ICO wiki - User contributions [en]

ISPconfig

2015-01-12T16:43:56Z

Mtammepo: /* Sissejuhatus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist. [1]

Sellel tarkvaral on 3 sisselogimise taset: administraatori, edasimüüja ja kliendi tase. [1]
==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’i, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’ga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’le taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas võrgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>
See on vajalik sisukontrolliks, et ei tuleks viiruseid või rämpsposti.

*ISPConfig 3 kasutab amavisd, mis laeb SpamAssassin filtri jooksvalt, seepärast on parem, kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

Selle kaudu on võimalik hiljem otse näha kõiki e-poste, mis tuleb veebilehtede kaudu.

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma erinevaid servereid ja teostada virtualiseerimist. Selle kaudu saab kergelt luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2015-01-12T16:25:26Z

Mtammepo: /* Sissejuhatus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist. [1]

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’i, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’ga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’le taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas võrgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>
See on vajalik sisukontrolliks, et ei tuleks viiruseid või rämpsposti.

*ISPConfig 3 kasutab amavisd, mis laeb SpamAssassin filtri jooksvalt, seepärast on parem, kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

Selle kaudu on võimalik hiljem otse näha kõiki e-poste, mis tuleb veebilehtede kaudu.

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma erinevaid servereid ja teostada virtualiseerimist. Selle kaudu saab kergelt luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2015-01-12T16:23:33Z

Mtammepo: /* SquirrelMail’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’i, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’ga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’le taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas võrgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>
See on vajalik sisukontrolliks, et ei tuleks viiruseid või rämpsposti.

*ISPConfig 3 kasutab amavisd, mis laeb SpamAssassin filtri jooksvalt, seepärast on parem, kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

Selle kaudu on võimalik hiljem otse näha kõiki e-poste, mis tuleb veebilehtede kaudu.

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma erinevaid servereid ja teostada virtualiseerimist. Selle kaudu saab kergelt luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2015-01-12T16:22:39Z

Mtammepo: /* Paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’i, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’ga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’le taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas võrgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>
See on vajalik sisukontrolliks, et ei tuleks viiruseid või rämpsposti.

*ISPConfig 3 kasutab amavisd, mis laeb SpamAssassin filtri jooksvalt, seepärast on parem, kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

Selle kaudu on võimalik hiljem otse näha kõiki e-poste, mis tuleb veebilehtede kaudu.

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma erinevaid servereid ja teostada virtualiseerimist. Selle kaudu saab kergelt luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-17T16:33:06Z

Mtammepo: /* Postfix’i, Dovecot’i, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’i, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’ga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’le taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas võrgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>
See on vajalik sisukontrolliks, et ei tuleks viiruseid või rämpsposti.

*ISPConfig 3 kasutab amavisd, mis laeb SpamAssassin filtri jooksvalt, seepärast on parem, kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

Selle kaudu on võimalik hiljem otse näha kõiki e-poste, mis tuleb veebilehtede kaudu.

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma erinevaid servereid ja teostada virtualiseerimist. Selle kaudu saab kergelt luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-17T16:26:44Z

Mtammepo: /* Postfix’i, Dovecot’i, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’i, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’ga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’le taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas võrgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd, mis laeb SpamAssassin filtri jooksvalt, seepärast on parem, kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

Selle kaudu on võimalik hiljem otse näha kõiki e-poste, mis tuleb veebilehtede kaudu.

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma erinevaid servereid ja teostada virtualiseerimist. Selle kaudu saab kergelt luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-17T16:25:18Z

Mtammepo: /* Postfix’i, Dovecot’i, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’i, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’ga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’le taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas võrgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

Selle kaudu on võimalik hiljem otse näha kõiki e-poste, mis tuleb veebilehtede kaudu.

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma erinevaid servereid ja teostada virtualiseerimist. Selle kaudu saab kergelt luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:25:21Z

Mtammepo: /* Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’i, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

Selle kaudu on võimalik hiljem otse näha kõiki e-poste, mis tuleb veebilehtede kaudu.

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma erinevaid servereid ja teostada virtualiseerimist. Selle kaudu saab kergelt luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:20:55Z

Mtammepo: /* SquirrelMail’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

Selle kaudu on võimalik hiljem otse näha kõiki e-poste, mis tuleb veebilehtede kaudu.

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma erinevaid servereid ja teostada virtualiseerimist. Selle kaudu saab kergelt luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:20:31Z

Mtammepo: /* SquirrelMail’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

Selle kaudu on võimalik hiljem otse näha kõiki meile, mis tuleb veebilehtede kaudu.

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma erinevaid servereid ja teostada virtualiseerimist. Selle kaudu saab kergelt luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:16:19Z

Mtammepo: /* Kokkuvõte */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma erinevaid servereid ja teostada virtualiseerimist. Selle kaudu saab kergelt luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:13:09Z

Mtammepo: /* Kokkuvõte */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma servereid ja teostada virtualiseerimist. Selle kaudu on lihtne luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne. Sobib ka algajale.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:12:28Z

Mtammepo: /* Kokkuvõte */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

ISPconfig on väga hea tööriist, mille kaudu on võimalik kiirelt ja lihtsalt hallata oma servereid ja teostada virtualiseerimist. Selle kaudu on lihtne luua uusi kasutajaid ja neile vastavaid õigusi anda. ISPconfig toetab väga erinevaid teenuseid ning on mitmekülgne.

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:02:19Z

Mtammepo: /* ISPConfig 3 paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/

[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:02:02Z

Mtammepo: /* SquirrelMail’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:01:40Z

Mtammepo: /* SquirrelMail’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.
[6]

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:00:52Z

Mtammepo: /* Vlogger’i, Webalizer’i ja AWstats’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>
[5]

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:00:39Z

Mtammepo: /* BIND DNS Serveri paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>
[5]

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T18:00:21Z

Mtammepo: /* PureFTPd ja Quota paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>
[5]

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:59:31Z

Mtammepo: /* Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>
[4]

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:59:10Z

Mtammepo: /* Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
[4]

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:55:39Z

Mtammepo: /* Sissejuhatus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.

Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:54:45Z

Mtammepo: /* ISPConfig 3 paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt ENTER: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:54:12Z

Mtammepo: /* ISPConfig 3 paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelile, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:53:24Z

Mtammepo: /* ISPConfig 3 paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne ISPConfig’le sobivaks automaatselt. Küsimutele võib lihtsalt ENTER vajutada.

Kui paigaldamine on lõpuni viidud, siis on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga, mis on vaikimisi kasutaja ja parool, võiks turvalisuse huvides parooli ära vahetada.

Sinna saab nüüd sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:46:10Z

Mtammepo: /* SquirrelMail’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii, et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.

Sinna saab sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:43:36Z

Mtammepo: /* SquirrelMail’i paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

[...]

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.

Sinna saab sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:40:40Z

Mtammepo: /* Fail2ban’i paigaldamine */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua kaks filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.

Sinna saab sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:39:36Z

Mtammepo: /* PureFTPd ja Quota paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter
State or Province Name (full name) [Some-State]: <-- Enter
Locality Name (eg, city) []: <-- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter
Organizational Unit Name (eg, section) []: <-- Enter
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua 2 filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.

Sinna saab sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:38:11Z

Mtammepo: /* Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failid jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter your Email Address.
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua 2 filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.

Sinna saab sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:35:20Z

Mtammepo: /* Paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud
<source lang="bash">
apt-cache policy openssh-server
</source>
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failed jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter your Email Address.
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua 2 filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.

Sinna saab sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:30:20Z

Mtammepo:

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud apt-cache policy openssh-server
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failed jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter your Email Address.
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua 2 filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.

Sinna saab sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kokkuvõte=

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:23:07Z

Mtammepo: /* Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud apt-cache policy openssh-server
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failed jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]

==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter your Email Address.
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua 2 filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.

Sinna saab sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:16:29Z

Mtammepo: /* ISPConfig 3 paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud apt-cache policy openssh-server
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failed jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]
==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter your Email Address.
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua 2 filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.

Sinna saab sisse logida lehelt:

http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:14:23Z

Mtammepo: /* ISPConfig 3 paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud apt-cache policy openssh-server
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failed jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]
==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter your Email Address.
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua 2 filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.

Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.
Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.
Sinna saab sisse logida lehelt:
http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:12:56Z

Mtammepo: /* Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’I paigaldus */

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud apt-cache policy openssh-server
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’i paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>

== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failed jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]
==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter your Email Address.
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua 2 filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.
Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.
Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.
Sinna saab sisse logida lehelt:
http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

ISPconfig

2014-12-13T17:12:04Z

Mtammepo:

Autor: Maarja-Liisa Tammepõld

Rühm: A31

=Sissejuhatus=
ISPConfig on vabavaraline sisumajutuse juhtpaneel Linuxile. Sellega on võimalik hallata mitmeid servereid ühest juhtpaneelist. Võimaldab veebiserveri, meiliserveri, DNS serveri haldamist, virtualiseerimist ja andmete sünkroonse dubleerimise konfiguratsiooni (andmete peegeldamist) arvutivõrgus ning klasterdamist.
Sellel tarkvaral on 4 sisselogimise taset: administraatori, edasimüüja, kliendi ja e-maili kasutaja tase.

==Millele on ISPconfig toetatud?==
Toetatud tarkvara:
*HTTP: Apache2 and nginx
*SMTP: Postfix
*POP3/IMAP: Courier and Dovecot
*FTP: PureFTPd
*DNS: BIND ja MyDNS
*Andmebaas: MySQL
*Statistika: Webalizer ja AWStats
*Virtualiseerimine: OpenVZ

Toetatud Linuxi Operatsioonisüsteemidele:
*Debian 5 – 7 ja Debian Testing
*Ubuntu 8.10 – 14.10
*CentOS 5.2 – 7.0
*Fedora 10 and 12 - 15
*OpenSuSE 11.1 – 13.2
[2]

=Paigaldus=
Oma ülesannet lahendasin Puppeti kaudu, kasutades kooliserverit elab.itcollege.ee keskkonnas. Tegin kindlaks, et paigaldatud oli Ubuntu 14.04 versioon ja sellest lähtuvalt teen oma dokumentatsiooni.

