This tutorial shows you how to prepare a CentOS 5.5 x86_64 (ve) Server for the installation of ISPConfig 3. ISPConfig is an open source hosting control panel for Linux which is licensed under the BSD license. It allows you to configure the following services through a web browser: Apache web server, Postfix mail server, MySQL, BIND nameserver, vsftpd, SpamAssassin, ClamAV, and many more through an easy to use interface for administrators, resellers and clients.
Please keep in mind that your (ve) Server is very much a blank slate when provisioned. It is your responsibility to administer your server from Day 1. Following the information below will definitely help you on your way, but is not supported in any way by (mt) Media Temple.
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings will differ for you, so you have to replace them where appropriate.
Getting around 'noexec' issues with /tmp
Many simple exploits that are used against machines, (via vulnerable PHP applications or local users, etc), rely upon being able to execute commands in /tmp. As a security precaution, /tmp is mounted with noexec. This is a good thing and should generally stay this way. There are some circumstances where you may need to have /tmp executable.
mkdir ~/tmp
mount --bind ~/tmp /tmp
Keep in mind that if you reboot your (ve) after you've done this, /tmp and /var/tmp will return to 'noexec'.
Logging in as root
By default, all of the distributions offered with your (ve) Server have only the root user installed. For security reasons we do not include the root password in your Service Activation Letter. To obtain the root user password, you will need to visit the "SSH Access" section of your (ve) Control Panel in the AccountCenter. Then you can change the password to one you know.
After you change the password, you can simply use a ssh client to connect to your server using your new password and root as the user. If you do not have a domain name that is currently resolving to your server, you can use the IP address that has been assigned.
ssh root@xxx.xxx.xxx.xxx
Using YUM
In most of this article you will be using YUM (Yellow dog Updater, Modified), which is the default package manager used in CentOS ( all versions ). It is used to install and update packages from CentOS (and 3rd party) Repositories. After running a command, you will be prompted with "Is this ok [y/N]:", this will usually be yes, so type "y" and hit enter.
Using vi
vi is a family of screen-oriented text editors which share certain characteristics, such as methods of invocation from the operating system command interpreter, and characteristic user interface features. If you are not familiar with vi, you can refer to the article Mastering the VI editor.
Install Some Software
First we import the GPG keys for software packages:
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
Next we exclude postfix from base and updates, include postfix in centosplus, then enable the contrib and centosplus repositories:
vi /etc/yum.repos.d/CentOS-Base.repo
Edit the lines below:
[base]
[...]
exclude=postfix
[...]
[updates]
[...]
exclude=postfix
[...]
[centosplus]
[...]
enabled=1
includepkgs=postfix
[...]
[contrib]
[...]
enabled=1
[...]
Then we update our existing packages on the system:
yum update
Now we install some software packages that are needed later on:
yum groupinstall 'Development Tools'
yum groupinstall 'Development Libraries'
Install Apache, MySQL, phpMyAdmin
First we enable the RPMforge repository on our CentOS system as lots of the packages that we are going to install in the course of this tutorial are not available in the official CentOS 5.5 repositories:
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
cd /tmp
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm
rpm -ivh rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm
(If the above link doesn't work anymore, you can find the current version of rpmforge-release here: http://packages.sw.be/rpmforge-release/)
Afterwards, we can install the needed packages with one single command:
yum install ntp httpd mysql-server php php-mysql php-mbstring php-mcrypt phpmyadmin
Install Dovecot
There's a Dovecot package in the CentOS repository, but unfortunately it doesn't support MySQL. Therefore we must we install the Dovecot package (from ATrpms) which comes with MySQL support:
rpm -ivh http://dl.atrpms.net/all/dovecot-1.2.11-3_108.el5.x86_64.rpm
rpm -ivh http://dl.atrpms.net/all/dovecot-sieve-0.1.15-4.el5.x86_64.rpm
rm -fr /usr/lib/dovecot/
ln -s /usr/lib64/dovecot/ /usr/lib/dovecot
Now we create the system startup links for Dovecot:
chkconfig --levels 235 dovecot on
/etc/init.d/dovecot start
Install Postfix With MySQL Support
The "normal" Postfix package from the CentOS repository doesn't have MySQL, but the Postfix package from the CentOS Plus repository does. Therefore we install it from the CentOS Plus repository:
yum install postfix
Then we start Postfix and MySQL:
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
chkconfig --levels 235 postfix on
/etc/init.d/postfix start
Install Getmail
Getmail can be installed as follows:
yum install getmail
Set MySQL Passwords And Configure phpMyAdmin
Set passwords for the MySQL root account:
mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorization.
