The Perfect Setup - SUSE 10.1 (32-bit)

Author: Falko Timme

This is a detailed description of how to set up a SuSE 10.1 based server that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP, Quota, Firewall, etc.).

I will use the following software:

  • Web Server: Apache 2.2.0
  • Database Server: MySQL 5.0
  • Mail Server: Postfix
  • DNS Server: BIND9
  • FTP Server: proftpd (ISPConfig will not work with vsftpd on SUSE 10.1)
  • POP3/IMAP: I will use Maildir format and therefore install Courier-POP3/Courier-IMAP.
  • Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Requirements

To install such a system you will need the following:

1 The Base System

Boot from your first SuSE 10.1-CD and select Installation from the boot screen:

Select your language:

Skip the media check by clicking on Next:

Accept the license agreement:

Select New installation:

Select your time zone next:

At the Desktop Selection screen, choose Other and click on Select...:

As we want to install a server, we do not need a desktop. Therefore we select Text Mode and click on OK and then on Next.

The Installation Settings screen lists the available installation settings. You can change each of its choices by navigating to the appropriate headline. First, I change the partitioning scheme by clicking on Partitioning and then on Create Custom Partition Setup and then on Next:

Select Custom Partitioning (for experts):

Now we create the partitions. I will use the following partition scheme:

/boot 100 MB
swap 500 MB
/ the rest of the hard disk

Creating a partition: Click on Create, select Primary Partition, select the format. I will use ext3 for all partitions (I want to install quota later on, and quota works best with ext3 - you might encounter problems with reiserFS!) except the swap partition, which is of type swap. Then select the mountpoint corresponding to the above partitioning scheme.

Your partition table should now look similar to this one, depending on your hard disk size. Click on Finish to proceed to the next step.

    Now switch to Expert mode (the Expert tab in the Installation Settings), select your Keyboard Layout and Accept:

    Back on the Installation Settings screen, click on Accept and then on Install:

    The hard disk is being formatted:

    The package installation starts (click on the Details tab to see the detailed installation progress):

    After the basic package installation the system reboots. Remove the SuSE CD and make sure to boot from the hard disk:

    After the system has come up again, we must provide a Hostname and a Domain Name. My server's name is server1.example.com, so I fill in server1 as Hostname and example.com as Domain Name. Afterwards, we disable Change Hostname via DHCP because a server's hostname should be static.

    Next provide a password for root. Then hit the [Tab] key until Next is highlighted and hit return.

    On to the Network Configuration. First we disable the default firewall. This is necessary to prepare the system for the ISPConfig installation. ISPConfig provides its own firewall. If you do not want to install ISPConfig, leave the firewall enabled. To navigate in text-mode use the tab and arrow keys. Enable or disable selections by hitting the return key.


    Then mark Network Interfaces and hit return. The following screen should come up:

    Hit the [Tab] key until [Edit] is highlighted, then hit return. You should now be on the Network Address Setup screen:

    I do not want to get IP addresses from a DHCP server because a server should have static IP addresses so I change this by selecting Static Address Setup and enter an IP Address (e.g. 192.168.0.181) and a Subnet Mask (e.g. 255.255.255.0):

    Then go to the Hostname and Name Server settings. The hostname (server1.example.com) should already be there (remember, we specified this earlier in our setup). Fill in up to three Name Servers (e.g. 145.253.2.75, 193.174.32.18, and 194.25.0.60). Unfortunately we cannot disable Update Name Servers and Search List via DHCP - I think this is a bug in YaST. Afterwards, hit OK.

    Next, go to Routing and enter the Default Gateway. For me, this is 192.168.0.1:

    Then we can leave the network card configuration by hitting Next twice:

    Our network configuration is finished now, therefore we hit Next again on the Network Configuration screen:

    The network configuration is being saved:

    Now the internet connection of the system is tested and you may download the latest updates from a SuSE mirror and install them. Be patient here, this might take a few minutes (package management is really slow on SuSE 10.1).

    Now configure the Online Update function and install the latest updates, if available:

    When asked how users should authenticate, choose Local (/etc/passwd):

    Create a second user other than root (e.g. admin):

    Read the release notes (if you like...) and hit Next:

    Finally YaST performs a hardware check (graphics cards, printers, sound, TV cards and Bluetooth). You can accept the results of this check as this hardware is not important for a server.

    Congratulations! Your base installation is complete.

      2 Adding Installation Sources

      To make package installation easier, I will add a network installation source. If you want to install all packages from CD / DVD, you can skip this step. Start yast2:

      yast2

      Go to Software -> Installation Source:

      Select Add and enter a mirror near you. You can find a list of mirrors here: http://www.opensuse.org/Mirrors_Development_Build.

      I selected this http mirror ( yes, it is an http mirror even though the URL starts with ftp :-) ):

      ftp.uni-erlangen.de/pub/mirrors/opensuse/distribution/SL-10.1/inst-source

      As Server Name, I enter ftp.uni-erlangen.de, and as Directory on Server I fill in /pub/mirrors/opensuse/distribution/SL-10.1/inst-source:

      Finally I move my new installation source to the top of the list so that it will be the preferred location to fetch software packages from. At the same time I delete my SuSE CDs from the list (normally it would be enough to move the CDs down the list, but YaST seems to be buggy - whenever I moved the CDs down, they were back at the top when I entered YaST the next time...).

      Hit Finish afterwards. You have to be patient now, in my tests it took about ten minutes(!) until YaST updated the installation sources. During that period, it seems as if YaST was hanging, but in fact it is working. You can check that in a second shell window with the command

      tail -f /var/log/YaST2/y2log

      I don't know what the SuSE developers did to YaST, but it's a change for the worse for sure...

       

      3 Install Some Software

      Now we install a few packages that are needed later on. Run

      yast -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget

      If you're on a 64-bit system (only then!), you must also install openssl-devel-32bit:

      yast -i openssl-devel-32bit

      4 Quota

      To install quota, run

      yast -i quota

      Edit /etc/fstab to look like this (I added ,usrquota,grpquota to partition /dev/sda3 (mount point /); your device name might be /dev/hda2 or similar):

      vi /etc/fstab

      /dev/sda3            /                    ext3       acl,user_xattr,usrquota,grpquota        1 1
      /dev/sda1 /boot ext3 acl,user_xattr 1 2
      /dev/sda2 swap swap defaults 0 0
      proc /proc proc defaults 0 0
      sysfs /sys sysfs noauto 0 0
      debugfs /sys/kernel/debug debugfs noauto 0 0
      devpts /dev/pts devpts mode=0620,gid=5 0 0
      /dev/fd0 /media/floppy auto noauto,user,sync 0 0

      Then run:

      touch /aquota.user /aquota.group
      chmod 600 /aquota.*

      and reboot the system:

      shutdown -r now

      After the system has come up again, enable quota like this:

      quotacheck -avugm
      quotaon -avug
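
A pre-reboot check for the /etc/fstab edit in this section, as an added example that is not part of the original tutorial. fstab_add_quota and fstab_root_has_quota are hypothetical helper names and the embedded fstab is a constructed sample modelled on the listing above; both helpers work on stdin/stdout, so /etc/fstab itself is never written.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Helper names are hypothetical.

# Read an fstab on stdin and print it with usrquota,grpquota appended to the
# options of the entry mounted on "/". Options already present are not added
# twice, so running it a second time changes nothing.
fstab_add_quota() {
    awk '
        /^[ \t]*#/ || NF < 4 { print; next }   # comments, blank or short lines
        $2 == "/" {
            n = split($4, opt, ",")
            have_u = 0; have_g = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^usrquota(=|$)/) have_u = 1
                if (opt[i] ~ /^grpquota(=|$)/) have_g = 1
            }
            if (!have_u) $4 = $4 ",usrquota"
            if (!have_g) $4 = $4 ",grpquota"
        }
        { print }'
}

# Exit status 0 only if the "/" entry carries both quota options and every
# non-comment entry still has at least the four mandatory fstab fields.
fstab_root_has_quota() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        NF < 4 { bad = 1 }
        $2 == "/" {
            o = "," $4 ","
            if (o ~ /,usrquota[,=]/ && o ~ /,grpquota[,=]/) ok = 1
        }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# Constructed sample: the first entries of the fstab above, before the edit.
sample_fstab() {
    cat <<'EOF'
/dev/sda3 / ext3 acl,user_xattr 1 1
/dev/sda1 /boot ext3 acl,user_xattr 1 2
/dev/sda2 swap swap defaults 0 0
proc /proc proc defaults 0 0
EOF
}

# Typical use against the real file, reviewing the result before the reboot:
#   fstab_add_quota < /etc/fstab > /tmp/fstab.new
#   diff /etc/fstab /tmp/fstab.new
#   fstab_root_has_quota < /tmp/fstab.new && echo "root entry OK"
```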

       

      5 DNS Server

      Run

      yast -i bind bind-chrootenv bind-devel bind-utils

      Then we add the system startup links for BIND and start it:

      chkconfig --add named
      /etc/init.d/named start

      Bind will run in a chroot jail under /var/lib/named.


      6 MySQL

      In order to install MySQL, we run

      yast -i mysql mysql-client mysql-shared perl-DBD-mysql perl-DBI perl-Data-ShowTable mysql-devel

      Then we add the system startup links for MySQL and start it:

      chkconfig --add mysql
      /etc/init.d/mysql start

      Now check that networking is enabled. Run

      netstat -tap

      In the output you should see a line like this one:

      tcp        0      0 *:mysql                 *:*                     LISTEN      6621/mysqld

      If you don't see a line like this, edit /etc/my.cnf and comment out the option skip-networking:

      vi /etc/my.cnf

      #skip-networking

      and restart your MySQL server:

      /etc/init.d/mysql restart

      Run

      mysqladmin -u root password yourrootsqlpassword
      mysqladmin -h server1.example.com -u root password yourrootsqlpassword

      to set a password for the user root (otherwise anybody can access your MySQL database!).
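
The netstat check in this section shows whether mysqld listens at all; this added example (not part of the original tutorial) also reports which address it is bound to, since *:mysql means every interface. mysql_listen_scope is a hypothetical helper name and the netstat lines are constructed samples in the format shown above.

```shell
#!/bin/sh
# Added example (not from the original tutorial). mysql_listen_scope is a
# hypothetical helper; feed it the output of "netstat -tap" or "netstat -tanp".

# Prints one word describing where MySQL accepts TCP connections:
#   all-interfaces    wildcard bind (*, 0.0.0.0, :: or [::])
#   specific-address  bound to one non-loopback address
#   loopback-only     bound to localhost / 127.x / ::1 only
#   not-listening     no TCP listener (e.g. skip-networking is active)
mysql_listen_scope() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/^.*:/, "", port)       # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            if (port != "mysql" && port != "3306") next
            if (host == "*" || host == "0.0.0.0" || host == "::" || host == "[::]")
                wild = 1
            else if (host ~ /^(ip6-)?localhost6?$/ || host ~ /^127\./ || host == "::1" || host == "[::1]")
                loop = 1
            else
                addr = 1
        }
        END {
            if (wild)      print "all-interfaces"
            else if (addr) print "specific-address"
            else if (loop) print "loopback-only"
            else           print "not-listening"
        }'
}

# Constructed sample: the mysqld line is the one shown in this section, the
# header and the smtp line are made up for illustration.
sample_wildcard() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:mysql                 *:*                     LISTEN      6621/mysqld
tcp        0      0 *:smtp                  *:*                     LISTEN      3310/master
EOF
}

# Constructed sample: numeric output with MySQL bound to the loopback address.
sample_loopback() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      6621/mysqld
EOF
}

# Typical use on the server:
#   netstat -tap | mysql_listen_scope
```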

      7 Postfix With SMTP-AUTH And TLS

      Postfix is already installed, but we must install Cyrus-SASL now:

      yast -i cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd

      Then we add the system startup links for saslauthd and start it:

      chkconfig --add saslauthd
      /etc/init.d/saslauthd start

      Afterwards we create the certificates for TLS:

      mkdir /etc/postfix/ssl
      cd /etc/postfix/ssl/
      openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
      chmod 600 smtpd.key
      openssl req -new -key smtpd.key -out smtpd.csr
      openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
      openssl rsa -in smtpd.key -out smtpd.key.unencrypted
      mv -f smtpd.key.unencrypted smtpd.key
      openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

      Next we configure Postfix for SMTP-AUTH and TLS:

      postconf -e 'mydomain = example.com'
      postconf -e 'myhostname = server1.$mydomain'
      postconf -e 'smtpd_sasl_local_domain ='
      postconf -e 'smtpd_sasl_auth_enable = yes'
      postconf -e 'smtpd_sasl_security_options = noanonymous'
      postconf -e 'broken_sasl_auth_clients = yes'
      postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
      postconf -e 'inet_interfaces = all'
      postconf -e 'alias_maps = hash:/etc/aliases'
      postconf -e 'smtpd_tls_auth_only = no'
      postconf -e 'smtp_use_tls = yes'
      postconf -e 'smtpd_use_tls = yes'
      postconf -e 'smtp_tls_note_starttls_offer = yes'
      postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
      postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
      postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
      postconf -e 'smtpd_tls_loglevel = 1'
      postconf -e 'smtpd_tls_received_header = yes'
      postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
      postconf -e 'tls_random_source = dev:/dev/urandom'

      To enable TLS connections in Postfix, edit /etc/postfix/master.cf and uncomment the tlsmgr line so that it looks like this one:

      vi /etc/postfix/master.cf

      tlsmgr    unix  -       -       n       1000?   1       tlsmgr

      Now restart Postfix:

      /etc/init.d/postfix restart

      To see if SMTP-AUTH and TLS work properly now run the following command:

      telnet localhost 25

      After you have established the connection to your Postfix mail server type

      ehlo localhost

      If you see the lines

      250-STARTTLS

      and

      250-AUTH

      then everything is fine.

      Type

      quit

      to return to the system's shell.
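
A scripted version of the EHLO check in this section, added here as an example and not part of the original tutorial. It parses a captured reply rather than looking for the literal lines 250-STARTTLS and 250-AUTH, so it also handles a capability on the final "250 " line and the extra "AUTH=" line that broken_sasl_auth_clients = yes produces; the helper names and the sample reply are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial). ehlo_caps, ehlo_auth_mechs and
# ehlo_check are hypothetical helpers that read a captured EHLO reply on stdin.

# Capability keywords, upper-cased, one per line. Copes with CRLF line ends,
# with the final "250 " line (space instead of hyphen) and with the extra
# "AUTH=..." line Postfix sends when broken_sasl_auth_clients = yes.
ehlo_caps() {
    tr -d '\r' | awk '
        /^250[- ]/ {
            if (++n == 1) next                # first line is the server greeting
            split(substr($0, 5), f, /[ =]/)
            if (f[1] != "") print toupper(f[1])
        }' | sort -u
}

# SASL mechanisms offered on the AUTH / AUTH= lines, one per line.
ehlo_auth_mechs() {
    tr -d '\r' | awk '
        /^250[- ]AUTH[ =]/ {
            sub(/^250[- ]AUTH[ =]/, "")
            for (i = 1; i <= NF; i++) print toupper($i)
        }' | sort -u
}

# Prints "ok" (status 0) when both STARTTLS and AUTH are advertised,
# otherwise "missing: ..." (status 1).
ehlo_check() {
    caps=$(ehlo_caps)
    missing=""
    for want in STARTTLS AUTH; do
        printf '%s\n' "$caps" | grep -qx "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample of a reply to "ehlo localhost" with the settings above.
sample_reply() {
    printf '%s\r\n' \
        '250-server1.example.com' \
        '250-PIPELINING' \
        '250-SIZE 10240000' \
        '250-STARTTLS' \
        '250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5' \
        '250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5' \
        '250 8BITMIME'
}

# Typical use: save the server's reply from the telnet session to a file, then
#   ehlo_check < reply.txt && ehlo_auth_mechs < reply.txt
```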

       

      8 Courier-IMAP/Courier-POP3

      I want to use a POP3/IMAP daemon that has Maildir support. That's why I use Courier-IMAP and Courier-POP3.

      yast -i courier-imap fam-server courier-authlib expect tcl

      Afterwards we add the system startup links and start POP3, IMAP, POP3s and IMAPs:

      chkconfig --add fam
      chkconfig --add courier-authdaemon
      chkconfig --add courier-pop
      chkconfig --add courier-imap
      /etc/init.d/courier-pop start
      /etc/init.d/courier-imap start
      chkconfig --add courier-pop-ssl
      chkconfig --add courier-imap-ssl
      /etc/init.d/courier-pop-ssl start
      /etc/init.d/courier-imap-ssl start

      If you do not want to use ISPConfig, configure Postfix to deliver emails to a user's Maildir*:

      postconf -e 'home_mailbox = Maildir/'
      postconf -e 'mailbox_command ='
      /etc/init.d/postfix restart

      *Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please make sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.


      9 Apache/PHP5

      Now we install Apache with PHP5:

      yast2 -i apache2 apache2-devel apache2-mod_perl apache2-mod_php5 apache2-prefork perl-HTML-Parser perl-HTML-Tagset perl-Tie-IxHash perl-URI perl-libwww-perl php5 php5-devel zlib zlib-devel

      Then we install some PHP5 modules:

      yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dbase php5-debuginfo php5-dom php5-filepro php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mhash php5-mysql php5-mysqli php5-ncurses php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl

      Next we edit /etc/apache2/httpd.conf:

      vi /etc/apache2/httpd.conf

      and change DirectoryIndex to

      DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx

      Edit /etc/sysconfig/apache2 and add rewrite to the APACHE_MODULES line:

      vi /etc/sysconfig/apache2

      APACHE_MODULES="actions alias auth_basic [...] negotiation setenvif ssl suexec userdir php5 rewrite"

      Also add SSL to the APACHE_SERVER_FLAGS line:

      APACHE_SERVER_FLAGS="SSL"

      Now configure your system to start Apache at boot time:

      chkconfig --add apache2

      Then run

      SuSEconfig
      /etc/init.d/apache2 start

       

      9.1 Disable PHP And Perl Globally

      (If you do not plan to install ISPConfig on this server, please skip this section!)

      In ISPConfig you will configure PHP and Perl on a per-website basis, i.e. you can specify which website can run PHP and Perl scripts and which one cannot. This can only work if PHP and Perl are disabled globally because otherwise all websites would be able to run PHP/Perl scripts, no matter what you specify in ISPConfig.

      To disable PHP and Perl globally, we edit /etc/mime.types and comment out the application/x-perl and application/x-php lines:

      #application/x-perl pl pm al perl
      #application/x-php php php3 php4

      Afterwards we restart Apache:

      /etc/init.d/apache2 restart

       

      10 Proftpd

      I want to use Proftpd instead of vsftpd which is SuSE's default FTP server because the control panel software I am going to install on this server (ISPConfig) requires Proftpd on SUSE 10.1 (on other distributions this is different). Since there are no SUSE packages for Proftpd I have to compile it manually:

      cd /tmp/
      wget --passive-ftp ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0.tar.gz
      tar xvfz proftpd-1.3.0.tar.gz
      cd proftpd-1.3.0/
      ./configure --sysconfdir=/etc
      make
      make install
      cd ..
      rm -fr proftpd-1.3.0*

      Now create the file /etc/init.d/proftpd:

      vi /etc/init.d/proftpd

      #! /bin/sh
      # Copyright (c) 2000-2001 SuSE GmbH Nuernberg, Germany.
      # All rights reserved.
      #
      # Original author: Marius Tomaschewski <mt@suse.de>
      #
      # Slightly modified in 2003 for use with SuSE Linux 8.1,
      # by http://www.learnlinux.co.uk/
      #
      # Slightly modified in 2005 for use with SuSE Linux 9.2,
      # by Falko Timme
      #
      # /etc/init.d/proftpd
      #
      ### BEGIN INIT INFO
      # Provides: proftpd
      # Required-Start: $network $remote_fs $syslog $named
      # Required-Stop:
      # Default-Start: 3 5
      # Default-Stop: 0 1 2 6
      # Description: Starts ProFTPD server
      ### END INIT INFO

      # Determine the base and follow a runlevel link name.
      base=${0##*/}
      link=${base#*[SK][0-9][0-9]}

      # Force execution if not called by a runlevel directory.
      test $link = $base && START_PROFTPD=yes # Modified by learnlinux.co.uk
      test "$START_PROFTPD" = yes || exit 0 # Modified by learnlinux.co.uk

      # Return values acc. to LSB for all commands but
      # status (see below):
      #
      # 0 - success
      # 1 - generic or unspecified error
      # 2 - invalid or excess argument(s)
      # 3 - unimplemented feature (e.g. "reload")
      # 4 - insufficient privilege
      # 5 - program is not installed
      # 6 - program is not configured
      # 7 - program is not running

      proftpd_cfg="/etc/proftpd.conf"
      proftpd_bin="/usr/local/sbin/proftpd"
      proftpd_pid="/usr/local/var/proftpd.pid"

      [ -r $proftpd_cfg ] || exit 6
      [ -x $proftpd_bin ] || exit 5

      # Source status functions
      . /etc/rc.status

      # First reset status of this service
      rc_reset

      case "$1" in
      start)
      echo -n "Starting ProFTPD Server: "
      test -f /etc/shutmsg && rm -f /etc/shutmsg
      /sbin/startproc $proftpd_bin
      rc_status -v
      ;;

      stop)
      echo -n "Shutting down ProFTPD Server: "
      test -x /usr/local/sbin/ftpshut && /usr/local/sbin/ftpshut now && sleep 1
      /sbin/killproc -TERM $proftpd_bin
      test -f /etc/shutmsg && rm -f /etc/shutmsg
      rc_status -v
      ;;

      restart)
      ## If first returns OK call the second, if first or
      ## second command fails, set echo return value.
      $0 stop
      $0 start
      rc_status
      ;;

      try-restart)
      ## Stop the service and if this succeeds (i.e. the
      ## service was running before), start it again.
      ## Note: not (yet) part of LSB (as of 0.7.5)
      $0 status >/dev/null && $0 restart
      rc_status
      ;;

      reload|force-reload)
      ## Exclusive possibility: Some services must be stopped
      ## and started to force a new load of the configuration.
      echo -n "Reload ProFTPD Server: "
      /sbin/killproc -HUP $proftpd_bin
      rc_status -v
      ;;

      status)
      # Return values are slightly different for the status command:
      # 0 - service running
      # 1 - service dead, but /var/run/ pid file exists
      # 2 - service dead, but /var/lock/ lock file exists
      # 3 - service not running
      echo -n "Checking for ProFTPD Server: "
      checkproc $proftpd_bin
      rc_status -v
      ;;

      probe)
      ## Optional: Probe for the necessity of a reload,
      ## give out the argument which is required for a reload.
      [ $proftpd_cfg -nt $proftpd_pid ] && echo reload
      ;;

      *)
      echo "Usage: $0 {start|stop|status|restart|reload|try-restart|probe}"
      exit 1
      ;;
      esac

      # Set an exit status.
      rc_exit

      Then run

      chmod 755 /etc/init.d/proftpd
      chkconfig --add proftpd

      Start Proftpd:

      /etc/init.d/proftpd start

      For security reasons you can add the following lines to /etc/proftpd.conf:

      vi /etc/proftpd.conf

      DefaultRoot ~
      IdentLookups off
      ServerIdent on "FTP Server ready."

      Be sure to comment out the following lines in order to allow ftp users to CHMOD:

      # Bar use of SITE CHMOD by default
      #<Limit SITE_CHMOD>
      # DenyAll
      #</Limit>

      and restart Proftpd:

      /etc/init.d/proftpd restart


      11 Webalizer

      To install webalizer, just run

      yast2 -i webalizer

       

      12 Synchronize the System Clock

      If you want to have the system clock synchronized with an NTP server do the following:

      yast2 -i xntp

      Add an NTP server with YaST:

      yast2

      Select Network Services -> NTP Client:

      Then select Automatically Start NTP Daemon During Boot. Under NTP Server Configuration enable Use Random Servers from pool.ntp.org. Then select Finish, Quit.

       

      13 Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)

      Run

      yast2 -i perl-HTML-Parser perl-Net-DNS perl-Digest-SHA1

       

      14 Disable AppArmor

      AppArmor is a security extension of SuSE (similar to Fedora's SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

      We can disable it like this:

      /etc/init.d/boot.apparmor stop
      chkconfig -d boot.apparmor

       

      15 ISPConfig

      The configuration of the server is now finished, and if you wish you can now install ISPConfig on it. Please check out the ISPConfig installation: http://www.ispconfig.org/manual_installation.htm

       

      15.1 A Note On SuExec

      If you want to run CGI scripts under suExec, you should specify /srv/www as the home directory for websites created by ISPConfig as SUSE 10.1's suExec is compiled with /srv/www as Doc_Root. Run /usr/sbin/suexec2 -V, and the output should look like this:

      /usr/sbin/suexec2 -V

      To select /srv/www as the home directory for websites during the installation of ISPConfig do the following: When you are asked for the installation mode, select the expert mode.

      Later during the installation you are asked if the default directory /home/www should be the directory where ISPConfig will create websites in. Answer n and enter /srv/www as the home directory for websites.

       

