Content
- page: Upgrading the system and installing and configuring basic accessories
- page: Install Let's Encrypt, FTP, DNS Server, Web Stats, Jailkit and Fail2Ban
- page: Install RoundCube webmail client and ISPConfig3 control panel
Contents of page 1
- Introduction
- Prerequisites
- The repository database and updating packages
- How to install the server
- Set the default Shell
- System clock synchronization
- Installing compression programs
- Install other basic programs
- Installing a mail system
- MariaDB Options
- Install spam filters and anti-virus software
- Apache settings
- Navigation
Introduction
In this guide, we build the Debian 10 (Buster) version of the perfect server. The result is a complete web server based on Debian 10 (Buster): like a LAMP system, but with many additional features, which makes it well suited to running live websites.
I will mark this server with a version number of 1.0, so there may be several versions of it later. Similar server installations have previously been made in the following versions:
- Perfect server: Debian 8 (Jessie) V1.0 (Installation guide | download virtual machine)
- Perfect server: Debian 9 (stretch) V1.0 (Installation guide | download virtual machine)
A new version of the perfect server series installation guide has been prepared, which can be viewed at the following link:
Prerequisites
The repository database and updating packages
Before we begin the installation, our first task is to update the package repository database and our installed packages so that we work with the latest versions. To do this, issue the following command:
apt-get update && apt-get upgrade
How to install the server
As I mentioned, this installation, unlike previous perfect server installations, is not based on a minimal system but on the previously built LAMP server. This makes this Debian 10 server line more modular, and our earlier LAMP machine remains "reusable". The advantage is that you do not have to start the entire server installation from scratch: since we have already struggled through assembling the LAMP system, we now build on it, so this description is shorter than its predecessors. We can also think of this as an "upgrade" of the LAMP server. This approach is particularly useful now, because installing and configuring the phpMyAdmin web database management interface on Debian 10 is quite a chore: it is not part of the stock package set, so everything has to be done manually. That long step is now already behind us as part of the earlier LAMP server.
When you are ready, log on to our LAMP server as root and get started!
Set the default Shell
In Debian 10, Dash is set as the default shell, but we will need the Bash shell when installing ISPConfig. To change this, run the following command:
dpkg-reconfigure dash
Here, select the No option. The program will then rearrange the necessary symbolic links.
System clock synchronization
It is a good idea for our server to keep accurate time. We can solve this automatically with the NTP protocol, which periodically synchronizes the clock in the background. To install it, run the following command:
apt-get -y install ntp
Installing compression programs
We will need various compression programs later: some during the installation, but they matter especially during the operation of the server in the ISPConfig system, for example when performing various background tasks. It is a good idea to install them all at once with the following command:
apt-get install -y \
zip unzip bzip2 arj nomarch lzop cabextract \
p7zip p7zip-full unrar lrzip
Install other basic programs
We need to install a few more basic packages that are needed to run the entire server but are not part of larger program groups, so they are installed here. You can install these with the following command:
apt-get -y install \
openssl \
rkhunter \
binutils \
daemon \
patch \
apt-listchanges \
apt-transport-https
Installing a mail system
The server's outgoing (SMTP) mail is handled by the Postfix program, and incoming mail (POP3/IMAP) by the Dovecot program. These are installed with the following command:
apt-get -y install \
postfix \
postfix-mysql \
postfix-doc \
getmail4 \
dovecot-imapd \
dovecot-pop3d \
dovecot-mysql \
dovecot-sieve \
dovecot-lmtpd
During installation, the Postfix configuration will start:
Here, select the Internet Site option.
In the following panel, you need to set the server name:
The system fills in the server name by default, but make sure that you give the server's full name (FQDN), which can also be obtained with the hostname -f command.
The installer then installs the other packages and configures them.
More Postfix settings
After installing the mail packages, we still need to configure Postfix to open the SSL/TLS ports so that secure mail can work through them. To do this, open the /etc/postfix/master.cf file:
nano /etc/postfix/master.cf
And do the following:
- Uncomment the submission and smtps sections. These are right in the first part of the file.
- Remove the comment markers from the appropriate option lines (starting with -o), as shown below.
- Also add the extra options shown in the following example, according to the parts highlighted in green.
So the point is that this part of the file looks exactly like the one below:
[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]
So in both sections, we remove the comment markers from the first 3 options and then add the lines highlighted in green (the -o smtpd_client_restrictions=permit_sasl_authenticated,reject line in each section). And of course, make sure you also remove the comment markers from the front of the lines starting with submission and smtps.
Once you are done, save the file and restart Postfix:
systemctl restart postfix
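A mistake in master.cf (an option left commented, or a later -o line overriding an earlier one) silently leaves the submission ports without mandatory TLS or authentication. The following check is an added example, not part of the original guide; the function name audit_master_cf is hypothetical, and it assumes the plain "-o name=value" form shown above.

```shell
#!/bin/sh
# Added example: verify the submission/smtps overrides described above.
# Usage: audit_master_cf /etc/postfix/master.cf
# Prints one FAIL line per wrong or missing option; returns non-zero on failure.
audit_master_cf() {
    awk '
    function check(svc, name, want,    got) {
        got = ((svc, name) in val) ? val[svc, name] : "(unset)"
        if (got != want) {
            printf "FAIL %s: %s=%s (want %s)\n", svc, name, got, want
            bad = 1
        }
    }
    # Postfix ignores blank lines and lines whose first non-blank char is "#".
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    # A line starting in column 1 opens a new service entry (name and type).
    /^[^ \t]/ { svc = $1 "/" $2 }
    {
        # Record every "-o name=value"; a later occurrence overrides an earlier one.
        for (i = 1; i < NF; i++) {
            if ($i != "-o") continue
            eq = index($(i + 1), "=")
            if (eq) val[svc, substr($(i + 1), 1, eq - 1)] = substr($(i + 1), eq + 1)
        }
    }
    END {
        auth = "permit_sasl_authenticated,reject"
        check("submission/inet", "smtpd_tls_security_level", "encrypt")
        check("submission/inet", "smtpd_sasl_auth_enable", "yes")
        check("submission/inet", "smtpd_client_restrictions", auth)
        check("smtps/inet", "smtpd_tls_wrappermode", "yes")
        check("smtps/inet", "smtpd_sasl_auth_enable", "yes")
        check("smtps/inet", "smtpd_client_restrictions", auth)
        exit bad + 0
    }' "$1"
}
```

A service entry that is still commented out is reported as "(unset)" for each of its options.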
MariaDB Options
A MariaDB database server was already installed during the construction of the LAMP server; now we only need to prepare it to stand its ground under higher traffic and load as part of a more serious server configuration.
Fine tuning
Open the /etc/mysql/mariadb.conf.d/50-server.cnf file:
nano /etc/mysql/mariadb.conf.d/50-server.cnf
Make the following settings here:
- Comment out this line:
bind-address = 127.0.0.1
(This will play a role in ISPConfig, where you will be able to enable remote access for the databases you create ...)
- Insert the following line immediately below this line:
sql_mode = NO_ENGINE_SUBSTITUTION
(I have already written about the role of this in my article New features and changes to the Debian 10 (Buster) operating system.)
- Set the max_allowed_packet value to 64M and remove the comment marker from it as well.
(This lets MariaDB handle a larger packet size. Some database-based software, such as Matomo, also)
So, when all is done, this part of the MariaDB configuration file will look like this:
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
sql-mode = "NO_ENGINE_SUBSTITUTION"
[...]
max_allowed_packet = 64M
[...]
Set file limits
Save the file, and then open the following: /etc/security/limits.conf
nano /etc/security/limits.conf
Add the following two lines to the end:
mysql soft nofile 65535
mysql hard nofile 65535
Let's save it.
Open the /etc/systemd/system/mysqld.service file for editing:
nano /etc/systemd/system/mysqld.service
Here, look for this commented setting:
#LimitNOFILE=16364
Remove the comment marker from the beginning of the line and set the value to "infinity":
LimitNOFILE=infinity
Then save the file.
Service restart and MariaDB testing
Restart Services:
systemctl daemon-reload
systemctl restart mariadb
Let's test MariaDB:
netstat -tap | grep mysql
The output of the command should be something like:
tcp6 0 0 [::]:mysql [::]:* LISTEN 2199/mysqld
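With bind-address commented out, MariaDB listens on every interface (the [::]:mysql line above), so reachability from outside now depends on the firewall and on each database user's host setting. This added example, not part of the original guide, classifies the listeners on a port from ss -Hltn output; the function name classify_listeners is hypothetical, and ss (iproute2) is used here instead of the netstat command above.

```shell
#!/bin/sh
# Added example: report whether a TCP port listens on loopback only or on
# externally reachable addresses.
# Usage: ss -Hltn | classify_listeners 3306
# Returns 1 if any listener on the port is bound to a non-loopback address.
classify_listeners() {
    awk -v port="${1:-3306}" '
    {
        # Locate the State column; the local address is three fields after it.
        for (i = 1; i <= NF; i++) if ($i == "LISTEN") break
        la = $(i + 3)
        if (!match(la, /:[0-9]+$/)) next          # no addr:port pair on this line
        if (substr(la, RSTART + 1) != port) next  # a different port
        addr = substr(la, 1, RSTART - 1)
        gsub(/^\[|\]$/, "", addr)                 # strip IPv6 brackets
        sub(/%.*$/, "", addr)                     # strip interface scope, e.g. %lo
        if (addr ~ /^127\./ || addr == "::1") {
            printf "loopback  %s\n", la
        } else {
            # Wildcards (*, 0.0.0.0, ::) and specific non-loopback addresses.
            printf "EXPOSED   %s\n", la
            exposed = 1
        }
    }
    END { exit exposed + 0 }'
}
```

If the port is reported as EXPOSED and remote database access is not needed yet, block it at the firewall until it is.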
Install spam filters and anti-virus software
The software packages installed now are designed to increase mail security by filtering spam and virus content in incoming and outgoing mail. To install the packages, run the following multi-line command:
apt-get install -y \
amavisd-new \
spamassassin \
clamav clamav-daemon clamav-docs \
postgrey \
libnet-ldap-perl libauthen-sasl-perl \
libio-string-perl libio-socket-ssl-perl \
libnet-ident-perl libnet-dns-perl libdbd-mysql-perl
Then disable SpamAssassin, because ISPConfig will control it too, so it should not sit in memory now:
systemctl stop spamassassin
systemctl disable spamassassin
Nothing more needs to be done with the installed packages; they will be used in the background in the mail section of ISPConfig by the spam filter and the systems that handle various mail rules.
Apache settings
The Apache web server has already been added when installing the LAMP server, so let's just make some additional settings on it.
Enable basic modules
First we enable the basic Apache modules:
a2enmod \
suexec rewrite ssl actions \
include cgi headers \
proxy_fcgi alias
Enable WebDAV (optional)
If you want WebDAV service on the server, enable the necessary Apache modules:
a2enmod dav_fs dav auth_digest
Closing an httpoxy vulnerability
We close a known vulnerability (httpoxy) with the following setting, which removes the Proxy header from incoming requests. Create a new Apache configuration file (/etc/apache2/conf-available/httpoxy.conf):
nano /etc/apache2/conf-available/httpoxy.conf
And let's add these three lines:
<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>
Enable the configuration:
a2enconf httpoxy
Finally, restart Apache:
systemctl restart apache2
On the next page we continue with installing Let's Encrypt's free SSL.