*Veendu, et oled administraatori õigustes sudo –i
*Tee kindlaks, kas OpenSSH on paigaldatud apt-cache policy openssh-server
Kui ei ole, siis
<source lang="bash">
apt-get install ssh openssh-server
</source>
*Serverile tuleb määrata staatiline IP aadress. Selleks tuleb minna nano /etc/network/interfaces
<source lang="bash">
auto eth0
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
network 192.168.56.200
broadcast 192.168.56.255
gateway 192.168.56.254
dns-nameservers 192.168.1.254 8.8.8.8
</source>

*Nüüd tuleb võrgule tuleb teha restart
<source lang="bash">
service networking restart
</source>

*Nano /etc/hosts failis tuleb ära määrata server
<source lang="bash">
127.0.0.1 localhost
127.0.1.1 puppet.planet.zz server
192.168.56.200 uppet.planet.zz puppet
</source>

*Käsureal käivitada , et määrata serverile õige nimi
<source lang="bash">
echo puppet > /etc/hostname
service hostname restart
</source>

*Näitab serveri nime ja serverit.
<source lang="bash">
hostname
hostname –f
</source>

*Operatsioonisüsteemi tarkvaravaramu nimekirja uuendamine
<source lang="bash">
apt-get update
</source>

*Olemasoleva (juba paigaldatud) tarkvara uuendamine
<source lang="bash">
apt-get upgrade
</source>

*Seejärel võiks süsteemile reboot teha
<source lang="bash">
reboot
</source>

*Vaikimisi olev shell (default shell) tuleks ära muuta
/bin/sh on sümlink /bin/dash’ile, kuigi vaja on /bin/bash’i, mitte /bin/dash’i. Seepärast tuleb teha nii:
<source lang="bash">

dpkg-reconfigure dash
</source>

Ja valikuks tuleb panna:
<source lang="bash">
Use dash as the default system shell (/bin/sh)? <-- No
</source>

Vastasel juhul ISPConfig’i paigaldus ei lähe tööle.
*AppArmor’i võiks välja lülitada. See on turvalisuse laiendus, kuid hakkab hiljem probleeme tekitama ISPConfig’i töö toimimisele.
<source lang="bash">
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
</source>

*Süsteemi kell oleks vaja ära sünkroniseerida. Selleks on vaja paigaldada ntp ntpdate.
<source lang="bash">
apt-get install ntp ntpdate
</source>

[3]

==Postfix’i, Dovecot’o, MySQL’i, phpMyAdmin’i, rkhunter’i, binutils’I paigaldus==
*Postfix’i paigalduseks on vaja peatada ja eemaldada sendmail
<source lang="bash">
service sendmail stop; update-rc.d -f sendmail remove
</source>

*Nüüd saab paigaldada Postfix’i, Dovecot’i, MySQL’i, rkhunter’I ja binutils’i selle käsureaga:
<source lang="bash">
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
</source>

*Seejärel tulevad sellised küsimused:
<source lang="bash">
New password for the MySQL "root" user: <--student
Repeat password for the MySQL "root" user: <-- student
General type of mail configuration: <-- Internet Site
Self-signed SSL sertificate: yes
Hostname: localhost
System mail name: <-- puppet.planet.zz
</source>
*Järgmisena on vaja avada TLS/SSL ja määrata õiged pordid Postfix’is.
*Selleks nano /etc/postfix/master.cf
Seal on vaja submission ja smtps sektsioonid välja kommenteerida ja lisada rida -o smtpd_client_restrictions=permit_sasl_authenticated,reject mõlemasse sektsiooni.
Teha nii:
<source lang="bash">
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
</source>

*Seejärel taaskäivitada Postfix
<source lang="bash">
service postfix restart
</source>

*Kuna on vaja, et MySql oleks ühenduses kõikide sisenditega, mitte ainult localhost’iga, seepärast on vajalik nano /etc/mysql/my.cnf välja kommenteerida bind-address = 127.0.0.1
<source lang="bash">
nano /etc/mysql/my.cnf
</source>
<source lang="bash">
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
</source>

*Seejärel on vaja MySQL’ile taaskäivitus teha:
<source lang="bash">
service mysql restart
</source>

*Nüüd tuleb kindlaks teha, kas värgundus on lubatud.
<source lang="bash">
netstat -tap | grep mysql
</source>
Tulem peaks välja nägema selline:
<source lang="bash">
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 21298/mysqld
root@server1:~#
</source>

==Amavisd-new, SpamAssassin ja Clamav paigaldus ==

*Et käivitada amavisd-new, SpamAssassin, and ClamAV, on vaja käsureale lisada:
<source lang="bash">
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
</source>

*ISPConfig 3 kasutab amavisd mis laeb SpamAssassin filtri jooksvalt, seepärast on parem kui SpamAssassin oleks peatatud, et RAM’i ruumi vabastada.
<source lang="bash">
service spamassassin stop
update-rc.d -f spamassassin remove
</source>
== Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt paigaldus==
*Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear ja mcrypt on võimalik paigaldada sisestades käsureale:
<source lang="bash">
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp
</source>

* PHP5 mcrypt’I moodul tuleb lubada manuaalselt, selleks:
<source lang="bash">
php5enmod mcrypt
</source>
Ja tuleb vastata järgmisetele küsimustele nii:
<source lang="bash">
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
</source>
*Seejärel käivitada käsuteal järgmised käsklused, et lubada Apache mooduleid suexec, rewrite, ssl, actions ja ka (dav, dav_fs, ja auth_digest kui on soov kasutada WebDAV’i):
<source lang="bash">
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
</source>

Seejärel avada nano /etc/apache2/mods-available/suphp.conf...
<source lang="bash">

nano /etc/apache2/mods-available/suphp.conf
</source>

ja välja kommenteerida <FilesMatch "\.ph(p3?|tml)$"> sektsioon ja lisada rida AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – vastasel korral kõik PHP failed jooksevad SuPHP kaudu:
<source lang="bash">
<IfModule mod_suphp.c>
#<FilesMatch "\.ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-suphp

<Directory />
suPHP_Engine on
</Directory>

# By default, disable suPHP for debian packaged web applications as files
# are owned by root and cannot be executed by suPHP because of min_uid.
<Directory /usr/share>
suPHP_Engine off
</Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
# suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
</IfModule>
</source>

*Seejärel teha apache2’le taaskäivitus.
<source lang="bash">
service apache2 restart
</source>

*Kui on vajadus Ruby faile .rb laiendusega hoiustada oma loodud veebilehtedele läbi ISPConfig’i, siis on vajalik välja kommenteerida rida application/x-ruby rb failis /etc/mime.types:
<source lang="bash">
nano /etc/mime.types
</source>
<source lang="bash">
[...]
#application/x-ruby rb
[...]
</source>

*Seejärel taaskäivitada apache2
<source lang="bash">
service apache2 restart
</source>

==Xcache==

Xcache on PHP opcode püüdja, püüdmaks ja optimeerimaks PHP vahekoodi.

*Selle paigaldamiseks
<source lang="bash">
apt-get install php5-xcache
</source>

*Ja seejärel on vaja jällegi apache2’le taaskäivitus teha
<source lang="bash">

service apache2 restart
</source>
[4]
==PureFTPd ja Quota paigaldus==

*Selle paigaldus käib järgmiselt:
<source lang="bash">
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
</source>

*Ja tuleb jälgida, et algolek oleks seatud sandalone’ks ja VIRTUALCHROOT=true:
<source lang="bash">
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
</source>

FTP on väga ebakindel protokoll, sest kõik paroolid ja andmed on edastatud selge tekstina. TLS-iga on võimalik kogu see suhtlus ära krüpteerida, mis teeb FTP turvalisemaks.
*FTP ja TLS sessiooni lubamiseks, on vaja teha järgmist:
<source lang="bash">
echo 1 > /etc/pure-ftpd/conf/TLS
</source>

*TLS’i kasutamiseks on vaja genereerida SSL sertifikaat. Seda võib teha siin /etc/ssl/private/ , kuid esmalt on vaja see asukoht luua.
<source lang="bash">
mkdir -p /etc/ssl/private/
</source>

*SSL-i genereerimine:
<source lang="bash">
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
</source>
<source lang="bash">
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- puppet.planet.zz
Email Address []: <-- Enter your Email Address.
</source>

*Õiguste muutmine SSL sertifikaadi puhul:
<source lang="bash">
chmod 600 /etc/ssl/private/pure-ftpd.pem
</source>

*Seejärel on vaja teha PureFTP-le taaskäivitus
<source lang="bash">
service pure-ftpd-mysql restart
</source>
*Seejärel on vaja muuta /etc/fstab’i sisu.
<source lang="bash">

nano /etc/fstab
</source>

<source lang="bash">
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/puppet--vg-root / ext4 errors=remount-ro,usrjquota$
# / was on /dev/sda1 during installation
UUID=07114cfb-f3f8-4a00-bd9a-184357062b78 / ext4 noatime,error$
</source>

*Quota lubamiseks:
<source lang="bash">
mount -o remount /

quotacheck -avugm
quotaon –avug
</source>

==BIND DNS Serveri paigaldus==

*BIND’i on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install bind9 dnsutils
</source>

==Vlogger’i, Webalizer’i ja AWstats’i paigaldus==

*Seda on võimalik paigaldada järgmiselt:
<source lang="bash">
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Seejärel tuleb avada/etc/cron.d/awstats ja välja kommenteerida kogu faili sisu:
nano /etc/cron.d/awstats
</source>
<source lang="bash">
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</source>

==Fail2ban’i paigaldamine==

See pole kohustuslik, kuid soovitatav ISPConfi logide näitamiseks.
<source lang="bash">
apt-get install fail2ban
</source>

Selleks, et fail2ban monitooriks PureFTPd ja Dovecot’i, on vaja luua fail /etc/fail2ban/jail.local:
<source lang="bash">
nano /etc/fail2ban/jail.local
</source>
<source lang="bash">
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
</source>

Seejärel on vaja luua 2 filtri faili:
<source lang="bash">
nano /etc/fail2ban/filter.d/pureftpd.conf
</source>
<source lang="bash">
[Definition]
failregex = .*pure-ftpd: $.*@<HOST>$ \[WARNING\] Authentication failed for user.*
ignoreregex =
</source>
<source lang="bash">
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
</source>
<source lang="bash">
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</source>

postfix-sasl faili on vaja lisada veel:
<source lang="bash">
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
</source>

Pärast seda on vaja fail2ban’ile teha taaskäivitus:
<source lang="bash">
service fail2ban restart
</source>
[5]

==SquirrelMail’i paigaldus==

*Käsureal paigaldada
<source lang="bash">
apt-get install squirrelmail
</source>
*Konfigureerida SquirrelMail
<source lang="bash">
squirrelmail-configure
</source>
*SquirrelMail’ile tuleb öelda, et me kasutame Dovevecot-IMAP/-POP3:
<source lang="bash">
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> <-- dovecot

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts

quit = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >> <-- Q
</source>

*Nüüd kofigureerin SquirrelMail’i nii et seda saaks kasutada oma veebilehes, mis on loodud läbi ISPConfig’i kasutades /squirrelmail või /webmail aliasi.
*SquirrelMail'i Apache konfiguratsioon on failis /etc/squirrelmail/apache.conf, aga see fail pole laetud Apache poolt, sest see pole /etc/apache2/conf-available/ kaustas. Seepärast loome symlingi nimega squirrelmail.conf kausta /etc/apache2/conf-available/ mis viitab /etc/squirrelmail/apache.conf ja seejärel teen Apachele uuesti laadimise:
<source lang="bash">
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
</source>

*Nüüd tuleb avada /etc/apache2/conf-available/squirrelmail.conf
<source lang="bash">
Nano /etc/apache2/conf-available/squirrelmail.conf
</source>
Ja lisada järgmised read <Directory/usr/share/squirrelmail></Directory> konteinerisse, mis teeb kindlaks, et mod_php on kasutusel SquirrelMail’i pääsemiseks.
<source lang="bash">
[...]
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
[...]
</source>
*Loon kausta mkdir /var/lib/squirrelmail/tmp
*Määran omanikuks www-data:
<source lang="bash">
chown www-data /var/lib/squirrelmail/tmp
</source>
*Luban squirrelmail’i koos apache2-ga
<source lang="bash">
a2enconf squirrelmail
</source>
*Laen apache2 uuesti
<source lang="bash">
service apache2 reload
</source>
Nüüd /etc/apache2/conf-available/squirrelmail.conf defineerib aliase nimega /squirrelmail mis viitab SquirrelMail'i paigaldamise asukohale /usr/share/squirrelmail.

