The Perfect Setup - Fedora Core 5 _64-bit_

The Perfect Setup - Fedora Core 5 (64-bit)

Version 1.1
Author: Falko Timme
Last edited 12/01/2006

This is a detailed description of how to set up a Fedora Core 5 based server that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP, Quota, Firewall, etc.). This tutorial is written for the 64-bit version of Fedora Core 5, but should apply to the 32-bit version with very few modifications as well.

I will use the following software:

- Web Server: Apache 2.0.x
- Database Server: MySQL 5.0
- Mail Server: Postfix (easier to configure than sendmail; has a shorter history of security holes than sendmail)
- DNS Server: BIND9 (chrooted!)
- FTP Server: proftpd
- POP3/IMAP server: dovecot
- Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Requirements

To install such a system you will need the following:

- Download the Fedora Core 5 DVD iso image or the 5 CD iso images from a mirror near you (the list of mirrors can be found here: http://fedora.redhat.com/download/mirrors.html), e.g. ftp://ftp.tu-chemnitz.de/pub/linux/fedora-core/5/x86_64/iso/FC-5-x86_64-DVD.iso
- an internet connection...

1 Install The Base System

Boot from your Fedora Core 5 DVD or CD (CD 1). It can take a long time to test the installation media so we skip this test here:

The welcome screen of the Fedora installer appears. Click on Next:

Choose your language next:

Select your keyboard layout:

I'm installing Fedora Core 5 on a fresh system, so I answer Yes to the question Would you like to initialize this drive, erasing ALL DATA?
Next we do the partitioning. Select Remove linux partitions on selected drives and create default layout. This will give you a small /boot partition and a large / partition which is fine for our purposes:

We want to remove all Linux partitions (remember, this is a fresh system), so we answer Yes to the following question:

On to the network settings. The default setting here is to configure the network interfaces with DHCP, but we are installing a server, so static IP addresses are not a bad idea... Click on the Edit button at the top right. In the window that pops up uncheck Configure using DHCP and give your network card a static IP address (in this tutorial I'm using the IP address 192.168.0.100 for demonstration purposes):

Set the hostname manually, e.g. server1.example.com, and enter a gateway (e.g. 192.168.0.1) and up to three DNS servers (e.g. 145.253.2.75, 193.174.32.18, and 194.25.0.60):

Choose your time zone:

Give root a password:

Now we select the software we want to install. Uncheck Office and Productivity and check Software Development and Web server instead. Also check Customize now, then click on Next:

Now we must select the package groups we want to install. Select Editors, Text-based Internet, Development Libraries, Development Tools, DNS Name Server, FTP Server, Mail Server, MySQL Database, Server Configuration Tools, Web Server, Administration Tools, Base, Java, and System Tools and click on Next:

Click on Next to start the installation:

The installation begins. This will take a few minutes:

Finally, the installation is complete, and you can remove your DVD or CD from the computer and reboot it:

Now, on to the configuration...

2 Configure Additional IP Addresses

(This section is totally optional. It just shows how to add additional IP addresses to your network interface eth0 if you need more than one IP address. If you're fine with one IP address, you can skip this section.)

Let's assume our network interface is eth0.
Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:

    vi /etc/sysconfig/network-scripts/ifcfg-eth0

    DEVICE=eth0
    BOOTPROTO=static
    BROADCAST=192.168.0.255
    HWADDR=00:0C:29:46:19:D3
    IPADDR=192.168.0.100
    NETMASK=255.255.255.0
    NETWORK=192.168.0.0
    ONBOOT=yes

Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this (we can leave out the HWADDR line as it is the same physical network card):

    vi /etc/sysconfig/network-scripts/ifcfg-eth0:0

    DEVICE=eth0:0
    BOOTPROTO=static
    BROADCAST=192.168.0.255
    IPADDR=192.168.0.101
    NETMASK=255.255.255.0
    NETWORK=192.168.0.0
    ONBOOT=yes

Afterwards we have to restart the network:

    /etc/init.d/network restart

3 Configure The Firewall

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable the default Fedora firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the Fedora firewall).

Run

    system-config-securitylevel

Select Disabled and press OK.

To check that the firewall has really been disabled, you can run

    iptables -L

afterwards. The output should look like this:

    [root@server1 ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

4 Disable SELinux

SELinux is a security extension of Fedora that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem).
Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

    vi /etc/selinux/config

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=disabled
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted

Afterwards we must reboot the system:

    shutdown -r now

5 Install Some Software

Now we install some software packages that are needed later on:

    yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++

6 Quota

To install quota, we run this command:

    yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):

    vi /etc/fstab

    /dev/VolGroup00/LogVol00 /         ext3    defaults,usrquota,grpquota  1 1
    LABEL=/boot              /boot     ext3    defaults                    1 2
    devpts                   /dev/pts  devpts  gid=5,mode=620              0 0
    tmpfs                    /dev/shm  tmpfs   defaults                    0 0
    proc                     /proc     proc    defaults                    0 0
    sysfs                    /sys      sysfs   defaults                    0 0
    /dev/VolGroup00/LogVol01 swap      swap    defaults                    0 0

Then run

    touch /aquota.user /aquota.group
    chmod 600 /aquota.*
    mount -o remount /
    quotacheck -avugm
    quotaon -avug

to enable quota.

7 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

    yum install bind-chroot

If you see this error:

    Transaction Check Error: file /etc/named.conf from install of bind-9.3.212.FC5 conflicts with file from package caching-nameserver-7.3-5.FC5

you can ignore it.
    chmod 755 /var/named/
    chmod 775 /var/named/chroot/
    chmod 775 /var/named/chroot/var/
    chmod 775 /var/named/chroot/var/named/
    chmod 775 /var/named/chroot/var/run/
    chmod 777 /var/named/chroot/var/run/named/
    cd /var/named/chroot/var/named/
    ln -s ../../ chroot
    chkconfig --levels 235 named on
    /etc/init.d/named start

BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

8 MySQL (5.0)

To install MySQL, we do this:

    yum install mysql mysql-devel mysql-server

Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:

    chkconfig --levels 235 mysqld on
    /etc/init.d/mysqld start

Now check that networking is enabled. Run

    netstat -tap

It should show a line like this:

    tcp        0      0 *:mysql        *:*        LISTEN      2008/mysqld

If it does not, edit /etc/my.cnf and comment out the option skip-networking:

    vi /etc/my.cnf

    #skip-networking

and restart your MySQL server:

    /etc/init.d/mysqld restart

Run

    mysqladmin -u root password yourrootsqlpassword
    mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

9 Postfix With SMTP-AUTH And TLS

Now we install Postfix and dovecot (dovecot will be our POP3/IMAP server):

    yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Now we configure SMTP-AUTH and TLS:

    postconf -e 'smtpd_sasl_local_domain ='
    postconf -e 'smtpd_sasl_auth_enable = yes'
    postconf -e 'smtpd_sasl_security_options = noanonymous'
    postconf -e 'broken_sasl_auth_clients = yes'
    postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
    postconf -e 'inet_interfaces = all'

We must edit /usr/lib64/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins.
It should look like this:

    vi /usr/lib64/sasl2/smtpd.conf

    pwcheck_method: saslauthd
    mech_list: plain login

    mkdir /etc/postfix/ssl
    cd /etc/postfix/ssl/
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
    chmod 600 smtpd.key
    openssl req -new -key smtpd.key -out smtpd.csr
    openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
    openssl rsa -in smtpd.key -out smtpd.key.unencrypted
    mv -f smtpd.key.unencrypted smtpd.key
    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

    postconf -e 'smtpd_tls_auth_only = no'
    postconf -e 'smtp_use_tls = yes'
    postconf -e 'smtpd_use_tls = yes'
    postconf -e 'smtp_tls_note_starttls_offer = yes'
    postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
    postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
    postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
    postconf -e 'smtpd_tls_loglevel = 1'
    postconf -e 'smtpd_tls_received_header = yes'
    postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
    postconf -e 'tls_random_source = dev:/dev/urandom'

After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):

    vi /etc/postfix/main.cf

    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    mail_owner = postfix
    inet_interfaces = all
    mydestination = $myhostname, localhost.$mydomain, localhost
    unknown_local_recipient_reject_code = 550
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    debug_peer_level = 2
    debugger_command =
             PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
             xxgdb $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail.postfix
    newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix
    setgid_group = postdrop
    html_directory = no
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix-2.2.8/samples
    readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

Now start Postfix, saslauthd, and dovecot:

    chkconfig --levels 235 sendmail off
    chkconfig --levels 235 postfix on
    chkconfig --levels 235 saslauthd on
    chkconfig --levels 235 dovecot on
    /etc/init.d/sendmail stop
    /etc/init.d/postfix start
    /etc/init.d/saslauthd start
    /etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly now run the following command:

    telnet localhost 25

After you have established the connection to your Postfix mail server type

    ehlo localhost

If you see the lines

    250-STARTTLS

and

    250-AUTH

everything is fine.

Type

    quit

to return to the system's shell.

9.1 Maildir

dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.
If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir:

    postconf -e 'home_mailbox = Maildir/'
    postconf -e 'mailbox_command ='
    /etc/init.d/postfix restart

10 Apache2 With PHP5

Now we install Apache with PHP5:

    yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel

Then edit /etc/httpd/conf/httpd.conf:

    vi /etc/httpd/conf/httpd.conf

and change DirectoryIndex to

    DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl

Now configure your system to start Apache at boot time:

    chkconfig --levels 235 httpd on

Start Apache:

    /etc/init.d/httpd start

10.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddHandler and AddType lines:

    vi /etc/httpd/conf.d/php.conf

    #
    # PHP is an HTML-embedded scripting language which attempts to make it
    # easy for developers to write dynamically generated webpages.
    #

    LoadModule php5_module modules/libphp5.so

    #
    # Cause the PHP interpreter to handle files with a .php extension.
    #
    #AddHandler php5-script .php
    #AddType text/html .php

    #
    # Add index.php to the list of files that will be served as directory
    # indexes.
    #
    DirectoryIndex index.php

    #
    # Uncomment the following line to allow PHP to pretty-print .phps
    # files as PHP source code:
    #
    #AddType application/x-httpd-php-source .phps

Afterwards we restart Apache:

    /etc/init.d/httpd restart

11 ProFTPd

ISPConfig has better support for proftpd than vsftpd, so let's remove vsftpd and install proftpd:

    yum remove vsftpd
    yum install proftpd
    chkconfig --levels 235 proftpd on
    /etc/init.d/proftpd start

12 Webalizer

To install webalizer, just run

    yum install webalizer

13 Synchronize The System Clock

If you want to have the system clock synchronized with an NTP server do the following:

    yum install ntp
    chkconfig --levels 235 ntpd on
    ntpdate 0.pool.ntp.org
    /etc/init.d/ntpd start

14 Install Some Perl Modules

ISPConfig comes with SpamAssassin which needs a few Perl modules to work. We install the required Perl modules with a single command:

    yum install perl-HTML-Parser perl-DBI perl-Net-DNS perl-Digest-SHA1

15 The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.

15.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Fedora's suExec is compiled with /var/www as Doc_Root. Run

    /usr/sbin/suexec -V

and the output should look like this:

To select /var/www as the home directory for websites during the installation of ISPConfig do the following: When you are asked for the installation mode, select the expert mode. Later during the installation you are asked if the default directory /home/www should be the directory where ISPConfig will create websites in. Answer n and enter /var/www as the home directory for websites.
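
The manual EHLO check from section 9 (look for 250-STARTTLS and 250-AUTH) can be scripted. The following is an added example, not part of the original tutorial: the function name ehlo_audit and the sample reply are constructed for illustration, and the reply is assumed to have been captured on the plaintext session, before STARTTLS, as in the telnet test.

```shell
#!/bin/sh
# Added example: audit a captured EHLO reply from the telnet check in section 9.

# Constructed sample reply, shaped like what the main.cf in section 9 produces
# (smtpd_tls_auth_only = no, broken_sasl_auth_clients = yes).
SAMPLE_EHLO='250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME'

# ehlo_audit REPLY -> prints one finding per line:
#   starttls=yes|no
#   auth_mechs=<space separated, upper case, deduplicated>
#   cleartext_password_auth=yes|no   (PLAIN or LOGIN offered before STARTTLS)
ehlo_audit() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        # Only 250 reply lines carry EHLO keywords; "250-" continues, "250 " ends.
        /^250[- ]/ {
            line = toupper(substr($0, 5))
            if (line == "STARTTLS") starttls = 1
            # "AUTH mech..." is the standard form, "AUTH=mech..." the legacy
            # form that broken_sasl_auth_clients adds for old clients.
            if (line ~ /^AUTH[ =]/) {
                n = split(substr(line, 6), m, " ")
                for (i = 1; i <= n; i++) if (!(m[i] in seen)) {
                    seen[m[i]] = 1
                    mechs = mechs (mechs == "" ? "" : " ") m[i]
                }
            }
        }
        END {
            print "starttls=" (starttls ? "yes" : "no")
            print "auth_mechs=" mechs
            weak = (("PLAIN" in seen) || ("LOGIN" in seen)) ? "yes" : "no"
            print "cleartext_password_auth=" weak
        }'
}

ehlo_audit "$SAMPLE_EHLO"
```

With smtpd_tls_auth_only = no as set in section 9, Postfix advertises AUTH on the unencrypted session, so the sample reports cleartext_password_auth=yes. With smtpd_tls_auth_only = yes the AUTH lines appear only in the EHLO reply sent after STARTTLS.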
