Servidor Perfecto en Ubuntu 9.10

  • 5,331 views
Uploaded on

Aspectos básicos para una buena configuración en servidores GNU/Linux con ambientes Debian

Aspectos básicos para una buena configuración en servidores GNU/Linux con ambientes Debian

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
5,331
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
17
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. full circleBUILD THE PERFECTSERVER WITHUBUNTU 9. 01 full circle magazine #31 contents ^
  • 2. Full Circle Magazine SpecialsAbout Full CircleFull Circle is a free, Find Usindependent, magazine Website:dedicated to the Ubuntu http://www.fullcirclemagazine.org/family of Linux operatingsystems. Each month, it Forums:contains helpful how-to http://ubuntuforums.org/articles and reader- forumdisplay.php?f=270submitted stories. Welcome to another single-topic special IRC: #fullcirclemagazine onFull Circle also features a chat.freenode.net In response to reader requests, we are assembling thecompanion podcast, the Full content of some of our serialised articles into dedicated Editorial TeamCircle Podcast which covers editions. Editor: Ronnie Tuckerthe magazine, along withother news of interest. For now, this is a straight reprint of the series The Perfect (aka: RonnieTucker) Server from issues 31 through 34; nothing fancy, just the ronnie@fullcirclemagazine.org facts. Webmaster: Rob KerfiaPlease note: this Special (aka: admin / linuxgeekery-Edition is provided with Please bear in mind the original publication date; current admin@fullcirclemagazine.orgabsolutely no warranty versions of hardware and software may differ from thosewhatsoever; neither the illustrated, so check your hardware and software versions Podcaster: Robin Catlingcontributors nor Full Circle (aka RobinCatling)Magazine accept any before attempting to emulate the tutorials in these special podcast@fullcirclemagazine.orgresponsibility or liability for editions. You may have later versions of software installedloss or damage resulting from or available in your distributions repositories. Communications Manager:readers choosing to apply this Robert Clipshamcontent to theirs or others Enjoy! (aka: mrmonday) -computers and equipment. mrmonday@fullcirclemagazine.org The articles contained in this magazine are released under the Creative Commons Attribution-Share Alike 3.0 Unported license. This means you can adapt, copy, distribute and transmit the articles but only under the following conditions:You must attribute the work to the original author in some way (at least a name, email or URL) and to this magazine by name (full circle magazine) andthe URL www.fullcirclemagazine.org (but not attribute the article(s) in any way that suggests that they endorse you or your use of the work). If you alter,transform, or build upon this work, you must distribute the resulting work under the same, similar or a compatible license.Full Circle Magazine is entirely independent of Canonical, the sponsor of Ubuntu projects and the views and opinions in the magazine should in noway be assumed to have Canonical endorsement. Full Circle Magazine
  • 3. HOW-TO The Perfect Server - Part 1 Please note that this setup then select Install Ubuntu does not work for ISPConfig 2. Server: FCM09 - 16 : Server Series 1 - 8 FCM28 - 29 : LAMP Server 1 - 2 It is valid for ISPConfig 3 only! Requirements To install such a system you will need the Ubuntu 9.10 Now you have to partition server CD, available here: your hard disk. For simplicitys http://releases.ubuntu.com/rele sake, I select Guided, use Dev Graphics Internet M/media System ases/9.10/ubuntu-9.10-server- entire disk and set up LVM. This i386.iso (32-bit) or: will create one volume group http://releases.ubuntu.com/rele with two logical volumes—one ases/9.10/ubuntu-9.10-server- Choose your language for the / file system, and CD/DVD HDD USB Drive Laptop Wireless amd64.iso (64-bit) (again), location, and keyboard another one for swap. Of layout. course, the partitioning is Preliminary Note totally up to you—if you knowT The installer checks the what youre doing, you can his tutorial shows how installation CD and your also set up your partitions to prepare an Ubuntu In this tutorial, I use the host hardware, and configures the manually. You may find it 9.10 (Karmic Koala) name , network with DHCP if there is a helpful in future months if you server for ISPConfig 3, with IP address