The Perfect Server + ispconfig by ashrafp


Important commands
Find the differences between the contents of one file and another:
      diff -i

Replace one string with another in a file:
     replace apt-get apt1-get1 --

Search for a string in the manual/documentation:
      man -k replace | less

Check whether an application is available in the package list:
      apt-get -s install ISPConfig

Search for the string user_add in files:
      grep 'user_add' *

The Perfect Server - Ubuntu Hardy Heron (Ubuntu 8.04 LTS Server)
Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 04/24/2008

This tutorial shows how to set up an Ubuntu Hardy Heron (Ubuntu 8.04 LTS) based
server that offers all services needed by ISPs and hosters: Apache web server (SSL-
capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd
FTP server, MySQL server, Courier POP3/IMAP, Quota, Firewall, etc. This tutorial is
written for the 32-bit version of Ubuntu 8.04 LTS, but should apply to the 64-bit version
with very few modifications as well.

I will use the following software:

      Web Server: Apache 2.2 with PHP 5.2.4 and Ruby
      Database Server: MySQL 5.0
      Mail Server: Postfix
      DNS Server: BIND9
      FTP Server: proftpd
      POP3/IMAP: I will use Maildir format and therefore install Courier-
      Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install
the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are
many ways of achieving this goal but this is the way I take. I do not issue any guarantee
that this will work for you!

1 Requirements

To install such a system you will need the following:

      the Ubuntu 8.04 LTS server CD, available here:
      a fast internet connection.

2 Preliminary Note

In this tutorial I use the hostname with the IP address and the gateway These settings might differ for you, so you
have to replace them where appropriate.

3 The Base System

Insert your Ubuntu install CD into your system and boot from it. Select your language:
Then select Install Ubuntu Server:
Choose your language again (?):
Then select your location:
Choose a keyboard layout (you will be asked to press a few keys, and the installer will try
to detect your keyboard layout based on the keys you pressed):
The installer checks the installation CD, your hardware, and configures the network with
DHCP if there is a DHCP server in the network:
Enter the hostname. In this example, my system is called, so I enter
Now you have to partition your hard disk. For simplicity's sake I will create one big
partition (with the mount point /) and a little swap partition so I select Guided - use entire
disk (of course, the partitioning is totally up to you - if you like, you can create more than
just one big partition, and you can also use LVM):
Select the disk that you want to partition:
When you're finished, hit Yes when you're asked Write the changes to disks?:
Afterwards, your new partitions are being created and formatted.

Now the base system is being installed:
Create a user, for example the user Administrator with the user name administrator (don't
use the user name admin as it is a reserved name on Ubuntu 8.04):
Next the package manager apt gets configured. Leave the HTTP proxy line empty unless
you're using a proxy server to connect to the Internet:
We need a DNS, mail, and LAMP server, but nevertheless I don't select any of them now
because I like to have full control over what gets installed on my system. We will install
the needed packages manually later on. The only item I select here is OpenSSH server so
that I can immediately connect to the system with an SSH client such as PuTTY after the
installation has finished:

The installation continues:
The GRUB boot loader gets installed:
The base system installation is now finished. Remove the installation CD from the CD
drive and hit Continue to reboot the system:
On to the next step...

4 Enable The root Account

After the reboot you can login with your previously created username (e.g.
administrator). Because we must run all the steps from this tutorial as root user, we must
enable the root account now.


sudo passwd root

and give root a password. Afterwards we become root by running


5 Install The SSH Server (Optional)

If you did not install the OpenSSH server during the system installation, you can do it

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your
workstation to your Ubuntu 8.04 LTS server and follow the remaining steps from this

6 Install vim-full (Optional)

I'll use vi as my text editor in this tutorial. The default vi program has some strange
behaviour on Ubuntu and Debian; to fix this, we install vim-full:

apt-get install vim-full

(You don't have to do this if you use a different text editor such as joe or nano.)

7 Configure The Network

Because the Ubuntu installer has configured our system to get its network settings via
DHCP, we have to change that now because a server should have a static IP address. Edit
/etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP

vi /etc/network/interfaces

    # This file describes the network interfaces available on your
    # and how to activate them. For more information, see
    # The loopback network interface
    auto lo
    iface lo inet loopback
    # The primary network interface
    auto eth0
    iface eth0 inet static

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts

    localhost.localdomain          localhost     server1
    # The following lines are desirable for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts

Now run

echo > /etc/hostname
/etc/init.d/ start

Afterwards, run

hostname -f

Both should show now.

8 Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and
make sure that the universe and multiverse repositories are enabled. It should look like

vi /etc/apt/sources.list

    # deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted
    #deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted
    # See for how to upgrade to
    # newer versions of the distribution.
    deb hardy main restricted
    deb-src hardy main
    ## Major bug fix updates produced after the final release of the
    ## distribution.
    deb hardy-updates main
    deb-src hardy-updates main
    ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
    ## team, and may not be under a free licence. Please satisfy yourself as to
    ## your rights to use the software. Also, please note that software in
    ## universe WILL NOT receive any review or updates from the Ubuntu security
    ## team.
    deb hardy universe
    deb-src hardy universe
    deb hardy-updates universe
    deb-src hardy-updates
    ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
    ## team, and may not be under a free licence. Please satisfy yourself as to
    ## your rights to use the software. Also, please note that software in
    ## multiverse WILL NOT receive any review or updates from the
    ## security team.
    deb hardy multiverse
    deb-src hardy multiverse
    deb hardy-updates
    deb-src hardy-updates
    ## Uncomment the following two lines to add software from the
    ## repository.
    ## N.B. software from this repository may not have been tested
    ## extensively as that contained in the main release, although it includes
    ## newer versions of some applications which may provide useful
    ## Also, please note that software in backports WILL NOT receive any review
    ## or updates from the Ubuntu security team.
    # deb hardy-backports main restricted universe multiverse
    # deb-src hardy-backports main restricted universe multiverse
    ## Uncomment the following two lines to add software from
    ## 'partner' repository. This software is not part of Ubuntu, but is
    ## offered by Canonical and the respective vendors as a service to Ubuntu
    ## users.
    # deb hardy partner
    # deb-src hardy partner
    deb hardy-security main
    deb-src hardy-security main
    deb hardy-security universe
    deb-src hardy-security
    deb hardy-security multiverse
    deb-src hardy-security

Then run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any).

9 Change The Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we
do this:

ln -sf /bin/bash /bin/sh

If you don't do this, the ISPConfig installation will fail.

10 Disable AppArmor

AppArmor is a security extension (similar to SELinux) that should provide extended
security. In my opinion you don't need it to configure a secure system, and it usually
causes more problems than advantages (think of it after you have done a week of trouble-
shooting because some service wasn't working as expected, and then you find out that
everything was ok, only AppArmor was causing the problem). Therefore I disable it (this
is a must if you want to install ISPConfig later on).

We can disable it like this:

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove

Till told me that he also had to do this step (which was not necessary on my installation),
so if you want to be sure, do this on your system as well:

apt-get remove apparmor apparmor-utils

11 Install Some Software

Now we install a few packages that are needed later on. Run

apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.3-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential

(This command must go into one line!)

12 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this
chapter so that quota applies to the partitions where you need it.)

To install quota, run

apt-get install quota

Edit /etc/fstab. Mine looks like this (I added ,usrquota,grpquota to the partition with the
mount point /):

vi /etc/fstab

    # /etc/fstab: static file system information.
    # <file system> <mount point>   <type> <options>        <dump>
    proc            /proc           proc    defaults        0
    # /dev/sda1
    UUID=6af53069-0d51-49be-b275-aeaea8d780c5 /               ext3    relatime,errors=remount-ro,usrquota,grpquota 0       1
    # /dev/sda5
    UUID=d8e1f66c-1442-423e-b442-8ae66eded9d7 none            swap    sw              0       0
    /dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec,utf8 0       0
    /dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0

To enable quota, run these commands:

touch /quota.user /
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

13 DNS Server


apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind,
chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads
OPTIONS="-u bind -t /var/lib/named":

vi /etc/default/bind9

      OPTIONS="-u bind -t /var/lib/named"
      # Set RESOLVCONF=no to not run resolvconf

Create the necessary directories under /var/lib:

mkdir    -p /var/lib/named/etc
mkdir    /var/lib/named/dev
mkdir    -p /var/lib/named/var/cache/bind
mkdir    -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems
when bind gets updated in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We need to modify /etc/default/syslogd so that we can still get important messages
logged to the system logs. Modify the line: SYSLOGD="" so that it reads:
SYSLOGD="-a /var/lib/named/dev/log":

vi /etc/default/syslogd

    # Top configuration file for syslogd

    # Full documentation of possible arguments are found in the
    # syslogd(8).

    # For remote UDP logging use SYSLOGD="-r"
    SYSLOGD="-a /var/lib/named/dev/log"

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start
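
A check of the chroot layout built in the steps above, as an added example that is not part of the original tutorial. The function names and the PREFIX argument (which lets the check run against a copy of the tree instead of the live system) are assumptions of this example, and the fixture is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify the BIND chroot set up above.
# check_bind_chroot PREFIX prints one FAIL line per problem and returns 0 only
# when nothing is wrong. PREFIX "" checks the live system.

check_bind_chroot() {
    prefix=$1
    jail=/var/lib/named
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # 1. named must drop privileges (-u bind) and chroot into the jail (-t).
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$prefix/etc/default/bind9" 2>/dev/null | tail -n 1)
    case " $opts " in *" -u bind "*) ;; *) fail "OPTIONS lacks -u bind" ;; esac
    case " $opts " in *" -t $jail "*) ;; *) fail "OPTIONS lacks -t $jail" ;; esac

    # 2. Directories created with mkdir, plus the moved config directory.
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        [ -d "$prefix$jail/$d" ] || fail "missing directory $jail/$d"
    done

    # 3. /etc/bind must be a symlink into the jail, not a second copy that
    #    silently diverges from the files named actually reads.
    if [ -L "$prefix/etc/bind" ]; then
        target=$(readlink "$prefix/etc/bind")
        [ "$target" = "$jail/etc/bind" ] || fail "/etc/bind points to $target"
    else
        fail "/etc/bind is not a symlink"
    fi

    # 4. The device nodes inside the jail must be character devices.
    for dev in null random; do
        [ -c "$prefix$jail/dev/$dev" ] || fail "$jail/dev/$dev is not a character device"
    done

    # 5. Without the extra socket, messages from the chrooted named are lost.
    grep -q "^SYSLOGD=\".*-a $jail/dev/log" "$prefix/etc/default/syslogd" 2>/dev/null \
        || fail "syslogd is not listening on $jail/dev/log"

    [ "$problems" -eq 0 ]
}

# Constructed fixture: the tree as it looks after the mkdir/mv/ln steps but
# before mknod (which needs root) and before the syslogd change.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/default" "$t/var/lib/named/etc/bind" "$t/var/lib/named/dev" \
             "$t/var/lib/named/var/cache/bind" "$t/var/lib/named/var/run/bind/run"
    printf 'OPTIONS="-u bind -t /var/lib/named"\n' > "$t/etc/default/bind9"
    printf 'SYSLOGD=""\n' > "$t/etc/default/syslogd"
    ln -s /var/lib/named/etc/bind "$t/etc/bind"
    echo "$t"
}

tree=$(make_fixture)
check_bind_chroot "$tree" || echo "chroot setup is incomplete"
rm -rf "$tree"
```

On the server itself, run check_bind_chroot "" as root after the last step.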

14 MySQL

In order to install MySQL, we run

apt-get install mysql-server mysql-client libmysqlclient15-

You will be asked to provide a password for the MySQL root user - this password is valid
for the user root@localhost as well as, so we don't have to
specify a MySQL root password manually later on (as was the case with previous Ubuntu

New password for the MySQL "root" user: <--
Repeat password for the MySQL "root" user: <--

We want MySQL to listen on all interfaces, not just localhost, therefore we edit
/etc/mysql/my.cnf and comment out the line bind-address =

vi /etc/mysql/my.cnf

    # Instead of skip-networking the default is now to listen only
    # localhost which is more compatible and is not less secure.
    #bind-address           =

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp 0    0 *:mysql *:*          LISTEN                 5869/mysqld
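
Once MySQL is no longer bound to localhost, it is worth listing every daemon that listens on all interfaces and comparing that list with what is meant to be reachable. The following added example (not part of the original tutorial) does this for netstat -tap output; the function names, the allowlist arguments and all sample lines except the mysqld line shown above are constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): classify TCP listeners by bind address.

# Reads netstat -tap (or -tanp) output on stdin and prints
# "<scope> <port> <program>" for every listening TCP socket.
# scope: all = wildcard bind, local = loopback only, addr = one specific address.
listener_scope() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            local_addr = $4
            n = split(local_addr, part, ":")
            port = part[n]                       # text after the last colon
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (host == "*" || host == "0.0.0.0" || host == "::" || host == "[::]")
                scope = "all"
            else if (host ~ /^localhost/ || host ~ /^127\./ || host == "::1" ||
                     host == "[::1]" || host ~ /^ip6-localhost/)
                scope = "local"
            else
                scope = "addr"
            prog = $7
            sub(/^[0-9]+\//, "", prog)           # drop the PID, keep the name
            print scope, port, prog
        }'
}

# Prints every wildcard listener whose port is not in the allowlist passed as
# arguments (names or numbers, exactly as netstat prints them).
unexpected_exposure() {
    allow=" $* "
    listener_scope | while read -r scope port prog; do
        [ "$scope" = all ] || continue
        case "$allow" in *" $port "*) continue ;; esac
        echo "$port ($prog) listens on all interfaces"
    done
}

# Constructed sample output; only the mysqld line is taken from the tutorial.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:mysql                 *:*                     LISTEN      5869/mysqld
tcp        0      0 localhost:953           *:*                     LISTEN      4711/named
tcp        0      0 *:smtp                  *:*                     LISTEN      6020/master
tcp        0      0 server1.example:ssh     10.0.0.5:51514          ESTABLISHED 7001/sshd
tcp6       0      0 [::]:www                [::]:*                  LISTEN      6500/apache2
EOF
}

# Mail and web are meant to be public in this setup; anything else is reported.
sample_netstat | unexpected_exposure smtp www
```

On the server, pipe the real output in instead: netstat -tap | unexpected_exposure smtp www ssh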

15 Postfix With SMTP-AUTH And TLS

In order to install Postfix with SMTP-AUTH and TLS do the following steps:

apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail

You will be asked two questions. Answer as follows:

General type of mail configuration: <-- Internet Site
System mail name: <--

Then run

dpkg-reconfigure postfix

Again, you'll be asked some questions:
General type of mail configuration: <-- Internet Site
System mail name: <--
Root and postmaster mail recipient: <-- [blank]
Other destinations to accept mail for (blank for none): <--,,
localhost.localdomain, localhost
Force synchronous updates on mail queue? <-- No
Local networks: <--
Use procmail for local delivery? <-- Yes
Mailbox size limit (bytes): <-- 0
Local address extension character: <-- +
Internet protocols to use: <-- all

Next, do this:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions =
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >>
echo 'mech_list: plain login' >>

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS (make sure that you use the correct hostname for

postconf -e 'myhostname ='
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file =
postconf -e 'smtpd_tls_cert_file =
postconf -e 'smtpd_tls_CAfile =
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

The file /etc/postfix/ should now look like this:

cat /etc/postfix/

 # See /usr/share/postfix/ for a commented, more complete

 # Debian specific: Specifying a file name will cause the first
 # line of that file to be used as the name. The Debian default
 # is /etc/mailname.
 #myorigin = /etc/mailname

 smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
 biff = no

 # appending .domain is the MUA's job.
 append_dot_mydomain = no

 # Uncomment the next line to generate "delayed mail" warnings
 #delay_warning_time = 4h

 readme_directory = no

 # TLS parameters
 smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
 smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
 smtpd_use_tls = yes
 smtpd_tls_session_cache_database =
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package
 # information on enabling SSL in the smtp client.
 myhostname =
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination =,,
 localhost.localdomain, localhost
 relayhost =
 mynetworks =
 mailbox_command = procmail -a "$EXTENSION"
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = all
 smtpd_sasl_local_domain =
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
 broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_recipient_restrictions =
 smtpd_tls_auth_only = no
 smtp_use_tls = yes
 smtp_tls_note_starttls_offer = yes
 smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
 smtpd_tls_loglevel = 1
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_timeout = 3600s
 tls_random_source = dev:/dev/urandom

Authentication will be done by saslauthd. We have to change a few things to make it
work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to
yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m
/var/spool/postfix/var/run/saslauthd -r":

vi /etc/default/saslauthd

    # Settings for saslauthd daemon
    # Please read /usr/share/doc/sasl2-bin/README.Debian for

    # Should saslauthd run automatically on startup? (default: no)

    # Description of this saslauthd instance. Recommended.
    # (suggestion: SASL Authentication Daemon)
    DESC="SASL Authentication Daemon"

    # Short name of this saslauthd instance. Strongly recommended.
    # (suggestion: saslauthd)

    # Which authentication mechanisms should saslauthd use?
    (default: pam)
    # Available options in this Debian package:
    # getpwent -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in
    # Only one option may be used at a time. See the saslauthd man
    # for more information.
    # Example: MECHANISMS="pam"

    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific

    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.

    # Other options (default: -c -m /var/run/saslauthd)
    # Note: You MUST specify the -m option or saslauthd won't run!
    # See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific
    # See the saslauthd man page for general information about these
    # Example for postfix users: "-c -m
    #OPTIONS="-c -m /var/run/saslauthd"
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Next add the postfix user to the sasl group (this makes sure that Postfix has the
permission to access saslauthd):

adduser postfix sasl

Now restart Postfix and start saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines




everything is fine.

The output on my system looks like this:

root@server1:/etc/postfix/ssl# telnet localhost 25
Connected to localhost.localdomain.
Escape character is '^]'.
220 ESMTP Postfix (Ubuntu)
ehlo localhost
250-SIZE 10240000
250 DSN
221 2.0.0 Bye
Connection closed by foreign host.


to return to the system's shell.
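
The settings above combine smtpd_tls_auth_only = no with mech_list: plain login, so AUTH is accepted on sessions that never issued STARTTLS, and both mechanisms only base64-encode the password. The following added example (not part of the original tutorial) audits a main.cf for that combination; the function names, file names and sample data are constructed, and the SASL file stands for the one the two echo lines append to.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the SMTP-AUTH/TLS settings.

# Effective value of a main.cf parameter: comments are skipped and the last
# assignment wins. Continued (indented) values are not handled here.
main_cf_value() {            # $1 = main.cf path, $2 = parameter name
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name != key) next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            found = val
        }
        END { print found }
    ' "$1"
}

# Prints one WARN line per finding; returns 0 only when there are none.
audit_postfix() {            # $1 = main.cf, $2 = SASL config holding mech_list
    findings=0
    note() { echo "WARN $1"; findings=$((findings + 1)); }

    auth=$(main_cf_value "$1" smtpd_sasl_auth_enable)
    tls_only=$(main_cf_value "$1" smtpd_tls_auth_only)
    use_tls=$(main_cf_value "$1" smtpd_use_tls)
    level=$(main_cf_value "$1" smtpd_tls_security_level)
    sec_opts=$(main_cf_value "$1" smtpd_sasl_security_options)
    mechs=$(sed -n 's/^mech_list:[[:space:]]*//p' "$2" 2>/dev/null || true)

    # STARTTLS has to be offered at all.
    case "$use_tls:$level" in
        yes:*|*:may|*:encrypt) ;;
        *) note "STARTTLS is not offered" ;;
    esac

    # PLAIN and LOGIN only base64-encode the password. An empty mech_list
    # leaves the choice to the SASL library, so it is treated the same way.
    case " $(echo "$mechs" | tr 'A-Z' 'a-z') " in
        "  "|*" plain "*|*" login "*) cleartext=yes ;;
        *) cleartext=no ;;
    esac
    if [ "$auth" = yes ] && [ "$cleartext" = yes ] &&
       [ "$tls_only" != yes ] && [ "$level" != encrypt ]; then
        note "smtpd_tls_auth_only=${tls_only:-unset}: AUTH (${mechs:-any mechanism}) is accepted before STARTTLS"
    fi

    # noanonymous keeps anonymous SASL logins from counting as authenticated.
    case " $(echo "$sec_opts" | tr ',' ' ') " in
        *" noanonymous "*) ;;
        *) if [ "$auth" = yes ]; then note "smtpd_sasl_security_options lacks noanonymous"; fi ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed sample: the SASL/TLS lines of the listing above.
sample_main_cf() {
    cat <<'EOF'
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
EOF
}

dir=$(mktemp -d)
sample_main_cf > "$dir/main.cf"
printf 'pwcheck_method: saslauthd\nmech_list: plain login\n' > "$dir/sasl.conf"
audit_postfix "$dir/main.cf" "$dir/sasl.conf" || echo "as configured: review findings above"
# Corrected setting: AUTH is only announced and accepted after STARTTLS.
sed 's/^smtpd_tls_auth_only = no/smtpd_tls_auth_only = yes/' "$dir/main.cf" > "$dir/fixed.cf"
audit_postfix "$dir/fixed.cf" "$dir/sasl.conf" && echo "with smtpd_tls_auth_only = yes: no findings"
rm -rf "$dir"
```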

16 Courier-IMAP/Courier-POP3

Run this to install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and
Courier-POP3/Courier-POP3-SSL (for POP3s on port 995):

apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0

You will be asked two questions:

Create directories for web-based administration? <-- No
SSL certificate required <-- Ok

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user's

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system
as ISPConfig does the necessary configuration using procmail recipes. But please make sure
to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig
web interface.

17 Apache/PHP5/Ruby

Now we install Apache:

apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert

Next we install PHP5 and Ruby (both as Apache modules):

apt-get install libapache2-mod-php5 libapache2-mod-ruby php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Next we edit /etc/apache2/mods-available/dir.conf:

vi /etc/apache2/mods-available/dir.conf

and change the DirectoryIndex line:

    <IfModule mod_dir.c>

              #DirectoryIndex index.html index.cgi index.php index.xhtml index.htm
              DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.xhtml

    </IfModule>

Now we have to enable some Apache modules (SSL, rewrite, suexec, and include):

a2enmod     ssl
a2enmod     rewrite
a2enmod     suexec
a2enmod     include

Reload the Apache configuration:

/etc/init.d/apache2 force-reload

In the next chapter (17.1) we are going to disable PHP (this is necessary only if you want
to install ISPConfig on this server). Unlike PHP, Ruby is disabled by default, therefore
we don't have to do it.

17.1 Disable PHP Globally
(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which
website can run PHP scripts and which one cannot. This can only work if PHP is disabled
globally because otherwise all websites would be able to run PHP scripts, no matter what
you specify in ISPConfig.

To disable PHP globally, we edit /etc/mime.types and comment out the application/x-
httpd-php lines:

vi /etc/mime.types

    #application/x-httpd-php                                     phtml pht php
    #application/x-httpd-php-source                              phps
    #application/x-httpd-php3                                    php3
    #application/x-httpd-php3-preprocessed                       php3p
    #application/x-httpd-php4                                    php4

Edit /etc/apache2/mods-enabled/php5.conf and comment out the following lines:

vi /etc/apache2/mods-enabled/php5.conf

    <IfModule mod_php5.c>
      #AddType application/x-httpd-php .php .phtml .php3
      #AddType application/x-httpd-php-source .phps
    </IfModule>

Then restart Apache:

/etc/init.d/apache2 restart

18 Proftpd

In order to install Proftpd, run

apt-get install proftpd ucf

You will be asked a question:

Run proftpd: <-- standalone

For security reasons add the following lines to /etc/proftpd/proftpd.conf (thanks to
Reinaldo Carvalho; more information can be found here:

vi /etc/proftpd/proftpd.conf

    DefaultRoot ~
    IdentLookups off
    ServerIdent on "FTP Server ready."

ISPConfig expects the configuration to be in /etc/proftpd.conf instead of
/etc/proftpd/proftpd.conf, therefore we create a symlink (you can skip this command if
you don't want to install ISPConfig):

ln -s /etc/proftpd/proftpd.conf /etc/proftpd.conf

Then restart Proftpd:

/etc/init.d/proftpd restart

19 Webalizer

To install webalizer, just run

apt-get install webalizer

20 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol)
server over the internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.

21 Install Some Perl Modules Needed By SpamAssassin (Comes With


apt-get install libhtml-parser-perl libdb-file-lock-perl

22 ISPConfig

The configuration of the server is now finished, and if you wish you can now install
ISPConfig on it. Please check out the ISPConfig installation manual:

22.1 A Note On SuExec
If you want to run CGI scripts under suExec, you should specify /var/www as the home
directory for websites created by ISPConfig as Ubuntu's suExec is compiled with
/var/www as Doc_Root. Run

/usr/lib/apache2/suexec -V

and the output should look like this:

root@server1:~# /usr/lib/apache2/suexec -V
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"

So if you want to use suExec with ISPconfig, don't change the default web root (which is
/var/www) if you use expert mode during the ISPConfig installation (in standard mode
you can't change the web root anyway so you'll be able to use suExec in any case).

ISPConfig Installation

Hint: With the system installation, some system files are replaced where adjustments
were made.
This can lead to loss of entries in named.conf as well as in the Sendmail/Postfix

Important: ISPConfig is meant to be installed on new Linux installations with no web
sites, so if you run a server with hundreds of web sites and need a control panel that can
take care of those existing web sites, then ISPConfig is not for you!

Make sure you have the C and C++ compilers installed on your server (gcc and cpp).

Log in to your shell as root.
Unpack the ISPConfig-archive

tar xvfz ISPConfig*.tar.gz

and change to the directory install_ispconfig:

cd install_ispconfig

In this directory please check the file dist.txt and see if the values given there suit your
Linux installation (they should be suitable for standard installations). If you change any
values please be sure not to change the format of the file.
Then start the setup-script from there:

./setup

The installer will now compile an Apache with PHP5 that will run on port 81 and is
needed by the ISPConfig system itself. It will not interfere with your existing Apache
installation so you can go on unworried.

Important: Be sure to have installed gcc, flex and all the other tools needed for compiling
sources before you run ./setup! You also need to install the MySQL header files which
normally come in a package called mysql-devel, mysql-dev, libmysql-devel or something
similar. Otherwise PHP5 will not compile, and the installation of ISPConfig stops!

When the ISPConfig Apache is built, a custom SSL certificate is built. Therefore you are
asked a few questions. You can accept the default values, or you can enter new values
there, this does not matter:
In step 7 ("Encrypting RSA private key of CA with a pass phrase for security
[ca.key]") and step 8 ("Encrypting RSA private key of SERVER with a pass phrase for
security [server.key]") of the certificate creation process you are asked if you want to
encrypt the respective key now. Choose n there because otherwise you will always be
asked for a password whenever you want to restart the ISPConfig system which means it
cannot be restarted without human interaction!

If the compilation fails, the setup is stopped and all compiled files are removed. From the
error message you get you should be able to see the reason for the failure (in most cases a
package (like the MySQL header files) is missing). Try to solve the problem and then
re-run ./setup.

In case of success the setup goes on:

Please choose your language. This is the language of the ISPConfig interface.
Afterwards you are shown the ISPConfig licence (BSD licence). Please read it carefully!
You accept it by typing "y". If you do not want to accept the ISPConfig licence, type "n",
and the installation routine stops.

Installation Mode. Please select the installation mode afterwards. You can choose
between the standard and the expert mode.

In standard mode the installation routine takes standard settings for your Linux
distribution and writes them to the ISPConfig system.
In expert mode the installation routine proposes standard settings to you (e.g. location of
the config file of your FTP server or log file of your mail server) which you can confirm or
edit.

In normal circumstances the standard mode should meet your requirements. Select the
mode if you are familiar with your system.

The installation script checks if the following software is installed:

      Apache webserver,
      Mail Transport Agent (MTA): Sendmail or Postfix,
      Procmail,
      Quota,
      MySQL,
      ProFTP or vsftpd,
      OpenSSL,
      Bind8 / Bind9,
      iptables or ipchains.

If any of the packages is not present, the installation routine stops. Install the missing
package, delete the directory install_ispconfig, unpack ISPConfig again and start from
the beginning.
In addition to that the syntax of your existing Apache configuration files is checked. If
any error is found the installation routine stops.
If all conditions are fulfilled, you are asked a few questions, whose answers are necessary
for the installation of ISPConfig.
In case not all conditions are fulfilled the setup script stops. Install the missing software,
delete the directory install_ispconfig, unpack ISPConfig again and start from the
Afterwards the following information has to be provided:
Please enter your MySQL server: E.G. localhost
Please enter your MySQL user: E.G. root
Please enter your MySQL password: Your MySQL password
Please enter a name for the ISPConfig database: E.g. ispconfigdb
Please enter the IP address of the ISPConfig web: E.g.
Please enter the host name: E.g. www
Please enter the domain: E.g.
Please select the protocol (http or https (SSL encryption)) to use to access the
ISPConfig system: If you want to use your control panel with SSL, select 1. You can
then access it under If you want to access it under, choose 2.

After you have answered the questions ISPConfig should be duly installed. If you
indicated www as host and as the domain during the installation, you will find
the ISPConfig interface under or Here you can login first with the user
name admin and password
admin. It is recommended to change the password immediately! This can be done under
-> Change password.

If your server has more than one IP address, please check if your additional IP addresses
have been correctly detected by the installation routine under Management -> Server ->
Properties in the register Server -> IP list.


ISPConfig comes with SpamAssassin, but without the Perl modules needed by
SpamAssassin. Run the following command after the installation of ISPConfig:


If errors appear you have to install some Perl modules.

perl -MCPAN -e shell
install HTML::Parser
install DB_File
install Net::DNS (when prompted to enable tests, choose "no")
install Digest::SHA1

To leave the Perl shell type



does not return any error everything is fine. You can then leave SpamAssassin by typing
" CTRL + c".

General References

Linux Quota

If the package Quota is installed during the setup of the ISPConfig system, the following
steps have to be done after the installation (the example assumes that you would like to
apply Quota to the directory /home on the partition /dev/hda6):

Edit the file /etc/fstab and look for the entry in which the directory /home is mentioned, e.g.:

/dev/hda6 /home ext2 defaults 1 2

Add the words usrquota and grpquota as follows:

/dev/hda6 /home ext2 defaults,usrquota,grpquota 1 2

Create the files aquota.user and in the directory /home:

touch /home/aquota.user


touch /home/

Change the properties of the new files:

chmod 600 /home/aquota.*

Reboot the server:

shutdown -r now

After the restart you have to do the following:

quotacheck -avugm

quotaon -avug
ISPConfig 2.x - First Steps (Creating Web Sites, Email
Addresses, Etc.)
Version 1.0
Author: Oliver Meyer <o [dot] meyer [at] projektfarm [dot] de>
Last edited 04/08/2008

This document describes the first steps after an ISPConfig 2.x installation. It should allow
new ISPConfig users to get their first web sites, email addresses, FTP accounts etc. up
and running in a few minutes. For an in-depth look at ISPConfig, please refer to the

This howto is a practical guide without any warranty - it doesn't cover the theoretical
backgrounds. There are many ways to set up such a system - this is the way I chose.

1 Preliminary Note

This is not a comprehensive ISPConfig guide - I'll only show you the first steps after the
installation and give you some useful tips. I proceed on the assumption that ISPConfig is
already installed. The installation instruction can be found here: Guides for preparing your server for
ISPConfig can be found on

2 First Steps

Open the ISPConfig web interface (http://%fqdn_or_IP%:81 or https://%fqdn_or_IP%:81)
in your preferred web browser and log in with the username "admin" and
the password "admin".
2.1 ISPConfig Admin Password
First you should change the admin password. Click on "Tools" in the top menu and
choose "Change Password" from the "Tools & Options" menu on the left side. Enter your
old password and the new one into the corresponding fields in the main window and click
on "Save".
2.2 General Settings

2.2.1 Maildir
In order that the emails will be stored in the maildir format instead of the mbox format,
we have to adjust the ISPConfig email settings. Click on "Management" in the top menu
and choose "Server" -> "Settings" from the "Management" menu. Switch to the "EMail"-
tab in the main window and mark the checkbox next to "Maildir:". Afterwards click on
"Save" to apply the settings.
2.2.2 Admin Email
It would be a good idea to use an existing email address as admin email :) Click on
"Management" in the top menu and choose "Server" -> "Settings" from the
"Management" menu. Switch to the "Server" tab in the main window and insert an
existing email address. Afterwards click on "Save" to apply the settings.
Do the same again on the "EMail" tab and on the "DNS" tab.
2.3 Tools & Add-ons
There are a few tools and add-ons available for ISPConfig. The installation is very simple
- click on "Management" in the top menu and choose "Update Manager" -> "Update"
from the "Management" menu on the left side. Mark the radio button "URL" and insert
the URL (e.g. for the Uebimiau webmail
package) of the tool/add-on that you want to install into the corresponding field in the
main window and click on "Install". The packages for the tools and add-ons will be
updated regularly - so please have a look at to
find out if you have the latest version installed. After the installation you'll find a link to
the tool/add-on in the "Tools & Options" menu when you click on "Tools" in the top
Some popular tools and add-ons:

2.3.1 PHPMyAdmin
Taken from the phpMyAdmin page: "phpMyAdmin is a tool written in PHP intended to
handle the administration of MySQL over the Web. Currently it can create and drop
databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement,
manage keys on fields, manage privileges, export data into various formats and is
available in 54 languages."

2.3.2 Uebimiau
Uebimiau is a popular webmail client which supports POP3 and IMAP.

2.3.3 Roundcube Webmail
Taken from the Roundcube page: "RoundCube Webmail is a browser-based multilingual
IMAP client with an application-like user interface. It provides full functionality you
expect from an e-mail client, including MIME support, address book, folder
manipulation, message searching and spell checking. RoundCube Webmail is written in
PHP and requires a MySQL or Postgres database. The user interface is fully skinnable
using XHTML and CSS 2".

2.3.4 SquirrelMail
Taken from the SquirrelMail page: "SquirrelMail is a standards-based webmail package
written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols,
and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum
compatibility across browsers. It has very few requirements and is very easy to configure
and install. SquirrelMail has all the functionality you would want from an email client,
including strong MIME support, address books, and folder manipulation."

RoundCube Webmail On Your ISPConfig Server
Within 10 Easy Steps

Version 2.1
Author: <hans> [at] bb-hosting [dot] org>
Last edited 07/04/2008

There are nice RoundCube packages available for ISPConfig at

The RoundCube package of your choice can be installed with the ISPConfig update
Manager. However, if you prefer to setup RoundCube on your ISPConfig server in the
webspace of your choice running on port 80, you can use this “How to” as an alternative.

In this how to I will use as an example:
- domainname webmail.myhostingcompany.tld
- MySQL databasename: web1_db1
- MySQL username: web1_u1
- MySQL user password: mysqlpassword
- RoundCube version 0.1.1

When you are finished with this “How to”, you have a nice webmail client at URL

Step 2 is not really necessary but can be very practical if you want to upload/download
your website using FTP. This is very useful if you want to customize the RoundCube
website on your local desktop.

Here we go:

Step 1 - Create a website:

In ISPConfig, create a website via “New site” in the main menu.
On the tab called “Basis” use webmail for the hostname and myhostingcompany.tld for
the domain name. Enable MySQL and PHP scripts for this website but disable PHP Safe
Mode. RoundCube makes use of .htaccess files. To allow these files within your website,
add the following lines within the Apache directive field of your website:

<Directory "/var/www/web1/web">
Options FollowSymLinks
AllowOverride All
</Directory>

Step 2 – Create an Administrator user for the website:

In ISPConfig, create an Administrator user, so you can upload the website later via FTP:
In the main menu select “ISP Manager”, select your new website called
webmail.myhostingcompany.tld in the structure tree and press the tab “User and Email”.
Press “new” and define a new user and its email address. Give this user administrator
rights and press “Save”.

Step 3 - Create a MySQL database for the website:

Click on the tab called “Options” and create a new database for the website.
ISPConfig will show you:
Database name: web1_db1 (example)
Database user: web1_u1 (example)
Then you define a password for the Database user and press “Save”.

Step 4 – Download/extract the packages and remove some files:

- Login to your server as root.
The most stable release at this moment is version 0.1.1.
Change to the web where you want to download RoundCube by giving the command:

cd /var/www/web1/web/

Extract RoundCube with the command:

tar xzf roundcubemail-0.1.1.tar.gz

Remove the tar.gz files:

rm *.tar.gz

Step 5 - Move the files to the web directory and delete the empty directory:

cd roundcubemail-0.1.1
mv * ../
cd ../
rmdir roundcubemail-0.1.1

Step 6 – making the temp and logs directory read/writeable for Apache:

Within your web folder /var/www/web1/web, give your web server process
read/write privileges to all folders in the temp and logs directories by giving these
chown -R www-data:www-data temp
chown -R www-data:www-data logs

(This is how it works on Debian Linux, other distros might differ.)
It is also possible to chmod the temp and logs directories to 777 but this is not secure.

If you use php5-cgi with suPHP enabled on your ISPConfig server execute the following

cd /var/www/web1/

chown -R -v -f webadmin:web1 web/

(Remember that "web1" and the username "webadmin" are according to my example; use
your own web number and username instead!)

Step 7 – Configure RoundCube (manually):

With this method, you have more options available!
Navigate to the config folder with the command:

cd config

In here you will find two files, and
Rename and by removing .dist.
You now have two files and

Modifications to make in file

Open in a text editor.
We give RoundCube a way to access our newly created database by changing the line:

$rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';

into:

$rcmail_config['db_dsnw'] = 'mysql://web1_u1:mysqlpassword@localhost/web1_db1';

Make sure that you have the following line as well:

$rcmail_config['db_backend'] = 'mdb2';

Modifications to make in file
Open your file with a text editor:

Changes to be made in

Change the line:

$rcmail_config['default_host'] = '';

into:

$rcmail_config['default_host'] = 'localhost';

or into:

$rcmail_config['default_host'] = '';

if you prefer to choose a server name at login.

You can keep all the configuration settings as default, but make sure you have the
following lines:

$rcmail_config['default_port'] = 143;

$rcmail_config['virtuser_file'] = '/etc/postfix/virtusertable';

$rcmail_config['smtp_server'] = '';

$rcmail_config['smtp_port'] = 25;

$rcmail_config['create_default_folders'] = TRUE;

$rcmail_config['prefer_html'] = TRUE;

$rcmail_config['htmleditor'] = FALSE;

$rcmail_config['preview_pane'] = TRUE;

$rcmail_config['enable_spellcheck'] = TRUE;

The next line needs extra attention for security reasons:

$rcmail_config['des_key'] = '';

Replace '' with a string of exactly 24 chars!

When a user logs in with the email address for the first time, the e-mail address will be
displayed within RoundCube's identities section like: username@www.domain.tld.
As we want the email address to be displayed like username@domain.tld do the

Change the line 709 within /program/include/ file from:

709 $line = trim($line);

to:

709 $line = trim(str_replace("www.", "", $line));

Make sure that you have the following line within your php.ini file:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

If it was necessary to change the line from

magic_quotes_gpc = On

to

magic_quotes_gpc = Off

then restart Apache2 afterwards with the command:

/etc/init.d/apache2 restart

Step 8 – Configure RoundCube (alternative way using the installer script):

RoundCube comes with a nice installer script. This alternative method is a very easy way
to configure RoundCube. Within your browser, visit your new RoundCube website at
Read the basic requirements and press the button "START INSTALLATION".
On the screen "Check Environment" the system requirements are verified.

If one or more system requirements are displayed in red, the configuration
needs to be changed to guarantee that RoundCube will function properly.

On a default ISPConfig server, everything should be OK; you probably only need to turn
off magic_quotes_gpc within your php.ini file.
If the system requirements for are fine, press the button "NEXT".

On the "Create config" screen you can define the required system configuration.
Define the configuration settings, like we did before under Step 7 of this how-to.
Define the database settings according to our MySQL database as we have defined within

Finally press the button "CREATE CONFIG".

Two configurations are displayed.
Copy the first configuration within the file and the second configuration
within the file Save these files within the config/ directory of your
RoundCube installation.
Press the button "Continue"
The results are displayed.
Now we test the SMTP and IMAP configuration.
After completing the installation and the final tests please remove the whole installer
folder from the document root of your RoundCube installation.

Finally, change the line 709 within /program/include/ file as described within
step 7 within this howto.
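
The three security-relevant points from Steps 6 to 8 (no mode 777 on temp and logs, a des_key of exactly 24 characters, the installer folder removed) can be checked with a short script. This is an added example, not part of the original how-to; the folder name installer, the glob config/*.php and the sample file name are assumptions, and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a RoundCube web root for the points from Steps 6-8.

# Print a fresh random key of exactly 24 characters for des_key.
gen_des_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Print the des_key value found in ROOT/config/*.php (empty if unset).
read_des_key() {
    cat "$1"/config/*.php 2>/dev/null |
        awk -F"'" '$1 ~ /^[ \t]*\$rcmail_config\[$/ && $2 == "des_key" { print $4; exit }'
}

# Write a new random des_key into every config file that defines one.
# The file is rewritten in place so its owner and mode are kept.
set_des_key() {
    new_key=$(gen_des_key)
    for f in "$1"/config/*.php; do
        grep -q "\['des_key'\]" "$f" || continue
        sed "s/\(\['des_key'\][[:space:]]*=[[:space:]]*\)'[^']*'/\1'$new_key'/" "$f" > "$f.new"
        cat "$f.new" > "$f" && rm -f "$f.new"
    done
}

# audit_roundcube ROOT: print one finding per line, return 1 if any.
audit_roundcube() {
    root=$1
    status=0
    key=$(read_des_key "$root")
    if [ "${#key}" -ne 24 ]; then
        echo "des_key: length ${#key}, must be exactly 24 characters"
        status=1
    fi
    if [ -d "$root/installer" ]; then
        echo "installer: folder still present in the document root"
        status=1
    fi
    for d in temp logs; do
        if [ -n "$(find "$root/$d" ! -type l -perm -0002 2>/dev/null | head -n 1)" ]; then
            echo "$d: world-writable entries found (e.g. mode 777)"
            status=1
        fi
    done
    return $status
}

# Build a constructed, deliberately weak sample tree (not a real install).
make_sample_root() {
    r=$(mktemp -d)
    mkdir "$r/config" "$r/temp" "$r/logs" "$r/installer"
    printf '%s\n' '<?php' "\$rcmail_config['des_key'] = '';" > "$r/config/sample.inc.php"
    chmod 777 "$r/temp"
    chmod 755 "$r/logs"
    echo "$r"
}

# Audit the weak sample, apply the fixes, audit again.
demo() {
    t=$(make_sample_root)
    audit_roundcube "$t" || echo "-> fixing"
    set_des_key "$t"; rm -rf "$t/installer"; chmod 750 "$t/temp"
    audit_roundcube "$t" && echo "clean"
    rm -rf "$t"
}

# "demo" runs the sample; any other argument is audited as a web root.
case "${1:-}" in
    demo) demo ;;
    "") ;;
    *) audit_roundcube "$1" ;;
esac
```

Run it with the argument demo to see the findings on the sample tree, or pass the path of your own web root (for the example site, /var/www/web1/web).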

Step 9 – access your new webmail client:

Now you can point to your new webmail client with your favourite browser. The address
according to my how-to is: http://webmail.myhostingcompany.tld

You can login with any valid username/password or email address/password
combination, as defined within ISPConfig.

After your first login you should make some settings before you start using RoundCube.
Here, the first thing you have to do is define your identity. You can define more than one
identity for an email address but you need at least one. When you create an identity,
also change @localhost to @yourdomain.tld if necessary.

STEP 10 – Customizing RoundCube:

If you like to customize RoundCube webmail, I refer to the how to of Paul Stamatiou at

Before you start to customize RoundCube, I recommend to download it first using your
administrator account as mentioned in STEP 2. Customizing RoundCube webmail on
your local desktop is more comfortable.


More information about RoundCube:
Special thanks to:

Paul Stamatiou, who wrote and published a nice how to for setting up RoundCube

   The Howtoforge members for their useful input!
Managing Your Web Server: A Quick Tour Of

A couple of days ago, I made a post on how to install ISPConfig on CentOS Linux. On my
part, the install went great except for a little problem with BIND. The server on which I
installed ISPConfig is mainly used for testing purposes so it didn't have BIND (name
server daemon) running properly. To fix this, I had to install and run “system-config-

# yum install system-config-bind

This configuration utility has to be run from a graphical environment. Upon its first
execution, it will create a default /etc/named.conf file. After I've done that, I could start
the “named” service and everything worked perfectly.

Adding A Website With ISPConfig

Start by logging into ISPConfig at http://[yourserver]:81 or https://[yourserver]:81.

At this point you won't be able to add a new site unless you add a reseller or client
account. Click on “New Client”:
Click on “Save” to complete the account creation. Now you can add a new web site by
clicking on “New site”.

Fill in the required fields and specify which functionalities will be active for the new web
Click on “Save”. You will then be taken to the client's profile on which you may just
click on “Save” again to complete the new site's creation. Your new web site will now
appear under the “Sites” folder (if that's how you specified it initially).

Adding A New Email Account

In order to create a new email account, you must have a web site first. From the main
menu, click on “ISP Manager” and open the “Sites” folder.
Click on the web site (or domain) for which you want to add a new email account and
then select the “User & Email” tab. Click on “New” to add an account.

Clicking on “Save” will create the new account. It's important to understand that this does
not only create an email account, it also creates an FTP account so that the user can publish
documents on the web. If you don't want your users to have a web account, enter “0” in
the “WebSpace MB” field.

If you check the “Administrator” option, the user will be able to access the main web site
through FTP.

MySQL Database Creation

To create a MySQL database, select the desired web site from the “Sites” folder. Select
the “Options” tab and click on “New” button.
Note the database username and specify the password for this user.

If you want to access your database remotely (for example, through an ODBC connection
from your workstation), set the “Remote Access” value to “Yes”.

I think that ISPConfig does a great job as a free web hosting control panel. The only
enhancement I would make would be to add the possibility of specifying usernames for
POP3 and FTP accounts as well as the possibility to specify database names instead of
generating them automatically.
ISPConfig Remoting Framework
ISPConfig Remoting Framework 1.0 Beta 3

The ISPConfig Remoting Framework enables the creation and update of resellers, clients,
web sites, email accounts and DNS records from external or third party scripts and
software. The interface is implemented as SOAP calls and can be used remotely by most
programming languages.


- Add new clients and web sites automatically from your company's web site.
- Integrate ISPConfig easier in your existing server setups.
- Integrate ISPConfig in your billing system.
- Synchronize the client data in ISPConfig with your financial software.


The Remoting Framework has now been released by projektfarm GmbH as OpenSource
software (BSD Licence) and is already included in the daily SVN builds of the
development branch.


Remoting extension 4.1 Beta[Download] (04/23/2008)

Test and example scripts in PHP [Download]

The current ISPConfig release does not have XML enabled by default. You can update
your installation with this ISPConfig version to enable XML Support:

WARNING: You must install the libxml2-devel library for your Linux distribution before
you install the update (for Debian and Ubuntu the package is libxml2-dev and can be
installed with the command:
apt-get install libxml2-dev). Otherwise the installer will fail.

Installation of the Remoting Framework on ISPConfig 2.2.x stable:


Installation of ISPConfig Remoting Plugin

Installation of ISPConfig Remoting Framework Beta
ISPConfig 2.3.0-dev or higher required.

1) Install the remoting extension in ISPConfig with the update manager.

2) Add a new remoting user in your ISPConfig.
The remoting extension adds a new item in Tools > Remoting > User.

The IP address is optional. If the IP address is set, this user can use the remoting
functions only from this IP address.

Then check all checkboxes for functions that should be available for the user.

3) Copy the php scripts to a php enabled Webserver. PHP must be compiled with the
CURL extension, otherwise it will not work!

4) Edit the test.php script.


You will find example calls for all implemented functions in the test.php script. More
detailed developer documentation will be available soon.
Resetting database

mysqldump -u[USERNAME] -p[PASSWORD] --add-drop-table --no-data

tar -O -x install_ispconfig/db_ispconfig.sql -f ISPConfig-2.2.24.tar.gz

setting user
After an update there is usually an error

# These need to be set in /etc/apache2/envvars

To fix this problem, you can statically define user and group in your apache.conf

User www-data
Group www-data

/etc/init.d/ispconfig_server restart

Uninstall ispconfig
I had to do that once for another customer, and from what I can remember you need to
send these commands from the shell. So make sure you are logged in as root and send these
commands on your Linux server:

execute the uninstall script in ispconfig:

after you send this command you will get a prompt to remove all the necessary files and
You chose to uninstall the ISPConfig system! Do you also want to
uninstall the objects (webs, users, databases, DNS entries etc.)
created by the system? [y/n]

after you type Y you will see this message:
Connected successfully
remove the ispconfig directory from /root
rm -fr /root/ispconfig

remove the ispconfig directory from /home
rm -fr /home/admispconfig

That's it.

But if you have any question, I suggest you visit their website for more information.

Script for user_add

nano ispconfig_web.lib.php
ISPConfig: 3 tips for safer DNS
by Daniel Davies
On this server I am currently using ISPConfig to provide myself with a simple web interface for managing my
domains, email and DNS etc. As with the majority of web based virtual-hosting interfaces ISPConfig needs a little
tweaking to get running properly. A couple of weeks ago I noticed three possible issues regarding the default
configuration of the DNS server.
By default ISPConfig writes the BIND config file with the bare minimum of options, literally enough to allow you to
serve up information about your domains. This is how the developers intended things to work, and I agree with
them. But I also feel that the majority of ISPConfig users probably don't want anyone to be able to use their DNS
server to perform lookups on any domain, nor would they want their DNS to respond on any IP address that the
server may have.
ISPConfig is relatively simple to understand once you start to poke under the bonnet. Each time you make a
change to a domain, website, email account, etc. the configuration files are rewritten to the file-system from a
default template, or "master file". This means that if you make any adjustments to a domain name then your BIND
config file is going to lose any changes you have made manually.
Open up /etc/bind/named.conf in the text editor of your choice. Scroll all the way to the bottom and notice how
ISPConfig has added the following

Anything you enter here will remain intact when you make changes from the web interface. This is useful for
adding domains that you may not want to control from the web, but not so good if you want to add to the options
section (all the way at the top of the file).
In order to make manual adjustments to this section you'll need to change the actual template that ISPConfig is
using to create the config file. cd to /root/ispconfig/isp/conf/ and have a look at the files in there. These are all the
"master config" files, or templates, used each time a change is made.
apollo:~/ispconfig/isp/conf# ls
antivirus.rc.master                      openssl.cnf.master
autoresponder.rc.master                  pri.domain.master
bastille-firewall.cfg.master             procmailrc.master
check_services.php.master                proftpd_ispconfig.conf.master
customized_templates                     quota.rc.master
forward.master                           spamassassin.rc.master
freebsd_firewall.master                  trashscan.master
htaccess.master                          user_prefs.master
html-trap.rc.master                      vacation.msg.master
htpasswd.master                          vhost.conf.master
local-rules.rc.master                    virtusertable.master
mailsize.rc.master                       vsftpd.conf.master


named.conf.master is the file needed for the bind config file, so open that in an editor. Inside the "options" braces
add the following:
allow-recursion {



This means that the DNS server will only provide a resolving service to localhost, allowing your websites and log
parsers to resolve domains, but denying any public access. You could of course enter a private subnet, or a
trusted set of IPs if you do want to allow some resolution.
Next, I added the following to ensure the DNS server was only responding to requests being made on my
designated interface.
listen-on port 53 {;;

As a final good measure I thought I'd also limit which machines can perform an AXFR transfer. Again, inside of the
options braces add the following, replacing the IP address with your slave's address (unless you too are with
Bytemark). Please note: I'm not that familiar with AXFR, if anyone else is able to provide a way for me to test that my
DNS truly doesn't allow AXFR transfers to everyone I'd be very grateful/able to sleep at night.
allow-transfer {;


Finally, log in to your control panel and make a change to one of your domains. Wait a minute and try out some
changes. Open up your terminal and run some lookups.
rita:~ danieldavies$ nslookup





rita:~ danieldavies$ nslookup



Non-authoritative answer:
*** Can't find No answer

rita:~ danieldavies$ nslookup

;; connection timed out; no servers could be reached

Much better :) I recommend all ISPConfig users take a look through each of the config files. You are free to write
them however you like, enabling or disabling what ever you want. I'll probably write some more about ISPConfig in
the near future, including a report of my experiences making mod_python a hosting package option complete with