==ISPConfig 3 paigaldus==

Kui eeltöö tehtud, siis saan ISPConfig 3 paigalduse juurde asuda.
Selleks:
<source lang="bash">
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
</source>
Ja seejärel:
<source lang="bash">
php -q install.php
</source>
See alustab ISPConfig 3 paigaldust. Paigaldaja konfigureerib kõik teenused nagu Postfix’i, Dovecot’i, jne. ISPConfig’le sobivaks automaatselt.
<source lang="bash">
>> Initial configuration

Operating System: 14.04 UNKNOWN

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- student

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 4096 bit RSA private key
............................................................................++
.....................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
..........++
......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2817
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3962
* Restarting web server apache2
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
Installation completed.
</source>

Nüüd on võimalik paigaldajal lasta SSL vhost tekitada ISPConfig’i juhtpaneelilel, nii et ISPConfig’i on võimalik minna kasutades https:// -i http:// asemel. Selleks on vaja järgmisele küsimusele panna lihtsalt enter: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.
Pärast esimest sisselogimist ISPConfig’i admin admin’iga võiks parooli ära vahetada.
Sinna saab sisse logida lehelt:
http(s)://puppet.planet.zz:8080/ või http(s):// 192.168.56.200:8080/
[6]

=Kasutatud materjalid=
[1] http://www.ispconfig.org/page/en/ispconfig.html

[2] http://www.ispconfig.org/page/en/ispconfig/services-and-functions.html

[3] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

[4] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

[5] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5

[6] http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

Linuxi administreerimine

2014-11-20T10:19:30Z

Mtammepo: /* Esseede teemad 2014 */

=Üldinfo=
ECTS: 4
Hindamisviis: Eksam

==Õppejõud==
Margus Ernits

Katrin Loodus

=Eeldused ja sihtgrupp=

Operatsioonisüsteemide administreerimine ja sidumine (Rangelt soovituslik). Osadmin aines loetava oskamine on antud aine õppimise eelduseks. ÕISis on see eeldus märgitud soovituslikuks, kuna igal aastal on paar inimest, kes suudavad mõlemad ained korraga läbida ja on antud vallas väga pädevad.
Linuxi administraatori kursus on mõeldud tugeva infotehnoloogilise põhjaga arvuti-spetsialistile.
Kursuse rõhk on eelkõige võrguhalduril, kelle tööülesannete hulka kuulub igapäevane serverite, võrgu jms hooldus, konfigureerimine ja uute seadmete installatsioon.

=Eesmärk ja sisu=

Kursuse esimeses osas õpitakse tundma Linux süsteemi toimimist, antakse ülevaade administreerimistoimingute automatiseerimisest shelli skriptide abil ja omandatakse praktiline käsufailide koostamise kogemus.

Teises osas õpitakse paigaldama ja konfigureerima erinevaid võrguteenuseid. Kursuse teise osa alguses korratakse taseme ühtlustamiseks TCP/IP võrgu põhialuseid.

=Õpiväljundid=

=Loengud=
2014 - Kaugõppe loengute ja praktikumide videosalvestused: https://echo360.e-ope.ee/ess/portal/section/167195da-3461-4415-b633-189e00ac1ee9

[https://echo360.e-ope.ee/ess/echo/presentation/847883e5-78b3-4c99-9ea9-327ff16636c6?ec=true Kaguõppe esimene loeng 17.oktoober.2014.a. 18:00]

[https://echo360.e-ope.ee/ess/echo/presentation/f14263b1-f8e9-425f-a4a8-a98b864a0a22 Videoloeng Puppet paigaldamisest 17.oktoober.2014.a. ]

1. Sissejuhatav loeng eeldustest [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng01%20-%20Sissejuhatus%20ainesse%20Linux%20administreerimine%20-%202014.pdf Sissejuhatus Loeng 1]

1.1. Kordamine Osadmin [http://elab.itcollege.ee:8000/Linux-Basics.mm]

2. Linux süsteemi põhilised komponendid [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/2014/loeng02%20-%20Linux%20s%c3%bcsteemide%20haldamine%20-%202014.pdf Linux haldamine Loeng 2]

3. Linux süsteemi haldamine puppet abil I [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng03%20-%20Linux%20s%c3%bcsteemide%20haldamine%20-%202014.pdf Linux haldamine Loeng 3]

4. Linux süsteemi haldamine puppet abil II [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng04%20-%20Linux%20s%c3%bcsteemide%20haldamine%20II%20-%202013%20.pdf Linux haldamine Loeng 4]

5. Linux süsteemi haldamine puppet abil III [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng05%20-%20Linux%20s%c3%bcsteemide%20haldamine%20III%20-%202013%20.pdf Linux haldamine Loeng 5]

5.1 Puppeti seadistamine passenger mooduli abil [[Puppet - passenger]]

5.2 Puppet tüübid [http://docs.puppetlabs.com/references/latest/type.html]

5.3 [[Puppet näited]]

Puppeti teise loengu video: http://elab.itcollege.ee:8000/linux-admin/pupppet-algus.ogv

=Praktikumid=

==Esimene praktikum - Ubuntu Serveri ja kliendi paigaldamine ning kordamine==
* Paigaldage '''Ubuntu Linux Server''' süsteem VirtualBox abil
**RAM 512MB
**HDD dynamicly allocated 8GB
**2 Võrgukaarti NIC1 - NAT (eth0 - Ubuntus) ja NIC2 - HostOnly (eth1 - Ubuntus)
**Logige serverisse sisse ja seadistage võrk failis /etc/network/interfaces (liidese eth1 ip aadress 192.168.56.200).
***Abiinfo [[Ubuntu server võrgu seadistamine]] ja [[VirtualBoxi võrgud]]

<source lang="bash">
auto eth1
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
</source>

*Paigaldage openssh server, kui te seda installi käigus ei teinud (apt-get update && apt-get install ssh)

Ubuntu Server 12.04.1 LTS ISO (64bit) http://elab.itcollege.ee:8000/ubuntu-12.04.1-server-amd64.iso

Eelduste kontrollimise test harjutamiseks: http://goo.gl/73xBZ
Kes tunneb, et test on '''liiga keeruline''', peab '''kaaluma''' aine deklareerimise asemel '''Osadmin aine (mis on soovituslik eeldus) läbimist'''.

* '''Ubuntu Desktop Linux''' paigaldamine (Võib paigaldada ka mõne muu disrtibutsiooni desktop masina, kuna seda läheb meil niikuinii hiljem vaja)
**Memory 1024MB
**HDD 16GB (või 8GB) Dynamic disk
**Network
**Video Memory 64MB 3D acceleration sisse

'''NB! Kasutamiseks valmis masinad: [http://elab.itcollege.ee:8000/ubuntu-server-64.ova server 64bit] ja [http://elab.itcollege.ee:8000/ubuntu-desktop-64.ova klient 64bit], [http://elab.itcollege.ee:8000/UbuntuServer32bit.ova server 32bit] ja [http://elab.itcollege.ee:8000/UbuntuDesktop32bit.ova klient 32bit]''' (Kõigil masinatel on user:student password:student)

Pärast paigaldamist seadistada [https://wiki.itcollege.ee/index.php/OpenSSH:_v%C3%B5tmetega_autentimine key based autentimisega] serverisse sisenemine. (tööjaamast saab serveris käske käivitada)

==Teine ja kolmas praktikum - Eeldustetest ja kordamine==

Kordamiseks leiate vajalikku infot [https://wiki.itcollege.ee/index.php/Category:Operatsioonis%C3%BCsteemide_administreerimine_ja_sidumine Operatsioonisüsteemide administreerimise ja sidumise] aine vikist.

[http://goo.gl/AFGfoV Eeldustetest 1]

[http://goo.gl/F0PiWK Eeldustetest 2]

==Linux keskhaldus puppet baasil (ÕISis LABOR 1)==

Praktikumis paigaldame puppet serveri (master) ja kliendi.

Näiteülesanded kaitsmiseks

1. Loo puppet abil fail /etc/issue sisuga KALA

2. Loo puppet abil kasutaja polekala, kodukaustaga /home/polekala, shelliga /bin/zsh ( tee ka paki zsh paigaldus)

3. Lisa nodele class tarkvara, mis paigaldab htop, bpython pakid

4. Loo nodele class eemalda, mis eemaldab paki cowsay

5. Viimane ülesanne on igal ühel erinev.

5.1 Loo serverisse kasutaja kala ja tee talle ssh key. Seadista kliendiarvuti selliselt, et paigaldataks pakk ssh ja lisataks root kasutajale kliendis loodud ssh public key.

5.2 Paigalda kliendi arvutisse ntp server ja määra ntp serveriteks ntp.eenet.ee ja ntp.ut.ee

5.3 Lisa kliendi arvutisse apache2 veebiserver koos virtualhostiga www.planet.zz, (failis /var/www/www.planet.zz/index.html on rida www.planet.zz)
Apache konfis peab olema ServerName www.planet.zz ja sites-enabled all sait www.planet.zz

6. Kaitsmiseks ülesanne

* Paigalda pakk zsh
* Loo kasutaja SINUKAJUTAJANIMI EIK-s ja lisa ta users gruppi (loo grupp) ja säti tema shelliks zsh
* Lisa server rak.planet.zz puppetiga hallatavate masinate nimekirja
* Loo rak.planet.zz serverisse veebileht, mis reageerib nimele www.planet.zz ja väljastab esilehel phpinfo. <?php phpinfo(); ?> faili index.php (seda kõike puppet abil)
* Loo rak.planet.zz serverisse veebileht, mis reageerib nimele sales.planet.zz ja väljastab intex.html sisuga sales.planet.zz
* Loo manifest, mis paigaldab rak.planet.zz serverisse webmin tarkvara (puppet abil)

[[Puppet Examples]]

==Keskne logiserver (ÕISis LABOR 2)==
Labor 2 teema valib tudeng ise. Kui endale ühtegi ideed pähe ei tule, siis soovitan teha logiserveri laborit.
Labor 2 üheks võimalikuks teemaks on keskse logihalduse lahenduse loomine

[[Keskse logilahenduse rakendamine]]

[http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf Lõputöö logihalduse teemal]

http://rdstash.blogspot.com/2013/01/installing-logstash-as-syslog-server-on.html

==Probleemide lahendamise hindid==
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=www.itcollege.ee

=Esseede teemad 2014=

[[ISPconfig]] - Maarja-Liisa Tammepõld

[[Ajenti]]

[[OpenPanel]]

[[ispCP]]

[[VHCS]]

[[Logihaldus V2]] - Kristjan Indlo

Muu Open Source panel/server config software.

[[pidstat]] http://www.thegeekstuff.com/2014/11/pidstat-examples/

=Esseede teemad 2012=

Võib valida keerulisemaid teemasid ka [[Osadmin referaadi teemad]] lehelt.

