address 192.168.0.100 and gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.
The Base System
Insert your Ubuntu install CD into your system and boot from it. Select your language, then select Install Ubuntu Server:
Choose your language (again), location, and keyboard layout.
The installer checks the installation CD and your hardware, and configures the network with DHCP if there is a DHCP server on the network:
Enter the host name. In this example, my system is called server1.example.com, so I enter server1:
Now you have to partition your hard disk. For simplicity's sake, I select Guided, use entire disk and set up LVM. This will create one volume group with two logical volumes - one for the / file system, and another one for swap. Of course, the partitioning is totally up to you - if you know what you're doing, you can also set up your partitions manually. You may find it helpful in future months if you set up separate /home and /var partitions.
Select the disk that you want to partition, and, when you're asked 'Write the changes to disk and configure LVM?', select Yes.
If you have selected Guided, use entire disk and set up LVM, the partitioner will create one big volume group that uses all the disk space. You can now specify how much of that disk space should be used by the logical volumes for / and swap. It makes sense to leave some space unused, so later on you can expand your existing logical volumes, or create new ones. This gives you more flexibility.
When you're finished, hit Yes when asked "Write the changes to disks?":
Your new partitions are created and formatted:
Then the base system is installed:
Create a user, for example the user Administrator, with the user name administrator. Don't use the user name admin as it is a reserved name on Ubuntu 9.10.
I don't need an encrypted private directory, so I choose No here:
Next, the package manager apt gets configured. Leave the HTTP proxy line empty unless you're using a proxy server to connect to the Internet:
I'm a little bit old-fashioned, and I like to update my servers manually to have more control, therefore I select No automatic updates. Of course, it's up to you what you select there.
We need DNS, mail, and LAMP servers, but, nevertheless, I don't select any of them now because I like to have full control over what gets installed on my system. We will install the needed packages manually later on. The only item I select here is OpenSSH server, so that I can immediately connect to the system with an SSH client such as PuTTY after the installation has finished:
The installation continues, then the GRUB boot loader gets installed.
The base system installation is now finished. Remove the installation CD from the CD drive and select Continue to reboot the system:
full circle magazine #32 contents ^
HOW-TO The Perfect Server - Part 2
Last month, we did the basic Ubuntu Server installation from CD, and got to the point of rebooting into the installed system.
FCM09 - 16 : Server Series 1 - 8
FCM28 - 29 : LAMP Server 1 - 2
FCM31 : The Perfect Server 1
Get Root Privileges
After the reboot you can login with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing:
sudo su
You can also enable the root login by running:
sudo passwd root
and giving root a password. You can then directly log in as root, but this is frowned upon by the Ubuntu developers and community for various reasons. (See http://ubuntuforums.org/showthread.php?t=765414)
Install The SSH Server (Optional)
If you did not install the OpenSSH server during the system installation, you can do it now:
aptitude install ssh openssh-server
From now on, you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu 9.10 server and follow the remaining steps in this tutorial.
Install vim-nox (Optional)
I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-nox:
aptitude install vim-nox
You don't have to do this if you use a different text editor such as joe or nano.
Configure The Network
Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
Restart your network with:
/etc/init.d/networking restart
Then edit /etc/hosts:
vi /etc/hosts
and make it look like the text shown in Fig.1.
Now run
echo server1.example.com > /etc/hostname
and reboot the server with:
reboot
Afterwards, run:
hostname
hostname -f
Both should show server1.example.com now.
Edit sources.list And Update Your Linux Installation
Edit /etc/apt/sources.list:
vi /etc/apt/sources.list
Comment out or remove the installation CD from the file, and make sure that the universe and multiverse repositories are enabled.
Then run
aptitude update
to update the apt package database, and
aptitude safe-upgrade
to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards with:
reboot
Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:
dpkg-reconfigure dash
Install dash as /bin/sh? Choose: No
If you don't do this, the ISPConfig installation will fail.
Disable AppArmor
AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion, you don't need it to configure a secure system, and it usually causes more problems than it has advantages (think of this - after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was OK, only AppArmor was causing the problem). Therefore, I disable it (this is a must if you want to install ISPConfig later on).
We can disable it like this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
aptitude remove apparmor apparmor-utils
Synchronize the System Clock
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run
aptitude install ntp ntpdate
and your system time will always be in sync.
Fig.1: /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.0.100 server1.example.com server1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
full circle magazine #33 contents ^
HOW-TO The Perfect Server - Part 3
FCM09 - 16 : Server Series 1 - 8
FCM28 - 29 : LAMP Server 1 - 2
FCM31 - 32 : The Perfect Server 1 - 2
We can install Postfix, Courier, Saslauthd, MySQL, rkhunter, and binutils - with a single command:
(Prefix each command with sudo, if appropriate).
aptitude install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl getmail4 rkhunter binutils
You will be asked the following questions:
New password for the MySQL "root" user
Repeat password for the MySQL "root" user
Create directories for web-based administration? Enter:
General type of mail configuration: Enter:
System mail name: Enter: (but using your .com)
SSL certificate required Enter:
Next we install maildrop as follows:
update-alternatives --remove-all maildir.5
update-alternatives --remove-all maildirquota.7
aptitude install maildrop
You will ask yourself why we didn't install maildrop together with all the other packages. The reason for this is a bug in the courier-base package - if you install maildrop together with courier-pop, courier-pop-ssl, courier-imap, and courier-imap-ssl, you will get the following error:
update-alternatives: error: alternative link /usr/share/man/man5/maildir.5.gz is already managed by maildir.5.gz.
We want MySQL to listen on all interfaces, not just localhost. Therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:
vi /etc/mysql/my.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
Then we restart MySQL:
/etc/init.d/mysql restart
Now check that networking is enabled. Run:
netstat -tap | grep mysql
The output should look like this:
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 6267/mysqld
root@server1:~#
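The check above confirms one service. As an added example (not part of the original article), the script below goes a step further and sorts every TCP listener reported by `netstat -tln` into loopback-only, expected, and needs-review. The allow list and the sample output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): classify TCP listeners taken from
# `netstat -tln` so that services bound to every interface stand out.

# Assumption: ports this tutorial's server is meant to offer to the network
# (FTP, SSH, SMTP, DNS, HTTP, POP3, IMAP, HTTPS, IMAPS, POP3S, ISPConfig).
ALLOWED_PUBLIC="21 22 25 53 80 110 143 443 993 995 8080"

# Constructed sample in the layout printed by `netstat -tln`.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.100:53        0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 ::1:953                 :::*                    LISTEN
EOF
}

# audit_listeners: reads `netstat -tln` output on stdin and prints
# "<verdict> <address> <port>" per listening socket, where the verdict is
#   LOCAL     bound to loopback only
#   EXPECTED  reachable from the network and on the allow list
#   REVIEW    reachable from the network and not on the allow list
audit_listeners() {
    awk -v allowed="$ALLOWED_PUBLIC" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            if (host ~ /^127\./ || host == "::1") verdict = "LOCAL"
            else if (port in ok)                  verdict = "EXPECTED"
            else                                  verdict = "REVIEW"
            print verdict, host, port
        }'
}

# review_ports: the distinct ports that need a decision, space separated.
review_ports() {
    audit_listeners | awk '$1 == "REVIEW" { print $3 }' | sort -un | xargs
}

sample_netstat | audit_listeners
```

On the server itself, run `netstat -tln | audit_listeners`. A REVIEW line for port 3306 is the direct result of commenting out bind-address; if remote MySQL access is not needed, it can be limited again with bind-address or a firewall rule.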
During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (server1.example.com in this tutorial), delete the certificates...
cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem
and modify the following two files - replacing CN=localhost with CN=server1.example.com (and you can also modify the other values, if necessary):
vi /etc/courier/imapd.cnf
[...]
CN=server1.example.com
[...]
vi /etc/courier/pop3d.cnf
[...]
CN=server1.example.com
[...]
Then recreate the certificates:
mkimapdcert
mkpop3dcert
and restart Courier-IMAP-SSL and Courier-POP3-SSL:
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart
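To confirm that the regenerated certificates carry the new hostname, the following added example (not part of the original article) checks a Courier .pem file for the expected CN, remaining validity, and file mode, since the file also contains the private key. The function names are this example's own, the test certificates are constructed on the fly, and GNU `stat` and the `openssl` command-line tool are assumed.

```sh
#!/bin/sh
# Added example (not from the article): check a regenerated Courier bundle.

# cert_cn PEM: print the subject CN of the first certificate in PEM.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject=[[:space:]]*//; s/.*CN=\([^,]*\).*/\1/p'
}

# check_cert PEM EXPECTED_HOST: print one line per finding and return the
# number of findings (0 means the bundle looks right).
check_cert() {
    pem=$1; want=$2; problems=0
    cn=$(cert_cn "$pem")
    if [ "$cn" != "$want" ]; then
        echo "$pem: CN is '${cn:-unreadable}', expected '$want'"
        problems=$((problems + 1))
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "$pem: expires within 30 days or cannot be parsed"
        problems=$((problems + 1))
    fi
    # The bundle also holds the private key, so only its owner should read it.
    mode=$(stat -c %a "$pem" 2>/dev/null)
    case $mode in
        [0-7]00) ;;
        *) echo "$pem: mode is ${mode:-unknown}, expected 600 or stricter"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# make_bundle PEM CN: constructed test input, a self-signed key and
# certificate in one file, as the Courier .pem files are.
make_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1" -out "$1.crt" >/dev/null 2>&1 &&
        cat "$1.crt" >> "$1" && rm -f "$1.crt" && chmod 600 "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_bundle "$dir/imapd.pem" server1.example.com || return 1
    check_cert "$dir/imapd.pem" server1.example.com && echo "imapd.pem: OK"
    make_bundle "$dir/stale.pem" localhost && chmod 644 "$dir/stale.pem"
    check_cert "$dir/stale.pem" server1.example.com
    echo "findings for stale.pem: $?"
    rm -rf "$dir"
}
demo
```

On the server, the equivalent call is `check_cert /etc/courier/imapd.pem server1.example.com`, and the same for pop3d.pem.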
Install Amavisd-new, SpamAssassin, And Clamav
To install amavisd-new, SpamAssassin, and ClamAV, we run:
aptitude install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt
Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:
aptitude install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp
You will see the following question:
Web server to reconfigure automatically: Enter:
Configure database for phpmyadmin with dbconfig-common? Enter:
Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include:
a2enmod suexec rewrite ssl actions include
Restart Apache afterwards:
/etc/init.d/apache2 restart
Install PureFTPd And Quota
PureFTPd and quota can be installed with the following command:
aptitude install pure-ftpd-common pure-ftpd-mysql quota quotatool
Edit the file /etc/default/pure-ftpd-common:
vi /etc/default/pure-ftpd-common
and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
Then restart PureFTPd:
/etc/init.d/pure-ftpd-mysql restart
Edit /etc/fstab. Mine looks like Fig.1 on the following page (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):
vi /etc/fstab
To enable quota, run these commands:
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
Install MyDNS
Before we install MyDNS, we need to install a few prerequisites:
aptitude install g++ libc6 gcc gawk make texinfo libmysqlclient15-dev
MyDNS is not available in the Ubuntu 9.10 repositories, therefore we have to build it ourselves as follows:
cd /tmp
wget http://heanet.dl.sourceforge.net/sourceforge/mydns-ng/mydns-1.2.8.27.tar.gz
tar xvfz mydns-1.2.8.27.tar.gz
cd mydns-1.2.8
./configure
make
make install
Next, we create the start/stop script (shown on the following page) for MyDNS:
vi /etc/init.d/mydns
Then we make the script executable, and create the system startup links for it:
chmod +x /etc/init.d/mydns
update-rc.d mydns defaults
Install Vlogger And Webalizer
Vlogger and webalizer can be installed as follows:
aptitude install vlogger webalizer
Install Jailkit
Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):
aptitude install build-essential autoconf automake1.9 libtool flex bison
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.10.tar.gz
tar xvfz jailkit-2.10.tar.gz
cd jailkit-2.10
./configure
make
make install
cd ..
rm -rf jailkit-2.10*
Fig.1: /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid -o value -s UUID' to print the universally unique identifier
# for a device; this may be used with UUID= as a more robust way to name
# devices that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/mapper/server1-root / ext4 errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1
# /boot was on /dev/sda5 during installation
UUID=9ea34148-31b7-4d5c-baee-c2e2022562ea /boot ext2 defaults 0 2
/dev/mapper/server1-swap_1 none swap sw 0 0
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
The /etc/init.d/mydns start/stop script:
#! /bin/sh
#
# mydns         Start the MyDNS server
#
# Author:       Philipp Kern <[email protected]>.
#               Based upon skeleton 1.9.4 by Miquel van Smoorenburg
#               <[email protected]> and Ian Murdock <[email protected]>.
#

set -e

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/mydns
NAME=mydns
DESC="DNS server"

SCRIPTNAME=/etc/init.d/$NAME

# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0

case "$1" in
  start)
        echo -n "Starting $DESC: $NAME"
        start-stop-daemon --start --quiet \
                --exec $DAEMON -- -b
        echo "."
        ;;
  stop)
        echo -n "Stopping $DESC: $NAME"
        start-stop-daemon --stop --oknodo --quiet \
                --exec $DAEMON
        echo "."
        ;;
  reload|force-reload)
        echo -n "Reloading $DESC configuration..."
        start-stop-daemon --stop --signal HUP --quiet \
                --exec $DAEMON
        echo "done."
        ;;
  restart)
        echo -n "Restarting $DESC: $NAME"
        start-stop-daemon --stop --quiet --oknodo \
                --exec $DAEMON
        sleep 1
        start-stop-daemon --start --quiet \
                --exec $DAEMON -- -b
        echo "."
        ;;
  *)
        echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
Install fail2ban
This is optional but recommended, because the ISPConfig monitor tries to show the fail2ban log:
aptitude install fail2ban
Next month, in the final installment, we will install SquirrelMail and ISPConfig3, giving you the perfect server, ready to go!
full circle magazine #34 contents ^
HOW-TO The Perfect Server - Part 4
FCM09 - 16 : Server Series 1 - 8
FCM28 - 29 : LAMP Server 1 - 2
FCM31 - 33 : The Perfect Server 1 - 3
To install the SquirrelMail webmail client, run:
aptitude install squirrelmail
Then, create the following symlink...
ln -s /usr/share/squirrelmail/ /var/www/webmail
... and configure SquirrelMail:
squirrelmail-configure
We must tell SquirrelMail that we are using Courier-IMAP/-POP3:
SquirrelMail Configuration : Read: config.php (1.4.0)
Main Menu
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color on
S Save data
Q Quit
Command >>
Enter:
Now, you will see a list of IMAP server options entitled:
Please select your IMAP server:
Enter the word:
imap_server_type = courier
default_folder_prefix = INBOX.
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = .
delete_folder = true
Press any key to continue...
Next, you will see a list of options and their settings; press the key to continue.
Back at the Main Menu, enter: to save data, and you will see:
Data saved in config.php
Press enter to continue
Back at the Main Menu, enter to quit.
Afterwards you can access SquirrelMail under:
http://server1.example.com/webmail
or:
http://192.168.0.100/webmail
Install ISPConfig 3
To install ISPConfig 3 from the latest released version, do this (replacing ISPConfig-3.0.1.6.tar.gz with the latest version):
cd /tmp
wget http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.1.6.tar.gz?use_mirror=
tar xvfz ISPConfig-3.0.1.6.tar.gz
cd ispconfig3_install/install/
The next step is to run:
php -q install.php
This will start the ISPConfig 3 installer. Press for each option - except when asked for your MySQL root password.
The installer automatically configures all underlying services, so no manual configuration is needed.
Afterwards you can access ISPConfig 3 under:
http://server1.example.com:8080/
or:
http://192.168.0.100:8080/
Log in with the username and the password (you should change the default password after your first login):
The system is now ready to be used.
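The MyDNS, Jailkit and ISPConfig steps each download a tarball over plain HTTP and then build or install it as root. As an added example (not part of the original article), the script below unpacks an archive only after its SHA-256 digest matches a published value and its member names stay inside the target directory. The article gives no checksums, so the digest here is a placeholder computed from a constructed archive, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the article): verify a source tarball before it is
# unpacked and built as root.

# verify_sha256 FILE EXPECTED_HEX: succeed only if the digests are equal.
verify_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{ print $1 }')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# filter_unsafe_names: read archive member names on stdin and print those
# that are absolute or contain a ".." component, i.e. would land outside
# the extraction directory.
filter_unsafe_names() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# safe_unpack TARBALL EXPECTED_HEX DESTDIR: extract only after both checks.
safe_unpack() {
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    bad=$(tar tzf "$1" | filter_unsafe_names)
    [ -z "$bad" ] || { echo "unsafe member names in $1:" "$bad" >&2; return 1; }
    mkdir -p "$3" && tar xzf "$1" -C "$3"
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed stand-in for a downloaded release such as jailkit-2.10.tar.gz.
    mkdir "$work/pkg-1.0" && echo 'all:' > "$work/pkg-1.0/Makefile"
    tar czf "$work/pkg-1.0.tar.gz" -C "$work" pkg-1.0
    # Placeholder: on a real system this value is copied from the project's
    # release page, not computed from the file that was just downloaded.
    published=$(sha256sum "$work/pkg-1.0.tar.gz" | awk '{ print $1 }')

    safe_unpack "$work/pkg-1.0.tar.gz" "$published" "$work/build" &&
        echo "verified and unpacked"
    echo "tampered" >> "$work/pkg-1.0.tar.gz"
    safe_unpack "$work/pkg-1.0.tar.gz" "$published" "$work/build2" ||
        echo "modified archive rejected"
    rm -rf "$work"
}
demo
```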