- Change The Default Shell
- Disable AppArmor
- Install Postfix, Dovecot, MariaDB, Rkhunter, And Binutils
- Install Amavisd-New, SpamAssassin, And Clamav
- Install Apache, PHP, PhpMyAdmin, FCGI, SuExec, Pear
- Install Let's Encrypt
- Install PureFTPd And Quota
- Install Jailkit
- Install Fail2ban And UFW
- Install ISPConfig 3.2
Change The Default Shell #
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore, we do this:
dpkg-reconfigure dash
Use dash as the default system shell (/bin/sh)? <-- No
If you don’t do this, the ISPConfig installation will fail.
Disable AppArmor #
This removes the AppArmor mandatory access control layer for every service on the host; the rest of this setup assumes it is absent. If you would rather keep it, be prepared to maintain profiles for all of the services installed below.
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
Install Postfix, Dovecot, MariaDB, Rkhunter, And Binutils #
service sendmail stop; update-rc.d -f sendmail remove
apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo patch
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
nano /etc/postfix/master.cf
Uncomment the submission and smtps sections as follows, add the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject to both sections and leave everything after it commented out. With these overrides, port 587 only offers authentication after STARTTLS (smtpd_tls_auth_only=yes), port 465 runs inside the TLS wrapper, and both ports accept mail from authenticated clients only:
[...]
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]
service postfix restart
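After the restart it is worth confirming that the two services really carry the overrides, because a stray leading "#" silently turns an override off. The following shell check is an added example and not part of the tutorial or of Postfix; it parses a master.cf the way Postfix does (indented "-o" lines belong to the service above them, "#" lines are ignored) and reports any override that is not active. The master.cf fragment inside it is constructed sample data that mirrors the edit above. On a live host the authoritative view is `postconf -Mf submission/inet`, which the check does not replace.

```shell
#!/bin/sh
# Added check, not part of the ISPConfig tutorial or of Postfix.

# audit_master_cf FILE SERVICE KEY=VALUE...
# Prints "ok SERVICE" and returns 0 when every KEY=VALUE appears as an active
# "-o KEY=VALUE" line under SERVICE in FILE; otherwise names the missing ones
# and returns 1. Commented "# -o ..." lines do not count, as in Postfix.
audit_master_cf() {
  file=$1; svc=$2; shift 2
  # A service definition starts at a line whose first field is the service
  # name; its "-o" lines are indented; lines starting with "#" are comments.
  active=$(awk -v svc="$svc" '
    /^[^[:space:]#]/ { cur = $1 }
    /^[[:space:]]*#/ { next }
    cur == svc && /^[[:space:]]+-o[[:space:]]+/ { print $2 }
  ' "$file")
  missing=""
  for want in "$@"; do
    printf '%s\n' "$active" | grep -qxF -- "$want" || missing="$missing $want"
  done
  if [ -n "$missing" ]; then
    echo "$svc: missing active override(s):$missing"
    return 1
  fi
  echo "ok $svc"
}

# Constructed master.cf fragment mirroring the tutorial's edit (sample data).
sample_master_cf() {
  cat <<'EOF'
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
EOF
}

# Demo on the constructed fragment; on a real host pass /etc/postfix/master.cf.
demo_file=$(mktemp)
sample_master_cf > "$demo_file"
audit_master_cf "$demo_file" submission \
  smtpd_tls_security_level=encrypt smtpd_sasl_auth_enable=yes \
  smtpd_tls_auth_only=yes smtpd_client_restrictions=permit_sasl_authenticated,reject
audit_master_cf "$demo_file" smtps \
  smtpd_tls_wrappermode=yes smtpd_sasl_auth_enable=yes \
  smtpd_client_restrictions=permit_sasl_authenticated,reject
rm -f "$demo_file"
```

The check only reads the file; it does not change master.cf. Run it again after every later edit of master.cf (the ISPConfig installer rewrites parts of the Postfix configuration) to make sure the submission and smtps overrides survived.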
Next, comment out the bind-address line in the MariaDB server configuration. With it commented out MariaDB listens on all interfaces instead of only on localhost, which is needed for ISPConfig multiserver setups. On a single server you can leave bind-address = 127.0.0.1 in place; in either case port 3306 must not be reachable from the Internet, so block it in the firewall.
nano /etc/mysql/mariadb.conf.d/50-server.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
Now we set a root password in MariaDB. Run:
mysql_secure_installation
You will be asked these questions:
Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y
By default the MariaDB root user authenticates with the unix_socket plugin, which only works for a local root shell. Switch it to password authentication (mysql_native_password) so that phpMyAdmin can later connect as root:
echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root
Edit the file /etc/mysql/debian.cnf and set the MYSQL / MariaDB root password there twice in the rows that start with password.
nano /etc/mysql/debian.cnf
Replace the two password = rows (one in the [client] section, one in [mysql_upgrade]) with the password you set for the MySQL root user with the mysql_secure_installation command. In this example, the password is "howtoforge". Keep the file owned by root with mode 0600 as shipped, because it holds the root password in clear text.
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = root
password = howtoforge
socket   = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = root
password = howtoforge
socket   = /var/run/mysqld/mysqld.sock
basedir  = /usr
Open the file /etc/security/limits.conf with an editor:
nano /etc/security/limits.conf
and add these lines at the end of the file.
mysql soft nofile 65535
mysql hard nofile 65535
Next, create a new directory /etc/systemd/system/mysql.service.d/ with the mkdir command.
mkdir /etc/systemd/system/mysql.service.d/
and add a new file inside:
nano /etc/systemd/system/mysql.service.d/limits.conf
paste the following lines into that file:
[Service]
LimitNOFILE=infinity
Save the file and close the nano editor.
Then we reload systemd and restart MariaDB:
systemctl daemon-reload
service mariadb restart
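Because the bind-address edit above decides whether MariaDB is reachable from the network, check the real listening state after the restart rather than trusting the config file. The following shell helper is an added example, not part of the tutorial or of MariaDB: it reads the output of `ss -Hltn` (listening TCP sockets, numeric, no header; the local address:port is the fourth column) and lists every listener that is not bound to loopback, with a wrapper that answers the one question that matters here, whether TCP 3306 is exposed. The two `ss` outputs embedded in it are constructed sample data.

```shell
#!/bin/sh
# Added check, not part of the ISPConfig tutorial or of MariaDB.

# Reads `ss -Hltn` output on stdin and prints "PORT ADDRESS" for every
# listening socket that is not bound to 127.0.0.1 or [::1].
non_loopback_listeners() {
  awk '
    NF >= 4 {
      lp = $4
      port = lp; sub(/.*:/, "", port)                       # text after the last colon
      addr = substr(lp, 1, length(lp) - length(port) - 1)   # everything before it
      if (addr != "127.0.0.1" && addr != "[::1]") print port, addr
    }'
}

# True (exit 0) when TCP 3306 is bound to a non-loopback address.
mariadb_listens_publicly() {
  non_loopback_listeners | awk '$1 == "3306" { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Constructed `ss -Hltn` output: bind-address commented out, as in the tutorial.
sample_ss_open() {
  cat <<'EOF'
LISTEN 0      80           0.0.0.0:3306       0.0.0.0:*
LISTEN 0      100          0.0.0.0:25         0.0.0.0:*
LISTEN 0      511                *:80               *:*
LISTEN 0      128             [::]:22            [::]:*
EOF
}

# Constructed `ss -Hltn` output: bind-address = 127.0.0.1 left in place.
sample_ss_local() {
  cat <<'EOF'
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
LISTEN 0      80             [::1]:3306          [::]:*
LISTEN 0      100          0.0.0.0:25         0.0.0.0:*
EOF
}

# On a real host:  ss -Hltn | mariadb_listens_publicly && echo "3306 exposed"
if sample_ss_open | mariadb_listens_publicly; then
  echo "sample 1: MariaDB reachable from the network (single server: restore bind-address = 127.0.0.1, or block 3306 in the firewall)"
fi
sample_ss_local | mariadb_listens_publicly || echo "sample 2: MariaDB bound to loopback only"
```

The "*" and "0.0.0.0"/"[::]" addresses both mean all interfaces, which is why the helper only whitelists the two loopback forms instead of trying to enumerate wildcard spellings. Run the real `ss -Hltn` pipeline again after the firewall section, since a listener on all interfaces is only acceptable once 3306 is filtered.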
Install Amavisd-New, SpamAssassin, And Clamav #
To install amavisd-new, SpamAssassin, and ClamAV, we run
apt-get -y install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey
The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:
service spamassassin stop
update-rc.d -f spamassassin remove
To start ClamAV use:
freshclam
service clamav-daemon start
The following error can be ignored on the first run of freshclam.
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
Install Apache, PHP, PhpMyAdmin, FCGI, SuExec, Pear #
apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.4 php7.4-common php7.4-gd php7.4-mysql php7.4-imap phpmyadmin php7.4-cli php7.4-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear libruby libapache2-mod-python php7.4-curl php7.4-intl php7.4-pspell php7.4-sqlite3 php7.4-tidy php7.4-xmlrpc php7.4-xsl memcached php-memcache php-imagick php7.4-zip php7.4-mbstring php-soap php7.4-soap php7.4-opcache php-apcu php7.4-fpm libapache2-reload-perl
a2enmod suexec rewrite ssl actions include cgi alias proxy_fcgi
Install Let’s Encrypt #
apt-get install certbot
Install PureFTPd And Quota #
apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool
Edit the file /etc/default/pure-ftpd-common…
nano /etc/default/pure-ftpd-common
… and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
Now we configure PureFTPd to allow FTP and TLS sessions. Plain FTP is a very insecure protocol because all passwords and all data are transferred in clear text. With TLS, the whole session can be encrypted, which makes FTP much safer.
To allow both plain FTP and TLS sessions, run
echo 1 > /etc/pure-ftpd/conf/TLS
Note that the value 1 still accepts clear-text logins from clients that do not request TLS. Once all of your FTP users have clients that support FTPS, set the value to 2 instead, which refuses clear-text sessions entirely.
In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:
mkdir -p /etc/ssl/private/
Afterwards, we can generate the SSL certificate as follows:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.
Restrict the permissions of the certificate file, since the same file also holds the private key:
chmod 600 /etc/ssl/private/pure-ftpd.pem
Then restart PureFTPd:
service pure-ftpd-mysql restart
Edit /etc/fstab. Mine looks like this (I added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):
nano /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/server1--vg-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
/dev/mapper/server1--vg-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0
To enable quota, run these commands:
mount -o remount /
quotacheck -avugm
quotaon -avug
Install Jailkit #
Jailkit is used by ISPConfig to jail shell users and cronjobs in a chroot. Install jailkit with apt:
apt-get -y install jailkit
Install Fail2ban And UFW #
This is optional but recommended because the ISPConfig monitor tries to show the log:
apt-get -y install fail2ban
To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local:
nano /etc/fail2ban/jail.local
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
Restart fail2ban afterwards:
service fail2ban restart
To install the UFW firewall, run this apt command:
apt-get install ufw
Install ISPConfig 3.2 #
We will use the ISPConfig 3.2 stable build here.
cd /tmp
wget -O ispconfig.tar.gz https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ispconfig.tar.gz
cd ispconfig3*/install/
The next step is to run
php -q install.php
This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you.