[[zsh]] - pole algajale

Mida uurida

Prompt

http://zshwiki.org/home/config/prompt

http://stevelosh.com/blog/2010/02/my-extravagant-zsh-prompt/

.zshrc

for

if

[[while]] HN AK-31

jne

[[exFAT vs Linux]] - Kalju Hõbemäe

[[CentOS Server]] --- teeb Oliver Naaris

Paigaldamine

Teenuste DNS, apache2, samba, e-post seadistamine

[[Superb Mini Server]] --- Mark-Erik Mogom, Andrus Dei

Paigaldamine

DNS, samba, LDAP, e-post seadistamine

[[Oracle Linux]]

Paigaldamine

Teenuste DNS, apache2, samba, e-post seadistamine

[[Suse Linux]]

Paigaldamine

Teenuste DNS, apache2, samba seadistamine

[[OpenLDAP Ubuntu Serveril]] - Tarmo Suurmägi, Taavi Sannik, Harri Uljas

[[Zentyal SAMBA4]] --- Lang & Lihten A31

Samba4 domeenikontrolleri seadistamine ja ubuntu/fedora/muu süsteem autentimise seadistamine kasutades uusi vahendeid

[[Apt-yum/dpkg-rpm käskude lühivõrdlus]] - Teet Saar A32

[[Ophcrack]] - teeb Kristo Kapten

[[rancid]] - Meelis Kurnikov, Aive Haavel AK31

[[zenoss]] - Kristjan Vaik

[[Apache autentimine LDAP'iga]] - Rauno Lehiste

=Esseede teemad 2013=

[[Linux failisüsteemi jõudluse mõõtmine]]

[[passenger]]

[[NFTables]]

[[Ipcop]] - saab kaasajastada

[[suricata]] http://www.openinfosecfoundation.org/index.php/download-suricata - Martin Leppik ja Randel Raidmets 12.12.2013

[[snort]] http://www.snort.org/ - võib kaasajastada

[[Owncloud]] - Tõnu Erm AK31

[[Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll]] - Sten Aus 28.11.2013

[[Keskse logilahenduse rakendamine Rsyslog näitel]] - Kimmo Lillipuu, Kaarel Kuurmann, Heigo Punapart 18.12.2013

[[Keskse logihalduse tarvis kliendile Rsyslogi paigladmaine ja seadistamine puppeti abil ]] - Indrek Mitt, Priidu Niit 19.12.2013

[[Nagios 3.5]] - Piia Ploovits, Sandra Sirel, Kristian Kivimägi, Grete Maisla 19.12.2013

[[MySecureShell - SecureFTP]] - Kalle Kadakas 20.12.2013

[[Keskne logiserver]] - Tauri Jaanus 25.12.2013

[[ISPConf 3 Ubuntu serverile 13.04]] - Ülo Vardja ja Aare Uibomäe 04.01.2014

[[Bind9 nimeserver (puppet baasil)]] - Liis Mironova, Tarmo Tüür 06.01.2014

[[Pure-FTPd]] - Maris Kuusik 07.01.2014

[[Logiserver, mis kogub võrgust kokku mikrotik ruuteri logid ]] - Lauri Rüütli ja Tõnu Ruut 07.01.14

[[PHORONIX TEST SUITE]] - Tammo Oolup 08.01.2013

[[Conky]] - Kristjan Karu 09.01.2013

[[Keskse logihalduse süsteem Splunk baasil]] - Veiko Virk 10.01.2014

[[Keskne logihaldus Rsyslog ja SEC näitel]] - Kristjan Rõõm, Viljar Rooda 10.01.2014

[[SaltStack]] - Vjatšeslav Jertsalov 11.01.2014

[[Zabbix 2.2]] - Dineta Mahno 12.01.2014

[[Labor 2: Keskne logiserver (Nxlog)]] - Kaarel Väinaste ja Rasmus Tetsmann 13.01.2014

=Eksamist=

Eksami ajal saab veel kaitsta laboreid, kuid soovitav on need enne eksamit ära kaitsta, kuna eksam on päris pingeline.

Linux eksam on praktiline, koosneb neljast osast:

1. Puppet abil tuleb teha lihtsaid asju (kasutaja, kaust/fail teatud sisu ja õigustega, paigaldada pakke) 10p 10min

2. Puppet abil teenuse seadistamine keerulisem 15p 15min (kui apache seadistamine, siis eemaldage paki apache kirjeldus)

3. Linux paigalduse parandamine (lihtne) 15p 10min

4. Linux paigalduse parandamine (raske) 9p 25min

1. Näiteülesanded: 10min
* Loo kasutaja kjk212 koos kodukasutaga
* Paigalda pakk apache2
* Paigalda pakk htop
* Tekita fail, mille sisu on selle ülesande tekst asukohta /var/eksam/yl1.txt
* Sea loodud faili omanikuks eespool loodud kasutaja ja grupiks audio. Sea õigused selliselt, et kasutaja saab kõike teha ja grupp lugeda/kirjutada. Teised ei saa midagi teha.

2. Näiteküsimused 15min
* Paigalda www.planet.zz virtualhost (nagu aine wikis kirjas)
* Paigalda ntp teenus (aine wikist)
* Paigalda BIND teenus (aine wikist) http://enos.itcollege.ee/~mernits/Linux%20administreerimine/bind.ogv [[Nimeserveri seadistamine BIND9 näitel]]

3. Linux paigalduse parandamine (lihtne) 10min
* Teil ununes root parool ära ja student kasutaja pole administraatorite grupis. (vana admin läks töölt ära ja parooli keegi ei mäleta)
* Teie server tõsteti valesse VLANi (virtualboxis teise võrku)
* Teie server tõsteti teise võrku, mille IP on teine ja võrgu administraator unustas teile seda öelda ja läks puhkusele (tehke nii, et töötaks)
* Praktikal olev tudeng rikkus ära faili, kus määratakse alglaadimisel ühendatavad kettajaod ja failisüsteemid
* Praktikal olev tudeng tegi katki puppet paigalduse (ja on endaga täitsa rahul) Tehke korda ja selgitage, mida ta valesti tegi.

4. Linux paigalduse parandamine (raske) 25min
* Praktikal olev tudeng rikkus ära kõvaketta kettajagude tabeli. Taastage süsteem.
* Praktikal olev tudeng kustustas ühelt kettalt palju pilte ja kettajagude tabeli. Taastage pildid. http://enos.itcollege.ee/~mernits/Linux%20administreerimine/linux-eksam.vmdk
* Praktikal olev tudeng "konfigureeris" ehk saboteeris teie labor 2 teenuse ära - Tehke korda ja selgitage, mida ta valesti tegi.

https://wiki.itcollege.ee/index.php/Linuxi_administreerimine_eksamiabi_2014
-----

=Laborimaterjalid 201 NB See on ajalooline info!=

Teha apt - yum ja dpkg - rpm vastavustabel. dpkg ja apt korraldused leiab [http://elab.itcollege.ee:8000/Linux-Basics.mm Linux-Basics mindmapist]

Parim töö annab 7p, järgmised 5p (piisavalt põhjalikud ja erinevad)

Ebapiisavad vastavustabelid, mis sarnanevad üksteisele punkte ei saa.

Kui su tabel on ilma vigadeta, kuid mitte parimate sead siis saad 1-2p.

'''Praks 4'''

Nimeserveri BIND9 paigaldamine.

*Mõtle välja domeenimini
*Paigalda nimeserver bind9
*Seadista oma domeen
**www.domeen
**ns.domeen
**sales.domeen
**seadista oma kliendimasin kasutama uut nimeserverit

NB: enne kaitsmist lugeda läbi http://kuutorvaja.eenet.ee/wiki/DNS

Labori üks näide [[Nimeserveri seadistamine BIND9 näitel]]

Praktikumi salvestus http://echo360.e-uni.ee/ess/echo/presentation/a828b6af-8caf-4319-b594-5d6bfed04a70

'''Punktide''' (5p) '''kirja saamiseks''' peab töötama nii nimede lahendamine läbi teie nimeserveri kui ka reverse lookup.

'''Praks 5'''

Veebiserveri apache2 paigaldamine

*Loo veebisaidid www.domeen ja sales.domeen (ehk oma DNS labori nimedele vastavad veebisaidid)
Praktikumi salvestus: http://echo360.e-uni.ee/ess/echo/presentation/0945a764-0305-48ec-8082-4e57a23cc536
*Seadist HTTPS nendele saitidele (vajadusel loo uus ip alias ja muuda nimeserveris olevat kirjet, et TLS nimed viitaks erinevatele IP aadressidele)
*Abiks on loeng: http://enos.itcollege.ee/~mernits/infrastruktuur/loeng04%20-%20Veebiserver.odp ja labor: https://wiki.itcollege.ee/index.php/Veebiserveri_labor_v.2
*Paigalda WordPress vastavalt juhendile: http://goo.gl/6XQ0U

'''Punktide''' (5p) '''kirja saamiseks''' peab töötama veebiserververi apache2 pealt 2 veebilehte ning wordpress. Wordpressile peab olema paigaldatud super cache ning lisaks peab töötama varnish. Seejuures wordpress on seadistatud pordile 80 ja wordpress pordil 8080. Lehe toimivust testige enne kaitsmist ab vahendiga, kus -n 1000 ja -t 10.

'''Praks 7'''
Samba share-i välja jagamine.

*Loo share, mis on ligipääsetav vaid kasutajatele, kes kuuluvad lab gruppi. Vajalik on ka share-ile kirjutamisõigus (saab kausta luua).
* Seadista samba abil kasutajate kodukaustadele ligipääsemine. Iga kasutaja peab ligi pääsema enda kodukaustale.

*Abiks on viki artiklid : https://wiki.itcollege.ee/index.php/Failiserver_Samba_labor_2 ja https://wiki.itcollege.ee/index.php/Lihtne_samba_install

'''Punktide''' (5p) '''kirja saamiseks''' on vajalik share-i olemasolu, mis on ligipääsetav ning kirjutatav (võimalik luua kataloogi) ainult lab gruppi kuuluvatele kasutajatele ning lab gruppi mitte kuuluvad kasutajad ei tohi sinna ligi pääseda.
Lisaks peavad kasutajad pääsema ligi oma kodukaustale, sõltumata sellest, kas ta kuulub lab gruppi või mitte.

'''Labor 1'''
*Veebiserver ja virtualhostid
*DNS
*e-post
*iptables
*samba

'''Labor 2'''
*LDAP või Samba4 - LDAP Teet Saar, Kullo-Kalev Aru
*Puppet või chef
*PAM
*Puppet (Ubuntus) - Kristo Kapten
*[[Samba(windows domeenis fileserver)]] - Marko Kurs
*[[TLS termineerimine nginx abil]] - Sander Arnus, Sander Saveli

ISPconfig

2014-11-20T10:03:33Z

Mtammepo:

Autor: Maarja-Liisa Tammepõld

Rühm: A31

Kuupäev: 20.11.2014

ISPconfig

2014-11-20T10:03:19Z

Mtammepo: Created page with "Autor: Maarja-Liisa Tammepõld Rühm: A31 Kuupäev: 20.11.2013"

Autor: Maarja-Liisa Tammepõld

Rühm: A31

Kuupäev: 20.11.2013

Linuxi administreerimine

2014-11-20T10:01:26Z

Mtammepo: /* Esseede teemad 2014 */

=Üldinfo=
ECTS: 4
Hindamisviis: Eksam

==Õppejõud==
Margus Ernits

Katrin Loodus

=Eeldused ja sihtgrupp=

Operatsioonisüsteemide administreerimine ja sidumine (Rangelt soovituslik). Osadmin aines loetava oskamine on antud aine õppimise eelduseks. ÕISis on see eeldus märgitud soovituslikuks, kuna igal aastal on paar inimest, kes suudavad mõlemad ained korraga läbida ja on antud vallas väga pädevad.
Linuxi administraatori kursus on mõeldud tugeva infotehnoloogilise põhjaga arvuti-spetsialistile.
Kursuse rõhk on eelkõige võrguhalduril, kelle tööülesannete hulka kuulub igapäevane serverite, võrgu jms hooldus, konfigureerimine ja uute seadmete installatsioon.

=Eesmärk ja sisu=

Kursuse esimeses osas õpitakse tundma Linux süsteemi toimimist, antakse ülevaade administreerimistoimingute automatiseerimisest shelli skriptide abil ja omandatakse praktiline käsufailide koostamise kogemus.

Teises osas õpitakse paigaldama ja konfigureerima erinevaid võrguteenuseid. Kursuse teise osa alguses korratakse taseme ühtlustamiseks TCP/IP võrgu põhialuseid.

