Contents
- page: Upgrading the system and installing and configuring basic accessories
- page: Install Let's Encrypt, FTP, DNS Server, Web Stats, Jailkit and Fail2Ban
- page: Install RoundCube webmail client and ISPConfig3 control panel
Page 2: Continuation
On the first page we started building the server: we installed the mail system, MariaDB and Apache, plus some important add-ons. On this page we continue building the server, starting with the installation of free SSL certificates from Let's Encrypt.
Install Let's Encrypt
Let's Encrypt's free SSL certificates can be used to certify the websites on the server, so that we can reach them over secure HTTPS connections.
ISPConfig now uses the acme.sh script as its Let's Encrypt client instead of the previously used Certbot. It can be installed with the following command:
curl https://get.acme.sh | sh -s
With that we have nothing more to do: Let's Encrypt integrates with the ISPConfig control panel, which handles it fully automatically from then on.
Installing and configuring an FTP server
We will use PureFTPd as the FTP server. To install it, run the following command:
apt-get -y install pure-ftpd-common pure-ftpd-mysql
Let's create a dhparam file for PureFTPd:
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
Generation takes about 0.5-1 minutes (depending on machine performance); dots and plus signs are printed while it runs, do not interrupt it. Once it has finished, open the /etc/default/pure-ftpd-common file for editing:
nano /etc/default/pure-ftpd-common
And make sure the STANDALONE_OR_INETD and VIRTUALCHROOT settings have the following values:
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
Then save it.
By default, FTP is an unencrypted channel: the data transmitted over it travels as plain text between the parties. Therefore we enable TLS/SSL, so that files are uploaded and downloaded in encrypted form between the server and the FTP client.
To set this up, enter the following command:
echo 1 > /etc/pure-ftpd/conf/TLS
Next, create the directory that will hold the certificate:
mkdir -p /etc/ssl/private/
And let's create our self-signed certificate:
openssl req \
-x509 -nodes -days 7300 \
-newkey rsa:2048 \
-keyout /etc/ssl/private/pure-ftpd.pem \
-out /etc/ssl/private/pure-ftpd.pem
Creating the certificate requires some information, which the openssl program asks us for.
The full output follows; the values after the colons are what we typed:
Generating a RSA private key
...+++++.....................................++...................................................+++++
....................+++.....++...
writing new private key to '/etc/ssl/private/pure-ftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Magyarország
Locality Name (eg, city) []:Budapest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxportal
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:debian10.linuxportal.vm
Email Address []:email címem
Here we can even leave the fields blank, they do not matter. Then set the permissions of the generated pem file with the chmod command so that other users on the server cannot read it:
chmod 600 /etc/ssl/private/pure-ftpd.pem
Then restart PureFTPd:
service pure-ftpd-mysql restart
Installing and configuring Quota
You can use Quota to control hosting quotas so that websites cannot exceed their set hosting limits.
The quota system operates in the following separately regulated areas:
- Web hosting quota
- Database hosting quota
- Email hosting quota
To install it, run the following command:
apt-get -y install quota quotatool
We enforce the storage limitation at file system level by opening the /etc/fstab file:
nano /etc/fstab
And insert exactly the following part:
,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0
so that our /etc/fstab file looks like this:
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=1937031d-39a3-4c74-8420-6ad213f7c104 / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
# swap was on /dev/sda5 during installation
UUID=1020a50b-c32f-4443-8fbc-f98e4620f506 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
This fstab file comes from a single-partition base system installation where everything is on the root partition. If the /var directory structure is mounted from a separate partition, this part must be inserted into that partition's mount line: the point is that the quota system must be enforced on the file system that holds the web hosts (the /var/www/... structure).
You then need to remount the affected storage device whose line you edited so that the new options take effect. According to this example:
mount -o remount /
If the web root structure is mounted elsewhere, use that mount point instead.
Check the quota system before turning it on:
quotacheck -avugm
Normally the output is something like this:
quotacheck: Scanning /dev/sda1 [/] done
quotacheck: Cannot stat old user quota file //quota.user: Nincs ilyen fájl vagy könyvtár. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: Nincs ilyen fájl vagy könyvtár. Usage will not be subtracted.
quotacheck: Cannot stat old user quota file //quota.user: Nincs ilyen fájl vagy könyvtár. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: Nincs ilyen fájl vagy könyvtár. Usage will not be subtracted.
quotacheck: Checked 6052 directories and 58069 files
quotacheck: Old file not found.
quotacheck: Old file not found.
At first this may look like an error, but it is only because the quota system is not yet turned on. Turn it on:
quotaon -avug
/dev/sda1 [/]: group quotas turned on
/dev/sda1 [/]: user quotas turned on
From here on, ISPConfig takes care of the rest.
Install BIND DNS server
A DNS server lets us not just point a domain's "A" record at the storage on the server, but run the name server and manage the domain's entire DNS zone locally. This lets us manage those records in the ISPConfig interface and, not least, makes the mail system on the server complete. It is also a prerequisite for Let's Encrypt to work with zone management on the server.
The BIND DNS server can be installed with the following command:
apt-get -y install bind9 dnsutils haveged
Install web statistics
Webalizer and AWStats generate reports of visits to the websites by analysing the log files accumulated by Apache. Unlike analytics embedded in a web page's source code, which can usually only measure visits that execute JavaScript, these statistics can extract from the server-side log files, for example, the visits of various robots as well as requests for individual HTTP resources such as images, JS, CSS and other downloads. To install them, run the following command:
apt-get -y install \
webalizer awstats geoip-database \
libclass-dbi-mysql-perl libtimedate-perl
Then open the /etc/cron.d/awstats file:
nano /etc/cron.d/awstats
And let's comment out the two lines created by the installer:
MAILTO=root

# */10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
# 10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
Let's save it.
On the finished server ISPConfig will handle these in the background, so they are not needed.
Install Jailkit
Chrooted users can work on the server completely separately, without access to each other's files. This is useful, for example, if we provide storage space on our server to someone other than ourselves. And with Jailkit we can provide a suitable working environment (directory structure) for chrooted shell users, so they can use an (almost) complete Linux system.
ISPConfig will play a role here when creating a shell user: we will be able to choose whether the newly created user is chrooted.
Earlier, when building the perfect server on Debian 9 (Stretch), we had to compile Jailkit from source code because it was not included in Debian 9's main repository. It is not in the Debian 10 (Buster) base packages either, but it is in the Debian 10 backports. So you can choose to install the program from source with the previous method or from the Debian 10 backports repository. I recommend the latter, because it has the advantage of being updated through backports, so our Jailkit package will stay up to date in the years to come, unlike a version compiled from source, which remains the version we compiled once. This is a very important factor from a security point of view.
So we continue with the installation from backports, but if you stick with the previous method, you can proceed as described in the linked article, just make sure to find and use the latest version.
Configuring Debian 10 backports repository
The backports repository must be added to APT's package source file. To do this, open the /etc/apt/sources.list file:
nano /etc/apt/sources.list
Then add the following line:
deb https://deb.debian.org/debian buster-backports main contrib non-free
Save it and update the package database:
apt-get update
Installing the jailkit package
Now that you have configured the Debian 10 backports repository, install the jailkit package with the following command:
apt-get install jailkit
From here on, Jailkit too is handled by ISPConfig.
Fail2ban and UFW firewall installation
With the Fail2Ban program and the UFW firewall we can provide effective protection for our server. To install them, run the following command:
apt-get -y install fail2ban ufw
Configure basic Fail2Ban jails
For Fail2Ban to work properly, we need to set up so-called jails, which monitor the log files generated by the various services for the activity to be blocked. We will not go into how Fail2Ban works here; you can read more about it in the Related Content section at the bottom of this page.
Create the /etc/fail2ban/jail.local file:
nano /etc/fail2ban/jail.local
And let's add the following jails:
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
findtime = 3600
maxretry = 2

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
findtime = 3600
maxretry = 2

[postfix-sasl-normal]
enabled = true
port = smtp
filter = postfix[mode=normal]
logpath = /var/log/mail.log
findtime = 3600
maxretry = 2

[postfix-sasl-auth]
enabled = true
port = smtp
filter = postfix[mode=auth]
logpath = /var/log/mail.log
findtime = 3600
maxretry = 2

[postfix-auth-fail]
enabled = true
port = smtp
filter = postfix-auth-fail
logpath = /var/log/mail.log
findtime = 3600
maxretry = 2
Let's save it.
The first 4 jails are shipped with the package, so we only have to enable them. The last one, "postfix-auth-fail", I found on the net, and after several months of using it myself I can warmly recommend it, as it catches a lot of attempts against Postfix. Its filter must therefore be created separately:
nano /etc/fail2ban/filter.d/postfix-auth-fail.conf
Then include the following content:
# Fail2Ban filter for Postfix SMTP auth failures
#
# see: http://www.postfix.org/announcements/postfix-3.0.0.html:
# 'a password-guessing bot is logged as "disconnect from name[addr] ehlo=1 auth=0/1 commands=1/2",
# meaning that the client sent one EHLO command that worked, one AUTH command that failed, and
# hung up without sending a QUIT command. This information is always logged, and can help to
# solve puzzles without verbose logging or network sniffers.'
#

[INCLUDES]

# Read common prefixes. Get any customizations from common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

# cautious regex: strict match to messages per postfix announcement above:
#failregex = ^%(__prefix_line)sdisconnect from \S+\[<HOST>\] ehlo=1 auth=0/1 commands=1/2$

# aggressive regex: match any auth failure (unless from whitelisted ip),
# picks up a *lot* more bots than the 'cautious' regex, can ban bots
# that send HELO as well as EHLO and bots that send QUIT.
# Note 1: if a legit connector is trying to remember a login or password
# and gets it wrong it gets banned - unless whitelisted
# Note 2: this is triggered for every disconnect with failed auth. Some bots try multiple
# passwords on a single connection - I use dovecot jail to pick these up
failregex = ^%(__prefix_line)sdisconnect from \S+\[<HOST>\] (ehlo|helo)=\d+ .*auth=0/\d

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Dominic Raferd [03 Jan 2017, 29 Mar 2017]
Also save this file and restart Fail2Ban:
systemctl restart fail2ban
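To see what the aggressive failregex of the postfix-auth-fail filter actually matches before trusting it on a live mail.log, here is an added example (not from the article or the filter's author) that re-expresses the same pattern in POSIX extended regex syntax and runs it over a few constructed mail.log lines. The syslog prefix, the `_daemon` alternatives and the `<HOST>` capture are spelled out by hand; `ban_candidates` then applies the `maxretry = 2` threshold from the jail above, ignoring `findtime` (a real jail only counts hits inside that window). All sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: replay the postfix-auth-fail
# failregex with grep/sed over constructed log lines. Assumes GNU or BSD
# grep -E and sed -E; the fail2ban-specific %(__prefix_line)s and <HOST>
# placeholders are expanded by hand below.

# Same daemon pattern as the filter's _daemon line, in ERE form.
DAEMON_RE='postfix(-[A-Za-z0-9_]+)?/(submission/|smtps/)?smtp[ds]'
# Syslog prefix: "Mon DD HH:MM:SS host daemon[pid]: "
PREFIX_RE="^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ $DAEMON_RE\[[0-9]+\]: "

# Constructed sample mail.log (documentation addresses only).
SAMPLE_LOG='Mar  3 10:15:01 mail postfix/smtpd[2211]: disconnect from unknown[203.0.113.10] ehlo=1 auth=0/1 commands=1/2
Mar  3 10:15:07 mail postfix/submission/smtpd[2215]: disconnect from unknown[198.51.100.7] helo=1 auth=0/3 quit=1 commands=2/5
Mar  3 10:15:09 mail postfix/smtpd[2211]: disconnect from client.example.net[192.0.2.5] ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6/6
Mar  3 10:15:12 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.9
Mar  3 10:16:30 mail postfix/smtpd[2211]: disconnect from unknown[203.0.113.10] helo=2 auth=0/2 commands=2/4'

# failed_auth_hosts < maillog -> one client address per matching line,
# i.e. what the filter would hand to the jail as <HOST>.
failed_auth_hosts() {
    grep -E "${PREFIX_RE}disconnect from [^[:space:]]+\[[^]]+\] (ehlo|helo)=[0-9]+ .*auth=0/[0-9]" \
        | sed -E 's/.*disconnect from [^[:space:]]+\[([^]]+)\].*/\1/'
}

# ban_candidates MAXRETRY < maillog -> hosts reaching MAXRETRY matches
# (findtime window deliberately ignored in this illustration).
ban_candidates() {
    failed_auth_hosts | sort | uniq -c | awk -v n="$1" '$1 >= n { print $2 }'
}

# Stand-alone usage: list matches, then the hosts that would hit maxretry=2.
printf '%s\n' "$SAMPLE_LOG" | failed_auth_hosts
echo '--- would be banned at maxretry=2 ---'
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 2
```

The successful login (auth=1/1) and the Dovecot line are not matched, which is exactly the behaviour the filter's comments describe: any disconnect with a failed AUTH counts, so a legitimate client that mistypes its password twice within findtime is banned too, unless it is whitelisted with ignoreip.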
Fail2Ban and verifying jails
It is worth making sure that Fail2Ban and all of its jails actually started. A single typo in one of the filters is enough for that jail not to start, or worse, for Fail2Ban itself not to start, and it does this sneakily, because it does not always report an error. So let's check the Fail2Ban service and the jails:
systemctl status fail2ban.service
tail -15 /var/log/fail2ban.log
Normally the two commands show that the service itself is running and that every jail started without errors.
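Because Fail2Ban can silently skip a broken jail, an added example (not part of the original article) that reads the fail2ban.log lines and compares the jails that report "started" against the list we expect from jail.local; anything missing, or any ERROR/CRITICAL line, is a reason to look at the filter before moving on. The log lines are constructed in the format fail2ban writes, and the error message text is a made-up placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: check a fail2ban.log excerpt
# for jails that started and for error lines. Assumes POSIX sed/awk/grep.

# Constructed sample fail2ban.log: four jails start, the fifth fails to load.
SAMPLE_F2B_LOG='2021-03-03 10:15:01,100 fail2ban.server         [812]: INFO    Starting Fail2ban v0.10.2
2021-03-03 10:15:01,250 fail2ban.jail           [812]: INFO    Jail '"'"'pure-ftpd'"'"' started
2021-03-03 10:15:01,260 fail2ban.jail           [812]: INFO    Jail '"'"'dovecot'"'"' started
2021-03-03 10:15:01,300 fail2ban.jail           [812]: INFO    Jail '"'"'postfix-sasl-normal'"'"' started
2021-03-03 10:15:01,310 fail2ban.jail           [812]: INFO    Jail '"'"'postfix-sasl-auth'"'"' started
2021-03-03 10:15:01,400 fail2ban.server         [812]: ERROR   Failed during configuration: (constructed placeholder error text)'

# The jails enabled in jail.local above.
EXPECTED_JAILS='pure-ftpd dovecot postfix-sasl-normal postfix-sasl-auth postfix-auth-fail'

# started_jails < fail2ban.log -> names of jails that logged "started"
started_jails() {
    sed -nE "s/.*INFO +Jail '([^']+)' started.*/\1/p"
}

# error_count < fail2ban.log -> number of ERROR/CRITICAL lines (0 if none)
error_count() {
    awk '/ (ERROR|CRITICAL) / { n++ } END { print n + 0 }'
}

# missing_jails "name name ..." < fail2ban.log -> expected jails not started
missing_jails() {
    started=$(started_jails)
    for j in $1; do
        printf '%s\n' "$started" | grep -qx "$j" || printf '%s\n' "$j"
    done
}

# Stand-alone usage on the sample; on a real server feed tail -200 /var/log/fail2ban.log.
echo "started: $(printf '%s\n' "$SAMPLE_F2B_LOG" | started_jails | tr '\n' ' ')"
echo "missing: $(printf '%s\n' "$SAMPLE_F2B_LOG" | missing_jails "$EXPECTED_JAILS" | tr '\n' ' ')"
echo "errors:  $(printf '%s\n' "$SAMPLE_F2B_LOG" | error_count)"
```

`fail2ban-client status` gives the same information interactively once the service is up; the log-based check is useful because it also records a jail that failed before the client could be asked.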
At the end of the server build we will add two more jails, but only after ISPConfig is installed, because the log files monitored by the newer filters, and the directories that contain them, are only created when ISPConfig is installed; the jails cannot start until they find the configured log files.
On the next page we continue with the installation of the RoundCube webmail client.
Related content
- Perfect server: Debian 8 (Jessie) V1.0
- Perfect server: Debian 9 (stretch) V1.0
- Perfect server: Debian 11 (Bullseye) v1.0
- How to build and arming our ISPConfig3 server and how to secure our control panel, main services and websites with Let's Encrypt SSL
- Installing Debian 10 (Buster) LAMP Server v1.0
- Debian 11 (Bullseye) LAMP server v1.0 installation
- Install Let's Encrypt Free SSL on an ISPConfig3 server environment
- Fail2Ban (manual and help page)
- How to enable Fail2Ban program filters in the ISPConfig server environment
- How to unblock our blocked IP address if we are banned from any of our server services
- Enhance SSH protection with additional Fail2Ban filter patterns on Debian 8 (Jessie)
- How to keep unwanted robots away from our server websites
- The Perfect Server - Debian 10 (Buster) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.1
- How to configure custom PHP versions on our ISPConfig server
- How to install PHP 8 on your Debian or Ubuntu server
- Download the perfect server: Debian 10 (Buster) v1.1
- How to set the default website on our ISPConfig server so that the Apache2 Debian Default page is not loaded when accessing the server's IP address or full hostname
- How to upgrade our perfect server based on Debian 10 (Buster) to Debian 11 (Bullseye)