Perfect Server: Debian 8 (Jessie) V1.0 (page 3)

botond published March 2018, 05, Thu - 03:13 time


Installing and configuring Quota

The Quota program allows us to set storage limits for users, which the system will not let them exceed. To install it, run the following apt-get command:

apt-get -y install quota quotatool

Edit the /etc/fstab file and add the part ",usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0" to the options column of the root partition entry, as follows:

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=b20b97ad-0bcd-41e8-bcfa-9538c9f6a3ae / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
# swap was on /dev/sda5 during installation
UUID=dc8dd9f2-3f97-4b81-9150-3255a1778da9 none            swap    sw              0       0
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/sr1        /media/cdrom1   udf,iso9660 user,noauto     0       0

 

Of course, if you need quotas on another mount point (for example, if /var/www is mounted separately), then you need to make that change on that mount point. Since I installed everything on a single partition, I have to configure the mount point "/" (root) on this server for quota.

 

Then remount the modified partition with the mount command and enable quota:

mount -o remount /
quotacheck -avugm
quotaon -avug

We can double-check the quota system with quotacheck:

quotacheck -avugmf

Normally, the output is something like:

quotacheck: Scanning /dev/sda1 [/] done
quotacheck: Checked 4998 directories and 50736 files

So the quota system is ready. Later we will be able to manage it conveniently from the ISPConfig interface (in the form of web hosting, email hosting, FTP and database quotas).
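
The fstab change above, as an added example that is not part of the original tutorial: a small Python helper that adds the three quota options to a mount point's entry idempotently and reports which are still missing, so the edit can be checked before running mount -o remount /. The sample fstab is constructed from the tutorial's listing, and the function names are illustrative.

```python
# Journaled-quota options the tutorial adds to the options field.
QUOTA_OPTS = ["usrjquota=quota.user", "grpjquota=quota.group", "jqfmt=vfsv0"]

# Constructed "before" state: the tutorial's fstab without the quota options.
SAMPLE_FSTAB = """\
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
UUID=b20b97ad-0bcd-41e8-bcfa-9538c9f6a3ae / ext4 errors=remount-ro 0 1
UUID=dc8dd9f2-3f97-4b81-9150-3255a1778da9 none            swap    sw              0       0
"""

def _entry(line, mount_point):
    """Return the fields of line if it is the entry for mount_point, else None."""
    fields = line.split()
    if len(fields) >= 4 and not fields[0].startswith("#") and fields[1] == mount_point:
        return fields
    return None

def missing_quota_options(fstab_text, mount_point="/"):
    """List the quota options still absent from mount_point's entry."""
    for line in fstab_text.splitlines():
        fields = _entry(line, mount_point)
        if fields:
            return [o for o in QUOTA_OPTS if o not in fields[3].split(",")]
    raise ValueError(f"no fstab entry for mount point {mount_point!r}")

def add_quota_options(fstab_text, mount_point="/"):
    """Return fstab_text with the quota options set on mount_point (idempotent)."""
    keys = {o.split("=", 1)[0] for o in QUOTA_OPTS}
    out, found = [], False
    for line in fstab_text.splitlines():
        fields = _entry(line, mount_point)
        if fields:
            found = True
            # Drop stale values of the same keys, then append the wanted ones.
            kept = [o for o in fields[3].split(",") if o.split("=", 1)[0] not in keys]
            fields[3] = ",".join(kept + QUOTA_OPTS)
            line = " ".join(fields)
        out.append(line)
    if not found:
        raise ValueError(f"no fstab entry for mount point {mount_point!r}")
    return "\n".join(out) + "\n"
```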

 

TIP:
For this reason it is worth putting, for example, the web hosting structure (/var or /var/www) on a separate partition, because then the quotas only need to be applied there, which means less system load, as Quota does not have to monitor the entire file system.

 

 

Install BIND DNS server

The BIND DNS server can be easily installed with the following command:

apt-get install bind9 dnsutils

 

Install Vlogger, Webalizer and AWStats

Here's how to install the log and stat programs:

apt-get -y install \
    vlogger webalizer awstats geoip-database \
    libclass-dbi-mysql-perl

Then open the awstats cron file:

nano /etc/cron.d/awstats

And comment out both cron lines (ISPConfig will run these):

MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

 

Install Jailkit

With Jailkit, we can create a complete chroot environment for jailed users, so that users cannot access each other's directory structure.

 

Important!
Installing Jailkit is not mandatory; you only need it if you want to create chrooted SSH users later. However, it will not work if it is installed after ISPConfig! Therefore, we have to decide now whether we will use it in the future!
I recommend installing it, because you never know when it will come in handy. For example, if you provide hosting on the server for an outside client, security issues will not give you a headache.

 

Jailkit is not part of the Debian distribution, so you need to compile it from source and install the resulting installation package. First, install the build tools:

apt-get -y install \
    build-essential autoconf automake \
    libtool flex bison debhelper binutils

Then pick the latest Jailkit source package from the maker's site (for me the latest is 2.19), download it with the wget command into the /tmp directory and unpack it:

cd /tmp
wget https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar -xvzf jailkit-2.19.tar.gz

Compile the unpacked source:

cd jailkit-2.19
./debian/rules binary

It finishes quickly. Then locate the .deb installation package that was created and install it with the dpkg command:

cd ..
dpkg -i jailkit_2.19-1_amd64.deb

Finally, clean up unnecessary things:

rm -rf /tmp/jailkit*

 

 

Installing and configuring Fail2Ban

Fail2Ban is a very powerful security tool that cleverly blocks attackers' IP addresses. We can also track its activity from ISPConfig. Install it with the following command:

apt-get -y install fail2ban

Then configure it to monitor both PureFTPd and Dovecot. Create the following file:

nano /etc/fail2ban/jail.local

And let's include the following:

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled  = true
port     = smtp
filter   = postfix-sasl
logpath  = /var/log/mail.log
maxretry = 3

Then create the two filter files with the content shown below. The PureFTPd filter file:

nano /etc/fail2ban/filter.d/pureftpd.conf
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

And Dovecot's filter:

nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =

The Postfix filter already exists; just add a line to it:

echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf

Finally, restart Fail2Ban:

service fail2ban restart
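
To check what the two filters above actually match, this added example (not part of the original tutorial) runs the tutorial's failregex lines over constructed log lines in Python and lists the addresses that reach each jail's maxretry. It assumes a simplified IPv4-only replacement for fail2ban's <HOST> tag and ignores the findtime window; the function names are illustrative.

```python
import re
from collections import Counter

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# jail name -> (maxretry, failregex), both copied from the tutorial's files.
JAILS = {
    "pureftpd": (3, r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*"),
    "dovecot-pop3imap": (5, r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*"),
}

# Constructed sample log lines (documentation IP ranges, made-up users).
SYSLOG = [
    "Mar  5 03:14:07 server1 pure-ftpd: (?@203.0.113.45) [WARNING] Authentication failed for user [admin]",
    "Mar  5 03:14:09 server1 pure-ftpd: (?@203.0.113.45) [WARNING] Authentication failed for user [root]",
    "Mar  5 03:14:12 server1 pure-ftpd: (?@203.0.113.45) [WARNING] Authentication failed for user [test]",
    "Mar  5 03:15:30 server1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [web1]",
    "Mar  5 03:15:41 server1 pure-ftpd: (?@198.51.100.7) [INFO] web1 is now logged in",
]
MAILLOG = [
    "Mar  5 03:20:0%d server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<info@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.1, TLS" % i
    for i in range(5)
] + [
    "Mar  5 03:21:00 server1 dovecot: imap-login: Login: user=<info@example.com>, "
    "method=PLAIN, rip=192.0.2.50, lip=192.0.2.1, mpid=4242, TLS",
]

def scan(jail, lines):
    """Count failregex matches per source address for one jail."""
    pattern = re.compile(JAILS[jail][1].replace("<HOST>", HOST))
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def would_ban(jail, lines):
    """Addresses whose failure count reaches the jail's maxretry."""
    maxretry = JAILS[jail][0]
    return sorted(ip for ip, n in scan(jail, lines).items() if n >= maxretry)

if __name__ == "__main__":
    print("pureftpd:", would_ban("pureftpd", SYSLOG))
    print("dovecot-pop3imap:", would_ban("dovecot-pop3imap", MAILLOG))
```

On the server itself, fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pureftpd.conf performs the same match test with fail2ban's own engine.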

 

 