=Õpiväljundid=

=Loengud=
2014 - Kaugõppe loengute ja praktikumide videosalvestused: https://echo360.e-ope.ee/ess/portal/section/167195da-3461-4415-b633-189e00ac1ee9

[https://echo360.e-ope.ee/ess/echo/presentation/847883e5-78b3-4c99-9ea9-327ff16636c6?ec=true Kaguõppe esimene loeng 17.oktoober.2014.a. 18:00]

[https://echo360.e-ope.ee/ess/echo/presentation/f14263b1-f8e9-425f-a4a8-a98b864a0a22 Videoloeng Puppet paigaldamisest 17.oktoober.2014.a. ]

1. Sissejuhatav loeng eeldustest [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng01%20-%20Sissejuhatus%20ainesse%20Linux%20administreerimine%20-%202014.pdf Sissejuhatus Loeng 1]

1.1. Kordamine Osadmin [http://elab.itcollege.ee:8000/Linux-Basics.mm]

2. Linux süsteemi põhilised komponendid [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/2014/loeng02%20-%20Linux%20s%c3%bcsteemide%20haldamine%20-%202014.pdf Linux haldamine Loeng 2]

3. Linux süsteemi haldamine puppet abil I [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng03%20-%20Linux%20s%c3%bcsteemide%20haldamine%20-%202014.pdf Linux haldamine Loeng 3]

4. Linux süsteemi haldamine puppet abil II [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng04%20-%20Linux%20s%c3%bcsteemide%20haldamine%20II%20-%202013%20.pdf Linux haldamine Loeng 4]

5. Linux süsteemi haldamine puppet abil III [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng05%20-%20Linux%20s%c3%bcsteemide%20haldamine%20III%20-%202013%20.pdf Linux haldamine Loeng 5]

5.1 Puppeti seadistamine passenger mooduli abil [[Puppet - passenger]]

5.2 Puppet tüübid [http://docs.puppetlabs.com/references/latest/type.html]

5.3 [[Puppet näited]]

Puppeti teise loengu video: http://elab.itcollege.ee:8000/linux-admin/pupppet-algus.ogv

=Praktikumid=

==Esimene praktikum - Ubuntu Serveri ja kliendi paigaldamine ning kordamine==
* Paigaldage '''Ubuntu Linux Server''' süsteem VirtualBox abil
**RAM 512MB
**HDD dynamicly allocated 8GB
**2 Võrgukaarti NIC1 - NAT (eth0 - Ubuntus) ja NIC2 - HostOnly (eth1 - Ubuntus)
**Logige serverisse sisse ja seadistage võrk failis /etc/network/interfaces (liidese eth1 ip aadress 192.168.56.200).
***Abiinfo [[Ubuntu server võrgu seadistamine]] ja [[VirtualBoxi võrgud]]

<source lang="bash">
auto eth1
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
</source>

*Paigaldage openssh server, kui te seda installi käigus ei teinud (apt-get update && apt-get install ssh)

Ubuntu Server 12.04.1 LTS ISO (64bit) http://elab.itcollege.ee:8000/ubuntu-12.04.1-server-amd64.iso

Eelduste kontrollimise test harjutamiseks: http://goo.gl/73xBZ
Kes tunneb, et test on '''liiga keeruline''', peab '''kaaluma''' aine deklareerimise asemel '''Osadmin aine (mis on soovituslik eeldus) läbimist'''.

* '''Ubuntu Desktop Linux''' paigaldamine (Võib paigaldada ka mõne muu disrtibutsiooni desktop masina, kuna seda läheb meil niikuinii hiljem vaja)
**Memory 1024MB
**HDD 16GB (või 8GB) Dynamic disk
**Network
**Video Memory 64MB 3D acceleration sisse

'''NB! Kasutamiseks valmis masinad: [http://elab.itcollege.ee:8000/ubuntu-server-64.ova server 64bit] ja [http://elab.itcollege.ee:8000/ubuntu-desktop-64.ova klient 64bit], [http://elab.itcollege.ee:8000/UbuntuServer32bit.ova server 32bit] ja [http://elab.itcollege.ee:8000/UbuntuDesktop32bit.ova klient 32bit]''' (Kõigil masinatel on user:student password:student)

Pärast paigaldamist seadistada [https://wiki.itcollege.ee/index.php/OpenSSH:_v%C3%B5tmetega_autentimine key based autentimisega] serverisse sisenemine. (tööjaamast saab serveris käske käivitada)

==Teine ja kolmas praktikum - Eeldustetest ja kordamine==

Kordamiseks leiate vajalikku infot [https://wiki.itcollege.ee/index.php/Category:Operatsioonis%C3%BCsteemide_administreerimine_ja_sidumine Operatsioonisüsteemide administreerimise ja sidumise] aine vikist.

[http://goo.gl/AFGfoV Eeldustetest 1]

[http://goo.gl/F0PiWK Eeldustetest 2]

==Linux keskhaldus puppet baasil (ÕISis LABOR 1)==

Praktikumis paigaldame puppet serveri (master) ja kliendi.

Näiteülesanded kaitsmiseks

1. Loo puppet abil fail /etc/issue sisuga KALA

2. Loo puppet abil kasutaja polekala, kodukaustaga /home/polekala, shelliga /bin/zsh ( tee ka paki zsh paigaldus)

3. Lisa nodele class tarkvara, mis paigaldab htop, bpython pakid

4. Loo nodele class eemalda, mis eemaldab paki cowsay

5. Viimane ülesanne on igal ühel erinev.

5.1 Loo serverisse kasutaja kala ja tee talle ssh key. Seadista kliendiarvuti selliselt, et paigaldataks pakk ssh ja lisataks root kasutajale kliendis loodud ssh public key.

5.2 Paigalda kliendi arvutisse ntp server ja määra ntp serveriteks ntp.eenet.ee ja ntp.ut.ee

5.3 Lisa kliendi arvutisse apache2 veebiserver koos virtualhostiga www.planet.zz, (failis /var/www/www.planet.zz/index.html on rida www.planet.zz)
Apache konfis peab olema ServerName www.planet.zz ja sites-enabled all sait www.planet.zz

6. Kaitsmiseks ülesanne

* Paigalda pakk zsh
* Loo kasutaja SINUKAJUTAJANIMI EIK-s ja lisa ta users gruppi (loo grupp) ja säti tema shelliks zsh
* Lisa server rak.planet.zz puppetiga hallatavate masinate nimekirja
* Loo rak.planet.zz serverisse veebileht, mis reageerib nimele www.planet.zz ja väljastab esilehel phpinfo. <?php phpinfo(); ?> faili index.php (seda kõike puppet abil)
* Loo rak.planet.zz serverisse veebileht, mis reageerib nimele sales.planet.zz ja väljastab intex.html sisuga sales.planet.zz
* Loo manifest, mis paigaldab rak.planet.zz serverisse webmin tarkvara (puppet abil)

[[Puppet Examples]]

==Keskne logiserver (ÕISis LABOR 2)==
Labor 2 teema valib tudeng ise. Kui endale ühtegi ideed pähe ei tule, siis soovitan teha logiserveri laborit.
Labor 2 üheks võimalikuks teemaks on keskse logihalduse lahenduse loomine

[[Keskse logilahenduse rakendamine]]

[http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf Lõputöö logihalduse teemal]

http://rdstash.blogspot.com/2013/01/installing-logstash-as-syslog-server-on.html

==Probleemide lahendamise hindid==
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=www.itcollege.ee

=Esseede teemad 2014=

[[ISPconfig]] -- Maarja-Liisa Tammepõld

[[Ajenti]]

[[OpenPanel]]

[[ispCP]]

[[VHCS]]

Muu Open Source panel/server config software.

[[pidstat]] http://www.thegeekstuff.com/2014/11/pidstat-examples/

=Esseede teemad 2012=

Võib valida keerulisemaid teemasid ka [[Osadmin referaadi teemad]] lehelt.

[[zsh]] - pole algajale

Mida uurida

Prompt

http://zshwiki.org/home/config/prompt

http://stevelosh.com/blog/2010/02/my-extravagant-zsh-prompt/

.zshrc

for

if

[[while]] HN AK-31

jne

[[exFAT vs Linux]] - Kalju Hõbemäe

[[CentOS Server]] --- teeb Oliver Naaris

Paigaldamine

Teenuste DNS, apache2, samba, e-post seadistamine

[[Superb Mini Server]] --- Mark-Erik Mogom, Andrus Dei

Paigaldamine

DNS, samba, LDAP, e-post seadistamine

[[Oracle Linux]]

Paigaldamine

Teenuste DNS, apache2, samba, e-post seadistamine

[[Suse Linux]]

Paigaldamine

Teenuste DNS, apache2, samba seadistamine

[[OpenLDAP Ubuntu Serveril]] - Tarmo Suurmägi, Taavi Sannik, Harri Uljas

[[Zentyal SAMBA4]] --- Lang & Lihten A31

Samba4 domeenikontrolleri seadistamine ja ubuntu/fedora/muu süsteem autentimise seadistamine kasutades uusi vahendeid

[[Apt-yum/dpkg-rpm käskude lühivõrdlus]] - Teet Saar A32

[[Ophcrack]] - teeb Kristo Kapten

[[rancid]] - Meelis Kurnikov, Aive Haavel AK31

[[zenoss]] - Kristjan Vaik

[[Apache autentimine LDAP'iga]] - Rauno Lehiste

=Esseede teemad 2013=

[[Linux failisüsteemi jõudluse mõõtmine]]

[[passenger]]

[[NFTables]]

[[Ipcop]] - saab kaasajastada

[[suricata]] http://www.openinfosecfoundation.org/index.php/download-suricata - Martin Leppik ja Randel Raidmets 12.12.2013

[[snort]] http://www.snort.org/ - võib kaasajastada

[[Owncloud]] - Tõnu Erm AK31

[[Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll]] - Sten Aus 28.11.2013

[[Keskse logilahenduse rakendamine Rsyslog näitel]] - Kimmo Lillipuu, Kaarel Kuurmann, Heigo Punapart 18.12.2013

[[Keskse logihalduse tarvis kliendile Rsyslogi paigladmaine ja seadistamine puppeti abil ]] - Indrek Mitt, Priidu Niit 19.12.2013

[[Nagios 3.5]] - Piia Ploovits, Sandra Sirel, Kristian Kivimägi, Grete Maisla 19.12.2013

[[MySecureShell - SecureFTP]] - Kalle Kadakas 20.12.2013

[[Keskne logiserver]] - Tauri Jaanus 25.12.2013

[[ISPConf 3 Ubuntu serverile 13.04]] - Ülo Vardja ja Aare Uibomäe 04.01.2014

[[Bind9 nimeserver (puppet baasil)]] - Liis Mironova, Tarmo Tüür 06.01.2014

[[Pure-FTPd]] - Maris Kuusik 07.01.2014

[[Logiserver, mis kogub võrgust kokku mikrotik ruuteri logid ]] - Lauri Rüütli ja Tõnu Ruut 07.01.14

[[PHORONIX TEST SUITE]] - Tammo Oolup 08.01.2013

[[Conky]] - Kristjan Karu 09.01.2013

[[Keskse logihalduse süsteem Splunk baasil]] - Veiko Virk 10.01.2014

[[Keskne logihaldus Rsyslog ja SEC näitel]] - Kristjan Rõõm, Viljar Rooda 10.01.2014

[[SaltStack]] - Vjatšeslav Jertsalov 11.01.2014

[[Zabbix 2.2]] - Dineta Mahno 12.01.2014

[[Labor 2: Keskne logiserver (Nxlog)]] - Kaarel Väinaste ja Rasmus Tetsmann 13.01.2014

=Eksamist=

Eksami ajal saab veel kaitsta laboreid, kuid soovitav on need enne eksamit ära kaitsta, kuna eksam on päris pingeline.

Linux eksam on praktiline, koosneb neljast osast:

1. Puppet abil tuleb teha lihtsaid asju (kasutaja, kaust/fail teatud sisu ja õigustega, paigaldada pakke) 10p 10min

2. Puppet abil teenuse seadistamine keerulisem 15p 15min (kui apache seadistamine, siis eemaldage paki apache kirjeldus)

3. Linux paigalduse parandamine (lihtne) 15p 10min

4. Linux paigalduse parandamine (raske) 9p 25min

1. Näiteülesanded: 10min
* Loo kasutaja kjk212 koos kodukasutaga
* Paigalda pakk apache2
* Paigalda pakk htop
* Tekita fail, mille sisu on selle ülesande tekst asukohta /var/eksam/yl1.txt
* Sea loodud faili omanikuks eespool loodud kasutaja ja grupiks audio. Sea õigused selliselt, et kasutaja saab kõike teha ja grupp lugeda/kirjutada. Teised ei saa midagi teha.