Set root password? [Y/n] <-- ENTER
New password: <-- yourrootsqlpassword
Re-enter new password: <-- yourrootsqlpassword
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] <-- ENTER
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] <-- ENTER
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] <-- ENTER
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] <-- ENTER
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!
Now we configure phpMyAdmin. We change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the
vi /etc/httpd/conf.d/phpmyadmin.conf
#
# Web application to manage MySQL
#
#
# Order Deny,Allow
# Deny from all
# Allow from 127.0.0.1
#
Alias /phpmyadmin /usr/share/phpmyadmin
Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /mysqladmin /usr/share/phpmyadmin
Next we change the authentication in phpMyAdmin from cookie to http:
vi /usr/share/phpmyadmin/config.inc.php
[...]
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';
[...]
Then we create the system startup links for Apache and start it:
chkconfig --levels 235 httpd on
/etc/init.d/httpd start
Now you can direct your browser to http://server1.example.com/phpmyadmin/ or http://192.168.0.100/phpmyadmin/ and log in with the user name root and your new root MySQL password.
Install Amavisd-new, SpamAssassin And ClamAV
To install amavisd-new, spamassassin and clamav, run the following command:
yum install amavisd-new spamassassin clamav clamd unzip bzip2 unrar perl-DBD-mysql
Open /etc/sysconfig/amavisd...
vi /etc/sysconfig/amavisd
... and add the line CONFIG_FILE="/etc/amavisd/amavisd.conf":
### Uncomment this if you want to use amavis with sendmail milter interface.
### See README.milter for details.
#
#MILTER_SOCKET="local:/var/amavis/amavis-milter.sock"
#MILTER_SOCKET="10024@127.0.0.1"
### These are other defaults.
#AMAVIS_ACCOUNT="amavis"
#CONFIG_FILE="/etc/amavisd.conf"
#MILTER_FLAGS=""
CONFIG_FILE="/etc/amavisd/amavisd.conf"
Then we start freshclam, amavisd, and clamd...
It is OK if you see errors during next command.
sa-update
chkconfig --levels 235 amavisd on
chkconfig --levels 235 clamd on
/usr/bin/freshclam
/etc/init.d/amavisd start
/etc/init.d/clamd start
... and create some necessary directories:
mkdir /var/run/amavisd /var/spool/amavisd /var/spool/amavisd/tmp /var/spool/amavisd/db
chown amavis /var/run/amavisd /var/spool/amavisd /var/spool/amavisd/tmp /var/spool/amavisd/db
ln -s /var/run/clamav/clamd.sock /var/spool/amavisd/clamd.sock
Installing Apache2 With mod_php, mod_fcgi/PHP5, And suPHP
ISPConfig 3 allows you to use mod_php, mod_fcgi/PHP5, cgi/PHP5, and suPHP on a per website basis. mod_fcgid is not available in the official CentOS repositories, but there's a package for CentOS 5.x in the centos.karan.org testing repository. We enable the repository as follows:
cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
Next we open /etc/yum.repos.d/kbsingh-CentOS-Extras.repo...
vi /etc/yum.repos.d/kbsingh-CentOS-Extras.repo
... and set enabled to 1 in the [kbs-CentOS-Testing] section:
[...]