DHCP server on the network: set up separate /home and /varand how to install ISPConfig 3 and gateway .on it. ISPConfig 3 is a partitions. These settings might differ forwebhosting control panel that you, so you have to replaceallows you to configure the them where appropriate.following services through aweb browser: Apache webserver, Postfix mail server, The Base System Enter the host name. In thisMySQL, MyDNS name server, Insert your Ubuntu install example, my system is calledPureFTPd, SpamAssassin, CD into your system and boot server1.example.com, so IClamAV, and many more. from it. Select your language enter server1: full circle magazine #31 contents ^
  • 4. THE PERFECT SERVER - PART 1 Select the disk that you I dont need an encrypted manually later on. The onlywant to partition, and, when private directory, so I choose item I select here is OpenSSHyoure asked Write the No here: server, so that I canchanges to disk and configure immediately connect to theLVM?, select Yes. system with an SSH client such as PuTTY after the installation If you have selected Guided, has finished:use entire disk and set up LVM,the partitioner will create onebig volume group that uses allthe disk space. You can now Next, the package managerspecify how much of that disk Your new partitions are apt gets configured. Leave thespace should be used by the created and formatted: HTTP proxy line empty unlesslogical volumes for / and swap. youre using a proxy server toIt makes sense to leave some connect to the Internet: The installation continues,space unused, so later on you then the GRUB boot loadercan expand your existing gets installed.logical volumes, or create newones. This gives you more The base system installationflexibility. is now finished. Remove the Then the base system is installation CD from the CD installed: drive and select Continue to Im a little bit old-fashioned, reboot the system: and I like to update my servers manually to have more control, therefore I select No automatic updates. Of course, its up to you what you select there. Create a user, for example We need DNS, mail, and the user Administrator, with LAMP servers, but, the user name administrator. nevertheless, I dont select any When youre finished, hit Yes Dont use the user name admin of them now because I like towhen asked "Write the changes as it is a reserved name on have full control over what getsto disks?": Ubuntu 9.10. installed on my system. We will install the needed packages full circle magazine #31 contents ^
  • 5. HOW-TO The Perfect Server - Part 2 tutorial with root privileges, we /etc/network/interfaces and can either prepend all From now on, you can use adjust it to your needs (in this FCM09 - 16 : Server Series 1 - 8 FCM28 - 29 : LAMP Server 1 - 2 commands in this tutorial with an SSH client such as PuTTY example setup I will use the IP FCM31 : The Perfect Server 1 the string sudo, or we become and connect from your address 192.168.0.100): root right now by typing: workstation to your Ubuntu 9.10 server and follow the vi /etc/network/interfaces sudo su remaining steps in this tutorial. # This file describes the network interfaces available Install vim-nox (Optional) You can also enable the root on your system login by running: # and how to activate them. Dev Graphics Internet M/media System For more information, see sudo passwd root Ill use vi as my text editor interfaces(5). in this tutorial. The default vi and giving root a password. program has some strange # The loopback network behaviour on Ubuntu and interface You can then directly log in as auto lo CD/DVD HDD USB Drive Laptop Wireless root, but this is frowned upon Debian; to fix this, we install iface lo inet loopback by the Ubuntu developers and vim-nox:L community for various reasons. # The primary network ast month, we did the (See aptitude install vim-nox interface basic Ubuntu Server auto eth0 http://ubuntuforums.org/showth iface eth0 inet static installation from CD, read.php?t=765414) You dont have to do this if address 192.168.0.100 and got to the point of you use a different text editor netmask 255.255.255.0 Install The SSH Serverrebooting into the installed such as joe or nano. network 192.168.0.0system. broadcast 192.168.0.255 (Optional) Configure The Network gateway 192.168.0.1Get Root Privileges If you did not install the Restart your network with: Because the Ubuntu OpenSSH server during the installer has configured our After the reboot you can /etc/init.d/networking system installation, you can do system to get its network restartlogin with your previously it now: settings via DHCP, we have tocreated username (e.g.administrator). Because we change that now because a Then edit /etc/hosts: aptitude install ssh openssh-must run all the steps from this server server should have a static IP address. Edit vi /etc/hosts full circle magazine #32 contents ^