2. Näiteküsimused 15min
* Paigalda www.planet.zz virtualhost (nagu aine wikis kirjas)
* Paigalda ntp teenus (aine wikist)
* Paigalda BIND teenus (aine wikist) http://enos.itcollege.ee/~mernits/Linux%20administreerimine/bind.ogv [[Nimeserveri seadistamine BIND9 näitel]]

3. Linux paigalduse parandamine (lihtne) 10min
* Teil ununes root parool ära ja student kasutaja pole administraatorite grupis. (vana admin läks töölt ära ja parooli keegi ei mäleta)
* Teie server tõsteti valesse VLANi (virtualboxis teise võrku)
* Teie server tõsteti teise võrku, mille IP on teine ja võrgu administraator unustas teile seda öelda ja läks puhkusele (tehke nii, et töötaks)
* Praktikal olev tudeng rikkus ära faili, kus määratakse alglaadimisel ühendatavad kettajaod ja failisüsteemid
* Praktikal olev tudeng tegi katki puppet paigalduse (ja on endaga täitsa rahul) Tehke korda ja selgitage, mida ta valesti tegi.

4. Linux paigalduse parandamine (raske) 25min
* Praktikal olev tudeng rikkus ära kõvaketta kettajagude tabeli. Taastage süsteem.
* Praktikal olev tudeng kustustas ühelt kettalt palju pilte ja kettajagude tabeli. Taastage pildid. http://enos.itcollege.ee/~mernits/Linux%20administreerimine/linux-eksam.vmdk
* Praktikal olev tudeng "konfigureeris" ehk saboteeris teie labor 2 teenuse ära - Tehke korda ja selgitage, mida ta valesti tegi.

https://wiki.itcollege.ee/index.php/Linuxi_administreerimine_eksamiabi_2014
-----

=Laborimaterjalid 201 NB See on ajalooline info!=

Teha apt - yum ja dpkg - rpm vastavustabel. dpkg ja apt korraldused leiab [http://elab.itcollege.ee:8000/Linux-Basics.mm Linux-Basics mindmapist]

Parim töö annab 7p, järgmised 5p (piisavalt põhjalikud ja erinevad)

Ebapiisavad vastavustabelid, mis sarnanevad üksteisele punkte ei saa.

Kui su tabel on ilma vigadeta, kuid mitte parimate sead siis saad 1-2p.

'''Praks 4'''

Nimeserveri BIND9 paigaldamine.

*Mõtle välja domeenimini
*Paigalda nimeserver bind9
*Seadista oma domeen
**www.domeen
**ns.domeen
**sales.domeen
**seadista oma kliendimasin kasutama uut nimeserverit

NB: enne kaitsmist lugeda läbi http://kuutorvaja.eenet.ee/wiki/DNS

Labori üks näide [[Nimeserveri seadistamine BIND9 näitel]]

Praktikumi salvestus http://echo360.e-uni.ee/ess/echo/presentation/a828b6af-8caf-4319-b594-5d6bfed04a70

'''Punktide''' (5p) '''kirja saamiseks''' peab töötama nii nimede lahendamine läbi teie nimeserveri kui ka reverse lookup.

'''Praks 5'''

Veebiserveri apache2 paigaldamine

*Loo veebisaidid www.domeen ja sales.domeen (ehk oma DNS labori nimedele vastavad veebisaidid)
Praktikumi salvestus: http://echo360.e-uni.ee/ess/echo/presentation/0945a764-0305-48ec-8082-4e57a23cc536
*Seadist HTTPS nendele saitidele (vajadusel loo uus ip alias ja muuda nimeserveris olevat kirjet, et TLS nimed viitaks erinevatele IP aadressidele)
*Abiks on loeng: http://enos.itcollege.ee/~mernits/infrastruktuur/loeng04%20-%20Veebiserver.odp ja labor: https://wiki.itcollege.ee/index.php/Veebiserveri_labor_v.2
*Paigalda WordPress vastavalt juhendile: http://goo.gl/6XQ0U

'''Punktide''' (5p) '''kirja saamiseks''' peab töötama veebiserververi apache2 pealt 2 veebilehte ning wordpress. Wordpressile peab olema paigaldatud super cache ning lisaks peab töötama varnish. Seejuures wordpress on seadistatud pordile 80 ja wordpress pordil 8080. Lehe toimivust testige enne kaitsmist ab vahendiga, kus -n 1000 ja -t 10.

'''Praks 7'''
Samba share-i välja jagamine.

*Loo share, mis on ligipääsetav vaid kasutajatele, kes kuuluvad lab gruppi. Vajalik on ka share-ile kirjutamisõigus (saab kausta luua).
* Seadista samba abil kasutajate kodukaustadele ligipääsemine. Iga kasutaja peab ligi pääsema enda kodukaustale.

*Abiks on viki artiklid : https://wiki.itcollege.ee/index.php/Failiserver_Samba_labor_2 ja https://wiki.itcollege.ee/index.php/Lihtne_samba_install

'''Punktide''' (5p) '''kirja saamiseks''' on vajalik share-i olemasolu, mis on ligipääsetav ning kirjutatav (võimalik luua kataloogi) ainult lab gruppi kuuluvatele kasutajatele ning lab gruppi mitte kuuluvad kasutajad ei tohi sinna ligi pääseda.
Lisaks peavad kasutajad pääsema ligi oma kodukaustale, sõltumata sellest, kas ta kuulub lab gruppi või mitte.

'''Labor 1'''
*Veebiserver ja virtualhostid
*DNS
*e-post
*iptables
*samba

'''Labor 2'''
*LDAP või Samba4 - LDAP Teet Saar, Kullo-Kalev Aru
*Puppet või chef
*PAM
*Puppet (Ubuntus) - Kristo Kapten
*[[Samba(windows domeenis fileserver)]] - Marko Kurs
*[[TLS termineerimine nginx abil]] - Sander Arnus, Sander Saveli

Category talk:I375/I803/I853 IT Infrastructure services

2014-05-25T20:17:41Z

Mtammepo: moved Category talk:IT infrastruktuuri teenused to Heartbleed

#REDIRECT [[Heartbleed]]

Heartbleed

2014-05-25T20:17:41Z

Mtammepo: moved Category talk:IT infrastruktuuri teenused to Heartbleed

=Heartbleed=

'''Autor:''' Maarja-Liisa Tammepõld

'''Rühm:''' A22

[[File:Heartbleed.png]]
[https://www.owasp.org/images/5/5d/Heartbleed.png]

==Sissejuhatus==

See on tõsine krüptograafilise tarkvara teegi OpenSSL-i nõrkus. See võimaldab SSL-i/TSL-i enkrüpteerimisega kaitstud informatsiooni varastada. SSL/TLS pakuvad erinevate rakenduste turvalist kasutamist üle Interneti nt. emaili teenuste ja mõne VPN-i kasutamisel, võimaldab turvaliselt minna panka, ilma et keegi salajast infot näha saaks. Nüüd on avastatud, aga OpenSSL-i turvaauk nimega Heartbleed, mis võimaldab ligipääseda serveri mälule ja mis hõlmab kogu salajast informatsiooni: kasutajate nimesid, salasõnu ja tegelikku sisu. Seeläbi on ründajatel võimalik pealtkuulata vestlusi, andmeid varastada ja võimaldab kehastada teist kasutajat või teenust. [1]

==Kuidas töötab Heartbleed?==

Internetitoimingutes kontrollivad serveritega ühenduses olevad arvutid teatud ajavahemike järel, kas nad on endiselt samal liinil ühenduses saates üksteisele signaale. Selle sama signaali kaudu ongi võimalik ligi pääseda serveri mälule. [2]

Nõrkus (CVE-2014-0160) on kadunud signaali kontroll enne memcpy()kutsungit, mis kasutab kasutaja sisendit parameetri pikkusena. Ründaja saab OpenSSL-i trikitada paigutades sinna 64KB suuruse puhvri, kopeerib rohkem baite kui vaja puhvrisse, saadab selle buhvri tagasi ja seetõttu lekib ohvri mällu 64KB suurune sisu samal ajal. [3]

==Mida saab selle vastu ette võtta?==

Servereid hallatavatel administraatoritel soovitatakse genereerida serverile uus privaatvõti, hankida kaasnev uus sertifikaat ja paluma kõikidel kasutajatel oma paroolid ära vahetada.

Kuna Heartbleed mõjutab Internetis umbes 18% hulga ulatuses servereid, siis selle turvamiseks on tehtud ka juba avalik tööriist, mis võimaldab näha, kas mõni server on turvaline või mitte: https://filippo.io/Heartbleed/ . [2]

Nüüdseks on loodud OpenSSL-st uuem ja täiustatum versioon, millel puudub see sama haavatav koht, kuid nii kaua, kui kasutatakse nõrkusega olevat OpenSSL-i, senikaua püsib ka oht ründe ohvriks sattuda. [1]

==Mis OpenSSL-i versioonid on haavatavad?==

*OpenSSL 1.0.1 läbi 1.0.1f on haavatav
*OpenSSL 1.0.1g on turvaline
*OpenSSL 1.0.0 laiendus on turvaline
*OpenSSL 0.9.8 laiendus on turvaline

Alates 2012. aasta 14. märtsist OpenSSL versiooniga 1.0.1 levis nõrkus ja 7. aprillil 2014 sai avalikuks versioon 1.0.1g, mis muutus turvaliseks.

[1]

===Mõned operatsioonisüsteemi distributsioonid, mis on haavatava OpenSSL-i versiooniga:===

*Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
*Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
*CentOS 6.5, OpenSSL 1.0.1e-15
*Fedora 18, OpenSSL 1.0.1e-4
*OpenBSD 5.3 (OpenSSL 1.0.1c 10 mai 2012) and 5.4 (OpenSSL 1.0.1c (10 mai 2012))
*FreeBSD 10.0 - OpenSSL 1.0.1e (11 veebruar 2013)
*NetBSD 5.0.2 (OpenSSL 1.0.1e)
*OpenSUSE 12.2 (OpenSSL 1.0.1c)

===Operatsioonisüsteemi distributsioonid, mis on turvalised: ===

*Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
*SUSE Linux Enterprise Server
*FreeBSD 8.4 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 9.2 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 10.0p1 - OpenSSL 1.0.1g (8 aprill 2014)
*FreeBSD Ports - OpenSSL 1.0.1g (7 aprill 2014)
[3]

==Lahendus==

Kood, mis loodi selle vea vastu OpenSSL versioonis 1.0.1g, mis kontrollib signaali õige ajavahemiku tagant SSL3 struktuuris (s3->rrec), mis kirjeldab sissetulevat signaali.
<pre>
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;
</pre>
[3]

==Kokkuvõte==

Kasutajad võiksid oma paroole erinevates kohtades hoida erinevatena, juhul kui peaks toimuma rünne mingisuguse lehe vastu, et ründaja sama parooli kuskil mujal kasutada ei saaks. OpenSSL-i versiooni võiks uuendada 1.0.1g vastu, mis hetkel on turvaline ja hankida endale uus sertifikaat.