[kbs-CentOS-Testing]
name=CentOS.Karan.Org-EL$releasever - Testing
gpgcheck=0
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el$releasever/extras/testing/$basearch/RPMS/
Afterwards we can install Apache2with mod_php5, mod_fcgid, and PHP5:
yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-mbstring php-mcrypt php-mhash php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel
Next we open /etc/php.ini...
vi /etc/php.ini
... and change the error reporting (so that notices aren't shown any longer). Uncomment "error_reporting = E_ALL & ~E_NOTICE" and comment out ;error_reporting = E_ALL. Then add cgi.fix_pathinfo = 1 at the end of the file:
[...]
error_reporting = E_ALL & ~E_NOTICE
;error_reporting = E_ALL
[...]
cgi.fix_pathinfo = 1
Next we install suPHP:
mkdir ~/tmp
mount --bind ~/tmp /tmp
cd /tmp
wget http://suphp.org/download/suphp-0.7.1.tar.gz
tar xvfz suphp-0.7.1.tar.gz
cd suphp-0.7.1/
./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=owner --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
make
make install
Then we add the suPHP module to our Apache configuration...
vi /etc/httpd/conf.d/suphp.conf
LoadModule suphp_module modules/mod_suphp.so
... and create the file /etc/suphp.conf as follows:
vi /etc/suphp.conf
[global]
;Path to logfile
logfile=/var/log/httpd/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Minimum UID
min_uid=100
; Minimum GID
min_gid=100
[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
Finally we restart Apache:
/etc/init.d/httpd restart
Install vsftpd
yum install vsftpd
After installing, make sure that the service is running by doing:
chkconfig vsftpd on
Last, turn on the service itself:
service vsftpd start
Install A Chrooted DNS Server (BIND9)
To install a chrooted BIND9, we do this:
yum install bind-chroot
Then do this:
chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local /var/named/chroot/var/named/named.local
cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root /var/named/chroot/var/named/named.root
touch /var/named/chroot/etc/named.conf.local
We now copy the contents below into the named.conf file.
vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named/chroot/var/named";
dump-file "/var/named/chroot/var/named/data/cache_dump.db";
statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
recursion yes;
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.root";
};
include "/var/named/chroot/etc/named.conf.local";
chkconfig --levels 235 named on
/etc/init.d/named start
BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).
Install Vlogger And Webalizer
Vlogger and webalizer can be installed as follows:
yum install webalizer perl-DateTime-Format-HTTP perl-DateTime-Format-Builder
cd /tmp
wget http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
tar xvfz vlogger-1.3.tar.gz
mv vlogger-1.3/vlogger /usr/sbin/
rm -rf vlogger*
Install Jailkit
Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):
mount --bind ~/tmp /tmp
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
tar xvfz jailkit-2.11.tar.gz
cd jailkit-2.11
./configure
make
make install
cd ..
rm -rf jailkit-2.11*
Install fail2ban
This is optional but recommended, because the ISPConfig monitor tries to show the log:
yum install fail2ban
chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start
Install rkhunter
rkhunter can be installed as follows:
yum install rkhunter
Install SquirrelMail
To install the SquirrelMail webmail client, run...
yum install squirrelmail
... and restart Apache:
/etc/init.d/httpd restart
Then configure SquirrelMail:
/usr/share/squirrelmail/config/conf.pl
We must tell SquirrelMail that we are using Courier-IMAP/-POP3:
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color off
S Save data
Q Quit
Command >> <-- D
SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.
Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.
Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
quit = Do not change anything
Command >> dovecot
imap_server_type = dovecot
default_folder_prefix =
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false
Press any key to continue... <-- press a key
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color off
S Save data
Q Quit
Command >> <--S
Data saved in config.php
Press enter to continue...
