The Perfect Setup - SUSE 10.0

Version 1.2
Author: Till Brehm
Last edited: 03/09/2006

This is a detailed description of the steps needed to set up an OpenSUSE 10.0 based server that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP, quota, firewall, etc.) and the ISPConfig control panel.

I will use the following software:

  • Web Server: Apache 2.0.x
  • Mail Server: Postfix (easier to configure than sendmail; has a shorter history of security holes than sendmail)
  • DNS Server: BIND9
  • FTP Server: proftpd (ISPConfig will not work with vsftpd on OpenSUSE 10.0)
  • POP3/IMAP: I will use Maildir format and therefore install Courier-POP3/Courier-IMAP.
  • Webalizer for web site statistics

In the end you should have a system that works reliably and is ready for the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Requirements

To install such a system you will need the following:

  • OpenSUSE 10.0.
  • an internet connection...

1 The Base System

Boot from your first OpenSUSE 10.0 CD and select Installation from the boot screen:

SUSE Linux is booting; press Escape to see a more detailed boot progress:

Select your language:

Skip the media check by clicking on Next:

Accept the licence agreement:

The installer analyzes your system. Select your time zone next:

Select Other and click on Select...:

For a server setup, I select Text Mode and go with Next. YaST then shows the Installation Settings overview. You can change each of its choices by navigating to the appropriate headline. First, I change the partitioning scheme:

Click on Partitioning and then on Create Custom Partition Setup and click Next:

Select Custom Partitioning (for experts):

Now we create the partitions. I will use the following partition scheme:

/boot 50 MB
swap 1 GB
/ 10 GB
/var the rest of the hard disk

Creating a partition: click on Create, select Primary Partition and select the file system. I use ext3 for all partitions except the swap partition, which is of type swap. Then select the mount point corresponding to the partitioning scheme above.

Your partition table should look now similar to this one here, depending on your hard disk size. Click on Finish to proceed to the next step.

ISP Server Setup - OpenSUSE 10 - Page 2

    Now I've switched to Expert mode (the Expert tab in the Installation Settings), selected my Keyboard Layout and Accept:

    Back on the Installation Settings screen, click on Accept and then on Install:

    The hard disk is being formatted:

    The package installation starts (Click on the Details tab to see the detailed installation progress):

    After the basic package installation the system reboots. Remove the OpenSUSE CD and make sure the system boots from the hard disk:

    After the package installation you have to provide a password for root. Then hit the [Tab] key until Next is highlighted and hit Return.

    First we disable the default firewall. This is necessary to prepare the system for the ISPConfig installation, because ISPConfig provides its own firewall. If you do not want to install ISPConfig, leave the firewall enabled. To navigate in text mode use the Tab and arrow keys; enable or disable selections by hitting the Return key.


    Now we do the network configuration. Hit the [Tab] key until the window with the settings is highlighted, then hit the cursor keys until Network Interfaces is highlighted and hit return.

    On the next screen that appears, hit the [Tab] key until [Edit] is highlighted, then hit return:

    I do not want to get IP addresses from a DHCP server because a server should have static IP addresses so I change this by selecting Static Address Setup and enter an IP Address (e.g. 192.168.0.199) and a Subnet Mask (e.g. 255.255.255.0):

    Under Host Name and Name Server Configuration I set my hostname server1.example.com and enter up to 3 DNS servers (e.g. 145.253.2.75 and 193.174.32.18):

    Under Routing Configuration I set my gateway (e.g. 192.168.0.1):

    Under Advanced -> Additional Addresses you can set additional IP addresses. I want to create a virtual network card eth0:0 with the IP address 192.168.0.200 (my main one is 192.168.0.199 in this example) so I select Additional Addresses:

    I enter an Alias Name (0), my additional IP address (192.168.0.200) and my netmask (255.255.255.0):

    Click on OK, then OK again:

    Back to the main Network Configuration screen, and then Next:

    The network configuration is being saved:

    Now the internet connection of the system is tested and you may download the latest updates from a SUSE mirror and install them:

    When asked how users should authenticate choose Local (/etc/passwd):

    Create a second user other than root (e.g. admin):

    The system configuration gets written:

    Read the release notes (if you like...) and select Next + hit Enter:

    Finally YaST performs a hardware check (graphics cards, printers, sound, TV cards and Bluetooth). You can accept the results of this check as this hardware is not important for a server.

    Congratulations! Your base installation is complete.

    On to the next step...


    2 Installing And Configuring The Rest Of The System

    Now I can login on the console and enable the SSH daemon:

    chkconfig --add sshd

    /etc/init.d/sshd start

    Now I can login remotely with an SSH Client like Putty and make the 2nd part of the installation.

    Configure Additional IP Addresses

    If you want to add more IP addresses to your system, simply run

    yast2

    The YaST Control Center will pop up. Go to Network Devices -> Network Card. The next steps are the same as during the network setup in the installation.

    Setting The Hostname

    Apply the hostname you entered during installation (it is read from the hostname file):

    /bin/hostname -F /etc/hostname

    Adding Installation Sources

    To make package installation easier, I will add a network installation source. If you want to install all packages from CD / DVD, you can skip this step. Start yast2:

    yast2

    Select Installation Source, then Add and enter a mirror near you. You can find a list of mirrors here: http://www.opensuse.org/Mirrors_Development_Build.

    I selected this http mirror ( yes, it is an http mirror even though the URL starts with ftp :-) ):

    ftp.uni-erlangen.de/pub/mirrors/opensuse/distribution/SL-10.0-OSS/inst-source

    Then change the order of the installation sources, so that your new source is at the top. Then select Finish and Quit.

    Install Some Software

    yast -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget

    If you're on a 64-bit system (only then!), you must also install openssl-devel-32bit:

    yast -i openssl-devel-32bit


    Quota

    yast -i quota

    Edit /etc/fstab to look like this (I added ,usrquota,grpquota to partition /dev/sda3 (mount point /) and to /dev/sda4 (mount point /var); your device names might be different):

    /dev/sda3    /               ext3    acl,user_xattr,usrquota,grpquota    1 1
    /dev/sda1    /boot           ext3    acl,user_xattr                      1 2
    /dev/sda4    /var            ext3    acl,user_xattr,usrquota,grpquota    1 2
    /dev/sda2    swap            swap    defaults                            0 0
    proc         /proc           proc    defaults                            0 0
    sysfs        /sys            sysfs   noauto                              0 0
    usbfs        /proc/bus/usb   usbfs   noauto                              0 0
    devpts       /dev/pts        devpts  mode=0620,gid=5                     0 0
    /dev/dvdram  /media/dvdram   subfs   noauto,fs=cdfss,ro,procuid,nosuid,nodev,exec,iocharset=utf8  0 0
    /dev/fd0     /media/floppy   subfs   noauto,fs=floppyfss,procuid,nodev,nosuid,sync                0 0

    Then run:

    touch /aquota.user /aquota.group
    chmod 600 /aquota.*
    mount -o remount /
    touch /var/aquota.user /var/aquota.group
    chmod 600 /var/aquota.*
    mount -o remount /var
    quotacheck -avugm

    You will get this warning when running quotacheck the first time. Don't worry about it.

    quotacheck: WARNING - Quotafile //aquota.user was probably truncated. Can't save quota settings...
    quotacheck: WARNING - Quotafile //aquota.group was probably truncated. Can't save quota settings...

    Then run:

    quotaon -avug
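    The fstab edit above is easy to get wrong by hand (a typo in the options field can leave the filesystem unmountable at the next boot). The following shell functions are an added example, not part of the original tutorial or of ISPConfig: they make the same change field by field, can be re-run without duplicating the options, and check the result, including that the quota files carry the mode 600 set above. File paths are parameters so the functions can be tried on a copy; on the server they would be /etc/fstab and the mount points / and /var, as assumed from the text.

```shell
#!/bin/sh
# Added example, not from the original tutorial: make the quota changes above
# field-aware, repeatable and checkable. Paths are parameters; on the server
# they would be /etc/fstab and the mount points / and /var (assumed from
# the text). Note: awk rebuilds an edited line with single spaces, so the
# column alignment of that one line is lost, which is harmless to mount(8).

# add_quota_opts FSTAB MOUNTPOINT
# Append usrquota and grpquota to the options (4th) field of the entry for
# MOUNTPOINT unless already present. Writes a FSTAB.bak copy first and
# rewrites the original in place (same inode, same permissions).
add_quota_opts() {
    fstab=$1; mp=$2
    tmp=$(mktemp) || return 1
    awk -v mp="$mp" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, o, ","); hasu = 0; hasg = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "usrquota") hasu = 1
                if (o[i] == "grpquota") hasg = 1
            }
            if (!hasu) $4 = $4 ",usrquota"
            if (!hasg) $4 = $4 ",grpquota"
        }
        { print }' "$fstab" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$fstab" "$fstab.bak" && cat "$tmp" > "$fstab"
    rc=$?; rm -f "$tmp"; return $rc
}

# quota_opts_present FSTAB MOUNTPOINT : 0 if both options are set on the entry
quota_opts_present() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] == "usrquota") u = 1
                if (o[i] == "grpquota") g = 1
            }
        }
        END { exit (u && g) ? 0 : 1 }' "$1"
}

# quota_files_secure DIR : 0 if DIR/aquota.user and DIR/aquota.group exist
# and are mode 0600. quotacheck stores every user's usage in them, so they
# should not be readable by other users (hence the chmod 600 in the text).
quota_files_secure() {
    for f in "$1/aquota.user" "$1/aquota.group"; do
        [ -f "$f" ] || return 1
        [ -n "$(find "$f" -perm 0600 -print)" ] || return 1
    done
    return 0
}

# Demo on a constructed fstab (a sample written here, not read from a system):
demo=$(mktemp)
cat > "$demo" <<'EOF'
/dev/sda3 / ext3 acl,user_xattr 1 1
/dev/sda1 /boot ext3 acl,user_xattr 1 2
/dev/sda4 /var ext3 acl,user_xattr 1 2
/dev/sda2 swap swap defaults 0 0
EOF
add_quota_opts "$demo" /
add_quota_opts "$demo" /var
add_quota_opts "$demo" /var      # re-running does not duplicate the options
grep -E '^/dev/sda[34] ' "$demo"
rm -f "$demo" "$demo.bak"
# On the real system: add_quota_opts /etc/fstab /var && mount -o remount /var,
# then the touch/chmod/quotacheck/quotaon steps from the text.
```

    On the server, run add_quota_opts against /etc/fstab for / and /var, remount, and then use quota_files_secure / and quota_files_secure /var after the touch and chmod steps as a final check before quotaon.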


    DNS-Server

    yast -i bind bind-chrootenv bind-devel bind-utils

    chkconfig --add named
    /etc/init.d/named start

    Bind will run in a chroot jail under /var/lib/named.

    MySQL

    yast -i mysql mysql-client mysql-shared perl-DBD-mysql perl-DBI perl-Data-ShowTable mysql-devel

    chkconfig --add mysql
    /etc/init.d/mysql start

    netstat -tap

    It should show a line like this:

    tcp        0      0 *:mysql                 *:*                     LISTEN      6621/mysqld

    If it does not, edit /etc/my.cnf and comment out the option skip-networking. (With networking enabled mysqld accepts TCP connections on every interface; if only local processes such as ISPConfig need it, add bind-address = 127.0.0.1 to the [mysqld] section so it listens on the loopback address only, or block port 3306 in the firewall.)

    # Don't listen on a TCP/IP port at all. This can be a security enhancement,
    # if all processes that need to connect to mysqld run on the same host.
    # All interaction with mysqld must be made via Unix sockets or named pipes.
    # Note that using this option without enabling named pipes on Windows
    # (via the "enable-named-pipe" option) will render mysqld useless!
    #
    #skip-networking

    and restart your MySQL server:

    /etc/init.d/mysql restart

    Run

    mysqladmin -u root password yourrootsqlpassword

    to set a password for the user root (otherwise anybody can access your MySQL database!). A password given on the command line is recorded in the shell history and is visible in the process list while the command runs, so remove that line from ~/.bash_history afterwards.

    Postfix With SMTP-AUTH And TLS

    yast -i cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd

    chkconfig --add saslauthd
    /etc/init.d/saslauthd start

    mkdir /etc/postfix/ssl
    cd /etc/postfix/ssl/
    # -rand /etc/hosts adds no meaningful entropy; the key is seeded from the kernel RNG anyway.
    # 1024-bit keys and 10-year self-signed certificates were usual in 2006; today choose at least 2048 bits and a shorter lifetime.
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
    chmod 600 smtpd.key
    openssl req -new -key smtpd.key -out smtpd.csr
    openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
    # Strip the passphrase so Postfix can load the key without interaction; check afterwards that smtpd.key is still mode 600.
    openssl rsa -in smtpd.key -out smtpd.key.unencrypted
    mv -f smtpd.key.unencrypted smtpd.key
    # Note: smtpd.crt above is self-signed; this CA did not sign it. Postfix uses the CA file for verifying client certificates.
    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

    postconf -e 'mydomain = example.com'
    postconf -e 'myhostname = server1.$mydomain'
    postconf -e 'smtpd_sasl_local_domain ='
    postconf -e 'smtpd_sasl_auth_enable = yes'
    postconf -e 'smtpd_sasl_security_options = noanonymous'
    postconf -e 'broken_sasl_auth_clients = yes'
    # check_relay_domains is the old name; on current Postfix use reject_unauth_destination in its place.
    postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
    postconf -e 'inet_interfaces = all'
    postconf -e 'alias_maps = hash:/etc/aliases'
    # "no" lets clients authenticate on the unencrypted session; "yes" withholds AUTH until STARTTLS has succeeded.
    postconf -e 'smtpd_tls_auth_only = no'
    postconf -e 'smtp_use_tls = yes'
    postconf -e 'smtpd_use_tls = yes'
    postconf -e 'smtp_tls_note_starttls_offer = yes'
    postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
    postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
    postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
    postconf -e 'smtpd_tls_loglevel = 1'
    postconf -e 'smtpd_tls_received_header = yes'
    postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
    postconf -e 'tls_random_source = dev:/dev/urandom'

    To enable tls connections in postfix, edit /etc/postfix/master.cf and uncomment the line:

    #tlsmgr unix - - n 1000? 1 tlsmgr

    Now restart Postfix:

    /etc/init.d/postfix restart

    To see if SMTP-AUTH and TLS work properly now run the following command:

    telnet localhost 25

    After you have established the connection to your postfix mail server type

    ehlo localhost

    If you see the lines

    250-STARTTLS

    and

    250-AUTH

    then everything is fine.

    Type

    quit

    to return to the system's shell.
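    The manual telnet session above checks two lines by eye. The following shell functions are an added example, not part of the original tutorial or of Postfix: they do the same check on captured EHLO output so it can be scripted and repeated, list the AUTH mechanisms offered, and point out the property this configuration has (AUTH advertised on the unencrypted session, because smtpd_tls_auth_only = no). The parsing runs offline on a constructed sample; the live probe at the end assumes bash (/dev/tcp) and the coreutils timeout command and is only used if you call it.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the same check as the
# telnet session above, done on captured EHLO output so it can be scripted
# and repeated. It parses a response for STARTTLS and AUTH, lists the AUTH
# mechanisms, and flags the case this configuration allows (AUTH offered on
# the unencrypted session, because smtpd_tls_auth_only = no). The live probe
# at the end assumes bash (/dev/tcp) and coreutils timeout; nothing here
# contacts a server unless you call it.

# ehlo_has RESPONSE KEYWORD : 0 if a "250-KEYWORD" or "250 KEYWORD" line is
# present (the final line of an EHLO reply uses a space, the others a dash).
ehlo_has() {
    printf '%s\n' "$1" | grep -Eiq "^250[- ]$2([[:space:]=]|\$)"
}

# ehlo_auth_mechs RESPONSE : print the mechanisms from the AUTH line(s), one
# per line, in the order offered. Postfix with broken_sasl_auth_clients = yes
# also emits "250-AUTH=..." for old clients; both forms are handled.
ehlo_auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        { l = toupper($0) }
        substr(l, 1, 8) == "250-AUTH" || substr(l, 1, 8) == "250 AUTH" {
            rest = substr($0, 9); sub(/^[= ]/, "", rest)
            n = split(rest, m, " ")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' | awk '!seen[$0]++'
}

# ehlo_verdict RESPONSE : print a summary; 0 only when both STARTTLS and AUTH
# are advertised, the success condition used in the text.
ehlo_verdict() {
    resp=$1; rc=0
    if ehlo_has "$resp" STARTTLS; then
        echo "STARTTLS: offered"
    else
        echo "STARTTLS: missing (check the smtpd_tls_* settings and the tlsmgr line in master.cf)"; rc=1
    fi
    if ehlo_has "$resp" AUTH; then
        echo "AUTH: offered ($(ehlo_auth_mechs "$resp" | tr '\n' ' '))"
        echo "note: AUTH is advertised on the unencrypted session, so a client may send its password in clear; smtpd_tls_auth_only = yes withholds AUTH until TLS is up"
    else
        echo "AUTH: missing (check saslauthd and smtpd_sasl_auth_enable)"; rc=1
    fi
    return $rc
}

# smtp_ehlo_live HOST PORT : bash-only live probe for use on the server,
# e.g. smtp_ehlo_live localhost 25 | { r=$(cat); ehlo_verdict "$r"; }
smtp_ehlo_live() {
    exec 3<>"/dev/tcp/$1/$2" || return 1
    printf 'EHLO localhost\r\nQUIT\r\n' >&3
    timeout 5 cat <&3
    exec 3<&- 3>&-
}

# Constructed sample of what "ehlo localhost" returns after the configuration
# above (written here by hand, not captured from a server):
sample='250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'
ehlo_verdict "$sample"
```

    The EHLO reply only shows that STARTTLS is advertised; to see the TLS handshake itself succeed with the self-signed certificate from this section, run openssl s_client -starttls smtp -connect localhost:25 and check that it prints the certificate and a session ID before the 250 banner reappears.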

    Courier-IMAP/Courier-POP3

    I want to use a POP3/IMAP daemon that has Maildir support. That's why I use Courier-IMAP and Courier-POP3.

    yast -i courier-imap fam-server courier-authlib expect tcl
    chkconfig --add fam
    chkconfig --add courier-authdaemon
    chkconfig --add courier-pop
    chkconfig --add courier-imap
    /etc/init.d/courier-pop start
    /etc/init.d/courier-imap start

    postconf -e 'home_mailbox = Maildir/'
    postconf -e 'mailbox_command ='
    /etc/init.d/postfix restart

    *Please note: You do not have to do this if you intend to use ISPConfig on your system, as ISPConfig does the necessary configuration using procmail recipes. But please make sure to enable Maildir under Management -> Settings -> EMail in the ISPConfig web interface.


    Apache/PHP5

    yast2 -i apache2 apache2-devel apache2-mod_perl apache2-mod_php5 apache2-prefork libapr0 perl-HTML-Parser perl-HTML-Tagset perl-Tie-IxHash perl-URI perl-libwww-perl php5 php5-devel zlib zlib-devel

    yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dbase php5-dbx php5-debuginfo php5-dio php5-dom php5-fam php5-filepro php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mhash php5-mysql php5-mysqli php5-ncurses php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-yp php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl (1 line!)

    chkconfig --add apache2

    ISPConfig configures the perl and PHP mimetypes on a per vhost basis, so we comment them out in the global setup.
    Edit /etc/mime.types. Comment out the following 2 lines:

    # application/x-httpd-php                phtml pht php
    # application/x-perl pl pm

    Edit /etc/apache2/httpd.conf and change

    DirectoryIndex index.html index.html.var

    to

    DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx

    Edit /etc/sysconfig/apache2 and add rewrite to the APACHE_MODULES line:

    APACHE_MODULES="access actions alias auth [...] setenvif ssl suexec userdir php4 php5 rewrite"

    Also add SSL to the APACHE_SERVER_FLAGS line:

    APACHE_SERVER_FLAGS="SSL"

    Then run

    SuSEconfig
    /etc/init.d/apache2 start
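    The mime.types and /etc/sysconfig/apache2 edits above are usually done in an editor. The shell functions below are an added example, not part of the original tutorial, ISPConfig or SUSE: they apply the same edits idempotently (a second run changes nothing) and let you verify that the global PHP and Perl mappings are really off and that rewrite and SSL are really in the lists. The file paths are parameters so the functions can be tried on copies; the real ones are assumed to be /etc/mime.types and /etc/sysconfig/apache2 as in the text, and SuSEconfig plus the Apache restart are still needed afterwards.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the mime.types and
# /etc/sysconfig/apache2 edits above as idempotent shell functions that can
# be re-run and checked. The file paths are parameters; the real ones are
# assumed to be /etc/mime.types and /etc/sysconfig/apache2 as in the text.
# After running them on the server, SuSEconfig and an apache2 restart are
# still needed, exactly as described above.

# comment_out_type MIMEFILE TYPE : comment out every active line whose first
# field is TYPE (e.g. application/x-httpd-php). Lines already commented are
# left alone, so a second run changes nothing.
comment_out_type() {
    tmp=$(mktemp) || return 1
    awk -v t="$2" '$1 == t { print "# " $0; next } { print }' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# type_is_active MIMEFILE TYPE : 0 if TYPE is still mapped globally. While
# application/x-httpd-php is active, every *.php under every vhost is run
# by the global PHP module, bypassing the per-vhost handlers ISPConfig sets.
type_is_active() {
    awk -v t="$2" '$1 == t { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# sysconfig_list_add FILE VAR VALUE : append VALUE to the space-separated
# list in VAR="..." unless already listed. Other lines are copied verbatim.
sysconfig_list_add() {
    tmp=$(mktemp) || return 1
    awk -v var="$2" -v val="$3" '
        index($0, var "=\"") == 1 {
            line = substr($0, length(var) + 3)      # text after VAR="
            sub(/"[[:space:]]*$/, "", line)         # drop the closing quote
            n = split(line, items, " "); have = 0
            for (i = 1; i <= n; i++) if (items[i] == val) have = 1
            if (!have) line = (n == 0 ? val : line " " val)
            print var "=\"" line "\""
            next
        }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# sysconfig_list_has FILE VAR VALUE : 0 if VALUE is in the VAR="..." list
sysconfig_list_has() {
    awk -v var="$2" -v val="$3" '
        index($0, var "=\"") == 1 {
            line = substr($0, length(var) + 3); sub(/".*$/, "", line)
            n = split(line, items, " ")
            for (i = 1; i <= n; i++) if (items[i] == val) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Demo on constructed copies (sample content written here, not the system files):
mime=$(mktemp); cfg=$(mktemp)
printf 'application/x-httpd-php\tphtml pht php\napplication/x-perl\tpl pm\ntext/html\thtml htm\n' > "$mime"
printf 'APACHE_MODULES="access actions alias php5"\nAPACHE_SERVER_FLAGS=""\n' > "$cfg"
comment_out_type "$mime" application/x-httpd-php
comment_out_type "$mime" application/x-perl
sysconfig_list_add "$cfg" APACHE_MODULES rewrite
sysconfig_list_add "$cfg" APACHE_SERVER_FLAGS SSL
cat "$mime" "$cfg"
rm -f "$mime" "$cfg"
# On the server: run the same calls against /etc/mime.types and
# /etc/sysconfig/apache2, then SuSEconfig && /etc/init.d/apache2 restart
```

    type_is_active /etc/mime.types application/x-httpd-php returning 1 and sysconfig_list_has /etc/sysconfig/apache2 APACHE_MODULES rewrite returning 0 are the two conditions worth checking before running SuSEconfig.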

    Proftpd

    I want to use Proftpd instead of vsftpd, which is SUSE's default FTP server, because the control panel software I am going to install on this server (ISPConfig) requires Proftpd on SUSE 10.0 (on other distributions this is different). Since there are no SUSE packages for Proftpd I have to compile it manually. Version 1.2.10 was the current release when this was written; take the current release from the same download directory, and compare the downloaded tarball against the checksum or signature published there before unpacking it, since a plain FTP download gives no integrity guarantee:

    cd /tmp/
    wget --passive-ftp ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.10.tar.gz

    tar xvfz proftpd-1.2.10.tar.gz
    cd proftpd-1.2.10/
    ./configure --sysconfdir=/etc
    make
    make install

    cd ../
    rm -fr proftpd-1.2.10*

    Now create the file /etc/init.d/proftpd:

    #! /bin/sh
    # Copyright (c) 2000-2001 SuSE GmbH Nuernberg, Germany.
    # All rights reserved.
    #
    # Original author: Marius Tomaschewski <mt@suse.de>
    #
    # Slightly modified in 2003 for use with SuSE Linux 8.1,
    # by http://www.learnlinux.co.uk/
    #
    # Slightly modified in 2005 for use with SuSE Linux 9.2,
    # by Falko Timme
    #
    # /etc/init.d/proftpd
    #
    ### BEGIN INIT INFO
    # Provides: proftpd
    # Required-Start: $network $remote_fs $syslog $named
    # Required-Stop:
    # Default-Start: 3 5
    # Default-Stop: 0 1 2 6
    # Description: Starts ProFTPD server
    ### END INIT INFO

    # Determine the base and follow a runlevel link name.
    base=${0##*/}
    link=${base#*[SK][0-9][0-9]}

    # Force execution if not called by a runlevel directory.
    test $link = $base && START_PROFTPD=yes # Modified by learnlinux.co.uk
    test "$START_PROFTPD" = yes || exit 0 # Modified by learnlinux.co.uk

    # Paths for a build done with "./configure --sysconfdir=/etc" and the
    # default prefix /usr/local: the config file matches the /etc/proftpd.conf
    # used below; the binary and pid file follow the ProFTPD build defaults
    # (adjust them if you configured a different prefix).
    proftpd_cfg="/etc/proftpd.conf"
    proftpd_bin="/usr/local/sbin/proftpd"
    proftpd_pid="/usr/local/var/proftpd.pid"

    # Exit codes according to LSB: 6 = not configured, 5 = not installed.
    [ -r $proftpd_cfg ] || exit 6
    [ -x $proftpd_bin ] || exit 5

    # Source status functions
    . /etc/rc.status

    # First reset status of this service
    rc_reset

    case "$1" in
        start)
            echo -n "Starting ProFTPD Server: "
            test -f /etc/shutmsg && rm -f /etc/shutmsg
            /sbin/startproc $proftpd_bin
            rc_status -v
            ;;

        stop)
            echo -n "Shutting down ProFTPD Server: "
            # ftpshut refuses new logins before the daemon is signalled
            test -x /usr/local/sbin/ftpshut && /usr/local/sbin/ftpshut now && sleep 1
            /sbin/killproc -TERM $proftpd_bin
            test -f /etc/shutmsg && rm -f /etc/shutmsg
            rc_status -v
            ;;

        restart)
            ## If first returns OK call the second, if first or
            ## second command fails, set echo return value.
            $0 stop
            $0 start
            rc_status
            ;;

        try-restart)
            ## Stop the service and if this succeeds (i.e. the
            ## service was running before), start it again.
            ## Note: not (yet) part of LSB (as of 0.7.5)
            $0 status >/dev/null && $0 restart
            rc_status
            ;;

        reload|force-reload)
            ## Exclusive possibility: Some services must be stopped
            ## and started to force a new load of the configuration.
            echo -n "Reload ProFTPD Server: "
            /sbin/killproc -HUP $proftpd_bin
            rc_status -v
            ;;

        status)
            # Return values are slightly different for the status command:
            # 0 - service running
            # 1 - service dead, but /var/run/ pid file exists
            # 2 - service dead, but /var/lock/ lock file exists
            # 3 - service not running
            echo -n "Checking for ProFTPD Server: "
            checkproc $proftpd_bin
            rc_status -v
            ;;

        probe)
            ## Optional: Probe for the necessity of a reload,
            ## give out the argument which is required for a reload.
            [ $proftpd_cfg -nt $proftpd_pid ] && echo reload
            ;;

        *)
            echo "Usage: $0 {start|stop|status|restart|reload|try-restart|probe}"
            exit 1
            ;;
    esac

    # Set an exit status.
    rc_exit

    chmod 755 /etc/init.d/proftpd
    chkconfig --add proftpd

    /etc/init.d/proftpd start

    For security reasons you can add the following lines to /etc/proftpd.conf:

    DefaultRoot ~
    IdentLookups off
    ServerIdent on "FTP Server ready."

    Be sure to comment out the following lines in order to allow ftp users to CHMOD:

    # Bar use of SITE CHMOD by default
    # <Limit SITE_CHMOD>
    # DenyAll
    # </Limit>

    and restart Proftpd:

    /etc/init.d/proftpd restart

    Webalizer

    To install webalizer, just run

    yast2 -i webalizer

    Synchronize the System Clock

    If you want to have the system clock synchronized with an NTP server do the following:

    yast2 -i xntp

    Add an NTP server

    yast2

    Select Network Services -> NTP Client:

    Then select Automatically Start NTP Daemon During Boot and enter the address of the NTP server. I used the public server with the IP address 192.43.244.18. Then select Finish and Quit.

    Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)

    yast2 -i perl-HTML-Parser perl-Net-DNS perl-Digest-SHA1


    On To The Next Step...

    The configuration of the server is now finished, and we go on by installing ISPConfig on it.


    3 Installing ISPConfig

    I will install the current ISPConfig version. Download the current ISPConfig version from http://www.ispconfig.org/downloads.htm to your /tmp directory.

    Unpack the ISPConfig-archive and change to the directory install_ispconfig:

    tar xvfz ISPConfig*.tar.gz
    cd install_ispconfig

    Start the setup script

    ./setup

    The installer will now compile an Apache with PHP5 that will run on port 81 and is needed by the ISPConfig system itself. It will not interfere with your existing Apache installation, so you can go on unworried.

    When the ISPConfig Apache is built, a custom SSL certificate is built. Therefore you are asked a few questions. You can accept the default values, or you can enter new values there, this does not matter:

    In step 7 (Encrypting RSA private key of CA with a pass phrase for security [ca.key]) and step 8 (Encrypting RSA private key of SERVER with a pass phrase for security [server.key]) of the certificate creation process you are asked if you want to encrypt the respective key now. Choose n there because otherwise you will always be asked for a password whenever you want to restart the ISPConfig system which means it cannot be restarted without human interaction!

    If the compilation fails, the setup is stopped and all compiled files are removed. From the error message you get you should be able to see the reason for the failure (in most cases a package (like the MySQL header files) is missing). Try to solve the problem and the re-run ./setup.

    In case of success the setup goes on:

    Please choose your language. This is the language of the ISPConfig interface.

    Afterwards you are shown the ISPConfig licence (BSD licence). Please read it carefully! You accept it by typing y. If you do not want to accept the ISPConfig licence, type n, and the installation routine stops.

    As installation mode I chose Expert because I want to set the website root to /var/www. When you are asked for the installation mode, type 2 and hit Return.

    Now you are asked whether the daemons like Postfix etc. have been recognized correctly and for their file locations; answer y (yes).

    When you are asked:

    Web-Root: /home/www
    Is this correct? [y/n]

    choose n and enter /var/www as Web-Root.

    Then you are asked for some installation settings:

    Please enter your MySQL server: localhost
    Please enter your MySQL user: root
    Please enter your MySQL password: (Enter the password you chose when setting up the MySQL Server)

    Please enter a name for the ISPConfig database (e.g. db_ispconfig): db_ispconfig
    Please enter the IP address of the ISPConfig web (e.g. 192.168.0.1): 192.168.0.199 (Enter your IP here)

    Now you are asked to enter the host and domain of your server. If your server has a host and domain name, enter them now. As this is a test install in my local network, I leave the host empty and enter my IP address instead of the domain.

    Please enter the host name (e.g. www):
    Please enter the domain (e.g. xyz.de): 192.168.0.199

    Please select the protocol (http or https (SSL encryption)) to use to access the ISPConfig system:
    1) HTTPS
    2) HTTP
    Your Choice:
    1

    After you have answered the questions ISPConfig should be duly installed. If you indicated www as host and xyz.de as the domain during the installation, you will find the ISPConfig interface under https://www.xyz.de:81 or http://www.xyz.de:81. Here you can log in first with the user name admin and password admin. Change this password immediately, before the interface is reachable from anywhere else! This can be done in the ISPConfig web interface under Tools -> Change password.

    Then go to Management -> Server -> Settings in the ISPConfig control panel and tick the Maildir checkbox on the EMail tab.

    If your server has more than one IP address, please check under Management -> Server -> Settings, on the tab Server -> IP List, whether your additional IP addresses have been detected correctly by the installation routine.