=Kasutatud materjal=

[1] http://heartbleed.com/

[2] http://forte.delfi.ee/news/tarkvara/viimaste-aegade-tosiseim-turvaauk-heartbleed-millised-salasonad-peaksid-kindlasti-valja-vahetama.d?id=68417681

[3] https://www.owasp.org/index.php/Heartbleed_Bug

[[Category:IT infrastruktuuri teenused]]

Heartbleed

2014-05-25T20:13:17Z

Mtammepo: /* Heartbleed */

File:Heartbleed.png

2014-05-25T20:07:31Z

Mtammepo:

Heartbleed

2014-05-25T20:01:01Z

Mtammepo: /* Heartbleed */

=Heartbleed=

'''Autor:''' Maarja-Liisa Tammepõld

'''Rühm:''' A22

==Sissejuhatus==

See on tõsine krüptograafilise tarkvara teegi OpenSSL-i nõrkus. See võimaldab SSL-i/TSL-i enkrüpteerimisega kaitstud informatsiooni varastada. SSL/TLS pakuvad erinevate rakenduste turvalist kasutamist üle Interneti nt. emaili teenuste ja mõne VPN-i kasutamisel, võimaldab turvaliselt minna panka, ilma et keegi salajast infot näha saaks. Nüüd on avastatud, aga OpenSSL-i turvaauk nimega Heartbleed, mis võimaldab ligipääseda serveri mälule ja mis hõlmab kogu salajast informatsiooni: kasutajate nimesid, salasõnu ja tegelikku sisu. Seeläbi on ründajatel võimalik pealtkuulata vestlusi, andmeid varastada ja võimaldab kehastada teist kasutajat või teenust. [1]

==Kuidas töötab Heartbleed?==

Internetitoimingutes kontrollivad serveritega ühenduses olevad arvutid teatud ajavahemike järel, kas nad on endiselt samal liinil ühenduses saates üksteisele signaale. Selle sama signaali kaudu ongi võimalik ligi pääseda serveri mälule. [2]

Nõrkus (CVE-2014-0160) on kadunud signaali kontroll enne memcpy()kutsungit, mis kasutab kasutaja sisendit parameetri pikkusena. Ründaja saab OpenSSL-i trikitada paigutades sinna 64KB suuruse puhvri, kopeerib rohkem baite kui vaja puhvrisse, saadab selle buhvri tagasi ja seetõttu lekib ohvri mällu 64KB suurune sisu samal ajal. [3]

==Mida saab selle vastu ette võtta?==

Servereid hallatavatel administraatoritel soovitatakse genereerida serverile uus privaatvõti, hankida kaasnev uus sertifikaat ja paluma kõikidel kasutajatel oma paroolid ära vahetada.

Kuna Heartbleed mõjutab Internetis umbes 18% hulga ulatuses servereid, siis selle turvamiseks on tehtud ka juba avalik tööriist, mis võimaldab näha, kas mõni server on turvaline või mitte: https://filippo.io/Heartbleed/ . [2]

Nüüdseks on loodud OpenSSL-st uuem ja täiustatum versioon, millel puudub see sama haavatav koht, kuid nii kaua, kui kasutatakse nõrkusega olevat OpenSSL-i, senikaua püsib ka oht ründe ohvriks sattuda. [1]

==Mis OpenSSL-i versioonid on haavatavad?==

*OpenSSL 1.0.1 läbi 1.0.1f on haavatav
*OpenSSL 1.0.1g on turvaline
*OpenSSL 1.0.0 laiendus on turvaline
*OpenSSL 0.9.8 laiendus on turvaline

Alates 2012. aasta 14. märtsist OpenSSL versiooniga 1.0.1 levis nõrkus ja 7. aprillil 2014 sai avalikuks versioon 1.0.1g, mis muutus turvaliseks.

[1]

===Mõned operatsioonisüsteemi distributsioonid, mis on haavatava OpenSSL-i versiooniga:===

*Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
*Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
*CentOS 6.5, OpenSSL 1.0.1e-15
*Fedora 18, OpenSSL 1.0.1e-4
*OpenBSD 5.3 (OpenSSL 1.0.1c 10 mai 2012) and 5.4 (OpenSSL 1.0.1c (10 mai 2012))
*FreeBSD 10.0 - OpenSSL 1.0.1e (11 veebruar 2013)
*NetBSD 5.0.2 (OpenSSL 1.0.1e)
*OpenSUSE 12.2 (OpenSSL 1.0.1c)

===Operatsioonisüsteemi distributsioonid, mis on turvalised: ===

*Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
*SUSE Linux Enterprise Server
*FreeBSD 8.4 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 9.2 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 10.0p1 - OpenSSL 1.0.1g (8 aprill 2014)
*FreeBSD Ports - OpenSSL 1.0.1g (7 aprill 2014)
[3]

==Lahendus==

Kood, mis loodi selle vea vastu OpenSSL versioonis 1.0.1g, mis kontrollib signaali õige ajavahemiku tagant SSL3 struktuuris (s3->rrec), mis kirjeldab sissetulevat signaali.
<pre>
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;
</pre>
[3]

==Kokkuvõte==

Kasutajad võiksid oma paroole erinevates kohtades hoida erinevatena, juhul kui peaks toimuma rünne mingisuguse lehe vastu, et ründaja sama parooli kuskil mujal kasutada ei saaks. OpenSSL-i versiooni võiks uuendada 1.0.1g vastu, mis hetkel on turvaline ja hankida endale uus sertifikaat.

=Kasutatud materjal=

[1] http://heartbleed.com/

[2] http://forte.delfi.ee/news/tarkvara/viimaste-aegade-tosiseim-turvaauk-heartbleed-millised-salasonad-peaksid-kindlasti-valja-vahetama.d?id=68417681

[3] https://www.owasp.org/index.php/Heartbleed_Bug

[[Category:IT infrastruktuuri teenused]]

Heartbleed

2014-05-25T19:45:36Z

Mtammepo: /* Heartbleed */

=Heartbleed=

'''Autor:''' Maarja-Liisa Tammepõld

'''Rühm:''' A22

==Sissejuhatus==

See on tõsine krüptograafilise tarkvara teegi OpenSSL-i nõrkus. See võimaldab SSL-i/TSL-i enkrüpteerimisega kaitstud informatsiooni varastada. SSL/TLS pakuvad erinevate rakenduste turvalist kasutamist üle Interneti nt. emaili teenuste ja mõne VPN-i kasutamisel, võimaldab turvaliselt minna panka, ilma et keegi salajast infot näha saaks. Nüüd on avastatud, aga OpenSSL-i turvaauk nimega Heartbleed, mis võimaldab ligipääseda serveri mälule ja mis hõlmab kogu salajast informatsiooni: kasutajate nimesid, salasõnu ja tegelikku sisu. Seeläbi on ründajatel võimalik pealtkuulata vestlusi, andmeid varastada ja võimaldab kehastada teist kasutajat või teenust. [1]

==Kuidas töötab Heartbleed?==

Internetitoimingutes kontrollivad serveritega ühenduses olevad arvutid teatud ajavahemike järel, kas nad on endiselt samal liinil ühenduses saates üksteisele signaale. Selle sama signaali kaudu ongi võimalik ligi pääseda serveri mälule. [2]

Nõrkus (CVE-2014-0160) on kadunud signaali kontroll enne memcpy()kutsungit, mis kasutab kasutaja sisendit parameetri pikkusena. Ründaja saab OpenSSL-i trikitada paigutades sinna 64KB suuruse puhvri, kopeerib rohkem baite kui vaja puhvrisse, saadab selle buhvri tagasi ja seetõttu lekib ohvri mällu 64KB suurune sisu samal ajal. [3]

==Mida saab selle vastu ette võtta?==

Servereid hallatavatel administraatoritel soovitatakse genereerida serverile uus privaatvõti, hankida kaasnev uus sertifikaat ja paluma kõikidel kasutajatel oma paroolid ära vahetada.

Kuna Heartbleed mõjutab Internetis umbes 18% hulga ulatuses servereid, siis selle turvamiseks on tehtud ka juba avalik tööriist, mis võimaldab näha, kas mõni server on turvaline või mitte: https://filippo.io/Heartbleed/ . [2]

Nüüdseks on loodud OpenSSL-st uuem ja täiustatum versioon, millel puudub see sama haavatav koht, kuid nii kaua, kui kasutatakse nõrkusega olevat OpenSSL-i, senikaua püsib ka oht ründe ohvriks sattuda. [1]

==Mis OpenSSL-i versioonid on haavatavad?==

*OpenSSL 1.0.1 läbi 1.0.1f on haavatav
*OpenSSL 1.0.1g on turvaline
*OpenSSL 1.0.0 laiendus on turvaline
*OpenSSL 0.9.8 laiendus on turvaline

Alates 2012. aasta 14. märtsist OpenSSL versiooniga 1.0.1 levis nõrkus ja 7. aprillil 2014 sai avalikuks versioon 1.0.1g, mis muutus turvaliseks.

[1]

===Mõned operatsioonisüsteemi distributsioonid, mis on haavatava OpenSSL-i versiooniga:===

*Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
*Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
*CentOS 6.5, OpenSSL 1.0.1e-15
*Fedora 18, OpenSSL 1.0.1e-4
*OpenBSD 5.3 (OpenSSL 1.0.1c 10 mai 2012) and 5.4 (OpenSSL 1.0.1c (10 mai 2012))
*FreeBSD 10.0 - OpenSSL 1.0.1e (11 veebruar 2013)
*NetBSD 5.0.2 (OpenSSL 1.0.1e)
*OpenSUSE 12.2 (OpenSSL 1.0.1c)

===Operatsioonisüsteemi distributsioonid, mis on turvalised: ===

*Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
*SUSE Linux Enterprise Server
*FreeBSD 8.4 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 9.2 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 10.0p1 - OpenSSL 1.0.1g (8 aprill 2014)
*FreeBSD Ports - OpenSSL 1.0.1g (7 aprill 2014)
[3]

==Lahendus==

Kood, mis loodi selle vea vastu OpenSSL versioonis 1.0.1g, mis kontrollib signaali õige ajavahemiku tagant SSL3 struktuuris (s3->rrec), mis kirjeldab sissetulevat signaali.
<pre>
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;
</pre>
[3]

=Kasutatud materjal=

[1] http://heartbleed.com/

[2] http://forte.delfi.ee/news/tarkvara/viimaste-aegade-tosiseim-turvaauk-heartbleed-millised-salasonad-peaksid-kindlasti-valja-vahetama.d?id=68417681

[3] https://www.owasp.org/index.php/Heartbleed_Bug

[[Category:IT infrastruktuuri teenused]]

Heartbleed

2014-05-25T19:36:29Z

Mtammepo: /* Heartbleed */

=Heartbleed=

'''Autor:''' Maarja-Liisa Tammepõld

'''Rühm:''' A22

==Sissejuhatus==

See on tõsine krüptograafilise tarkvara teegi OpenSSL-i nõrkus. See võimaldab SSL-i/TSL-i enkrüpteerimisega kaitstud informatsiooni varastada. SSL/TLS pakuvad erinevate rakenduste turvalist kasutamist üle Interneti nt. emaili teenuste ja mõne VPN-i kasutamisel, võimaldab turvaliselt minna panka, ilma et keegi salajast infot näha saaks. Nüüd on avastatud, aga OpenSSL-i turvaauk nimega Heartbleed, mis võimaldab ligipääseda serveri mälule ja mis hõlmab kogu salajast informatsiooni: kasutajate nimesid, salasõnu ja tegelikku sisu. Seeläbi on ründajatel võimalik pealtkuulata vestlusi, andmeid varastada ja võimaldab kehastada teist kasutajat või teenust. [1]

==Kuidas töötab Heartbleed?==

Internetitoimingutes kontrollivad serveritega ühenduses olevad arvutid teatud ajavahemike järel, kas nad on endiselt samal liinil ühenduses saates üksteisele signaale. Selle sama signaali kaudu ongi võimalik ligi pääseda serveri mälule. [2]

Nõrkus (CVE-2014-0160) on kadunud signaali kontroll enne memcpy()kutsungit, mis kasutab kasutaja sisendit parameetri pikkusena. Ründaja saab OpenSSL-i trikitada paigutades sinna 64KB suuruse puhvri, kopeerib rohkem baite kui vaja puhvrisse, saadab selle buhvri tagasi ja seetõttu lekib ohvri mällu 64KB suurune sisu samal ajal. [3]

==Mida saab selle vastu ette võtta?==

Servereid hallatavatel administraatoritel soovitatakse genereerida serverile uus privaatvõti, hankida kaasnev uus sertifikaat ja paluma kõikidel kasutajatel oma paroolid ära vahetada.

