This is a detailed description about how to set up a SuSE 10.1 based
server that offers all services needed by ISPs and hosters (web server
(SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP
server, MySQL server, POP3/IMAP, Quota, Firewall, etc.).
In the end you should have a system that works reliably, and if you
like you can install the free webhosting control panel ISPConfig (i.e.,
ISPConfig runs on it out of the box).
I want to say first that this is not the only way of setting up such a
system. There are many ways of achieving this goal but this is the way I
take. I do not issue any guarantee that this will work for you!
As we want to install a server, we do not need a desktop. Therefore we
select Text Mode and click on OK and then on Next.
Now we create the partitions. I will use the following partition
scheme:
Your partition table should now look similar to this one,
depending on your hard disk size. Click on Finish to proceed to the next step.
Then mark Network Interfaces and hit
return. The following screen should come up:
Hit the [Tab] key until [Edit] is highlighted, then hit return. You
should now be on the Network Address Setup
screen:
I do not want to get IP addresses from a DHCP server because a server
should have static IP addresses, so I change this by selecting Static Address Setup and entering an IP Address (e.g. 192.168.0.181) and a Subnet
Mask (e.g. 255.255.255.0):
Then go to the Hostname and Name Server
settings. The hostname (server1.example.com)
should already be there (remember, we specified this earlier in our
setup). Fill in up to three Name Servers (e.g.
145.253.2.75, 193.174.32.18, and 194.25.0.60). Unfortunately we cannot disable Update Name Servers and Search List via DHCP - I
think this is a bug in YaST. Afterwards, hit OK.
Next, go to Routing and enter the Default Gateway. For me, this is 192.168.0.1:
Then we can leave the network card configuration by hitting Next twice:
Our network configuration is finished now, therefore we hit Next again on the Network
Configuration screen:
The network configuration is being saved:
Now the internet connection of the system is tested and you may
download the latest updates from a SuSE mirror and install them. Be
patient here, this might take a few minutes (package management is
really slow on SuSE 10.1).
Now configure the Online Update function
and install the latest updates, if available:
When asked how users should authenticate, choose Local (/etc/passwd):
Create a second user other than root (e.g. admin):
Read the release notes (if you like...) and hit Next:
Finally YaST performs a hardware check (graphics cards, printers,
sound, TV cards and Bluetooth). You can accept the results of this check
as this hardware is not important for a server.
Congratulations! Your base installation is complete.
2 Adding Installation Sources
To make package installation easier, I will add a network
installation source. If you want to install all packages from CD / DVD,
you can skip this step. Start yast2:
yast2
Go to Software -> Installation Source:
Select Add and enter a mirror near you. You
can find a list of mirrors here: http://www.opensuse.org/Mirrors_Development_Build.
I selected this http mirror (yes, it is an http mirror even though
the URL starts with ftp :-)):
ftp.uni-erlangen.de/pub/mirrors/opensuse/distribution/SL-10.1/inst-source
As Server Name, I enter ftp.uni-erlangen.de, and as Directory on Server I fill in /pub/mirrors/opensuse/distribution/SL-10.1/inst-source:
Finally I move my new installation source to the top of the list so
that it will be the preferred location to fetch software packages from.
At the same time I delete my SuSE CDs from the list (normally it would
be enough to move the CDs down the list, but YaST seems to be buggy -
whenever I moved the CDs down, they were back at the top when I entered
YaST the next time...).
Hit Finish afterwards. You have to be
patient now; in my tests it took about ten minutes(!) until YaST had updated
the installation sources. During that period it seems as if YaST is
hanging, but in fact it is working. You can check that in a second shell
window with the command
tail -f /var/log/YaST2/y2log
I don't know what the SuSE developers did to YaST, but it's a change
for the worse for sure...
3 Install Some Software
Now we install a few packages that are needed later on. Run
yast -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget
If you're on a 64-bit system (only then!), you must also install
openssl-devel-32bit:
yast -i openssl-devel-32bit
4 Quota
To install quota, run
yast -i quota
Edit /etc/fstab to look like this (I added
,usrquota,grpquota to the partition /dev/sda3 with mount point /;
your device name might be /dev/hda2 or
similar):
vi /etc/fstab
/dev/sda3 / ext3 acl,user_xattr,usrquota,grpquota 1 1
/dev/sda1 /boot ext3 acl,user_xattr 1 2
/dev/sda2 swap swap defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs noauto 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0
/dev/fd0 /media/floppy auto noauto,user,sync 0 0
Then run:
touch /aquota.user /aquota.group
chmod 600 /aquota.*
and reboot the system:
shutdown -r now
After the system has come up again, enable quota like this:
quotacheck -avugm
quotaon -avug
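As an added example (not from the original howto), the /etc/fstab edit of the quota step done as a small script: it adds usrquota,grpquota to the entry for the / mount point, leaves every other line untouched, and can be run repeatedly without duplicating options, so the result can be diffed against the real file before it is installed. The sample fstab embedded in it is constructed from the listing above.

```python
# Added example (not from the original howto): apply the /etc/fstab edit
# from the quota step as an idempotent function, so the change can be
# reviewed on a copy before it is written to the real file.
from typing import List

QUOTA_OPTIONS = ("usrquota", "grpquota")


def enable_quota(fstab_text: str, mount_point: str = "/") -> str:
    """Return fstab_text with usrquota,grpquota added to mount_point's options.

    Comment lines, blank lines and every other entry pass through unchanged,
    and options already present are not duplicated, so the function can be
    run repeatedly.
    """
    out: List[str] = []
    for line in fstab_text.splitlines():
        fields = line.split()
        # fstab columns: device, mount point, fs type, options, dump, pass
        if line.lstrip().startswith("#") or len(fields) < 4 or fields[1] != mount_point:
            out.append(line)
            continue
        options = fields[3].split(",")
        for opt in QUOTA_OPTIONS:
            if opt not in options:
                options.append(opt)
        fields[3] = ",".join(options)
        out.append(" ".join(fields))
    return "\n".join(out) + "\n"


def mount_options(fstab_text: str, mount_point: str = "/") -> List[str]:
    """Option list of the entry for mount_point (used to verify the edit)."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not line.lstrip().startswith("#") and fields[1] == mount_point:
            return fields[3].split(",")
    return []


# Constructed sample: the fstab from the text, before the quota options.
SAMPLE_FSTAB = """\
/dev/sda3 / ext3 acl,user_xattr 1 1
/dev/sda1 /boot ext3 acl,user_xattr 1 2
/dev/sda2 swap swap defaults 0 0
proc /proc proc defaults 0 0
"""

if __name__ == "__main__":
    # Usage: python3 enable_quota.py /etc/fstab > /tmp/fstab.new, then diff and install.
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FSTAB
    sys.stdout.write(enable_quota(source))
```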
5 DNS Server
Run
yast -i bind bind-chrootenv bind-devel bind-utils
Then we add the system startup links for BIND and start it:
chkconfig --add named
/etc/init.d/named start
Bind will run in a chroot jail under /var/lib/named.
6 MySQL
In order to install MySQL, we run
yast -i mysql mysql-client mysql-shared perl-DBD-mysql perl-DBI perl-Data-ShowTable mysql-devel
Then we add the system startup links for MySQL and start it:
chkconfig --add mysql
/etc/init.d/mysql start
Now check that networking is enabled. Run
netstat -tap
In the output you should see a line like this one:
tcp 0 0 *:mysql *:* LISTEN 6621/mysqld
If you don't see a line like this, edit /etc/my.cnf and comment out the option skip-networking:
vi /etc/my.cnf
and restart your MySQL server:
/etc/init.d/mysql restart
Run
mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword
to set a password for the user root
(otherwise anybody can access your MySQL database!).
7 Postfix With SMTP-AUTH And TLS
Postfix is already installed, but we must install Cyrus-SASL now:
yast -i cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd
Then we add the system startup links for saslauthd and start it:
chkconfig --add saslauthd
/etc/init.d/saslauthd start
Afterwards we create the certificates for TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Next we configure Postfix for SMTP-AUTH and TLS:
postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
postconf -e 'inet_interfaces = all'
postconf -e 'alias_maps = hash:/etc/aliases'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
To enable TLS connections in Postfix, edit /etc/postfix/master.cf and uncomment the tlsmgr line so that it looks like this one:
vi /etc/postfix/master.cf
tlsmgr unix - - n 1000? 1 tlsmgr
Now restart Postfix:
/etc/init.d/postfix restart
To see if SMTP-AUTH and TLS work properly now run the following
command:
telnet localhost 25
After you have established the connection to your Postfix mail server
type
ehlo localhost
If you see the lines
250-STARTTLS
and
250-AUTH
then everything is fine.
Type
quit
to return to the system's shell.
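As an added example (not from the original howto), the same telnet check done from a script. parse_ehlo() and audit() work on a pasted EHLO response and need no network; probe_server() runs the identical check against a live server (host and port are assumptions, defaulting to localhost:25). The audit also reports whether AUTH is advertised on the unencrypted connection, which is what the setting smtpd_tls_auth_only = no above allows.

```python
# Added example (not from the original howto): the telnet check above, in code.
# parse_ehlo()/audit() work on a pasted EHLO response and need no network;
# probe_server() runs the same check against a live host.
import socket


def parse_ehlo(response):
    """Return the ESMTP keywords from a raw multi-line 250 EHLO response."""
    keywords = []
    for line in response.splitlines():
        line = line.strip()
        # Continuation lines are '250-KEYWORD', the final one is '250 KEYWORD'.
        if len(line) > 4 and line.startswith("250") and line[3] in "- ":
            keywords.append(line[4:].split()[0].upper())
    return keywords[1:]  # the first 250 line is the greeting, not a keyword


def audit(keywords):
    """Judge the advertised keywords as a defender would."""
    auth = "AUTH" in keywords
    return {
        "starttls": "STARTTLS" in keywords,
        "auth": auth,
        # AUTH on the still-unencrypted connection means a client may send its
        # password in clear; that is what smtpd_tls_auth_only = no permits
        # ('yes' hides AUTH until after STARTTLS).
        "plaintext_auth_offered": auth,
    }


def probe_server(host="localhost", port=25):
    """Connect, send EHLO, audit the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        reader.readline()  # 220 greeting
        sock.sendall(b"EHLO localhost\r\n")
        lines = []
        while True:
            line = reader.readline()
            lines.append(line)
            if not line or line[3:4] == " ":  # '250 ' marks the last line
                break
        sock.sendall(b"QUIT\r\n")
    return audit(parse_ehlo("".join(lines)))


# Constructed sample EHLO response, as the telnet session above would show it.
SAMPLE_EHLO = """\
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250 8BITMIME
"""
```

A result with "starttls" and "auth" both true is what the text above calls "everything is fine"; a server configured with smtpd_tls_auth_only = yes would instead show "plaintext_auth_offered" false until STARTTLS has been negotiated.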
8 Courier-IMAP/Courier-POP3
I want to use a POP3/IMAP daemon that has Maildir support. That's why
I use Courier-IMAP and Courier-POP3.
yast -i courier-imap fam-server courier-authlib expect tcl
Afterwards we add the system startup links and start POP3, IMAP,
POP3s and IMAPs:
chkconfig --add fam
chkconfig --add courier-authdaemon
chkconfig --add courier-pop
chkconfig --add courier-imap
/etc/init.d/courier-pop start
/etc/init.d/courier-imap start
chkconfig --add courier-pop-ssl
chkconfig --add courier-imap-ssl
/etc/init.d/courier-pop-ssl start
/etc/init.d/courier-imap-ssl start
If you do not want to use ISPConfig, configure Postfix to deliver
emails to a user's Maildir*:
postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart
*Please note: You do not have to do this if you
intend to use ISPConfig on your system, as ISPConfig does the
necessary configuration using procmail recipes. But please make sure to
enable Maildir under Management -> Server -> Settings -> EMail
in the ISPConfig web interface.
9 Apache/PHP5
Now we install Apache with PHP5:
yast2 -i apache2 apache2-devel apache2-mod_perl apache2-mod_php5 apache2-prefork perl-HTML-Parser perl-HTML-Tagset perl-Tie-IxHash perl-URI perl-libwww-perl php5 php5-devel zlib zlib-devel
Then we install some PHP5 modules:
yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dbase php5-debuginfo php5-dom php5-filepro php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mhash php5-mysql php5-mysqli php5-ncurses php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl
Next we edit /etc/apache2/httpd.conf:
vi /etc/apache2/httpd.conf
and change DirectoryIndex to
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx
Edit /etc/sysconfig/apache2 and add rewrite to the APACHE_MODULES line:
vi /etc/sysconfig/apache2
APACHE_MODULES="actions alias auth_basic [...] negotiation setenvif ssl suexec userdir php5 rewrite"
Also add SSL to the APACHE_SERVER_FLAGS line:
APACHE_SERVER_FLAGS="SSL"
Now configure your system to start Apache at boot time:
chkconfig --add apache2
Then run
SuSEconfig
/etc/init.d/apache2 start
9.1 Disable PHP And Perl Globally
(If you do not plan to install ISPConfig on this server, please skip
this section!)
In ISPConfig you will configure PHP and Perl on a per-website basis,
i.e. you can specify which website can run PHP and Perl scripts and
which one cannot. This can only work if PHP and Perl are disabled
globally because otherwise all websites would be able to run PHP/Perl
scripts, no matter what you specify in ISPConfig.
To disable PHP and Perl globally, we edit /etc/mime.types and comment out the application/x-perl and application/x-php lines:
#application/x-perl pl pm al perl
#application/x-php php php3 php4
Afterwards we restart Apache:
/etc/init.d/apache2 restart
10 Proftpd
I want to use Proftpd instead of vsftpd which is SuSE's default FTP server because
the control panel software I am going to install on this server (ISPConfig) requires
Proftpd on SUSE 10.1 (on other distributions
this is different). Since there are no SUSE packages for Proftpd I have to compile it manually:
cd /tmp/
wget --passive-ftp ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0.tar.gz
tar xvfz proftpd-1.3.0.tar.gz
cd proftpd-1.3.0/
./configure --sysconfdir=/etc
make
make install
cd ..
rm -fr proftpd-1.3.0*
Now create the file /etc/init.d/proftpd:
vi /etc/init.d/proftpd
#! /bin/sh
# Copyright (c) 2000-2001 SuSE GmbH Nuernberg, Germany.
# All rights reserved.
#
# Original author: Marius Tomaschewski <mt@suse.de>
#
# Slightly modified in 2003 for use with SuSE Linux 8.1,
# by http://www.learnlinux.co.uk/
#
# Slightly modified in 2005 for use with SuSE Linux 9.2,
# by Falko Timme
#
# /etc/init.d/proftpd
#
### BEGIN INIT INFO
# Provides: proftpd
# Required-Start: $network $remote_fs $syslog $named
# Required-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Starts ProFTPD server
### END INIT INFO

# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}

# Force execution if not called by a runlevel directory.
test $link = $base && START_PROFTPD=yes # Modified by learnlinux.co.uk
test "$START_PROFTPD" = yes || exit 0 # Modified by learnlinux.co.uk

# Return values acc. to LSB for all commands but
# status (see below):
#
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running

proftpd_cfg="/etc/proftpd.conf"
proftpd_bin="/usr/local/sbin/proftpd"
proftpd_pid="/usr/local/var/proftpd.pid"

[ -r $proftpd_cfg ] || exit 6
[ -x $proftpd_bin ] || exit 5

# Source status functions
. /etc/rc.status

# First reset status of this service
rc_reset

case "$1" in
    start)
        echo -n "Starting ProFTPD Server: "
        test -f /etc/shutmsg && rm -f /etc/shutmsg
        /sbin/startproc $proftpd_bin
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down ProFTPD Server: "
        test -x /usr/local/sbin/ftpshut && /usr/local/sbin/ftpshut now && sleep 1
        /sbin/killproc -TERM $proftpd_bin
        test -f /etc/shutmsg && rm -f /etc/shutmsg
        rc_status -v
        ;;
    restart)
        ## If first returns OK call the second, if first or
        ## second command fails, set echo return value.
        $0 stop
        $0 start
        rc_status
        ;;
    try-restart)
        ## Stop the service and if this succeeds (i.e. the
        ## service was running before), start it again.
        ## Note: not (yet) part of LSB (as of 0.7.5)
        $0 status >/dev/null && $0 restart
        rc_status
        ;;
    reload|force-reload)
        ## Exclusive possibility: Some services must be stopped
        ## and started to force a new load of the configuration.
        echo -n "Reload ProFTPD Server: "
        /sbin/killproc -HUP $proftpd_bin
        rc_status -v
        ;;
    status)
        # Return value is slightly different for the status command:
        # 0 - service running
        # 1 - service dead, but /var/run/ pid file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running
        echo -n "Checking for ProFTPD Server: "
        checkproc $proftpd_bin
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload,
        ## give out the argument which is required for a reload.
        [ $proftpd_cfg -nt $proftpd_pid ] && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|reload|try-restart|probe}"
        exit 1
        ;;
esac

# Set an exit status.
rc_exit
Then run
chmod 755 /etc/init.d/proftpd
chkconfig --add proftpd
Start Proftpd:
/etc/init.d/proftpd start
For security reasons you can add the following lines to /etc/proftpd.conf:
vi /etc/proftpd.conf
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
Be sure to comment out the following lines in order to allow ftp
users to CHMOD:
# Bar use of SITE CHMOD by default
#<Limit SITE_CHMOD>
# DenyAll
#</Limit>
and restart Proftpd:
/etc/init.d/proftpd restart
11 Webalizer
To install webalizer, just run
yast2 -i webalizer
12 Synchronize the System Clock
If you want to have the system clock synchronized with an NTP server
do the following:
yast2 -i xntp
Add an NTP server with YaST:
yast2
Select Network Services -> NTP Client:
Then select Automatically Start NTP Daemon During
Boot. Under NTP Server Configuration
enable Use Random Servers from pool.ntp.org.
Then select Finish, Quit.
13 Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)
Run
yast2 -i perl-HTML-Parser perl-Net-DNS perl-Digest-SHA1
14 Disable AppArmor
AppArmor is a security extension of SuSE (similar to Fedora's
SELinux) that should provide extended security. In my opinion you don't
need it to configure a secure system, and it usually causes more
problems than advantages (think of it after you have done a week of
trouble-shooting because some service wasn't working as expected, and
then you find out that everything was ok, only AppArmor was causing the
problem). Therefore I disable it (this is a must if you want to install
ISPConfig later on).
We can disable it like this:
/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor
15 ISPConfig
The configuration of the server is now finished, and if you wish you
can now install ISPConfig on it. Please check out the ISPConfig
installation: http://www.ispconfig.org/manual_installation.htm
15.1 A Note On SuExec
If you want to run CGI scripts under suExec, you should specify /srv/www as the home directory for websites created
by ISPConfig as SUSE 10.1's suExec is compiled with /srv/www as Doc_Root. Run
/usr/sbin/suexec2 -V, and the output should
look like this:
/usr/sbin/suexec2 -V
To select /srv/www as the home directory
for websites during the installation of ISPConfig do the following: When
you are asked for the installation mode, select the expert mode.
Later during the installation you are asked if the default directory
/home/www should be the directory where
ISPConfig will create websites in. Answer n
and enter /srv/www as the home directory for
websites.