
Server r.dimensis.com - 2014

1.1. 2014 - ease the tiki instance creation process in the r.tiki.org server

Notes taken after a Skype call with amette on April 25, 2014.

dev.t.o/ -> 2 pages about show. Concept is described.

doc/devtools/tim
Tiki Instance Manager

user "control" ("ctrl")

scripts located in:
/usr/local/sbin/


Tracker field type show.t.o:
open that and set it up to use localhost

1.2. Introduction

Virtual server to have a test ground for the workshops on Tiki & PluginR during "MEIO SummeR School" (June-July 2013) and "UseR!2013 in Albacete, Spain" (July 2013)

1.3. Domain

http://r.dimensis.com

user: root
password: (ask Xavi)

OS: Ubuntu 12.04 server 64 bit (from an initial 64-bit desktop version)
6 GB RAM (approx.), 1 CPU, 50 GB hard disk.

1.3.1. Initial Configuration

1.3.1.1. Locale Configuration

You get these messages when installing any package:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "ca_ES.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").


You need to add the locale for your language:

Command to run in a terminal
sudo apt-get install language-pack-ca-base


And set up the server to use that language (locale):

export LANGUAGE=ca_ES.UTF-8
export LANG=ca_ES.UTF-8
export LC_ALL=ca_ES.UTF-8
sudo locale-gen ca_ES.UTF-8
sudo dpkg-reconfigure locales


In Ubuntu 12.04, it seems that the command export LC_ALL=ca_ES.UTF-8 fails, showing this message:

-bash: warning: setlocale: LC_ALL: cannot change locale (ca_ES.UTF-8)


Pending: work out how to add this to .bashrc or /etc/environment, etc. (in case it's needed).

1.3.2. Convert Ubuntu desktop into Ubuntu server

I followed these steps:
http://www.darrinhodges.com/converting-ubuntu-12-04-lts-desktop-to-server/

The required steps are:

sudo apt-get install tasksel
sudo tasksel remove ubuntu-desktop    # Note: this may take a few minutes to complete
sudo tasksel install server
sudo apt-get install linux-server linux-image-server
sudo apt-get --purge remove lightdm


Provided all that went well, you can edit your /etc/default/grub configuration file to update the following settings:

  • GRUB_TIMEOUT=5
  • ( Comment out ‘GRUB_HIDDEN_TIMEOUT’ )
  • GRUB_CMDLINE_LINUX_DEFAULT=""
  • GRUB_TERMINAL=console ( only for PC )
  • sudo update-grub


When the grub update has finished, you can reboot into Ubuntu 12.04 LTS server! You might also want to give your server a static IP and remove that pesky network-manager as well.

However, in our case at r.dimensis.com, update-grub complained with:

root@r:~# update-grub
/usr/sbin/grub-probe: error: cannot find a device for / (is /dev mounted?).


There is an issue with linux-image-server not being configured:

S'està configurant linux-image-3.2.0-57-generic (3.2.0-57.87)…
Running depmod.
update-initramfs: deferring update (hook will be called later)
The link /initrd.img is a dangling linkto /boot/initrd.img-3.2.0-57-generic
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 3.2.0-57-generic /boot/vmlinuz-3.2.0-57-generic
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 3.2.0-57-generic /boot/vmlinuz-3.2.0-57-generic
update-initramfs: Generating /boot/initrd.img-3.2.0-57-generic
E: /usr/share/initramfs-tools/hooks/fixrtc failed with return 1.
update-initramfs: failed for /boot/initrd.img-3.2.0-57-generic with 1.
run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
Failed to process /etc/kernel/postinst.d at /var/lib/dpkg/info/linux-image-3.2.0-57-generic.postinst line 1010.
dpkg: s'ha produït un error en processar linux-image-3.2.0-57-generic (--configure):
 el subprocés s'ha instaŀlat el script post-installation retornà el codi d'eixida d'error 2
dpkg: problemes de dependències impedeixen la configuració de linux-image-server:
 linux-image-server depèn de linux-image-3.2.0-57-generic; tot i així:
  El paquet linux-image-3.2.0-57-generic encara no està configurat.
dpkg: s'ha produït un error en processar linux-image-server (--configure):
 problemes de dependències - es deixa sense configurar
dpkg: problemes de dependències impedeixen la configuració de linux-server:
 linux-server depèn de linux-image-server (= 3.2.0.57.68); tot i així:
  El paquet linux-image-server encara no està configurat.
dpkg: s'ha produït un error en processar linux-server (--configure):
 problemes de dependències - es deixa sense configurar
No s'ha escrit cap informe perquè el missatge d'error indica que és un error consequent de una fallida anterior.
No s'ha escrit cap informe perquè el missatge d'error indica que és un error consequent de una fallida anterior.
S'està configurant mc-data (3:4.8.1-2ubuntu1)…
S'està configurant mc (3:4.8.1-2ubuntu1)…
S'han trobat errors en processar:
 linux-image-3.2.0-57-generic
 linux-image-server
 linux-server
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@seeds4c:~#


To fix it, run these commands:

sudo chmod -x /usr/share/initramfs-tools/hooks/fixrtc
sudo apt-get -f install
sudo apt-get install linux-server linux-image-server


Then we can reboot the server

command on a console
sudo reboot now

1.3.3. Install ISPConfig 3

ISPConfig 3 manual.
Purchased:
Image 130518 Recibo Del Pago PayPal Manual ISPConfig3

A version is also available online here:

ISPConfig 3 Manual - Compuland - 25/10/2011 (20Mb)
http://www.compuland.com.br/helio/ispconfig_3_manual.pdf


3rd part, from step 9:
http://www.howtoforge.com/perfect-server-ubuntu-12.04-lts-apache2-bind-dovecot-ispconfig-3-p3

root@r:~# apt-get install ssh openssh-server


root@r:~# cat /etc/network/interfaces
# This configuration file is auto-generated.
#
# WARNING: Do not edit this file, your changes will be lost.
# Please create/edit /etc/network/interfaces.head and
# /etc/network/interfaces.tail instead, their contents will be
# inserted at the beginning and at the end of this file, respectively.
#
# NOTE: it is NOT guaranteed that the contents of /etc/network/interfaces.tail
# will be at the very end of this file.
#

# Auto generated lo interface
auto lo
iface lo inet loopback

# Auto generated venet0 interface
auto venet0
iface venet0 inet manual
	up ifconfig venet0 up
	up ifconfig venet0 127.0.0.2
	up route add default dev venet0
	down route del default dev venet0
	down ifconfig venet0 down


iface venet0 inet6 manual
	up route -A inet6 add default dev venet0
	down route -A inet6 del default dev venet0

auto venet0:0
iface venet0:0 inet static
	address 94.23.86.26
	netmask 255.255.255.255

root@r:~# cat /etc/hosts
::1		localhost ip6-localhost ip6-loopback
fe00::0		ip6-localnet
ff00::0		ip6-mcastprefix
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

127.0.0.1 localhost.localdomain localhost
# Auto-generated hostname. Please do not remove this comment.
94.23.86.26 r.dimensis.com  r
root@r:~#


apt-get install nano
nano /etc/apt/sources.list


Update the list of sources to this one:

Contents of /etc/apt/sources.list
#deb http://archive.ubuntu.com/ubuntu precise main restricted universe
#deb http://archive.ubuntu.com/ubuntu precise-updates main restricted universe
#deb http://security.ubuntu.com/ubuntu precise-security main restricted universe multiverse
#deb http://archive.canonical.com/ubuntu precise partner

# Added by Xavi
deb http://archive.ubuntu.com/ubuntu precise main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu precise-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu precise-security main restricted universe multiverse
deb http://archive.canonical.com/ubuntu precise partner
deb http://de.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Ubuntu's
## 'extras' repository.
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
# deb http://extras.ubuntu.com/ubuntu precise main
# deb-src http://extras.ubuntu.com/ubuntu precise main

Optional step

See also the new version of 2013-02-22, which includes a 1-click installer (although it uses a very old version of Tiki, 3.8):
http://www.ispconfig.org/releases/ispconfig-3-0-5-final-released/


9 Change The Default Shell


/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash


Use dash as the default system shell (/bin/sh)? <-- No

If you don't do this, the ISPConfig installation will fail.

10 Disable AppArmor

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils

11 Synchronize the System Clock


It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp ntpdate


and your system time will always be in sync.

Change time zone to match your local time zone

root@r:~# date
ds mai 18 14:21:32 MSK 2013
root@r:~# sudo dpkg-reconfigure tzdata

Current default time zone: 'Europe/Madrid'
Local time is now:      ds mai 18 12:22:22 CEST 2013.
Universal Time is now:  Sat May 18 10:22:22 UTC 2013.

root@r:~# date
ds mai 18 12:25:52 CEST 2013
root@r:~#

Continue with Section 4
http://www.howtoforge.com/perfect-server-ubuntu-12.04-lts-apache2-bind-dovecot-ispconfig-3-p4

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo


Postfix: Internet site
Domain: r.dimensis.com
mysql root:

[ Rootkit Hunter version 1.3.8 ]: File updated: searched for 167 files, found 137

Next open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/master.cf


Uncomment the submission and smtps sections (leave -o milter_macro_daemon_name=ORIGINATING commented out, as we don't need it):

[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]


Restart Postfix afterwards:

/etc/init.d/postfix restart
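
A check for the master.cf edit above, as an added example that is not part of the original page or of Postfix: it parses master.cf logical lines (indented lines continue the previous service, "#" lines are skipped) and reports which of the overrides shown above are missing. The function names, the leading smtp line and the half-edited sample are constructed for illustration.

```python
# Added example: audit the submission and smtps entries of a Postfix
# master.cf against the "-o" overrides this page enables.

REQUIRED = {
    ("submission", "inet"): {
        "smtpd_tls_security_level": "encrypt",
        "smtpd_sasl_auth_enable": "yes",
        "smtpd_client_restrictions": "permit_sasl_authenticated,reject",
    },
    ("smtps", "inet"): {
        "smtpd_tls_wrappermode": "yes",
        "smtpd_sasl_auth_enable": "yes",
        "smtpd_client_restrictions": "permit_sasl_authenticated,reject",
    },
}

# The two sections as edited on this page; the smtp line is constructed context.
PAGE_CONFIG = """\
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
"""

# Constructed half-finished edit: the "-o" lines were uncommented but the
# submission service line was not, and smtps lacks smtpd_tls_wrappermode.
HALF_EDITED = """\
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def parse_master_cf(text):
    """Return {(service, type): {override: value}} for every active entry."""
    services = {}
    current = None
    for raw in text.splitlines():
        # Blank lines and comment lines never start or end a logical line.
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Continuation: belongs to the last active service line.
            if current is None:
                continue
            tokens = raw.split()
        else:
            fields = raw.split()
            if len(fields) < 8:  # not a service entry (e.g. a "[...]" marker)
                current = None
                continue
            current = services.setdefault((fields[0], fields[1]), {})
            tokens = fields[8:]
        it = iter(tokens)
        for tok in it:
            if tok == "-o":
                name, _, value = next(it, "").partition("=")
                current[name] = value
    return services


def audit(text):
    """List every required override that is absent or has another value."""
    services = parse_master_cf(text)
    findings = []
    for key, wanted in REQUIRED.items():
        opts = services.get(key)
        if opts is None:
            findings.append(f"{key[0]}: service entry is missing or commented out")
            continue
        for name, value in wanted.items():
            if opts.get(name) != value:
                findings.append(f"{key[0]}: {name} is {opts.get(name)!r}, expected {value!r}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("half-edited", HALF_EDITED)):
        print(label, audit(cfg) or "OK")
```

In the half-edited sample the orphaned "-o" lines attach to the preceding smtp service, so port 25 would start requiring SASL authentication and reject ordinary incoming mail.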


We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

nano /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]


Then we restart MySQL:

/etc/init.d/mysql restart


Now check that networking is enabled. Run

netstat -tap | grep mysql


The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      21298/mysqld
root@server1:~#


13 Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl


The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop
update-rc.d -f spamassassin remove

14 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-curl php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-python libapache2-mod-perl2


You will see the following questions:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include
a2enmod dav_fs dav auth_digest


Restart Apache afterwards:

/etc/init.d/apache2 restart


If you want to host Ruby files with the extension .rb on your web sites created through ISPConfig, you must comment out the line application/x-ruby rb in /etc/mime.types:

nano /etc/mime.types

[...]
#application/x-ruby                             rb
[...]


(This is needed only for .rb files; Ruby files with the extension .rbx work out of the box.)

Restart Apache afterwards:

/etc/init.d/apache2 restart


14.1 Xcache

Xcache is a free and open PHP opcode cacher for caching and optimizing PHP intermediate code. It's similar to other PHP opcode cachers, such as eAccelerator and APC. It is strongly recommended to have one of these installed to speed up your PHP page.

Xcache can be installed as follows:

apt-get install php5-xcache


Now restart Apache:

/etc/init.d/apache2 restart

14.2 PHP-FPM

Starting with the upcoming ISPConfig 3.0.5, there will be an additional PHP mode that you can select for usage with Apache: PHP-FPM. If you plan to use this PHP mode, it makes sense to configure your system for it now so that later on when you upgrade to ISPConfig 3.0.5, your system is prepared (the latest ISPConfig version at the time of this writing is ISPConfig 3.0.4.4).

To use PHP-FPM with Apache, we need the mod_fastcgi Apache module (please don't mix this up with mod_fcgid - they are very similar, but you cannot use PHP-FPM with mod_fcgid). We can install PHP-FPM and mod_fastcgi as follows:

apt-get install libapache2-mod-fastcgi php5-fpm


Make sure you enable the module and restart Apache:

a2enmod actions fastcgi alias
/etc/init.d/apache2 restart

15 Install Mailman

Since version 3.0.4, ISPConfig also allows you to manage (create/modify/delete) Mailman mailing lists. If you want to make use of this feature, install Mailman as follows:

apt-get install mailman


Select at least one language, e.g.:

Languages to support: <-- en (English)
I also added ca & es, but left en as default.

Before we can start Mailman, a first mailing list called mailman must be created:

newlist mailman

root@server1:~# newlist mailman
Enter the email of the person running the list: <-- admin email address, e.g. listadmin@example.com
Initial mailman password: <-- admin password for the mailman list
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner... <-- ENTER

root@server1:~#


Open /etc/aliases afterwards...

nano /etc/aliases


... and add the following lines:

[...]
## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"


Run

newaliases


afterwards and restart Postfix:

/etc/init.d/postfix restart


Finally we must enable the Mailman Apache configuration:

ln -s /etc/mailman/apache.conf /etc/apache2/conf.d/mailman.conf

This defines the alias /cgi-bin/mailman/ for all Apache vhosts, which means you can access the Mailman admin interface for a list at http://<vhost>/cgi-bin/mailman/admin/<listname>, and the web page for users of a mailing list can be found at http://<vhost>/cgi-bin/mailman/listinfo/<listname>.


Under http://<vhost>/pipermail you can find the mailing list archives.

Restart Apache afterwards:

/etc/init.d/apache2 restart


Then start the Mailman daemon:

/etc/init.d/mailman start

So Mailman has also been added.


First list added:
http://r.dimensis.com/cgi-bin/mailman/admin/mailman/

Continue with section 5

http://www.howtoforge.com/perfect-server-ubuntu-12.04-lts-apache2-bind-dovecot-ispconfig-3-p5

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool


Edit the file /etc/default/pure-ftpd-common...

nano /etc/default/pure-ftpd-common


... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:

Contents of /etc/default/pure-ftpd-common
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]


Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS


In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/


Afterwards, we can generate the SSL certificate as follows:

root@r:~# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Generating a 2048 bit RSA private key
.+++
..............+++
writing new private key to '/etc/ssl/private/pure-ftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Catalonia
Locality Name (eg, city) []:Barcelona
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tiki and PluginR Testing ground        
Organizational Unit Name (eg, section) []:PluginR
Common Name (e.g. server FQDN or YOUR name) []:r.dimensis.com
Email Address []:xavier.depedro@vhir.org
root@r:~#


Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem


Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart


Edit /etc/fstab. The tutorial author's file looked like this (he added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):

nano /etc/fstab

Contents of the tutorial author's file (not the one in r.dimensis.com)
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/server1-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
# /boot was on /dev/sda1 during installation
UUID=4b58d345-1c55-4ac5-940e-7245938656a6 /boot           ext2    defaults        0       2
/dev/mapper/server1-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0


However, in r.dimensis.com our fstab looks like this:

proc  /proc       proc    defaults    0    0
none  /dev/pts    devpts  rw,gid=5,mode=620    0    0
none  /run/shm    tmpfs   defaults    0    0


So there is no root partition...

To enable quota, if I had changed the root partition line in fstab, I would have run these commands:

mount -o remount /
quotacheck -avugm
quotaon -avug


So I skip this part in r.dimensis.com.

17 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils


18 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl


Open /etc/cron.d/awstats afterwards...

nano /etc/cron.d/awstats


... and comment out everything in that file:

#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh


19 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.16.tar.gz
tar xvfz jailkit-2.16.tar.gz
cd jailkit-2.16
./debian/rules binary


You can now install the Jailkit .deb package as follows:

cd ..
dpkg -i jailkit_2.16-1_*.deb
rm -rf jailkit-2.16*



20 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban


To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local:

nano /etc/fail2ban/jail.local

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5


Then create the following two filter files:

nano /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =


Restart fail2ban afterwards:

/etc/init.d/fail2ban restart
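
The two filters and the maxretry values above can be checked against log lines before relying on them. The following is an added example, not part of the original page or of fail2ban: it expands the <HOST> tag the way fail2ban 0.8.x does (an approximation covering IPv4 addresses and hostnames), runs both failregex values over constructed log lines, and lists the hosts that reach maxretry. It ignores findtime, and all log lines and addresses are constructed.

```python
# Added example: run this page's fail2ban failregex values over sample logs.
import re
from collections import Counter

# Approximation of fail2ban 0.8.x's expansion of the <HOST> tag (assumption).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex and maxretry copied from jail.local and filter.d on this page.
JAILS = {
    "pureftpd": {
        "failregex": r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*",
        "maxretry": 3,
    },
    "dovecot-pop3imap": {
        "failregex": r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*",
        "maxretry": 5,
    },
}

# Constructed /var/log/syslog lines: three failures from one host, one
# failure and one successful login from another.
SAMPLE_SYSLOG = [
    "May 18 12:30:01 r pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]",
    "May 18 12:30:04 r pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [root]",
    "May 18 12:30:07 r pure-ftpd: (?@198.51.100.20) [WARNING] Authentication failed for user [web3]",
    "May 18 12:30:09 r pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [test]",
    "May 18 12:30:15 r pure-ftpd: (web3@198.51.100.20) [INFO] web3 is now logged in",
]


def _dovecot(service, event, rip):
    """Build one constructed /var/log/mail.log line in Dovecot's login format."""
    return (f"May 18 12:31:00 r dovecot: {service}: {event}: "
            f"user=<info@example.com>, method=PLAIN, rip={rip}, lip=192.0.2.1")


# Constructed mail.log lines: five failures from one host, two failures and
# one successful login from another.
SAMPLE_MAIL_LOG = [
    _dovecot("imap-login", "Disconnected (auth failed, 1 attempts)", "198.51.100.7"),
    _dovecot("imap-login", "Aborted login (auth failed, 2 attempts)", "198.51.100.7"),
    _dovecot("pop3-login", "Disconnected (auth failed, 1 attempts)", "198.51.100.7"),
    _dovecot("pop3-login", "Aborted login (auth failed, 1 attempts)", "198.51.100.7"),
    _dovecot("imap-login", "Disconnected (auth failed, 3 attempts)", "198.51.100.7"),
    _dovecot("imap-login", "Disconnected (auth failed, 1 attempts)", "192.0.2.9"),
    _dovecot("pop3-login", "Aborted login (auth failed, 1 attempts)", "192.0.2.9"),
    _dovecot("imap-login", "Login", "192.0.2.9"),
]


def compile_filter(failregex):
    """Expand <HOST> and compile; the named group 'host' carries the offender."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def count_failures(jail, lines):
    """Count matching failure lines per host for one jail."""
    pattern = compile_filter(JAILS[jail]["failregex"])
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(jail, lines):
    """Hosts whose failure count reaches the jail's maxretry (findtime ignored)."""
    limit = JAILS[jail]["maxretry"]
    return sorted(h for h, n in count_failures(jail, lines).items() if n >= limit)


if __name__ == "__main__":
    print("pureftpd:", hosts_to_ban("pureftpd", SAMPLE_SYSLOG))
    print("dovecot-pop3imap:", hosts_to_ban("dovecot-pop3imap", SAMPLE_MAIL_LOG))
```

On the server itself, fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf runs the installed filter against the real log.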

Continue with section 6

http://www.howtoforge.com/perfect-server-ubuntu-12.04-lts-apache2-bind-dovecot-ispconfig-3-p6

21. SquirrelMail


To install the SquirrelMail webmail client, run

apt-get install squirrelmail


Then configure SquirrelMail:

squirrelmail-configure


We must tell SquirrelMail that we are using Dovecot-IMAP/-POP3:

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> <-- D


SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
    bincimap    = Binc IMAP server
    courier     = Courier IMAP server
    cyrus       = Cyrus IMAP server
    dovecot     = Dovecot Secure IMAP server
    exchange    = Microsoft Exchange IMAP server
    hmailserver = hMailServer
    macosx      = Mac OS X Mailserver
    mercury32   = Mercury/32
    uw          = University of Washington's IMAP server
    gmail       = IMAP access to Google mail (Gmail) accounts

    quit        = Do not change anything
Command >> <-- dovecot


SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
    bincimap    = Binc IMAP server
    courier     = Courier IMAP server
    cyrus       = Cyrus IMAP server
    dovecot     = Dovecot Secure IMAP server
    exchange    = Microsoft Exchange IMAP server
    hmailserver = hMailServer
    macosx      = Mac OS X Mailserver
    mercury32   = Mercury/32
    uw          = University of Washington's IMAP server
    gmail       = IMAP access to Google mail (Gmail) accounts

    quit        = Do not change anything
Command >> dovecot

              imap_server_type = dovecot
         default_folder_prefix = <none>
                  trash_folder = Trash
                   sent_folder = Sent
                  draft_folder = Drafts
            show_prefix_option = false
          default_sub_of_inbox = false
show_contain_subfolders_option = false
            optional_delimiter = detect
                 delete_folder = false

Press any key to continue... <-- press a key


SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> <-- S


SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> <-- Q


Now we will configure SquirrelMail so that you can use it from within your web sites (created through ISPConfig) by using the /squirrelmail or /webmail aliases. So if your website is www.example.com, you will be able to access SquirrelMail using www.example.com/squirrelmail or www.example.com/webmail.

SquirrelMail's Apache configuration is in the file /etc/squirrelmail/apache.conf, but this file isn't loaded by Apache because it is not in the /etc/apache2/conf.d/ directory. Therefore we create a symlink called squirrelmail.conf in the /etc/apache2/conf.d/ directory that points to /etc/squirrelmail/apache.conf and reload Apache afterwards:

cd /etc/apache2/conf.d/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
/etc/init.d/apache2 reload


Now open /etc/apache2/conf.d/squirrelmail.conf...

nano /etc/apache2/conf.d/squirrelmail.conf


... and add the following lines to the <Directory /usr/share/squirrelmail></Directory> container that make sure that mod_php is used for accessing SquirrelMail, regardless of what PHP mode you select for your website in ISPConfig:

[...]
<Directory /usr/share/squirrelmail>
  Options FollowSymLinks
  <IfModule mod_php5.c>
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
    php_admin_flag allow_url_fopen Off
    php_value include_path .
    php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
    php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname:/var/spool/squirrelmail
    php_flag register_globals off
  </IfModule>
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>
  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>
[...]


Create the directory /var/lib/squirrelmail/tmp...

mkdir /var/lib/squirrelmail/tmp


... and make it owned by the user www-data:

chown www-data /var/lib/squirrelmail/tmp


Reload Apache again:

/etc/init.d/apache2 reload


That's it already - /etc/apache2/conf.d/squirrelmail.conf defines an alias called /squirrelmail that points to SquirrelMail's installation directory /usr/share/squirrelmail.

You can now access SquirrelMail from your web site as follows:

http://192.168.0.100/squirrelmail
http://r.dimensis.com/squirrelmail

You can also access it from the ISPConfig control panel vhost (after you have installed ISPConfig, see the next chapter) as follows (this doesn't need any configuration in ISPConfig):

http://server1.example.com:8080/squirrelmail

If you'd like to use the alias /webmail instead of /squirrelmail, simply open /etc/apache2/conf.d/squirrelmail.conf...

nano /etc/apache2/conf.d/squirrelmail.conf


... and add the line Alias /webmail /usr/share/squirrelmail:

Alias /squirrelmail /usr/share/squirrelmail
Alias /webmail /usr/share/squirrelmail
[...]

Then reload Apache:

/etc/init.d/apache2 reload


Now you can access Squirrelmail as follows:

http://192.168.0.100/webmail
http://www.example.com/webmail
http://server1.example.com:8080/webmail (after you have installed ISPConfig, see the next chapter)




If you'd like to define a vhost like webmail.example.com where your users can access SquirrelMail, you'd have to add the following vhost configuration to /etc/apache2/conf.d/squirrelmail.conf:

nano /etc/apache2/conf.d/squirrelmail.conf

[...]
<VirtualHost 1.2.3.4:80>
  DocumentRoot /usr/share/squirrelmail
  ServerName webmail.example.com
</VirtualHost>


Make sure you replace 1.2.3.4 with the correct IP address of your server. Of course, there must be a DNS record for webmail.example.com that points to the IP address that you use in the vhost configuration. Also make sure that the vhost webmail.example.com does not exist in ISPConfig (otherwise both vhosts will interfere with each other!).

Now reload Apache...

/etc/init.d/apache2 reload


... and you can access SquirrelMail under http://webmail.example.com!

Continue with section 7

http://www.howtoforge.com/perfect-server-ubuntu-12.04-lts-apache2-bind-dovecot-ispconfig-3-p7

Once finished, you can access your control panel at:
https://r.dimensis.com:8080/

1.4. Manage ISPConfig3

See details at:
https://doc.tiki.org/ISPConfig

Example of key section of the control panel:



For this:
http://ueb.vhir.org/blogpost9-PluginR-v0-80-released-2-new-trainings-in-July-2013

1.4.1. Add svn to jailkit ssh sessions

Sure and please, do not hesitate if you have other questions!

What version of Jailkit have you installed? There is a bug in the 2.16 release:

http://lists.gnu.org/archive/html/jailkit-users/2013-04/msg00003.html

From what I understand, normally you should only need to add '/usr/bin/svn' to 'System > Server Config > [Server] > Jailkit > Jailkit chrooted applications'. Because of this bug in the latest release which breaks '-j' usage, you need to manually run the following command for all your sites:

jk_cp /var/www/clients/[client#]/[web#] /usr/bin/svn

i.e.:

jk_cp /var/www/clients/client3/web3 /usr/bin/svn

Then Subversion will be usable at the next SSH logon. Please, also add '/usr/bin/svn' to the 'Jailkit chrooted applications' setting in ISPConfig:

- Go to 'System > Server Config > [Server] > Jailkit > Jailkit chrooted applications';
- Add '/usr/bin/svn' to the list of applications;
- Click on the 'Save' button.

If you add SVN to the default setting, the line should now read '/usr/bin/groups /usr/bin/id /usr/bin/dircolors /bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/svn'.

I hope this helps! Have a great weekend!

-- 
Eric Beaurivage (eric@avantech.net | eric.beaurivage@oriaks.com)
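
The per-site workaround from the message above, applied to every site jail, as an added example (not part of the message or of ISPConfig). It assumes jails sit at /var/www/clients/clientN/webM; the JK_CP and DRY_RUN variables and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: run the jk_cp workaround for every ISPConfig site jail.
# JK_CP and DRY_RUN are knobs of this script, not Jailkit options.

JK_CP="${JK_CP:-jk_cp}"      # command used to copy a binary into a jail
DRY_RUN="${DRY_RUN:-1}"      # 1 = only print the commands, 0 = run them

# list_site_jails BASE -> print one jail path per line
list_site_jails() {
    base=$1
    for jail in "$base"/client[0-9]*/web[0-9]*; do
        # Skip unmatched globs, plain files and symlinks: only real
        # directories are treated as jails.
        [ -d "$jail" ] && [ ! -L "$jail" ] || continue
        printf '%s\n' "$jail"
    done
}

# copy_into_all_jails BASE BINARY -> run (or print) jk_cp for each jail
copy_into_all_jails() {
    base=$1 binary=$2
    case $binary in
        /*) ;;                                   # absolute path required
        *) echo "binary must be an absolute path: $binary" >&2; return 2 ;;
    esac
    list_site_jails "$base" | while IFS= read -r jail; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s %s %s\n' "$JK_CP" "$jail" "$binary"
        else
            # Same argument order as the command quoted in the message.
            "$JK_CP" "$jail" "$binary" || echo "failed: $jail" >&2
        fi
    done
}

# On the server described here, review the printed commands first:
#   copy_into_all_jails /var/www/clients /usr/bin/svn
```

Set DRY_RUN=0 once the printed list matches the sites you expect.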

1.4.2. Chrooted user homes

New sites are associated with clients, and ssh users can be created that are associated with that client and site.
ssh users have their chrooted environments at this absolute path on the server:

/var/www/clients/clientN/webM/


For instance, for the test case of the rol site (http://rol.r.dimensis.com) for Ferran (UEB), client uat is #3 (N in the path above), the ssh user is uatferran, and the website is #8 (M in the path above). Therefore, his website will be here:

/var/www/clients/client3/web8/


And when he logs in through ssh, he will be at this path, as it appears to him:

/home/uatferran/


His website http://rol.r.dimensis.com will initially be fed with the contents of this file (chrooted, apparently absolute path for him):

/web/index.html


In fact, the real paths on the server for his home directory and website are:

/var/www/clients/client3/web8/home/uatferran/
/var/www/clients/client3/web8/web/index.html
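
The mapping between the path the ssh user sees and the real path on the server, as an added example (not ISPConfig or Jailkit code). The function names are hypothetical, and the mapping is purely lexical: symlinks inside the jail are not followed.

```shell
#!/bin/sh
# Added example: translate between jailed and real paths for clientN/webM.

# normalize_path PATH -> resolve "." and ".." the way a chroot does:
# ".." at the root stays at the root, so a jailed path cannot climb out.
normalize_path() {
    out="" old_ifs=$IFS
    set -f; IFS=/                 # split on "/" without glob expansion
    for part in $1; do
        case $part in
            ''|.) ;;                        # empty field or "."
            ..)   out=${out%/*} ;;          # drop last component, if any
            *)    out="$out/$part" ;;
        esac
    done
    IFS=$old_ifs; set +f
    printf '%s\n' "${out:-/}"
}

# jail_to_real CLIENT_NO WEB_NO JAILED_PATH -> real path on the server
jail_to_real() {
    for n in "$1" "$2"; do
        case $n in ''|*[!0-9]*) echo "bad id: $n" >&2; return 2 ;; esac
    done
    case $3 in /*) ;; *) echo "jailed path must be absolute" >&2; return 2 ;; esac
    rel=$(normalize_path "$3")
    [ "$rel" = / ] && rel=""
    printf '/var/www/clients/client%s/web%s%s\n' "$1" "$2" "$rel"
}

# real_to_jail CLIENT_NO WEB_NO REAL_PATH -> path as the ssh user sees it,
# or exit status 1 when REAL_PATH lies outside that site's jail.
real_to_jail() {
    root="/var/www/clients/client$1/web$2"
    real=$(normalize_path "$3")
    case $real/ in
        "$root"/*) rel=${real#"$root"}; printf '%s\n' "${rel:-/}" ;;
        *) return 1 ;;
    esac
}

# jail_to_real 3 8 /web/index.html
# real_to_jail 3 8 /var/www/clients/client3/web8/home/uatferran
```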

1.4.3.1. Re-set admin password

If you need to re-set the admin password, run this SQL through phpMyAdmin on the appropriate database for ISPConfig:

UPDATE sys_user SET passwort = md5('YourNewPassword') WHERE username = 'admin';

Other tweaks by hand when needed

In case it is needed, see these instructions copied from the howtoforge forums:
(from http://www.howtoforge.com/forums/showthread.php?t=4373&page=2 & page 3)

How to do this:

1) Install a SSH daemon that supports chrooting.
2) Enable chrooting in ISPConfig in the file /home/admispconfig/ispconfig/config.inc.php
3) Every newly created or updated user is chrooted by ISPConfig. ISPConfig runs the script /root/ispconfig/scripts/shell/create_chroot_env.sh automatically to copy the needed binaries and dependencies to the chroot environment.


And:

Got it!

The file ld-linux.so.2 isn't being copied into the chrooted lib/ when new users are created. Without it, bash fails.

I'll investigate why this is and try to fix it. I assume I can add it to the create_chroot_env.sh script...

Edit:

There are actually two libraries that bash requires which are not copied over for some reason. They ARE listed in ldd so I don't know why they don't copy.

As a temporary kludgy hack, I have added the following two lines to /root/ispconfig/scripts/shell/create_chroot_env.sh

Code:
cp /lib/ld-linux.so.2 ./lib/
cp /lib/tls/libdl.so.2 ./lib/tls/


1.4.4. Basic LAMP & R Installation

Basic programs installed as root:
apt-get install mc htop
apt-get install mysql-server mysql-client apache2 php5 php5-tidy php-pear memcached php5-xcache php5-gd php5-xmlrpc php-xml-parser phpmyadmin postfix
apt-get install  imagemagick php5-imagick php5-gd graphviz
apt-get install  
apt-get install r-recommended
apt-get install subversion


Update R to 3.0.x (by default, Ubuntu 12.04 comes with 2.14.x, it seems)

sudo apt-get install python-software-properties
sudo add-apt-repository ppa:marutter/rrutter 
sudo apt-get update
sudo apt-get upgrade


Change the permissions on R's site-library directory so that users can install packages there system-wide.

sudo chmod 777 /usr/local/lib/R/site-library/
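
Mode 777 lets every local account, including the web server user, replace installed R packages. A narrower setup, as an added example (not from the original notes), gives write access to one group and sets the setgid bit so that packages installed later inherit that group; the group name rusers and the function names are assumptions.

```shell
#!/bin/sh
# Added example: share a package library with one group instead of everyone.
# The group (e.g. "rusers") is assumed to exist and to contain the R users.

# world_writable_under DIR -> print entries that any local account can modify
world_writable_under() {
    find "$1" ! -type l -perm -0002 -print
}

# share_tree_with_group DIR GROUP -> group-writable, setgid, not world-writable
share_tree_with_group() {
    dir=$1 group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -h: change symlinks themselves, never the files they point to.
    chgrp -hR "$group" "$dir" || return 1
    # Directories: rwxrwsr-x. The setgid bit makes packages installed later
    # inherit the group instead of the installing user's primary group.
    find "$dir" -type d -exec chmod 2775 {} + || return 1
    # Files: the group may replace them, others may only read.
    find "$dir" -type f -exec chmod g+w,o-w {} + || return 1
}

# On the server described here this would be run as root:
#   world_writable_under /usr/local/lib/R/site-library
#   share_tree_with_group /usr/local/lib/R/site-library rusers
```

Users in the group need a umask of 002 when installing so that the files they create stay group-writable.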


Some system Debian packages for R were missing (like RCurl, etc.). I added all the ones needed for ueb, as indicated in our knowledge base, and everything worked like a charm after that! :-):

sudo apt-get install r-cran-rgl r-cran-misc3d libx11-dev libxt-dev libcurl4-gnutls-dev libxml2-dev r-cran-xml libgraphviz-dev libcairo2-dev r-cran-cairodevice freeglut3 freeglut3-dev r-cran-rglpk libgtk2.0-dev

1.4.5. Initial /etc backup

Done before touching any configuration or installing any "control panel", etc.
/home/xavi/backups/130125_etc_inicial.tgz

1.4.6. Adding Tiki to Client Websites

For instance, to copy the svn installation of tiki09 under my home folder over the website of a client (let's say client3 (uat), web8 (rol), i.e. http://rol.r.dimensis.com), you can do that with:

xavi@r:~# sudo su
root@r:~# cd /home/xavi/tiki09svn
root@r:~/tiki09svn# svn export --force . /var/www/clients/client3/web8/web/
Export complete.
root@r:~/tiki09svn# cd /var/www/clients/client3/web8/web/
root@r:/var/www/clients/client3/web8/web#  mv .htaccess .htaccess_old
root@r:/var/www/clients/client3/web8/web#  cp _htaccess .htaccess
root@r:/var/www/clients/client3/web8/web# sh setup.sh
User [www-data]: web8
> Group [www-data]: client3
> Multi []:
Checking dirs : 
  db ...  ok.
  dump ...  ok.
  img/wiki ...  ok.
  img/wiki_up ...  ok.
  img/trackers ...  ok.
  modules/cache ...  ok.
  temp ...  ok.
  temp/cache ...  ok.
  temp/public ...  ok.
  templates_c ...  ok.
  templates ...  ok.
  styles ...  ok.
  maps ...  ok.
  whelp ...  ok.
  mods ...  Creating directory ok.
  files ...  ok.
  tiki_tests/tests ...  ok.
  temp/unified-index ...  Creating directory ok.
Fix global perms ...
Change user to web8 and group to client3... done.
Fix normal dirs ... done.
Fix special dirs ... done.


The force option is needed since the destination folder already exists.

And svn export is preferred (if no svn is needed) because of the space savings: it reduces the size on disk to approx. 40% of the initial size (453 Mb for the svn-enabled version of tiki09svn, 181 Mb for the non-svn-enabled version).

1.4.7. Set server homepage to tiki11svn


Edit /etc/apache2/sites-enabled/000-default and change the docroot from /var/www to /var/www/tiki, and AllowOverride from None to All.
The file should end up like this:

root@r:~# cat /etc/apache2/sites-enabled/000-default
<VirtualHost *:80>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/r.dimensis.com
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/r.dimensis.com/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>




Fetch a copy of tiki11svn to /var/www/tiki11svn
Set a symlink between /var/www/tiki11svn and /var/www/tiki
Install Tiki as usual

1.5. Fix the email sending error

After everything was installed, I tried sending emails from the command line.

sudo apt-get install mailutils
echo testing | mail -s Bla xavier.depedro@vhir.org



And no email was received: I was getting this error message:

postdrop: warning: unable to look up public/pickup: No such file or directory


Googling a bit, I found that it was due to sendmail not being killed properly after postfix was installed. To solve it, I did:

sudo mkfifo /var/spool/postfix/public/pickup
ps aux | grep sendmail
# Look at the ps number (e.g. NNN) corresponding to sendmail 
sudo kill NNN
sudo /etc/init.d/postfix restart


Test again, and it works:

echo testing | mail -s Bla xavier.depedro@vhir.org


1.5.1. Tiki installation

In general I followed these steps (and updated the documentation page there):
https://doc.tiki.org/Ubuntu+Install

I don't use tasksel but rather apt-get install of packages by hand.

And I download Tiki through Subversion (see https://dev.tiki.org/Get+code ), to:
/var/www/tiki9/

I install PluginR and apply the profiles r_test and R_Heatmaps without much trouble. After applying the R_Heatmaps one, displaying the home page with short URLs seems to fail. I make the usual tweaks to the .htaccess in the Tiki root.

Not Found
The requested URL /tiki9/HeatMaps was not found on this server.


I enable mod_rewrite:

sudo a2enmod rewrite
sudo service apache2 restart


I change the Apache line that allows using .htaccess in subdirectories, in: /etc/apache2/sites-enabled/000-default
The AllowOverride for "/var/www/" must be changed from AllowOverride None to AllowOverride All, so that it ends up like this:

<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>


I change Tiki's /var/www/tiki9/.htaccess so that the rewrite rules can be used in subdirectories:

RewriteBase /tiki9/

And while I'm at it, I make a few more changes in this .htaccess to improve how Tiki works.

1.5.2. Later Tiki upgrades

To upgrade to the latest svn version, go there as root and run these commands, each one after the previous one has finished:

svn up
sh setup.sh
php installer/shell.php


db: tiki9
u: tikiuser
p: (ask xavi or Adria, if needed)
mysql details for the tiki db are usually at

/var/www/9x/db/local.php

1.5.3. PluginR

As usual, check the documentation, profiles, links to videos, screencasts & tutorials, etc, at:


Development blog:


Support forum:

1.6. Potential Graphical Connection to the server with X2GO

See:
http://www.vozidea.com/entorno-grafico-escritorio-remoto-ubuntu

And:

1.7. Monitoring

1.7.1. Icinga (Former Nagios): for Server Monitoring

See http://www.icinga.org

sudo add-apt-repository ppa:formorer/icinga
sudo apt-get update
sudo apt-get install icinga icinga-doc icinga-idoutils mysql-server libdbd-mysql mysql-client


See also:

1.7.1.1. Icinga on ISPConfig powered servers

See:

  1. http://www.howtoforge.com/server-monitoring-with-icinga-on-ubuntu-11.10
    • 1. Preliminary Note
    • 2. Installing Icinga On The Icinga Host (server1)
  2. http://www.howtoforge.com/server-monitoring-with-icinga-on-ubuntu-11.10-p2
    • 3. Configuring Icinga
  3. http://www.howtoforge.com/server-monitoring-with-icinga-on-ubuntu-11.10-p3
    • 4. Adding A Remote Server (server2) To Icinga