Kuna Heartbleed mõjutab Internetis umbes 18% hulga ulatuses servereid, siis selle turvamiseks on tehtud ka juba avalik tööriist, mis võimaldab näha, kas mõni server on turvaline või mitte: https://filippo.io/Heartbleed/ . [2]

Nüüdseks on loodud OpenSSL-st uuem ja täiustatum versioon, millel puudub see sama haavatav koht, kuid nii kaua, kui kasutatakse nõrkusega olevat OpenSSL-i, senikaua püsib ka oht ründe ohvriks sattuda. [1]

==Mis OpenSSL-i versioonid on haavatavad?==

*OpenSSL 1.0.1 läbi 1.0.1f on haavatav
*OpenSSL 1.0.1g on turvaline
*OpenSSL 1.0.0 laiendus on turvaline
*OpenSSL 0.9.8 laiendus on turvaline

Alates 2012. aasta 14. märtsist OpenSSL versiooniga 1.0.1 levis nõrkus ja 7. aprillil 2014 sai avalikuks versioon 1.0.1g, mis muutus turvaliseks.

[1]

===Mõned operatsioonisüsteemi distributsioonid, mis on haavatava OpenSSL-i versiooniga:===

*Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
*Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
*CentOS 6.5, OpenSSL 1.0.1e-15
*Fedora 18, OpenSSL 1.0.1e-4
*OpenBSD 5.3 (OpenSSL 1.0.1c 10 mai 2012) and 5.4 (OpenSSL 1.0.1c (10 mai 2012))
*FreeBSD 10.0 - OpenSSL 1.0.1e (11 veebruar 2013)
*NetBSD 5.0.2 (OpenSSL 1.0.1e)
*OpenSUSE 12.2 (OpenSSL 1.0.1c)

===Operatsioonisüsteemi distributsioonid, mis on turvalised: ===

*Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
*SUSE Linux Enterprise Server
*FreeBSD 8.4 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 9.2 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 10.0p1 - OpenSSL 1.0.1g (8 aprill 2014)
*FreeBSD Ports - OpenSSL 1.0.1g (7 aprill 2014)
[3]

=Kasutatud materjal=

[1] http://heartbleed.com/

[2] http://forte.delfi.ee/news/tarkvara/viimaste-aegade-tosiseim-turvaauk-heartbleed-millised-salasonad-peaksid-kindlasti-valja-vahetama.d?id=68417681

[3] https://www.owasp.org/index.php/Heartbleed_Bug

[[Category:IT infrastruktuuri teenused]]

Heartbleed

2014-05-25T19:35:55Z

Mtammepo: /* Operatsioonisüsteemi distributsioonid, mis on turvalised: */

=Heartbleed=

'''Autor:''' Maarja-Liisa Tammepõld

'''Rühm:''' A22

==Sissejuhatus==

See on tõsine krüptograafilise tarkvara teegi OpenSSL-i nõrkus. See võimaldab SSL-i/TSL-i enkrüpteerimisega kaitstud informatsiooni varastada. SSL/TLS pakuvad erinevate rakenduste turvalist kasutamist üle Interneti nt. emaili teenuste ja mõne VPN-i kasutamisel, võimaldab turvaliselt minna panka, ilma et keegi salajast infot näha saaks. Nüüd on avastatud, aga OpenSSL-i turvaauk nimega Heartbleed, mis võimaldab ligipääseda serveri mälule ja mis hõlmab kogu salajast informatsiooni: kasutajate nimesid, salasõnu ja tegelikku sisu. Seeläbi on ründajatel võimalik pealtkuulata vestlusi, andmeid varastada ja võimaldab kehastada teist kasutajat või teenust. [1]

==Kuidas töötab Heartbleed?==

Internetitoimingutes kontrollivad serveritega ühenduses olevad arvutid teatud ajavahemike järel, kas nad on endiselt samal liinil ühenduses saates üksteisele signaale. Selle sama signaali kaudu ongi võimalik ligi pääseda serveri mälule. [2]

Nõrkus (CVE-2014-0160) on kadunud signaali kontroll enne memcpy()kutsungit, mis kasutab kasutaja sisendit parameetri pikkusena. Ründaja saab OpenSSL-i trikitada paigutades sinna 64KB suuruse puhvri, kopeerib rohkem baite kui vaja puhvrisse, saadab selle buhvri tagasi ja seetõttu lekib ohvri mällu 64KB suurune sisu samal ajal. [3]

==Mida saab selle vastu ette võtta?==

Servereid hallatavatel administraatoritel soovitatakse genereerida serverile uus privaatvõti, hankida kaasnev uus sertifikaat ja paluma kõikidel kasutajatel oma paroolid ära vahetada.

Kuna Heartbleed mõjutab Internetis umbes 18% hulga ulatuses servereid, siis selle turvamiseks on tehtud ka juba avalik tööriist, mis võimaldab näha, kas mõni server on turvaline või mitte: https://filippo.io/Heartbleed/ . [2]

Nüüdseks on loodud OpenSSL-st uuem ja täiustatum versioon, millel puudub see sama haavatav koht, kuid nii kaua, kui kasutatakse nõrkusega olevat OpenSSL-i, senikaua püsib ka oht ründe ohvriks sattuda. [1]

==Mis OpenSSL-i versioonid on haavatavad?==

*OpenSSL 1.0.1 läbi 1.0.1f on haavatav
*OpenSSL 1.0.1g on turvaline
*OpenSSL 1.0.0 laiendus on turvaline
*OpenSSL 0.9.8 laiendus on turvaline

Alates 2012. aasta 14. märtsist OpenSSL versiooniga 1.0.1 levis nõrkus ja 7. aprillil 2014 sai avalikuks versioon 1.0.1g, mis muutus turvaliseks.

[1]

===Mõned operatsioonisüsteemi distributsioonid, mis on haavatava OpenSSL-i versiooniga:===

*Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
*Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
*CentOS 6.5, OpenSSL 1.0.1e-15
*Fedora 18, OpenSSL 1.0.1e-4
*OpenBSD 5.3 (OpenSSL 1.0.1c 10 mai 2012) and 5.4 (OpenSSL 1.0.1c (10 mai 2012))
*FreeBSD 10.0 - OpenSSL 1.0.1e (11 veebruar 2013)
*NetBSD 5.0.2 (OpenSSL 1.0.1e)
*OpenSUSE 12.2 (OpenSSL 1.0.1c)

===Operatsioonisüsteemi distributsioonid, mis on turvalised: ===

*Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
*SUSE Linux Enterprise Server
*FreeBSD 8.4 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 9.2 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 10.0p1 - OpenSSL 1.0.1g (8 aprill 2014)
*FreeBSD Ports - OpenSSL 1.0.1g (7 aprill 2014)

=Kasutatud materjal=

[1] http://heartbleed.com/

[2] http://forte.delfi.ee/news/tarkvara/viimaste-aegade-tosiseim-turvaauk-heartbleed-millised-salasonad-peaksid-kindlasti-valja-vahetama.d?id=68417681

[3] https://www.owasp.org/index.php/Heartbleed_Bug

[[Category:IT infrastruktuuri teenused]]

Heartbleed

2014-05-25T19:35:41Z

Mtammepo: /* Heartbleed */

=Heartbleed=

'''Autor:''' Maarja-Liisa Tammepõld

'''Rühm:''' A22

==Sissejuhatus==

See on tõsine krüptograafilise tarkvara teegi OpenSSL-i nõrkus. See võimaldab SSL-i/TSL-i enkrüpteerimisega kaitstud informatsiooni varastada. SSL/TLS pakuvad erinevate rakenduste turvalist kasutamist üle Interneti nt. emaili teenuste ja mõne VPN-i kasutamisel, võimaldab turvaliselt minna panka, ilma et keegi salajast infot näha saaks. Nüüd on avastatud, aga OpenSSL-i turvaauk nimega Heartbleed, mis võimaldab ligipääseda serveri mälule ja mis hõlmab kogu salajast informatsiooni: kasutajate nimesid, salasõnu ja tegelikku sisu. Seeläbi on ründajatel võimalik pealtkuulata vestlusi, andmeid varastada ja võimaldab kehastada teist kasutajat või teenust. [1]

==Kuidas töötab Heartbleed?==

Internetitoimingutes kontrollivad serveritega ühenduses olevad arvutid teatud ajavahemike järel, kas nad on endiselt samal liinil ühenduses saates üksteisele signaale. Selle sama signaali kaudu ongi võimalik ligi pääseda serveri mälule. [2]

Nõrkus (CVE-2014-0160) on kadunud signaali kontroll enne memcpy()kutsungit, mis kasutab kasutaja sisendit parameetri pikkusena. Ründaja saab OpenSSL-i trikitada paigutades sinna 64KB suuruse puhvri, kopeerib rohkem baite kui vaja puhvrisse, saadab selle buhvri tagasi ja seetõttu lekib ohvri mällu 64KB suurune sisu samal ajal. [3]

==Mida saab selle vastu ette võtta?==

Servereid hallatavatel administraatoritel soovitatakse genereerida serverile uus privaatvõti, hankida kaasnev uus sertifikaat ja paluma kõikidel kasutajatel oma paroolid ära vahetada.

Kuna Heartbleed mõjutab Internetis umbes 18% hulga ulatuses servereid, siis selle turvamiseks on tehtud ka juba avalik tööriist, mis võimaldab näha, kas mõni server on turvaline või mitte: https://filippo.io/Heartbleed/ . [2]

Nüüdseks on loodud OpenSSL-st uuem ja täiustatum versioon, millel puudub see sama haavatav koht, kuid nii kaua, kui kasutatakse nõrkusega olevat OpenSSL-i, senikaua püsib ka oht ründe ohvriks sattuda. [1]

==Mis OpenSSL-i versioonid on haavatavad?==

*OpenSSL 1.0.1 läbi 1.0.1f on haavatav
*OpenSSL 1.0.1g on turvaline
*OpenSSL 1.0.0 laiendus on turvaline
*OpenSSL 0.9.8 laiendus on turvaline

Alates 2012. aasta 14. märtsist OpenSSL versiooniga 1.0.1 levis nõrkus ja 7. aprillil 2014 sai avalikuks versioon 1.0.1g, mis muutus turvaliseks.

[1]

===Mõned operatsioonisüsteemi distributsioonid, mis on haavatava OpenSSL-i versiooniga:===

*Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
*Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
*CentOS 6.5, OpenSSL 1.0.1e-15
*Fedora 18, OpenSSL 1.0.1e-4
*OpenBSD 5.3 (OpenSSL 1.0.1c 10 mai 2012) and 5.4 (OpenSSL 1.0.1c (10 mai 2012))
*FreeBSD 10.0 - OpenSSL 1.0.1e (11 veebruar 2013)
*NetBSD 5.0.2 (OpenSSL 1.0.1e)
*OpenSUSE 12.2 (OpenSSL 1.0.1c)

===Operatsioonisüsteemi distributsioonid, mis on turvalised: ===

*Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
*SUSE Linux Enterprise Server
*FreeBSD 8.4 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 9.2 - OpenSSL 0.9.8y (5 veebruar 2013)
*FreeBSD 10.0p1 - OpenSSL 1.0.1g (8 aprill 2014)
*FreeBSD Ports - OpenSSL 1.0.1g (7 aprill 2014

=Kasutatud materjal=

[1] http://heartbleed.com/

[2] http://forte.delfi.ee/news/tarkvara/viimaste-aegade-tosiseim-turvaauk-heartbleed-millised-salasonad-peaksid-kindlasti-valja-vahetama.d?id=68417681

[3] https://www.owasp.org/index.php/Heartbleed_Bug

[[Category:IT infrastruktuuri teenused]]