  • 6. THE PERFECT SERVER - PART 2and make it look like the text aptitude update 127.0.0.1 localhost.localdomain localhostshown in Fig.1. 192.168.0.100 server1.example.com server1 to update the apt package Now run database, and # The following lines are desirable for IPv6 capable hostsecho server1.example.com > aptitude safe-upgrade ::1 localhost ip6-localhost ip6-loopback/etc/hostname fe00::0 ip6-localnet ff00::0 ip6-mcastprefix to install the latest updates (if ff02::1 ip6-allnodesand reboot the server with: there are any). If you see that ff02::2 ip6-allrouters a new kernel gets installed as ff02::3 ip6-allhostsreboot part of the updates, you should reboot the system afterwards Afterwards, run: with: security. In my opinion, you dont need it to configure a Synchronize the System Clockhostname reboot secure system, and it usuallyhostname -f causes more problems than it Both should show Change The Default Shell has advantages (think of this - after you have done a week of It is a good idea to now. synchronize the system clock trouble-shooting because some /bin/sh is a symlink to with an NTP (network time service wasnt working asEdit sources.list And /bin/dash, however we need /bin/bash, not /bin/dash. expected, and then you find protocol) server over the Internet. Simply runUpdate Your Linux Therefore we do this: out that everything was OK, only AppArmor was causing theInstallation dpkg-reconfigure dash problem). Therefore, I disable it aptitude install ntp ntpdate (this is a must if you want to and your system time will Edit /etc/apt/sources.list: Install dash as /bin/sh?, install ISPConfig later on). always be in sync. Choose: Novi /etc/apt/sources.list We can disable it like this: If you dont do this, the Comment out or remove the ISPConfig installation will fail. /etc/init.d/apparmor stopinstallation CD from the file,and make sure that the update-rc.d -f apparmoruniverse and multiverse Disable AppArmor removerepositories are enabled. aptitude remove apparmor AppArmor is a security apparmor-utils Then run extension (similar to SELinux) that should provide extended full circle magazine #32 contents ^
  • 7. HOW-TO The Perfect Server - Part 3 courier-imap-ssl libsasl2-2 update-alternatives --remove- # Instead of skip-networking libsasl2-modules libsasl2- all maildir.5 the default is now to listen FCM09 - 16 : Server Series 1 - 8 modules-sql sasl2-bin libpam- only on FCM28 - 29 : LAMP Server 1 - 2 mysql openssl getmail4 update-alternatives --remove- FCM31 - 32 : The Perfect Server 1 - 2 rkhunter binutils all maildirquota.7 # localhost which is more compatible and is not less aptitude install maildrop secure. You will be asked the following questions: #bind-address = You will ask yourself why we 127.0.0.1 didnt install maildrop together [...] New password for the MySQL with all the other packages. "root" user Dev Graphics Internet M/media System The reason for this is a bug in Then we restart MySQL: the courier-base package - if Repeat password for the you install maildrop together /etc/init.d/mysql restart MySQL "root" user with courier-pop, courier-pop- ssl, courier-imap, and courier- Now check that networking CD/DVD HDD USB Drive Laptop Wireless Create directories for web- imap-ssl, you will get the is enabled. Run: based administration? following error: Enter:W netstat -tap | grep mysql e can install update-alternatives: error: General type of mail alternative link Postfix, Courier, The output should look like configuration: /usr/share/man/man5/maildir.5 Saslauthd, MySQL, .gz is already managed by this: Enter: rkhunter, and maildir.5.gz.binutils - with a single root@server1:~# netstat -tap System mail name: | grep mysqlcommand: We want MySQL to listen on Enter: all interfaces, not just tcp 0 0 *:mysql *:* LISTEN (but using your .com) (Prefix each command with localhost. Therefore we edit 6267/mysqldsudo, if appropriate). /etc/mysql/my.cnf and SSL certificate required root@server1:~# comment out the line bind-aptitude install postfix Enter: address = 127.0.0.1:postfix-mysql postfix-doc During the installation, themysql-client mysql-server Next we install maildrop as SSL certificates for IMAP-SSLcourier-authdaemon courier- vi /etc/mysql/my.cnf follows: and POP3-SSL are created withauthlib-mysql courier-popcourier-pop-ssl courier-imap [...] the hostname localhost. To full circle magazine #33 contents ^
