This is a detailed description of how to set up a Fedora 14 server that offers all services needed by ISPs and hosters: Apache web server (SSL-capable) with PHP5/Ruby/Python, Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Dovecot POP3/IMAP, Quota, Firewall, etc. This tutorial is written for the 64-bit version of Fedora 14, but should apply to the 32-bit version with very few modifications as well. In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).
I will use the following software:
1 Requirements
To install such a system you will need the following:
Download the Fedora 14 DVD iso image from a mirror near you (the list of mirrors can be found here: http://mirrors.fedoraproject.org/publiclist/Fedora/14/), e.g. http://ftp.tu-chemnitz.de/pub/linux/fedora/linux/releases/14/Fedora/x86_64/iso/Fedora-14-x86_64-DVD.iso
an Internet connection...
2 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the
gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.
I assume that you use a locally attached hard drive, so you should select Basic Storage Devices here:
If you see the following message (Error processing drive: [...] This device may need to be reinitialized. REINITIALIZING WILL CAUSE ALL DATA TO BE LOST!), please click on Re-initialize:
Next we do the partitioning. Select Replace Existing Linux System(s). This will give you a
small /boot partition and a large / partition which is fine for our purposes:
Select Write Changes to Disk:
Go to the IPv4 Settings tab and select Manual in the Method drop-down menu. Fill in one, two, or three nameservers (separated by comma) in the DNS servers field (e.g. 145.253.2.75,8.8.8.8), then click on the Add button next to the Addresses area:
Now give your network card a static IP address and netmask (in this tutorial I'm using the IP address 192.168.0.100 and netmask 255.255.255.0 for demonstration purposes; if you are not sure about the right values, http://www.subnetmask.info might help you). Also fill in your gateway (e.g. 192.168.0.1); check the Connect automatically box and then click on the Apply... button:
Next click on Close in the Network Connections window:
The details for the last two repositories should now be retrieved, and the checkboxes in front of them should
be marked. Click on Next:
Now we must select the package groups we want to install. Select Editors, Text-based Internet, Development Libraries, Development Tools, DNS Name Server, FTP Server, Mail Server, MySQL Database, Server Configuration Tools, Web Server, Administration Tools, Base, Hardware Support, Java, System Tools (unselect all other package groups) and click on Next:
The installation begins. This will take a few minutes:
Finally, the installation is complete, and you can remove your DVD from the computer and reboot it:
After the reboot, you will see this screen. Select Firewall configuration and hit Run Tool:
I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable
the default Fedora firewall now. Of course, you are free to leave it on and configure it to your needs (but then
you shouldn't use any other firewall later on as it will most probably interfere with the Fedora firewall).
Hit OK afterwards:
ifconfig
Now I disable Fedora's NetworkManager and enable "normal" networking. NetworkManager is good for
desktops where network connections can change (e.g. LAN vs. WLAN), but on a server you usually don't
change network connections:
Check that your /etc/resolv.conf lists all the nameservers that you configured earlier:
cat /etc/resolv.conf
system-config-network
vi /etc/hosts
5 Disable SELinux
SELinux is a security extension of Fedora that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of troubleshooting because some service wasn't working as expected, and then you find out that everything was OK, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).
vi /etc/selinux/config
reboot
Now we install some software packages that are needed later on:
yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++
7 Journaled Quota
(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota
applies to the partitions where you need it.)
To install quota, we run this command:
vi /etc/fstab
#
# /etc/fstab
# Created by anaconda on Thu Nov 4 01:49:41 2010
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_server1-lv_root / ext4 defaults,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 1 1
UUID=1b6ac184-dcd8-4cc9-829f-d5fca50df46f /boot ext4 defaults 1 2
/dev/mapper/vg_server1-lv_swap swap swap defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
Then run
Then we open /etc/sysconfig/named and make sure that it has the following line to tell BIND that it's running
chrooted in /var/named/chroot:
vi /etc/sysconfig/named
[...]
ROOTDIR=/var/named/chroot
vi /etc/rsyslog.conf
[...]
$AddUnixListenSocket /var/named/chroot/dev/log
Restart rsyslog:
/etc/init.d/rsyslog restart
9 MySQL 5
Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the
system boots) and start the MySQL server:
vi /etc/my.cnf
[...]
#skip-networking
[...]
/etc/init.d/mysqld restart
Run
mysql_secure_installation
to set a password for the user root (otherwise anybody can access your MySQL database!).
[root@server1 ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none): <-- ENTER
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Cleaning up...
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
[root@server1 ~]#
We must edit /usr/lib64/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins (on 32-bit systems, this file is /usr/lib/sasl2/smtpd.conf). It should look like this:
vi /usr/lib64/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your
own hostname):
After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have
removed all comments from it):
cat /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.7.1/samples
readme_directory = /usr/share/doc/postfix-2.7.1/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions =
	permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = server1.example.com
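As an added check that is not part of the tutorial, the following Python script parses a main.cf in the format shown above (continuation lines included) and flags the settings that decide relay control and SMTP-AUTH exposure. The sample text is constructed from the lines above; the parser, the audit rules and the finding strings are my own.

```python
import re
import ipaddress

# Constructed sample: the relay- and auth-related lines of the main.cf shown above.
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_tls_auth_only = no
smtpd_use_tls = yes
"""

def parse_main_cf(text):
    """Parse Postfix main.cf: 'name = value'; continuation lines start with whitespace."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:  # continuation of the previous value
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        key = name.strip()
        params[key] = value.strip()
    return params

def audit_main_cf(params):
    """Return findings about relay control and SMTP-AUTH exposure (empty list = clean)."""
    findings = []
    restr = [r for r in re.split(r"[\s,]+", params.get("smtpd_recipient_restrictions", "")) if r]
    if "reject_unauth_destination" not in restr:
        findings.append("open relay risk: smtpd_recipient_restrictions lacks reject_unauth_destination")
    elif "permit" in restr[:restr.index("reject_unauth_destination")]:
        findings.append("open relay risk: an unconditional 'permit' precedes reject_unauth_destination")
    for token in re.split(r"[\s,]+", params.get("mynetworks", "")):
        try:
            net = ipaddress.ip_network(token.replace("[", "").replace("]", ""), strict=False)
        except ValueError:  # empty token, hostname or table lookup; not an address range
            continue
        if not net.is_loopback and net.num_addresses > 65536:
            findings.append("mynetworks lets a very large range relay without AUTH: %s" % token)
    if params.get("smtpd_sasl_auth_enable") == "yes" and params.get("smtpd_tls_auth_only") != "yes":
        findings.append("smtpd_tls_auth_only is not 'yes': PLAIN/LOGIN credentials may be sent before STARTTLS")
    return findings

if __name__ == "__main__":
    for finding in audit_main_cf(parse_main_cf(SAMPLE_MAIN_CF)):
        print("FINDING:", finding)
```

Run against the tutorial's settings it reports exactly one finding, the smtpd_tls_auth_only = no line; setting it to yes makes the script return an empty list.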
Next open /etc/dovecot/conf.d/10-auth.conf...
vi /etc/dovecot/conf.d/10-auth.conf
... and add the line disable_plaintext_auth = no:
[...]
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = yes
disable_plaintext_auth = no
[...]
/etc/init.d/dovecot start
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your Postfix mail server, type
ehlo localhost
If the reply contains the line
250-STARTTLS
and an AUTH line offering the PLAIN and LOGIN mechanisms configured above, everything is fine. Type
quit
to close the connection.
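The telnet check above as an added Python example that is not part of the tutorial: parse_ehlo() reads a constructed EHLO reply, check_features() reports whether STARTTLS and the PLAIN/LOGIN mechanisms are offered and whether AUTH is advertised before TLS is up (the consequence of smtpd_tls_auth_only = no above), and probe() runs the same check live against a host and port you supply.

```python
import smtplib

# Constructed sample of an EHLO reply like the one the telnet session above produces.
SAMPLE_EHLO_REPLY = (
    "250-server1.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-AUTH=PLAIN LOGIN\r\n"
    "250 DSN\r\n"
)

def parse_ehlo(reply):
    """Return {KEYWORD: parameters} from a raw EHLO reply (the first line is the greeting)."""
    features = {}
    for line in reply.splitlines()[1:]:
        keyword, _, params = line[4:].partition(" ")  # drop the '250-' / '250 ' prefix
        features[keyword.upper()] = params.strip()
    return features

def check_features(features, tls_active=False):
    """Judge the feature list: STARTTLS must be offered; AUTH should appear only after TLS."""
    features = {k.upper(): v.strip() for k, v in features.items()}  # smtplib uses lowercase keys
    mechs = features.get("AUTH", "").split()
    return {
        "starttls": "STARTTLS" in features,
        "auth_mechs": mechs,
        # PLAIN/LOGIN advertised on a plaintext session means credentials can travel unencrypted
        "plaintext_auth_exposed": bool(mechs) and not tls_active,
    }

def probe(host="localhost", port=25):
    """Live equivalent of the telnet test: EHLO, inspect, STARTTLS, EHLO again."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("localhost")
        before = check_features(smtp.esmtp_features)
        if not before["starttls"]:
            return before, None
        smtp.starttls()  # the tutorial's certificate is self-signed, so no CA verification is attempted here
        smtp.ehlo("localhost")
        return before, check_features(smtp.esmtp_features, tls_active=True)

if __name__ == "__main__":
    print(check_features(parse_ehlo(SAMPLE_EHLO_REPLY)))
```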
10.1 Maildir
Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you
enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary
configuration.
If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir
(you can also do this if you use ISPConfig - it doesn't hurt ;-)):
yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-magickwand php-magpierss php-mapserver php-mbstring php-mcrypt php-mssql php-shout php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel
vi /etc/httpd/conf/httpd.conf
[...]
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl
[...]
Start Apache:
/etc/init.d/httpd start
In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP
scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites
would be able to run PHP scripts, no matter what you specify in ISPConfig.
vi /etc/httpd/conf.d/php.conf
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
<IfModule prefork.c>
LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule worker.c>
LoadModule php5_module modules/libphp5-zts.so
</IfModule>
#
# Cause the PHP interpreter to handle files with a .php extension.
#
#AddHandler php5-script .php
#AddType text/html .php
#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php
#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps
/etc/init.d/httpd restart
11.2 Ruby
Starting with version 2.2.20, ISPConfig has built-in support for Ruby. Instead of using CGI/FastCGI,
ISPConfig depends on mod_ruby being available in the server's Apache.
For Fedora 14, there's no mod_ruby package available, so we must compile it ourselves. First we install
some prerequisites:
cd /tmp
wget http://www.modruby.net/archive/mod_ruby-1.3.0.tar.gz
tar zxvf mod_ruby-1.3.0.tar.gz
cd mod_ruby-1.3.0/
./configure.rb --with-apr-includes=/usr/include/apr-1
make
make install
Finally we must add the mod_ruby module to the Apache configuration, so we create the
file /etc/httpd/conf.d/ruby.conf...
vi /etc/httpd/conf.d/ruby.conf
/etc/init.d/httpd restart
You can find more details about mod_ruby in this article.
/etc/init.d/httpd restart
11.4 WebDAV
WebDAV should already be enabled, but to check this, open /etc/httpd/conf/httpd.conf and make sure that
the following three modules are active:
vi /etc/httpd/conf/httpd.conf
[...]
LoadModule auth_digest_module modules/mod_auth_digest.so
[...]
LoadModule dav_module modules/mod_dav.so
[...]
LoadModule dav_fs_module modules/mod_dav_fs.so
[...]
/etc/init.d/httpd restart
12 ProFTPd
ISPConfig has better support for proftpd than vsftpd, so let's remove vsftpd and install proftpd:
Now we can create the system startup links for Proftpd and start it:
chkconfig --levels 235 proftpd on
/etc/init.d/proftpd start
13 Webalizer
To install webalizer, just run
16 ISPConfig
The configuration of the server is now finished. You can now install ISPConfig on it, following these
instructions: http://www.ispconfig.org/manual_installation.htm
Before you install ISPConfig, there's one important thing you must do. Open /usr/include/stdio.h and
replace getline with parseline in line 673:
vim /usr/include/stdio.h
[...]
/* Like `getdelim', but reads up to a newline.
If you don't do this, the installation will fail because of the following error:
/usr/sbin/suexec -V