Setting Up Linux Server
This tutorial really should be titled "How to get your Debian server off the
ground as quickly as possible", since it's based on a minimal Debian Linux
(stable) install.
Here you'll be able to get your box secured very quickly, and then get the
services running with minimum hassle and pain.
This guide first started when I rented a server from
http://www.linode.com,
which is actually a virtual server based on User-mode Linux. Very interesting
stuff. I rented the server because my own server at home was going up and down
like a yoyo because of electricity problems. Then, while I was spending time
configuring it, I thought it'd be great if I documented what I've done, so I
can configure future servers easily.
I chose Debian because it enables you to administer and
secure your servers with a minimum amount of time:
- Packages install in very little time, with
their dependencies automatically resolved for you.
- It just makes sense, lessening the learning
time for any service in it:
  - Config files can be found under /etc/<package_name>
  - Logfiles can be found under /var/log/<package_name>
  - Data related to various packages can be found under /var/lib/<package_name>
  - Documentation can be found under /usr/share/doc/<package_name>
  - You can start/stop any service with /etc/init.d/<service name> start/stop/reload/restart
  - To reconfigure a package, just type dpkg-reconfigure <package_name>
  - and so on.
- Debian (stable) packages are kept secure
from known security holes by Debian's security team. After having a server
taken over by crackers, due to failing to patch an OpenSSH security hole in
time, I appreciate this greatly.
- Keeping them up to date, especially with the
security patches, is only a matter of putting apt-get update and
apt-get upgrade in your crontab file.
As a comparison, I'm also responsible for Solaris-based webservers, and I
spend more time on them keeping apache+mod_ssl+openssh up to date (lest I risk
them being breached by crackers) than on my Debian server (which is fully
loaded with various services).
By the way, you can still use this guide even for non-Linode
servers. Just do a basic Debian install (if you don't know how,
click
here), and then follow this guide to make your server ready to serve.
NOTE
If you want to have quotas enforced for your users,
don't forget to have a separate partition mounted as /home and
formatted with the ext3 filesystem.
Implementing quota on the whole disk may not be a good idea.
Without further ado, here's the guide. (Anything
beginning with "#" is a comment; don't type it into the console.)
First things first
First things first - update your Debian software
package list:
apt-get update
The following are a few packages that will be needed
if you have to compile a software package:
mkdir /downloads
apt-get install gcc
apt-get install make
apt-get install flex
apt-get install libc6-dev
A few more important tools:
apt-get install less
apt-get install file
Also don't forget to subscribe to Debian's security
announcement list - this will ensure that you'll be notified whenever a security
update is available. I suggest you subscribe to it using an email address which
you check very frequently.
http://lists.debian.org/debian-security-announce/
Now let's continue with our first software installation -
the firewall.
Firewall installation (firehol)
For the firewall, we'll be using Firehol (a console-based
firewall),
http://firehol.sourceforge.net
I like firehol because it'll secure your server very
quickly, is accessible from the console, doesn't put files everywhere, and is
very easy to understand.
It works by reading the contents of /etc/firehol/firehol.conf,
then translating them into iptables commands. So instead of dealing
with cryptic iptables commands, we'll be using Firehol's syntax, which is much
more human-readable.
It also has the advantage of reducing the possibility of
making mistakes, because it's so much simpler than iptables' syntax.
To install Firehol, do the following:
apt-get install gawk
apt-get install iproute
cd /downloads
wget http://belnet.dl.sourceforge.net/sourceforge/firehol/firehol-1.191.tar.bz2
bzip2 -d firehol-1.191.tar.bz2
tar xvf firehol-1.191.tar
cd firehol-1.191
mkdir /etc/firehol
OK, now we need to configure Firehol. Create the config
file, by entering vi /etc/firehol/firehol.conf in the command line. Then
in the editor, enter the following lines :
version 5
server_althttp_ports="tcp/8080"
client_althttp_ports="default"
# to stop dhcp-client from filling the logs with its complaints about not being able to contact a DHCP server...
server_dhcpclient_ports="udp/67"
client_dhcpclient_ports="default"
# if you need to blacklist incoming connection from an IP, use the following line
blacklist this "24.202.51.30 24.202.51.31"
# if you need to blacklist incoming AND outgoing connection from/to an IP, use the following line
blacklist full 202.43.165.125 65.160.141.215
# notice how one is using quotes, but not the other
# redirection example - redirect traffic to port 1234 to port 110
redirect to 110 inface eth0 proto tcp dport 1234
interface eth0 internet
# enable all available protection - against DoS, invalid packets, etc
protection strong
server "icmp ftp ssh smtp dns http https pop3 althttp rsync webmin" accept
# client "icmp ftp ssh smtp dns http https pop3 althttp rsync webmin dhcpclient" accept
client all accept
Save and exit the editor.
One last step, edit /usr/src/linux/.config per
this
thread in the Linode forums - that's it, if you have a Linode.com server.
Now run Firehol :
./firehol.sh start
Congratulations - you've managed to accomplish the most
significant task in securing your server ! Now we can start setting up
application in peace.
NOTE : If you see that your 7-line firehol.conf becomes
150 lines of iptables commands, and think "heck, my server will be bogged down
by this!" - don't worry. Firehol is very optimized. Chances are, if you wrote
the iptables commands manually yourself, you'd only be able to save a few lines
at most. And iptables is blazingly fast. So you can rest assured about this.
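As an added example (not from the original guide and not part of FireHOL), here is a Python script that reads a firehol.conf like the one above and lists which inbound ports the server line actually exposes, so you can check that everything you rely on later in this guide (for instance a second sshd on port 2222) is really open. The service-to-port table is assumed from the standard port assignments, and the blacklist addresses are constructed placeholders rather than the guide's own.

```python
import re

# Ports behind FireHOL's built-in service names used in the server line.
# Assumed from the standard port assignments; FireHOL's own services list is authoritative.
BUILTIN_SERVICES = {
    "icmp": ["icmp"],
    "ftp": ["tcp/21"],
    "ssh": ["tcp/22"],
    "smtp": ["tcp/25"],
    "dns": ["tcp/53", "udp/53"],
    "http": ["tcp/80"],
    "https": ["tcp/443"],
    "pop3": ["tcp/110"],
    "rsync": ["tcp/873"],
    "webmin": ["tcp/10000"],
}

# The guide's firehol.conf, reproduced as constructed input; the blacklist
# addresses are documentation-range placeholders, not the guide's real ones.
SAMPLE_CONF = """version 5
server_althttp_ports="tcp/8080"
client_althttp_ports="default"
server_dhcpclient_ports="udp/67"
client_dhcpclient_ports="default"
blacklist this "192.0.2.10 192.0.2.11"
blacklist full 198.51.100.5 203.0.113.9
redirect to 110 inface eth0 proto tcp dport 1234
interface eth0 internet
    protection strong
    server "icmp ftp ssh smtp dns http https pop3 althttp rsync webmin" accept
    client all accept
"""

CUSTOM_RE = re.compile(r'server_(\w+)_ports="([^"]*)"')
BLACKLIST_RE = re.compile(r'blacklist\s+(this|full)\s+(.+)')
REDIRECT_RE = re.compile(r'redirect\s+to\s+(\d+)\b.*\bproto\s+(\w+)\b.*\bdport\s+(\d+)')
SERVER_RE = re.compile(r'server\s+"?([^"]+?)"?\s+accept\b')


def parse_firehol(conf):
    """Pull out the parts of firehol.conf that decide what the Internet can reach."""
    parsed = {"custom": {}, "accepted": [], "blacklist": {"this": [], "full": []},
              "redirects": []}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = CUSTOM_RE.match(line)
        if m:   # server_<name>_ports="tcp/8080" defines a custom service
            parsed["custom"][m.group(1)] = m.group(2).split()
            continue
        m = BLACKLIST_RE.match(line)
        if m:   # quotes are optional, as the guide's two examples show
            parsed["blacklist"][m.group(1)] += m.group(2).replace('"', "").split()
            continue
        m = REDIRECT_RE.match(line)
        if m:   # recorded as (proto/dport, destination port)
            parsed["redirects"].append((f"{m.group(2)}/{m.group(3)}", int(m.group(1))))
            continue
        m = SERVER_RE.match(line)
        if m:   # every service name in a 'server ... accept' line is reachable inbound
            parsed["accepted"] += m.group(1).split()
    return parsed


def exposed_ports(parsed):
    """Return (set of proto/port strings accepted inbound, set of unresolved service names)."""
    ports, unknown = set(), set()
    for name in parsed["accepted"]:
        if name in parsed["custom"]:          # a custom definition wins over the built-in table
            ports.update(parsed["custom"][name])
        elif name in BUILTIN_SERVICES:
            ports.update(BUILTIN_SERVICES[name])
        else:
            unknown.add(name)
    return ports, unknown


def missing_ports(parsed, required):
    """Which of the proto/port entries you rely on are NOT opened by the server line."""
    ports, _ = exposed_ports(parsed)
    return sorted(p for p in required if p not in ports)


if __name__ == "__main__":
    parsed = parse_firehol(SAMPLE_CONF)
    ports, unknown = exposed_ports(parsed)
    print("inbound accepted:", sorted(ports))
    print("unresolved services:", sorted(unknown))
    print("blacklist:", parsed["blacklist"])
    print("redirects:", parsed["redirects"])
    # The guide later suggests a second sshd on port 2222; it is not in the server line.
    print("missing:", missing_ports(parsed, ["tcp/22", "tcp/2222"]))
```

Run it against your real /etc/firehol/firehol.conf before starting a service on a new port, and add the port to the server line (or a custom server_<name>_ports definition) when it shows up as missing.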
Harden Your Server !
Once you got a firewall installed, you've done a
significant step in securing your server.
But do realize that the process of securing your server doesn't stop
there !
Securing your server is a topic that deserves its own
article. You may find out more about it here:
Computer Security
Server security monitor (logcheck)
Logcheck will help you monitor the security of your
server.
It works by monitoring the logfiles, and when it
encounters interesting information (as defined by you) it'll be emailed to your
email account. It's a great help in monitoring the security of our servers,
since it reports directly to our mailbox.
To install logcheck, just type the following :
apt-get install logcheck
A tip - if you're swamped by irrelevant kernel messages
about packets being sent/received, edit /etc/logcheck/logcheck.ignore,
and add the next two lines at the end :
kernel: IN-internet:IN=eth0 OUT=
kernel: OUT-internet:IN= OUT=eth0
Secure remote access (openssh)
Installing OpenSSH is very easy in Debian, just type
apt-get install ssh
Don't forget to secure it -
click here for the details.
TIPS
Get more than one SSH daemon to run on different ports. This way, if you manage
to lock yourself out, you can still get in via a different port.
Just add 15 * * * * /usr/sbin/sshd -p 2222 to your crontab (and don't
forget to open that port in your firewall as well).
(thanks to
Dicky
for the idea)
However, if you want to be even safer, you can always
have a second OpenSSH installation. This will come in handy if we break the
Debian installation - the second installation will still be available so we
won't be locked out of our own server (believe me, it's not funny at all
when it happens). NOTE - you must keep this installation updated manually,
otherwise criminals may be able to use it to break into your server instead!
OpenSSL
I need to install a second instance of OpenSSH, and it
requires OpenSSL.
If you own a Linode.com server, you can safely skip to the next section.
cd /downloads
wget http://www.openssl.org/source/openssl-0.9.7d.tar.gz
tar xzvf openssl-0.9.7d.tar.gz
cd openssl-0.9.7d
mkdir /usr/local/openssl-0.9.7d
./config --prefix=/usr/local/openssl-0.9.7d
make
make test
make install
OpenSSH
ATTENTION - Linode.com users
You DON'T need to install OpenSSH, because it's
already installed. And you don't need to install a second instance of it in case
you get locked out of your server, because you can always connect again via your
Linode host console (look for it in your membership page). That's another
advantage of using a UML-based server (such as Linode's).
Otherwise, it's highly recommended to have a second
instance of SSHd running. You'll thank me when the main SSHd instance goes dead,
because you can still access your server via this second instance.
To install the second instance of OpenSSH, do the
following :
apt-get install zlib1g
apt-get install zlib1g-dev
cd /downloads
### NOTE - substitute "openssh-3.8.1p1" with the latest version available !!!!
wget http://ftp.bit.nl/mirror/openssh/openssh-3.8.1p1.tar.gz
tar xzvf openssh-3.8.1p1.tar.gz
cd openssh-3.8.1p1
mkdir /usr/local/openssh-3.8.1p1
./configure --prefix=/usr/local/openssh-3.8.1p1 --with-ssl-dir=/usr/local/openssl-0.9.7d
make
make install
# --- enabling Privilege Separation feature of OpenSSH
mkdir /var/empty
chown root:sys /var/empty
chmod 755 /var/empty
groupadd sshd
useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
ln -s /usr/local/openssh-3.8.1p1 /usr/local/openssh
Again, don't miss the steps to secure this OpenSSH
installation -
click here for the details.
To get it running every time the server starts, create
/etc/rc.boot/starting-services, then put the following line in:
/usr/local/openssh/sbin/sshd &
Database server (mysql, postgresql)
MySQL v3.x
apt-get install mysql-server
mysqladmin -u root password '<password>'
mysqladmin -u root -h <hostname> password '<password>'
/etc/init.d/mysql stop
To troubleshoot MySQL, you can run it with
logging enabled :
# shutdown MySQL
mysqladmin -p shutdown
# execute MySQL with logging enabled
safe_mysqld --log=/var/log/mysql.log
Now you can see all queries submitted in /var/log/mysql.log
PostgreSQL
(FIXME)
Webserver (apache)
Very easy, just type: apt-get install apache
Apache is already started when the installation finished.
But if you need to do something about it, just type /etc/init.d/apache help
Anti DoS
DoS (Denial of Service) attacks are quite popular with
criminals because they're relatively easy to do, and they can cause significant
damage - especially to mission critical websites.
We have implemented a measure to counter network DoS
attempts (amazingly in only 1 line, no more, thanks to FireHOL), but then
criminals can attempt an application DoS. So we need to harden Apache as
well.
Thankfully, this is relatively easy to do on a Debian
stable server. Just follow these instructions:
- Install the apache-common package: apt-get install apache-common
- Edit /etc/apache/httpd.conf
- Make sure the following line is not commented: LoadModule throttle_module...
- Put the following lines after the ServerName directive. They will limit each
visitor to 40 requests/second:
<IfModule mod_throttle.c>
ThrottlePolicy Request 40 1s
<Location /throttle-status>
SetHandler throttle-status
</Location>
</IfModule>
- Stop and start Apache: /etc/init.d/apache stop
and then /etc/init.d/apache start
To check its status, go to the relevant URL, such as
http://www.mydomain.com/throttle-status
The sample configuration above will protect you from the
simplest and most common Web DoS attack - the request flood. For protection
against other Web DoS attacks, you may refer to
mod_throttle's
documentation.
mod_security
Many criminals have now found that instead of attacking the
server directly, it's way easier to breach it via the web applications that are
hosted on the machine.
PHP-based apps are probably the most frequently broken into. It doesn't
necessarily mean that PHP is insecure by nature; it's probably just because it's
so easy to learn that people are busy creating things with it straight away -
and forget about security.
A firewall doesn't help at all with application-level
attacks, so we need to use an Application Firewall.
Enter mod_security.
Amazingly,
mod_security
is offering a lot in this new field for nothing. Although it won't solve all of
your security problems (make no mistake about it), it will help you
significantly in securing your web-based applications with very little work on
your part.
Unfortunately there's no mod_security package for Debian
stable (not even in backports). But thankfully, it's quite easy to rectify this
situation. Just follow these instructions:
cd /downloads
# get mod_security
wget http://www.modsecurity.org/download/mod_security-1.8.6.tar.gz
tar xzvf mod_security-1.8.6.tar.gz
# get Apache's source - need dpkg-dev package (which contains dpkg-source)
apt-get install dpkg-dev
apt-get source apache
# compile Apache, to create apxs
# install a few required tools first
apt-get install sharutils
apt-get install libdb3-dev
apt-get install debhelper
# compile Apache now
cd apache-1.3.26
make -f debian/rules
# compile mod_security.c, to become mod_security.so
cd /downloads/mod_security-1.8.6
/downloads/apache-1.3.26/debian/apxs -cia -I /downloads/apache-1.3.26/apache-1.3.26/build-tree/apache_1.3.26/src/include/ apache1/mod_security.c
Note that it may appear to be creating a new /etc/apache/httpd.conf
file (with the old one renamed to /etc/apache/httpd.conf.bak). This is not
the case - all current configuration is preserved, with only mod_security
being activated as the difference.
Now let's start configuring mod_security, enter the
following into /etc/apache/httpd.conf :
<IfModule mod_security.c>
# Turn the filtering engine On or Off
# (or DynamicOnly - but it'll require a bit further configuration)
SecFilterEngine On
# This will fool a lot of script kiddies into wasting their time attacking our Apache server
# with IIS4 exploits - enjoy it by viewing their futile attempts in Apache's log :)
SecServerSignature "Microsoft-IIS/4.0"
# Some sane defaults
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache/modsec_audit_log
# Debug level set to a minimum
SecFilterDebugLevel 0
SecFilterDebugLog /var/log/apache/modsec_debug_log
# By default log and deny suspicious requests
# with HTTP status 403
SecFilterDefaultAction "deny,log,status:403"
# Basic protection against SQL attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Basic protection against XSS attacks :
# filter out any <script> tag on URL
SecFilter "<[[:space:]]*script"
# filter out any HTML tag on URL
SecFilter "<.+>"
# Basic protection against Directory traversal attacks
SecFilter "\.\./"
# Basic protection against Command execution attacks
SecFilter /bin/sh
SecFilter /bin/bash
SecFilter /bin/ls
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Require Content-Length to be provided with every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Protect against Chunked transfer requests
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# The following will only allow "admin" user to logon
# if they're connecting via the specified IP address
#SecFilterSelective ARG_username admin chain
#SecFilterSelective REMOTE_ADDR "!^ADMIN_IP_ADDRESS_HERE$"
</IfModule>
Now restart Apache - and you're set!
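To see what the SecFilter rules above actually catch, and what they catch by mistake, here is an added Python script (not part of the original guide or of mod_security) that replays a few constructed request targets through the same patterns. It assumes mod_security 1.x's behaviour of URL-decoding the request before matching and matching case-insensitively, and it only looks at the URL and query string, not POST bodies.

```python
import re
from urllib.parse import unquote_plus

# The SecFilter patterns from the httpd.conf fragment above, verbatim.
SECFILTERS = [
    "delete[[:space:]]+from",
    "insert[[:space:]]+into",
    "select.+from",
    "<[[:space:]]*script",
    "<.+>",
    r"\.\./",
    "/bin/sh",
    "/bin/bash",
    "/bin/ls",
]


def posix_to_python(pattern):
    """mod_security 1.x takes POSIX regexes; Python's re has no [[:space:]] class."""
    return pattern.replace("[[:space:]]", r"\s")


# Assumption: mod_security 1.x SecFilter matching is case-insensitive.
COMPILED = [(p, re.compile(posix_to_python(p), re.IGNORECASE)) for p in SECFILTERS]


def normalize(target):
    """Simplified stand-in for mod_security's request normalisation: URL-decode
    once, so %2e%2e%2f and '+' become '../' and a space before the filters run."""
    return unquote_plus(target)


def matching_filters(target):
    """Return the SecFilter patterns that fire on a request target (path + query)."""
    decoded = normalize(target)
    return [p for p, rx in COMPILED if rx.search(decoded)]


def decide(target):
    """HTTP status the SecFilterDefaultAction above would produce: 403 on any hit."""
    return 403 if matching_filters(target) else 200


# Constructed request targets: four that the rules should catch, one legitimate
# search that the over-broad 'select.+from' pattern blocks, and one clean request.
SAMPLE_TARGETS = [
    "/index.php?id=1+select+*+from+users",
    "/search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "/download.php?file=..%2F..%2Fetc%2Fpasswd",
    "/cgi-bin/test.cgi?cmd=%2Fbin%2Fls",
    "/catalog.php?q=select+a+book+from+our+list",   # false positive
    "/index.php?page=home",
]


def audit(targets):
    """Replay targets through the filters; returns {target: (status, patterns)}."""
    return {t: (decide(t), matching_filters(t)) for t in targets}


if __name__ == "__main__":
    for target, (status, hits) in audit(SAMPLE_TARGETS).items():
        print(f"{status} {target}")
        for h in hits:
            print(f'      matched SecFilter "{h}"')
```

The catalog search shows why a plain SecFilter "select.+from" needs tightening (or a SecFilterSelective on the arguments that can legitimately carry it) before you turn it on for a site with a search box.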
Again, do realize that we have only used a little of
this powerful utility's capability. Therefore you might be interested in the
following reading materials:
- Introduction to mod_security
- More mod_security filters
- Good security resource
- PHP: Preventing register_global problems
Apache chroot
Chroot/jail-ing an application is a process of limiting
an application's access to a specific directory.
For example, if you have chroot-ed Apache to /var/www,
then it won't be able to access /etc.
This is very useful when (always assume the worst) a criminal breaks into your
machine via Apache - then he'll be "jailed" in Apache's directory, and not able
to do much damage.
However, I've chroot-ed Apache before and it was a
very painful experience. Various applications (especially CGIs) refuse to
work without messing around with them. Debugging problems is harder than usual.
Etc.
Thankfully, if you have implemented mod_security (see
above) this becomes significantly easier to set up and maintain.
Read the following article on how to accomplish
this:
- Chroot-ing Apache - the mod_security way
Secure Webserver (apache-ssl)
Very easy, just type: apt-get install apache-ssl
A few notes:
- When asked to enable suExec, choose yes
- On configuring the certificate, enter the information correctly.
- (You can also apply for a free certificate from
http://www.cacert.org
later)
- You may have hardened apache - but you have NOT hardened apache-ssl. To harden
it, you can begin from here
Apache is already started when the installation finished.
But if you need to do something about it, just type /etc/init.d/apache-ssl
help
However, it seems to be having problems serving non-SSL
pages, so to serve non-SSL pages, you'll need to
install standard Apache as well. (see above)
Application Server (php4)
Again, very simple: apt-get install php4
Now restart Apache:
- Apache: /etc/init.d/apache stop and then /etc/init.d/apache start
- Apache-SSL: /etc/init.d/apache-ssl stop and then /etc/init.d/apache-ssl start
suPHP - hardening PHP
suPHP
is an Apache module which makes PHP scripts execute with their owner's
permissions - instead of the usual (the Apache user's permissions).
This helps in securing our server because if an intruder
manages to gain access to our server through a vulnerable PHP script, then
he will only have access to the script owner's files - instead of
everything accessible by Apache.
Needless to say, people who run servers such as ones
used for webhosting will find this tool indispensable.
I haven't had any luck compiling suPHP for Debian stable
- however, Emmanuel Lacour was kind enough to package it and make it available
to everyone. Follow these steps to install it on your own server:
- Put the following in /etc/apt/sources.list:
deb http://manu.home-dn.net/debian/suphp woody main
- Update apt's database: apt-get update
- Now let's install suphp: apt-get install suphp-common
suPHP is now installed, but we still need to configure it
and then restart Apache to activate it :
- Open /etc/apache/httpd.conf
- REMARK (comment out) this line : LoadModule php4_module /usr/lib/apache/1.3/libphp4.so
- Put in this line : LoadModule suphp_module /usr/lib/apache/1.3/mod_suphp.so
- In the global section, enter these lines: suPHP_Engine on and suPHP_ConfigPath /etc/php4/apache
- REMARK this line : AddType application/x-httpd-php .php
- REMARK this line : AddType application/x-httpd-php-source .phps
- Add this line : AddHandler x-httpd-php .php
- Close and save the file
- Restart Apache : /etc/init.d/apache stop and then /etc/init.d/apache start
Now suPHP is handling all the PHP scripts.
TIPS: If you find your PHP scripts no longer working,
adding the execute permission to them will solve most of the problems.
Database web-interface (phpMyAdmin)
This package will enable us to maintain our MySQL
databases easily via browser.
cd /usr/local/apache_1.3.31/htdocs/
wget http://belnet.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-2.5.6.tar.bz2
bzip2 -d phpMyAdmin-2.5.6.tar.bz2
tar xvf phpMyAdmin-2.5.6.tar
cd phpMyAdmin-2.5.6
Now you need to edit /usr/local/apache_1.3.31/htdocs/phpMyAdmin-2.5.6/config.inc.php
accordingly, and you're set. Basically, enter the URL to phpMyAdmin in the
PmaAbsoluteUri variable, then specify root's password - that's it.
Security note:
MySQL is already secured by the firewall (access to
MySQL from the Internet is blocked), so you need to keep phpMyAdmin from
becoming a backdoor to your MySQL database for hackers. You really should
secure the interface to phpMyAdmin with a password and with all
communications with it encrypted with SSL (otherwise people can read
your password by sniffing the network traffic).
You can setup the password by enabling it on
config.inc.php, and you can protect it with SSL by setting it up in Apache-SSL's
httpd.conf file. Example:
<Directory /var/www/phpMyAdmin>
AuthName "Authentication Required"
AuthType Basic
AuthUserFile /etc/.htpasswd
Require valid-user
</Directory>
Of course, don't forget to create /etc/.htpasswd
by using /usr/bin/htpasswd, or this won't work.
Terminal Server (screen)
screen is a nifty program to enable terminal-server like
capabilities of Linux, but console-based. Very useful, you can disconnect from
the server at any time, and when you connect again, everything will be exactly
as you left it !
"man screen" for more info, don't forget to print out its
commands list for easy reference
apt-get install screen
Backup server (rsync)
This will enable us to backup the server / manage mirrors
easily and securely
apt-get install rsync
Use the following /etc/rsyncd.conf on the server that you
want to backup:
pid file = /var/run/rsync.pid
[root-dir]
comment = This module is to enable me to backup this server ONLY
path = /
use chroot = false
read only = true
list = false
uid = 0
gid = 0
hosts allow = <target_server_IP_addr>
To start the rsync server, do the following:
rsync --daemon
To back up the data on that server, execute the following
command on the machine where you want to store the backup:
rsync -avuz rsync://<your_server_IP_addr>/root-dir <backup_directory>
Mailserver (postfix+courier+amavis+clamav+spamassassin+sqwebmail+phpmailman+quota)
I need a mailserver which will have the following
features:
- Multiple/virtual domains
- MySQL backend (so adding more domains can be done via web-interface)
- Secure IMAP, POP3, SMTP
- Anti-virus
- Anti-spam
- Webmail
- Mailing list
- Mail Quota
Thankfully, Christoph Haas already did an excellent job
on the subject. You can setup Postfix, ISP-style (virtual domains, MySQL
backend, POP3/IMAP, Secure Auth-SMTP, Anti-virus, Webmail) by following his
guide here :
http://www.workaround.org/articles/ispmail/
Now let's work on the rest:
Aliases
You can put aliases in forwardings table - but
what about aliases that execute commands instead of forwarding to another email
address ?
How it works:
- We need to forward a full email address (eg:
emailaddress@mydomain.com) to a local email address (eg: emailaddress) in
/etc/virtual-aliases.
- Then the local email address (eg: emailaddress)
will be mapped to a command (eg: "|/usr/bin/executeme") in /etc/aliases
Example:
/etc/virtual-aliases
razor-feedback@mydomain.com razor-feedback
/etc/aliases
razor-feedback: "|/usr/bin/razor-report"
To do this, follow these steps:
- Edit /etc/postfix/main.cf
- Ensure that the virtual_maps line contains this entry: hash:/etc/virtual-aliases
- Ensure that the alias_maps line contains this entry: hash:/etc/aliases
- Save & quit
To add new command aliases:
- Add them to /etc/aliases and /etc/virtual-aliases as noted above
- Run postmap /etc/virtual-aliases
- Run postalias /etc/aliases
- Reload postfix: postfix reload
Anti-spam
We'll be using SpamAssassin,
and use its statistical analysis feature + Razor plugin.
First, we'll be using
backports.org
quite a lot, to ensure that we're using a rather recent version of the package.
Usually I'm more interested in stability, but with spammers constantly creating
new tricks, I think it's fair to say that we need the latest tools available to
combat it effectively.
To use backports, ensure that the following line exists
in your /etc/apt/sources.list - note: REPLACE any existing reference to
backports.org with the following:
deb http://www.backports.org/debian stable amavisd-new clamav arj file razor spamassassin unzoo mailman
Now let's start installing SpamAssassin:
apt-get install procmail
apt-get install spamassassin
apt-get install razor
# Create the default configuration files in /etc/razor
razor-client
razor-admin -create
# Register yourself with the razor network.
razor-admin -discover
razor-admin -register -user postmaster@domain.com -pass whateverpasswordyouwish
To enable Razor:
- Edit /etc/spamassassin/local.cf
- Ensure that there's the following line:
use_razor2 1
A good razor user will give his/her spam to the
central database, so everyone else won't get that spam. We can do this easily by
setting up an email address where all email sent to it will be sent to razor's
database. Let's assume that the email address is razor-feedback@mydomain.com :
- Ensure that you have enabled aliases (look above)
- Put an alias in /etc/virtual-aliases: razor-feedback@mydomain.com razor-feedback
- Put an alias in /etc/aliases: razor-feedback: "|/usr/bin/razor-report"
- Update the virtual aliases database: postmap /etc/virtual-aliases
- Update the local aliases database: postalias /etc/aliases
- Reload postfix: postfix reload
To enable SpamAssassin in amavisd-new:
- Edit /etc/amavis/amavisd.conf
- Ensure that the following line is commented: @bypass_spam_checks_acl (there are TWO of them, quite close to each other)
- Ensure that the following line exists: $remove_existing_spam_headers = 0;
(the default is 1, so spam that gets passed will have no headers which identify
it as spam - which makes it difficult for our users to filter it)
- Save and quit
- Restart amavisd-new: amavisd-new stop and then amavisd-new start
Mailman
To install Mailman, type apt-get install mailman.
This will install the latest version from backports.org.
The one in the Debian stable repository doesn't even understand virtual domains, and
is thus unsuitable for most cases.
Once installed, we then need to set it up.
- Edit /etc/postfix/main.cf
- Ensure that the following line exists: owner_request_special = no
- Ensure that in virtual_maps there's this entry: hash:/var/lib/mailman/data/virtual-mailman
- Ensure that in alias_maps there's this entry: hash:/var/lib/mailman/data/aliases
- Save & quit
Now edit Mailman's config file:
- Edit /etc/mailman/mm_cfg.py
- Ensure that the following line exists: MTA = "Postfix"
- Ensure that the following line exists: POSTFIX_STYLE_VIRTUAL_DOMAINS = ['my.domain1.com', 'my.domain2.com', 'my.domain3.com']
- Save & quit
To add a new list:
- Type newlist <list_name>@<my.domain1.com>, and answer the questions.
- Type /usr/lib/mailman/bin/genaliases, which will update /var/lib/mailman/data/aliases and /var/lib/mailman/data/virtual-mailman accordingly
- Reload Mailman: /etc/init.d/mailman force-reload
Enjoy!
Troubleshooting
- It's boring indeed, but check and check again
for TYPOS. I did it myself several times! (head hangs in shame)
- If spam headers (X-Spam) are not present in
the incoming emails, make sure that your domain is in the local_domains_acl
list, which is in the /etc/amavis/amavisd.conf file.
- If you're having problems with Amavis and
not sure where to start, here's a clue - instead of starting amavis the usual
way (/etc/init.d/amavis start), type this instead: /usr/sbin/amavisd-new debug
Then if you try sending an email through it, you'll
be able to see the details of how it processed that email, and therefore hopefully
you'll be able to spot anything that went wrong.
FTP Server (proftpd)
Just type apt-get install proftpd really.
NOTE:
I suggest you use SFTP instead, which is automatically
enabled when you install SSH. Then your users can use
WinSCP
to upload files to your server securely.
Don't get me wrong, ProFTPd is an excellent product - but
the FTP protocol by its nature is not secure.
Web Admin interface (webmin + virtualmin + usermin)
NOTE
I was planning to setup a Cpanel-like
facility, but free, hence this chapter on Webmin + Virtualmin. However, the plan
got cancelled halfway, and now I administer my server via console. So please be
aware that the setup mentioned on this chapter has not been rigorously tested,
and you may need to do more work to get it to work like Cpanel.
Webmin installs cleanly (unlike many other server
management software), is of high quality (many webhosters are using it now), and
quite easy to use.
Unfortunately, the Debian woody package is very buggy
(according to its own maintainer, no less) so we're installing from source -
good thing it's very easy to do.
apt-get install libnet-ssleay-perl
apt-get install libauthen-pam-perl
cd /downloads
wget http://aleron.dl.sourceforge.net/sourceforge/webadmin/webmin-1.140.tar.gz
tar xzvf webmin-1.140.tar.gz
cd webmin-1.140
./setup.sh /usr/local/webmin
# install the requirements of virtualmin
apt-get install bind9
apt-get install webalizer
apt-get install libdbd-mysql-perl
apt-get install quota
# installing additional packages that are nice to have
apt-get install mon
apt-get install proftpd
apt-get install postgresql
apt-get install libdbd-pg-perl
Then download virtualmin :
wget http://www.webmin.com/download/virtualmin/virtual-server-1.91.wbm.gz
Once downloaded, install it via
https://<your_website>:10000/webmin/edit_mods.cgi
To get virtualmin up and running quickly, concentrate on
getting the following Webmin modules to work properly : Apache, Bind, MySQL
and/or PostgreSQL, Postfix, Quota, and Webalizer. Only then will you be able to
start using virtualmin.
Bandwidth monitor (ntop)
ntop
is a utility which will monitor your server's bandwidth usage, and present a
detailed report via browser. It's very detailed; it'll even show you how much
bandwidth is being used by different Internet protocols (eg: http, smtp, pop3,
etc). And the installation couldn't be easier, just enter the following:
apt-get install ntop
And that's it !
To view the reports, just enter http://yourserver_ip_address:3000
in your browser.
Quota
To set up quota, create another partition, use the ext3
filesystem, edit /etc/fstab, and make it look like this:
/dev/ubdc /home ext3 defaults,usrquota,grpquota 1 1
then mount it, then :
quotacheck -av -Fvfsold
quotaon -av
The quota facility is now enabled on /home.
You can control quota for each user via webmin.
spinner
A nifty utility which will keep your SSH connection from
timing out, by continuously printing a character in the top-left of the screen.
cd /downloads
wget http://downloads.laffeycomputer.com/current_builds/spinner/spinner-current.tar.gz
tar xvzf spinner-current.tar.gz
cd spinner-1.2.4
./configure --prefix=/usr/local
make
make install
/usr/local/bin/spinner
Credits
I've had excellent feedback via Linode's forum,
especially from
this
thread
A lot of things here are the result of suggestions made
by
ged,
especially from
his
own similar guide. We've agreed to work together on this guide.
And of course thanks to everyone who has made
open source such a success - especially to the developers.
Special thanks go to you, the users, for choosing to
use open-source solutions. Without you, there's no way OSS will succeed.
To contact me:
click here
Referenced pages/websites:
- ISP-style email service with Debian stable and
Postfix:
http://www.workaround.org/articles/ispmail/
Disclaimer
This tutorial gives no guarantee that it will work for
you, or be sufficiently secure for your purposes. Before using this document,
you must agree that its authors and distributors will not be held liable for any
damages due to using this information. If you don't agree to this, you may not
utilise the information in this guide.
I welcome positive contributions/critique/advice/etc for
this article. Just
click here to let me know about it.
To-do list
- Install netsnmp+mrtg to enable monitoring of almost everything about the
server (ram/cpu/disk/etc usage) - click here
- Modify mailserver tutorial to utilise quota, by following this instruction
(may have to ditch sqwebmail ?)