  • 8. THE PERFECT SERVER - PART 3change this to the correct and Courier-POP3-SSL:hostname(server1.example.com in this /etc/init.d/courier-imap-ssl aptitude install apache2 apache2.2-common apache2-doc Install PureFTPd Andtutorial), delete the restart apache2-mpm-prefork apache2- utils libexpat1 ssl-cert Quotacertificates... /etc/init.d/courier-pop-ssl libapache2-mod-php5 php5 restart php5-common php5-gd php5- PureFTPd and quota can becd /etc/courier mysql php5-imap phpmyadmin installed with the following php5-cli php5-cgi libapache2-rm -f /etc/courier/imapd.pem Install Amavisd-new, mod-fcgid apache2-suexec php- command: SpamAssassin, And pear php-auth php5-mcryptrm -f /etc/courier/pop3d.pem mcrypt php5-imagick aptitude install pure-ftpd- Clamav imagemagick libapache2-mod- common pure-ftpd-mysql quota suphp quotatooland modify the following twofiles - replacing CN=localhost To install amavisd-new, Edit the file /etc/default/pure- You will see the followingwith SpamAssassin, and ClamAV, ftpd-common: question:CN=server1.example.com we run:(and you can also modify the vi /etc/default/pure-ftpd- aptitude install amavisd-new Web server to reconfigure commonother values, if necessary): spamassassin clamav clamav- automatically:vi /etc/courier/imapd.cnf daemon zoo unzip bzip2 arj Enter: and make sure that the start nomarch lzop cabextract apt- listchanges libnet-ldap-perl mode is set to standalone and[...] Configure database forCN=server1.example.com libauthen-sasl-perl clamav- set VIRTUALCHROOT=true: docs daemon libio-string- phpmyadmin with dbconfig-[...] perl libio-socket-ssl-perl common? [...]vi /etc/courier/pop3d.cnf libnet-ident-perl zip libnet- Enter: STANDALONE_OR_INETD=standalon dns-perl e[...] [...] Then run the following Install Apache2, PHP5,CN=server1.example.com VIRTUALCHROOT=true[...] command to enable the [...] phpMyAdmin, FCGI, Apache modules suexec, suExec, Pear, And Then recreate the rewrite, ssl, actions, and Then restart PureFTPd:certificates: include: mcrypt /etc/init.d/pure-ftpd-mysqlmkimapdcert a2enmod suexec rewrite ssl restart actions include Apache2, PHP5,mkpop3dcert phpMyAdmin, FCGI, suExec, Edit /etc/fstab. Mine looks Pear, and mcrypt can be Restart Apache afterwards: like Fig.1 on the following pageand restart Courier-IMAP-SSL installed as follows: (I added /etc/init.d/apache2 restart full circle magazine #33 contents ^
  • 9. THE PERFECT SERVER - PART 3,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0to the partition with the mount # /etc/fstab: static file system information. #point /): # Use blkid -o value -s UUID to print the universally unique identifier # for a device; this may be used with UUID= as a more robust way to namevi /etc/fstab # devices that works even if disks are added and removed. See fstab(5). # To enable quota, run these # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc defaults 0 0commands: /dev/mapper/server1-root / ext4 errors=remount- ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1touch /aquota.user # /boot was on /dev/sda5 during installation/aquota.group UUID=9ea34148-31b7-4d5c-baee-c2e2022562ea /boot ext2 defaults 0 2chmod 600 /aquota.* /dev/mapper/server1-swap_1 none swap sw 0 0 /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0mount -o remount / /dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0quotacheck -avugmquotaon -avug wget Then we make the script Jailkit is needed only if you http://heanet.dl.sourceforge. executable, and create the want to chroot SSH users. It net/sourceforge/mydns-Install MyDNS ng/mydns-1.2.8.27.tar.gz system startup links for it: can be installed as follows (important: Jailkit must be tar xvfz mydns- chmod +x /etc/init.d/mydns Before we install MyDNS, we installed before ISPConfig - it 1.2.8.27.tar.gzneed to install a few update-rc.d mydns defaults cannot be installedprerequisites: cd mydns-1.2.8 afterwards!): ./configure Install Vlogger And aptitude install build- Webalizeraptitude install g++ libc6gcc gawk make texinfo essential autoconflibmysqlclient15-dev make automake1.9 libtool flex bison make install Vlogger and webalizer can MyDNS is not available in be installed as follows: cd /tmpthe Ubuntu 9.10 repositories, Next, we create thetherefore we have to build it start/stop script (shown on the aptitude install vlogger wgetourselves as follows: webalizer http://olivier.sessink.nl/jai following page) for MyDNS: lkit/jailkit-2.10.tar.gzcd /tmp vi /etc/init.d/mydns Install Jailkit tar xvfz jailkit-2.10.tar.gz full circle magazine #33 contents ^
