ISPConfig 3 is available for download. This release is a major update and introduces new functions like:
Official links:
More articles
Further reading
(http://www.howtoforge.com/perfect-se...64-ispconfig-3)
For other platforms, see: http://www.ispconfig.org/ispconfig-3/documentation/
System environment
Required packages
Disable the firewall and SELinux
Edit /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.0.100 server1.example.com server1
Disable the firewall and SELinux
system-config-securitylevel
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
Edit /etc/yum.repos.d/CentOS-Base.repo
[base]
[...]
exclude=postfix
[...]
[updates]
[...]
exclude=postfix
[...]
[centosplus]
[...]
enabled=1
includepkgs=postfix
[...]
[contrib]
[...]
enabled=1
[...]
Update the system
yum update
yum groupinstall 'Development Tools'
yum groupinstall 'Development Libraries'
yum install quota
Edit /etc/fstab
/dev/VolGroup00/LogVol00 / ext3 defaults,usrquota,grpquota 1 1
....
Then run
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
Set up the RPMforge repository
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
rpm -ivh rpmforge-release-0.5.2-2.el5.rf.i386.rpm
Start the installation
yum install ntp httpd mysql-server php php-mysql php-mbstring php-mcrypt phpmyadmin
The default Dovecot does not support MySQL, so remove it first and then install a different build of Dovecot.
yum remove dovecot
Set up the ATrpms repository
Create /etc/yum.repos.d/atrpms.repo:
[atrpms]
name=Red Hat Enterprise Linux 5 - $basearch - ATrpms
baseurl=http://dl.atrpms.net/el5-$basearch/atrpms/stable
failovermethod=priority
exclude=dovecot-2*
includepkgs=dovecot dovecot-sieve
#
# requires stable
#
[atrpms-testing]
name=Red Hat Enterprise Linux 5 - $basearch - ATrpms testing
baseurl=http://dl.atrpms.net/el5-$basearch/atrpms/testing
failovermethod=priority
enabled=1
exclude=dovecot-2*
includepkgs=dovecot dovecot-sieve
#
# requires stable and testing
#
[atrpms-bleeding]
name=Red Hat Enterprise Linux 5 - $basearch - ATrpms bleeding
baseurl=http://dl.atrpms.net/el5-$basearch/atrpms/bleeding
failovermethod=priority
enabled=0
wget http://ATrpms.net/RPM-GPG-KEY.atrpms
rpm --import RPM-GPG-KEY.atrpms
Install Dovecot
yum install dovecot dovecot-sieve
Enable start at boot
chkconfig --levels 235 dovecot on
/etc/init.d/dovecot start
If this error appears:
Fatal: listen(::, 143) failed: Address family not supported by protocol
Edit /etc/dovecot.conf:
[...]
#listen = *, [::]
listen = * <== add this line
[...]
Start the service again.
The default postfix does not support MySQL, but the one installed from the CentOS Plus repository does, so remove it and then reinstall.
yum remove postfix
yum install postfix
Disable sendmail and set postfix and MySQL to start at boot
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
chkconfig sendmail off
chkconfig --levels 235 postfix on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
yum install getmail
Set the MySQL administrator password
mysql_secure_installation
Enter current password for root (enter for none): <== press Enter
Change the root password? [Y/n] Y
New password: <== enter the password
Re-enter new password: <== confirm the password
Remove anonymous users? [Y/n] <== press Enter
Disallow root login remotely? [Y/n] <== press Enter
Remove test database and access to it? [Y/n] <== press Enter
Reload privilege tables now? [Y/n] <== press Enter
Configure phpMyAdmin
Edit /etc/httpd/conf.d/phpmyadmin.conf: (comment out <Directory>......</Directory>)
#
# Web application to manage MySQL
#
#<Directory "/usr/share/phpmyadmin">
# Order Deny,Allow
# Deny from all
# Allow from 127.0.0.1
#</Directory>
Alias /phpmyadmin /usr/share/phpmyadmin
Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /mysqladmin /usr/share/phpmyadmin
Set the phpMyAdmin authentication type
Edit /usr/share/phpmyadmin/config.inc.php:
[...]
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';
[...]
Set Apache to start at boot
chkconfig --levels 235 httpd on
/etc/init.d/httpd start
You can now browse to http://your.ip.address/phpmyadmin/.
yum install amavisd-new spamassassin clamav clamd unzip bzip2 unrar perl-DBD-mysql
Edit /etc/sysconfig/amavisd: (uncomment CONFIG_FILE="/etc/amavisd.conf")
### Uncomment this if you want to use amavis with sendmail milter interface.
### See README.milter for details.
#
#MILTER_SOCKET="local:/var/amavis/amavis-milter.sock"
#MILTER_SOCKET="10024@127.0.0.1"
### These are other defaults.
#AMAVIS_ACCOUNT="amavis"
CONFIG_FILE="/etc/amavisd.conf"
#MILTER_FLAGS=""
Enable start at boot
sa-update
chkconfig --levels 235 amavisd on
chkconfig --levels 235 clamd on
/usr/bin/freshclam
/etc/init.d/amavisd start
/etc/init.d/clamd start
Create some required directories
mkdir /var/run/amavisd /var/spool/amavisd /var/spool/amavisd/tmp /var/spool/amavisd/db
chown amavis /var/run/amavisd /var/spool/amavisd /var/spool/amavisd/tmp /var/spool/amavisd/db
ln -s /var/run/clamav/clamd.sock /var/spool/amavisd/clamd.sock
The mod_fcgid module cannot be installed from the official repositories, but it is available from the centos.karan.org repository.
Set up the repository
cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
Edit /etc/yum.repos.d/kbsingh-CentOS-Extras.repo: (in [kbs-CentOS-Testing], set gpgcheck=0 and enabled=1)
[...]
# pkgs in the -Testing repo are not gpg signed
[kbs-CentOS-Testing]
name=CentOS.Karan.Org-EL$releasever - Testing
gpgcheck=0
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el$releasever/extras/testing/$basearch/RPMS/
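With gpgcheck=0, yum installs packages from that repository without verifying their signatures. The shell function below is an added example, not part of the original guide: it lists every enabled repo section that sets gpgcheck=0, so the repositories configured on this server can be reviewed in one pass. The sample text is constructed (the first section is the one shown above, the other two are hypothetical), and a section with no enabled= line is assumed to be enabled.

```shell
#!/bin/sh
# Added example: report enabled yum repo sections that set gpgcheck=0.
# Assumption: a section without an enabled= line counts as enabled.

# Reads .repo text on stdin; prints one flagged section name per line.
audit_repo_text() {
    awk '
        function report() {
            if (section != "" && enabled && gpgcheck == 0) print section
        }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                    # new [section]
            report()
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\][ \t]*$/, "", section)
            enabled = 1; gpgcheck = -1              # -1: not set in this section
            next
        }
        {
            line = $0
            gsub(/[ \t]/, "", line)
            if (line ~ /^enabled=/)  enabled  = (substr(line, 9)  != "0")
            if (line ~ /^gpgcheck=/) gpgcheck = (substr(line, 10) == "0") ? 0 : 1
        }
        END { report() }
    '
}

# Constructed sample: the first section is the one from this guide,
# the other two are hypothetical.
sample_repo() {
    cat <<'EOF'
# pkgs in the -Testing repo are not gpg signed
[kbs-CentOS-Testing]
name=CentOS.Karan.Org-EL$releasever - Testing
gpgcheck=0
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
[example-signed]
gpgcheck=1
enabled=1
[example-disabled]
gpgcheck=0
enabled=0
EOF
}

sample_repo | audit_repo_text
```

On the server itself, feed each file in /etc/yum.repos.d/ to audit_repo_text on stdin.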
Start the installation
yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-mbstring php-mcrypt php-mhash php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel
Edit /etc/php.ini: (change error_reporting and add cgi.fix_pathinfo as the last line)
[...]
;error_reporting = E_ALL
error_reporting = E_ALL & ~E_NOTICE
[...]
cgi.fix_pathinfo = 1
Next, install suPHP
cd /usr/src
wget http://suphp.org/download/suphp-0.7.1.tar.gz
tar xvfz suphp-0.7.1.tar.gz
cd suphp-0.7.1/
./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=owner --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
make
make install
Add suPHP module support to Apache
Create /etc/httpd/conf.d/suphp.conf:
LoadModule suphp_module modules/mod_suphp.so
Create /etc/suphp.conf:
[global]
;Path to logfile
logfile=/var/log/httpd/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Minimum UID
min_uid=100
; Minimum GID
min_gid=100
[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
Restart the Apache service
Starting with ISPConfig 3, Ruby support is built in; it is used in place of CGI/FastCGI. CentOS 5.7 has no mod_ruby package, so it must be compiled manually.
yum install httpd-devel ruby ruby-devel
Compile and install mod_ruby
cd /usr/src
wget http://modruby.net/archive/mod_ruby-1.3.0.tar.gz
tar zxvf mod_ruby-1.3.0.tar.gz
cd mod_ruby-1.3.0/
./configure.rb --with-apr-includes=/usr/include/apr-1
make
make install
Add mod_ruby module support to Apache
Create /etc/httpd/conf.d/ruby.conf:
LoadModule ruby_module modules/mod_ruby.so
Restart the Apache service
WebDAV should already be enabled; open /etc/httpd/conf/httpd.conf and confirm that these three modules are present
[...]
LoadModule auth_digest_module modules/mod_auth_digest.so
[...]
LoadModule dav_module modules/mod_dav.so
[...]
LoadModule dav_fs_module modules/mod_dav_fs.so
[...]
yum install pure-ftpd
Enable start at boot
chkconfig --levels 235 pure-ftpd on
/etc/init.d/pure-ftpd start
Configure PureFTPd to accept both FTP and TLS connections; TLS requires OpenSSL.
yum install openssl
Edit /etc/pure-ftpd/pure-ftpd.conf: (set TLS to 1)
[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
TLS 1
[...]
Create the SSL certificate
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [GB]: TW
State or Province Name (full name) [Berkshire]: <== anything
Locality Name (eg, city) [Newbury]: <== anything
Organization Name (eg, company) [My Company Ltd]: <== anything
Organizational Unit Name (eg, section) []: <== anything
Common Name (eg, your name or your server's hostname) []: <== your server's domain name
Email Address []: <== press Enter
chmod 600 /etc/ssl/private/pure-ftpd.pem
Restart the pure-ftpd service
yum install bind-chroot
chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
touch /var/named/chroot/var/named/named.local
cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root /var/named/chroot/var/named/named.root
touch /var/named/chroot/etc/named.conf.local
Edit /var/named/chroot/etc/named.conf:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory "/var/named/chroot/var/named";
        dump-file "/var/named/chroot/var/named/data/cache_dump.db";
        statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.root";
};
include "/var/named/chroot/var/named/named.local";
Enable start at boot
chkconfig --levels 235 named on
/etc/init.d/named start
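The options block above combines recursion yes with allow-query { any; } and has no allow-recursion statement, so named resolves recursive queries for any client that can reach port 53. The shell function below is an added example, not part of the original guide: it reports whether a named.conf has that combination. The second sample is a constructed variant that limits recursion to localhost and the 192.168.0.0/16 range this guide uses elsewhere.

```shell
#!/bin/sh
# Added example: classify a named.conf as an open or restricted recursor.
# Limitation: only // and # comments are stripped, not /* ... */ blocks.

# Reads named.conf text on stdin. Prints "open" when recursion is not
# turned off and either allow-recursion is { any; } or there is no
# allow-recursion at all while allow-query is { any; }.
check_named_recursion() {
    awk '
        { sub(/\/\/.*$/, ""); sub(/#.*$/, ""); conf = conf " " $0 }
        END {
            gsub(/[ \t]+/, " ", conf)
            rec_off   = (conf ~ /[ ;{]recursion no *;/)
            has_acl   = (conf ~ /allow-recursion *[{]/)
            acl_any   = (conf ~ /allow-recursion *[{] *any *; *[}]/)
            query_any = (conf ~ /allow-query *[{] *any *; *[}]/)
            if (!rec_off && (acl_any || (!has_acl && query_any))) print "open"
            else print "restricted"
        }
    '
}

# Trimmed from the options block in this guide (the comment is added).
named_conf_guide() {
    cat <<'EOF'
options {
    listen-on port 53 { any; };
    allow-query { any; };   // queries accepted from every client
    recursion yes;
};
EOF
}

# Constructed variant: recursion limited to localhost and the LAN.
named_conf_restricted() {
    cat <<'EOF'
options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-recursion { 127.0.0.1; 192.168.0.0/16; };
    recursion yes;
};
EOF
}

named_conf_guide | check_named_recursion
named_conf_restricted | check_named_recursion
```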
yum install webalizer awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder
cd /usr/src
wget http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
tar xvfz vlogger-1.3.tar.gz
mv vlogger-1.3/vlogger /usr/sbin/
rm -rf vlogger*
Jailkit can chroot SSH users (this must be done before ISPConfig is installed).
cd /usr/src
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./configure
make
make install
yum install fail2ban
Configure fail2ban
Edit /etc/fail2ban/jail.conf: (add the local network range)
...
ignoreip = 127.0.0.1 192.168.0.0/16
...
chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start
yum install rkhunter
yum install squirrelmail
Restart the Apache service
Configure SquirrelMail
/usr/share/squirrelmail/config/conf.pl
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color off
S Save data
Q Quit
Command >> <== type D
Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
quit = Do not change anything
Command >> <== type dovecot
imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false
Press any key to continue... <== press Enter
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color off
S Save data
Q Quit
Command >> <== type S
Data saved in config.php
Press enter to continue... <== press Enter
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color off
S Save data
Q Quit
Command >> <== type Q
Edit /etc/squirrelmail/config_local.php: (comment out $default_folder_prefix; without this change, the following error appears after logging in to the web page: Query: CREATE "Sent" Reason Given: Invalid mailbox name)
//$default_folder_prefix = '';
Browse to http://your.ip.address/webmail/.
cd /usr/src
wget http://prdownloads.sourceforge.net/ispconfig/ISPConfig-3.0.4.1.tar.gz
tar xfz ISPConfig-3.0.4.1.tar.gz
cd ispconfig3_install/install/
php -q install.php
Select language (en,de) [en]: <== press Enter
Installation mode (standard,expert) [standard]: <== press Enter
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [this.is.your.FQDN]: <== press Enter if the default is the correct FQDN; otherwise enter the correct FQDN
MySQL server hostname [localhost]: <== press Enter
MySQL root username [root]: <== press Enter
MySQL root password []: <== enter the DB administrator password
MySQL database to create [dbispconfig]: <== press Enter
MySQL charset [utf8]: <== press Enter
Generating a 2048 bit RSA private key
................................................................................................+++
....+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: <== enter TW
State or Province Name (full name) [Berkshire]: <== enter Planet
Locality Name (eg, city) [Newbury]: <== enter Earth
Organization Name (eg, company) [My Company Ltd]: <== enter OSSLab
Organizational Unit Name (eg, section) []: <== enter ADMIN
Common Name (eg, your name or your server's hostname) []: <== enter the server's FQDN
Email Address []: <== press Enter
ISPConfig Port [8080]: <== press Enter
Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <== press Enter
Country Name (2 letter code) [GB]: <== enter TW
State or Province Name (full name) [Berkshire]: <== enter Planet
Locality Name (eg, city) [Newbury]: <== enter Earth
Organization Name (eg, company) [My Company Ltd]: <== enter OSSLab VPS
Organizational Unit Name (eg, section) []: <== enter ADMIN
Common Name (eg, your name or your server's hostname) []: <== enter the server's FQDN
Email Address []: <== press Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <== press Enter
An optional company name []: <== press Enter
Stopping Dovecot Imap: [ OK ]
If you have trouble with authentication failures,
enable auth_debug setting. See http://wiki.dovecot.org/WhyDoesItNotWork
This message goes away after the first successful login.
Error: socket() failed: Address family not supported by protocol
Fatal: listen(::, 143) failed: Address family not supported by protocol
Starting Dovecot Imap: [FAILED]
Stopping httpd: [ OK ]
[Sun Nov 27 03:03:54 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
Starting httpd: [ OK ]
Stopping pure-ftpd: [ OK ]
Starting pure-ftpd: [ OK ]
Installation completed.
If the Dovecot service fails to start, edit /etc/dovecot.conf:
[...]
#listen = *, [::]
listen = *
[...]
Restart the Dovecot service
Browse to https://this.is.your.ip:8080/ and log in as admin : admin.