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color off
S Save data
Q Quit
Command >> <--Q
One last thing we need to do is modify the file /etc/squirrelmail/config_local.php and comment out the $default_folder_prefix variable - if you don't do this, you will see the following error message in SquirrelMail after you've logged in: Query: CREATE "Sent" Reason Given: Invalid mailbox name.
vi /etc/squirrelmail/config_local.php
/**
* Local config overrides.
*
* You can override the config.php settings here.
* Don't do it unless you know what you're doing.
* Use standard PHP syntax, see config.php for examples.
*
* @copyright © 2002-2006 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id: config_local.php,v 1.2 2006/07/11 03:33:47 wtogami Exp $
* @package squirrelmail
* @subpackage config
*/
//$default_folder_prefix = '';
?>
Now you can type in http://server1.example.com/webmail or http://192.168.0.100/webmail in your browser to access SquirrelMail.
Install ISPConfig 3
To install ISPConfig 3 from the latest released version, do this:
mount --bind ~/tmp /tmp
cd /tmp
wget http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.2.2.tar.gz?use_mirror=
tar xvfz ISPConfig-3.0.2.2.tar.gz
cd ispconfig3_install/install/
(Replace ISPConfig-3.0.2.1.tar.gz with the latest version.)
The next step is to run
php -q install.php
This will start the ISPConfig 3 installer:
--------------------------------------------------------------------------------
_____ ___________ _____ __ _
|_ _/ ___| ___ \ / __ \ / _(_)
| | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _
| | `--. \ __/ | | / _ \| '_ \| _| |/ _` |
_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| |
\___/\____/\_| \____/\___/|_| |_|_| |_|\__, |
__/ |
|___/
--------------------------------------------------------------------------------
>> Initial configuration
Operating System: Redhat or compatible, unknown version.
Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with.
Tap in "quit" (without the quotes) to stop the installer.
Select language (en,de) [en]: <-- ENTER
Installation mode (standard,expert) [standard]: <-- ENTER
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER
MySQL server hostname [localhost]: <-- ENTER
MySQL root username [root]: <-- ENTER
MySQL root password []: <-- yourrootsqlpassword
MySQL database to create [dbispconfig]: <-- ENTER
MySQL charset [utf8]: <-- ENTER
Generating a 2048 bit RSA private key
......+++
.................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: <-- ENTER
State or Province Name (full name) [Berkshire]: <-- ENTER
Locality Name (eg, city) [Newbury]: <-- ENTER
Organization Name (eg, company) [My Company Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, your name or your server's hostname) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring vlogger
Configuring Apps vhost
Configuring Firewall
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER
Configuring DBServer
Installing Crontab
no crontab for root
no crontab for getmail
Restarting services ...
Stopping MySQL: [ OK ]
Starting MySQL: [ OK ]
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
Stopping saslauthd: [FAILED]
Starting saslauthd: [ OK ]
Shutting down Mail Virus Scanner (amavisd): [FAILED]
Starting Mail Virus Scanner (amavisd): [ OK ]
Stopping Dovecot Imap: [ OK ]
If you have trouble with authentication failures,
enable auth_debug setting. See http://wiki.dovecot.org/WhyDoesItNotWork
This message goes away after the first successful login.
Starting Dovecot Imap: [ OK ]
Stopping httpd: [ OK ]
[Tue May 25 18:15:57 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
Starting httpd: [ OK ]
Stopping pure-ftpd: [ OK ]
Starting pure-ftpd: [ OK ]
Installation completed.
The installer automatically configures all underlying services, so no manual configuration is needed.
Afterwards you can access ISPConfig 3 under http://server1.example.com:8080/ or http://192.168.0.100:8080/. Log in with the username admin and the password admin (you should change the default password after your first login):
Reboot Your Server
Now we reboot your so that /tmp and /var/tmp will return to 'noexec'.
reboot
REFERENCES
http://wiki.mediatemple.net/w/Install_ISPConfig_on_CentOS_5.5
