Perfect server: Debian 10 (Buster) V1.0

botond published March 2020, 01, Thu - 02:17 time

Contents

  Page 1: Upgrading the system and installing and configuring basic accessories
  Page 2: Install Let's Encrypt, FTP, DNS Server, Web Stats, Jailkit and Fail2Ban
  Page 3: Install RoundCube webmail client and ISPConfig3 control panel

 

Contents of page 1

 

Introduction

In this description, we will build the Debian 10 (Buster) version of the perfect server. With this build, we get a complete web server based on Debian 10 (Buster) that, in addition to a LAMP system, includes many other features, making it well suited to running live websites.

I will mark this server with a version number of 1.0, so there may be several versions of it later. Similar server installations have previously been made in the following versions:

 

Update 2022-12-13:
A new version of the perfect server series installation guide has been prepared, which can be viewed at the following link:

 

Prerequisites

This guide builds on the previously completed Debian 10 (Buster) LAMP Server v1.0 installation, so completing that installation, or downloading it in the form of a virtual machine, is required!

 

The repository database and updating packages

Before we begin the installation, our first task is to update the package repository database and our installed packages so that we work with the latest versions. To do this, issue the following command:

apt-get update && apt-get upgrade

 

How to install the server

As I mentioned, unlike previous perfect server installations, this one is not based on a minimal system but continues directly from the finished LAMP server state. This makes the Debian 10 server line more modular, and our previous LAMP machine remains "reusable". The advantage is that we do not have to start the entire server installation from scratch: we have already done the hard work while assembling the LAMP system, so we now build on it, and this description is shorter than its predecessors. We can also think of this as an "upgrade" of the LAMP server. This approach is particularly useful now because installing and configuring the phpMyAdmin web database management interface on Debian 10 is quite a chore: it is not part of the stock package set, so everything has to be done manually. That long step is already taken care of as part of the previous LAMP server.

When you are ready, log on to our LAMP server as root and get started!

The shell commands shown in this tutorial are generally ready to use as they are, so after selecting and copying them to the clipboard you can paste them into the terminal, which in most terminal programs is done with the SHIFT + INSERT key combination.

 

Set the default Shell

In Debian 10, Dash is set as the default shell, but we will need the Bash shell when installing ISPConfig. To change this, run the following command:

dpkg-reconfigure dash

Here, select the No option. The program will then rearrange the necessary symbolic links.

 

System clock synchronization

It is a good idea to keep the server's clock accurate. We can do this automatically with the NTP protocol, which periodically synchronizes the clock in the background. To install it, run the following command:

apt-get -y install ntp

 

Installing compression programs

Later we will need various compression programs. We will use some of them during the installation, but they matter most during operation of the server, for example in the ISPConfig system or for various background tasks. It is a good idea to install them all at once with the following command:

apt-get install -y \
    zip unzip bzip2 arj nomarch lzop cabextract \
    p7zip p7zip-full unrar lrzip

 

Install other basic programs

We need to install a few more basic packages that are needed to run the entire server but are not part of larger program groups, so they are installed here. You can install these with the following command:

apt-get -y install \
    openssl \
    rkhunter \
    binutils \
    daemon \
    patch \
    apt-listchanges \
    apt-transport-https

 

 

Installing a mail system

The server's outgoing (SMTP) mail is handled by the Postfix program, and incoming mail (POP3/IMAP) by the Dovecot program. These are installed with the following command:

apt-get -y install \
    postfix \
    postfix-mysql \
    postfix-doc \
    getmail4 \
    dovecot-imapd \
    dovecot-pop3d \
    dovecot-mysql \
    dovecot-sieve \
    dovecot-lmtpd

During installation, the Postfix configuration will start:

Postfix Configuration - Select the type of mail

Here select the Internet Site option.

In the following panel, you need to set the server name:

Postfix Configuration - Set the server name

Here the system fills in the server name by default, but make sure it is the server's complete FQDN, which can also be obtained with the hostname -f command.

The installer then installs the other packages and configures them.

More Postfix settings

After installing the mail packages, we still need to configure Postfix to open the SSL/TLS ports so that secure mail can work through them. To do this, open the /etc/postfix/master.cf file:

nano /etc/postfix/master.cf

And do the following:

  • Uncomment the submission and smtps sections. These are right at the beginning of the file.
  • Remove the comment marks from the appropriate option lines (starting with -o), as shown below.
  • Add the further options as in the following example, according to the parts highlighted in green.

The point is that this part of the file should look exactly like the one below:

[...]
submission inet  n       -       -       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       -       -       -       smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]

So in both sections we uncomment the first 3 options and then add the lines highlighted in green. And of course make sure that no comment mark is left in front of the lines starting with submission and smtps.

Once you have it, save the file and restart Postfix:

systemctl restart postfix
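
A check for the master.cf edit described above, as an added example that is not part of the original tutorial: it parses the file and reports whether the submission and smtps services are active with the options shown. The function names and the embedded sample file are constructed for this example, and the parser assumes the one-option-per-line "-o name=value" form used above.

```sh
#!/bin/sh
# Added example (not from the tutorial): audit the submission and smtps
# entries of a Postfix master.cf against the options shown above.

# sample_master_cf: constructed sample input with two deliberate mistakes.
sample_master_cf() {
    cat <<'EOF'
submission inet  n       -       -       -       -       smtpd
 -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps      inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
EOF
}

# audit_service FILE SERVICE OPTION...
# Succeeds only if SERVICE has an active "inet" line and every OPTION
# (name=value) appears on an uncommented "-o" continuation line.
audit_service() {
    as_file=$1; as_svc=$2; shift 2
    awk -v svc="$as_svc" -v want="$*" '
        BEGIN { n = split(want, need, " ") }
        # A line starting in column 1 (and not with #) opens a new service.
        /^[^ \t#]/ { in_svc = ($1 == svc && $2 == "inet"); if (in_svc) found = 1; next }
        # Options are whitespace-indented; "# -o ..." lines are inactive.
        in_svc && /^[ \t]+-o[ \t]/ {
            sub(/^[ \t]+-o[ \t]+/, ""); sub(/[ \t]+$/, ""); have[$0] = 1
        }
        END {
            if (!found) { print svc ": service line missing or commented out"; exit 1 }
            for (i = 1; i <= n; i++)
                if (!(need[i] in have)) { print svc ": missing -o " need[i]; bad = 1 }
            if (!bad) print svc ": ok"
            exit bad + 0
        }' "$as_file"
}

# audit_master_cf [FILE]: check both services the tutorial enables.
audit_master_cf() {
    mc=${1:-/etc/postfix/master.cf}; rc=0
    common="smtpd_sasl_auth_enable=yes smtpd_client_restrictions=permit_sasl_authenticated,reject"
    audit_service "$mc" submission syslog_name=postfix/submission \
        smtpd_tls_security_level=encrypt $common || rc=1
    audit_service "$mc" smtps syslog_name=postfix/smtps \
        smtpd_tls_wrappermode=yes $common || rc=1
    return $rc
}
```

On the server, calling audit_master_cf without arguments after the edit reads /etc/postfix/master.cf; a missing smtpd_tls_security_level=encrypt line is the finding that matters most, because without it the submission port would accept logins over an unencrypted connection.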

 

 

MariaDB Options

A MariaDB database server was already installed during the construction of the LAMP server; now we only need to prepare it to stand up to higher traffic and load as part of a more serious server configuration.

Fine tuning

Open the /etc/mysql/mariadb.conf.d/50-server.cnf file: 

nano /etc/mysql/mariadb.conf.d/50-server.cnf

Make the following settings here:

  • Comment out this line:
    bind-address = 127.0.0.1
    (This will matter in ISPConfig, where remote access can be switched on for the databases you create ...)
  • Insert the following line immediately below it:
    sql_mode = NO_ENGINE_SUBSTITUTION
    (I have already written about the role of this in my article New features and changes to the Debian 10 (Buster) operating system.)
  • Set the max_allowed_packet value to 64M and uncomment it as well.
    (This lets MariaDB handle a larger packet size. Some database-based software, such as Matomo also)

So, when all is done, this part of the MariaDB configuration file will look like this:

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
sql-mode                = "NO_ENGINE_SUBSTITUTION"

[...]

max_allowed_packet      = 64M

[...]

Set file limits

Save the file, and then open the following: /etc/security/limits.conf

nano /etc/security/limits.conf

Add the following two lines to the end:

mysql soft nofile 65535
mysql hard nofile 65535

Save the file.

Open the /etc/systemd/system/mysqld.service file for editing:

nano /etc/systemd/system/mysqld.service

Here, look for this commented setting:

#LimitNOFILE=16364

Remove the comment mark from the beginning of the line and set the value to "infinity":

LimitNOFILE=infinity

Then save the file.

Service restart and MariaDB testing

Restart Services:

systemctl daemon-reload
systemctl restart mariadb

Let's test MariaDB:

netstat -tap | grep mysql

The output of the command should be something like:

tcp6       0      0 [::]:mysql              [::]:*                  LISTEN      2199/mysqld
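
With bind-address commented out, MariaDB listens on every interface, which is what the [::]:mysql line above shows. The following added example (not part of the original tutorial) classifies the listening addresses from the output of ss -H -ltn, used here instead of netstat for its numeric, header-free output; the function names and the sample lines are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the tutorial): classify the addresses MariaDB
# listens on. Feed it the output of `ss -H -ltn`.

# sample_ss_output: constructed lines in the format printed by `ss -H -ltn`.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 80 [::]:3306 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

# mysql_listeners [PORT]: print "<address> <class>" for each listener on PORT
# (default 3306). The exit status is 1 if any listener is reachable from
# outside the loopback interface, 0 otherwise.
mysql_listeners() {
    awk -v port="${1:-3306}" '
        $1 == "LISTEN" {
            addr = $4
            p = addr; sub(/^.*:/, "", p)          # text after the last colon
            if (p != port) next
            sub(/:[0-9]+$/, "", addr)             # drop ":port"
            gsub(/\[|\]/, "", addr)               # drop IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") cls = "loopback"
            else if (addr == "*" || addr == "0.0.0.0" || addr == "::") cls = "all-interfaces"
            else cls = "single-address"
            if (cls != "loopback") exposed = 1
            print addr, cls
        }
        END { exit exposed + 0 }'
}
```

On the server, run ss -H -ltn | mysql_listeners; an all-interfaces result means port 3306 is reachable from the network, so access then depends on the firewall and on which MariaDB accounts allow non-local hosts.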

 

Install spam filters and anti-virus software

The software packages installed now increase the security of the mail system by filtering spam and virus content in incoming and outgoing mail. To install them, run the following multi-line command:

apt-get install -y \
    amavisd-new \
    spamassassin \
    clamav clamav-daemon clamav-docs \
    postgrey \
    libnet-ldap-perl libauthen-sasl-perl \
    libio-string-perl libio-socket-ssl-perl \
    libnet-ident-perl libnet-dns-perl libdbd-mysql-perl

Then disable SpamAssassin, because ISPConfig will control it too, so right now it is just sitting in memory:

systemctl stop spamassassin
systemctl disable spamassassin

Nothing more needs to be done with the installed packages; they will be used in the background by the spam filter and the systems handling various mail rules in the mail section of ISPConfig.

 

 

Apache settings

The Apache web server was already installed when setting up the LAMP server, so we only need to make some additional settings on it.

Enable basic modules

First we enable the basic Apache modules:

a2enmod \
    suexec rewrite ssl actions \
    include cgi headers \
    proxy_fcgi alias

Enable WebDAV (optional)

If you want WebDAV service on the server, we enable the necessary Apache modules:

a2enmod dav_fs dav auth_digest

Closing an httpoxy vulnerability

We close a known vulnerability (httpoxy) with the following setting. Create a new Apache configuration file (/etc/apache2/conf-available/httpoxy.conf):

nano /etc/apache2/conf-available/httpoxy.conf

And let's add these three lines:

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

Enable configuration:

a2enconf httpoxy

Finally, restart Apache:

systemctl restart apache2
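
Because the directive sits inside an IfModule block, Apache skips it without any error when mod_headers is not loaded. The following added example (not part of the original tutorial) checks the three conditions the mitigation depends on in a Debian-style Apache configuration tree; the function names and the sample tree are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the tutorial): confirm the httpoxy mitigation is
# actually in effect in a Debian-style Apache configuration tree.

# make_sample_tree DIR: constructed config tree for trying the check offline.
make_sample_tree() {
    mkdir -p "$1/conf-available" "$1/conf-enabled" "$1/mods-enabled"
    printf '<IfModule mod_headers.c>\n    RequestHeader unset Proxy early\n</IfModule>\n' \
        > "$1/conf-available/httpoxy.conf"
    ln -s ../conf-available/httpoxy.conf "$1/conf-enabled/httpoxy.conf"
    : > "$1/mods-enabled/headers.load"
}

# httpoxy_mitigation_ok [APACHE_DIR]: prints each problem found and returns
# non-zero if any of the three conditions below fails.
httpoxy_mitigation_ok() {
    dir=${1:-/etc/apache2}; rc=0
    # 1. The directive exists and is not commented out.
    if ! grep -Eiq '^[[:space:]]*RequestHeader[[:space:]]+unset[[:space:]]+Proxy([[:space:]]|$)' \
            "$dir/conf-available/httpoxy.conf" 2>/dev/null; then
        echo "no active 'RequestHeader unset Proxy' in conf-available/httpoxy.conf"; rc=1
    fi
    # 2. a2enconf has linked the file into conf-enabled.
    if [ ! -e "$dir/conf-enabled/httpoxy.conf" ]; then
        echo "httpoxy.conf is not enabled (a2enconf httpoxy)"; rc=1
    fi
    # 3. mod_headers is enabled; otherwise the <IfModule mod_headers.c> block
    #    is skipped without any error and the Proxy header is passed through.
    if [ ! -e "$dir/mods-enabled/headers.load" ]; then
        echo "mod_headers is not enabled (a2enmod headers)"; rc=1
    fi
    return $rc
}
```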

 

On the next page we continue with installing Let's Encrypt's free SSL.

 

 