  • 10. #! /bin/sh restart)# echo -n "Restarting $DESC: $NAME"# mydns Start the MyDNS server start-stop-daemon --stop --quiet --oknodo # --exec $DAEMON# Author: Philipp Kern <phil@philkern.de>. sleep 1# Based upon skeleton 1.9.4 by Miquel van start-stop-daemon --start --quiet Smoorenburg --exec $DAEMON -- -b# <miquels@cistron.nl> and Ian Murdock echo "."<imurdock@gnu.ai.mit.edu>. ;;# *) echo "Usage: $SCRIPTNAMEset -e {start|stop|restart|reload|force-reload}" >&2 exit 1PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin: ;;/usr/bin esacDAEMON=/usr/local/sbin/mydnsNAME=mydns exit 0DESC="DNS server"SCRIPTNAME=/etc/init.d/$NAME cd jailkit-2.10 Next month, in the final# Gracefully exit if the package has been removed. installment, we will installtest -x $DAEMON || exit 0 ./configure SquirrelMail and ISPConfig3,case "$1" in make giving you the perfect server, start) ready to go! echo -n "Starting $DESC: $NAME" make install start-stop-daemon --start --quiet --exec $DAEMON -- -b cd .. echo "." ;; rm -rf jailkit-2.10* stop) Install fail2ban echo -n "Stopping $DESC: $NAME" start-stop-daemon --stop --oknodo --quiet --exec $DAEMON echo "." This is optional but ;; reload|force-reload) recommended, because the echo -n "Reloading $DESC configuration..." ISPConfig monitor tries to show start-stop-daemon --stop --signal HUP --quiet the fail2ban log: --exec $DAEMON echo "done." aptitude install fail2ban ;; full circle magazine #33 contents ^
  • 11. HOW-TO The Perfect Server - Part 4 squirrelmail-configure or: FCM09 - 16 : Server Series 1 - 8 imap_server_type = courier FCM28 - 29 : LAMP Server 1 - 2 We must tell SquirrelMail default_folder_prefix = http://192.168.0.100/webmail FCM31 - 33 : The Perfect Server 1 - 3 that we are using Courier-IMAP/- INBOX. trash_folder = Trash POP3: sent_folder = Sent draft_folder = Drafts SquirrelMail Configuration : show_prefix_option = false Read: config.php (1.4.0) default_sub_of_inbox = false Main Menu show_contain_subfolders_optio 1. Organization Preferences n = false 2. Server Settings optional_delimiter = . Dev Graphics Internet M/media System 3. Folder Defaults delete_folder = true 4. General Options 5. Themes Press any key to continue... 6. Address Books 7. Message of the Day (MOTD) 8. Plugins Next, you will see a list of CD/DVD HDD USB Drive Laptop Wireless 9. Database options and their settings; 10. Languages press the key to Install ISPConfig 3T continue. o install the D. Set pre-defined settings for specific IMAP servers SquirrelMail webmail C Turn color on Back at the Main Menu, To install ISPConfig 3 from client, run: S Save data enter: to save data, and you the latest released version, do Q Quit will see: this (replacing ISPConfig- 3.0.1.6.tar.gz with the latestaptitude install squirrelmail Command >> Data saved in config.php version) : Press enter to continue Then, create the following Enter: cd /tmpsymlink... Back at the Main Menu, Now, you will see a list of enter to quit. wgetln -s IMAP server options entitled: http://downloads.sourceforge./usr/share/squirrelmail/ Afterwards you can access net/ispconfig/ISPConfig-/var/www/webmail Please select your IMAP 3.0.1.6.tar.gz?use_mirror= SquirrelMail under: server: http://server1.example.com/we tar xvfz ISPConfig-... and configure SquirrelMail: Enter the word: bmail 3.0.1.6.tar.gz full circle magazine #34 contents ^
  • 12. THE PERFECT SERVER - PART 4cdispconfig3_install/install/ The next step is to run:php -q install.php This will start the ISPConfig3 installer. Press foreach option - except whenasked for your MySQL rootpassword. The installer automaticallyconfigures all underlyingservices, so no manualconfiguration is needed. Afterwards you can accessISPConfig 3 under:http://server1.example.com:8080/ or:http://192.168.0.100:8080/ Log in with the username and the password (you should change thedefault password after yourfirst login): The system is now ready tobe used. full circle magazine #34 contents ^