Page 1 content
Introduction
In this description, we will build the Debian 9 (Stretch) version of the perfect server. I am marking this server as version 1.0 because more will be added to it later, and version numbers make it easier to refer to a particular installation. By the way, the same server was built earlier on Debian 8 (Jessie) as well, which can be viewed here.
This description is based on the Howtoforge recipe.
The server contains many components, so it takes longer to build. If you need a simpler server setup, I recommend the guide on setting up a Debian 9 (Stretch) LAMP server.
A newer version of the server for Debian 10 is ready: Perfect server: Debian 10 (Buster) V1.0
Prerequisites
Update Debian packages
As with all major installation work, we start by updating the packages. However, the package repositories need to be configured properly before upgrading packages. If this was not done at the end of the base system installation, be sure to extend the package repositories now!
Once that is done, update the APT package manager database and the packages:
apt-get update
apt-get upgrade
Configure / verify network and host name
Setting up the network and host name is also very important, so if you installed the base system earlier and are unsure, check them against the earlier guide.
The hostname of this server can be retrieved with the hostname command:
hostname
debian9
And the full server name (FQDN) is shown by hostname with the -f switch:
hostname -f
debian9.linuxportal.vm
In this guide I will use these hostname settings throughout. Use your own server name during installation.
Set the default shell
Debian 9 defaults to the Dash shell, which is not appropriate for this installation, so we need to switch to Bash:
dpkg-reconfigure dash
Here, select the "No" option. The system will then switch the symbolic links to Bash. This is important for the later ISPConfig control panel installation, because it would not start without it.
System clock synchronization
The system clock should be synchronized via the NTP protocol to ensure that the time on the server is always accurate:
apt-get install ntp
Installing Postfix, Dovecot, MySQL, rkhunter, and Binutils
Install the components mentioned in the title in one apt-get command:
apt-get install -y \
postfix postfix-mysql postfix-doc \
mariadb-client mariadb-server \
openssl getmail4 rkhunter binutils \
dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd \
sudo
In Debian 9 the distribution repository contains MariaDB instead of MySQL, so that is what we install. Because of its high compatibility, it can completely replace MySQL.
However, if you still want to install MySQL, you can swap it in later, following a separate description.
Configure Postfix
When the command runs, the installer starts, and the SMTP server (Postfix) asks a few configuration questions:
If you are installing the server for live use, select "Internet Site" here.
When installing a home test environment, you can also select "Local only", but in this case, you can also select "Internet Site" because, for example, a relay host can send mail from your home computer to an external server.
Here, if you have set the hostname correctly before, the FQDN will be offered. Otherwise, enter the correct domain name yourself, the one from which emails will be sent.
Then open the /etc/postfix/master.cf file
nano /etc/postfix/master.cf
and configure the TLS / SSL settings to make this part of the configuration file look exactly like this:
[...]
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]
Save the file and then restart Postfix:
service postfix restart
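An override that is still commented out, or that ended up under the wrong service entry, silently leaves that port running with the main.cf defaults, so it is worth checking the file after editing. The following is an added example, not part of the original guide; the function names active_overrides and audit_master_cf and the sample excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): check that the overrides
# set above are really active in master.cf, not commented out.

# Print every active "-o name=value" of one inet service entry.
# Assumes the plain "-o name=value" form (no "{ name = value }" syntax).
active_overrides() {   # $1 = master.cf path, $2 = service name
    awk -v svc="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[^ \t]/ { in_svc = ($1 == svc && $2 == "inet") }  # entry starts in column 1
        in_svc { for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1) }
    ' "$1"
}

# Report each required override that is missing; return 1 if any is.
audit_master_cf() {    # $1 = master.cf path
    rc=0
    while read -r svc want; do
        active_overrides "$1" "$svc" | grep -qxF -- "$want" ||
            { echo "MISSING $svc: -o $want"; rc=1; }
    done <<'EOF'
submission smtpd_tls_security_level=encrypt
submission smtpd_sasl_auth_enable=yes
submission smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps smtpd_tls_wrappermode=yes
smtps smtpd_sasl_auth_enable=yes
smtps smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
    return $rc
}

# Constructed sample: smtps still has its SASL override commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
audit_master_cf "$sample" || echo "master.cf needs fixing"
```

On the server itself, run audit_master_cf /etc/postfix/master.cf after saving the file.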
Configuring MySQL / MariaDB
Secure your database configuration by removing the test database and the anonymous user together with their associated permissions. To do this, run the mysql_secure_installation command:
mysql_secure_installation
The script then asks a few questions:
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
Here we need to enter the root password of the database. Since no password has been set in the recent installation, press enter.
You will then be asked if you want to change your root password:
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
You already have a root password set, so you can safely answer 'n'.
Change the root password? [Y/n]
Press "Y", enter the new password, and repeat it. This sets the MariaDB root password.
The script then explains that MariaDB has an anonymous user installed by default, which allows anyone to log in without a separate user account. It is intended for test use only, and removing it is recommended for live use.
Here, accordingly, answer the question:
Remove anonymous users? [Y/n]
Be sure to select "Y" for live use.
You will then be prompted to disable remote access for the root user:
Disallow root login remotely? [Y/n]
Select the "Y" option here, unless you need remote root access.
A phpMyAdmin login does not count as a remote login because phpMyAdmin runs on the server, so it counts as a local connection regardless of where we use it from. Thus, even if you disable remote root access with the "Y" option, you will still be able to log in as root in the phpMyAdmin interface.
It then asks if you want to delete the "test" database, which has also been created for test purposes and which can be accessed by any user:
Remove test database and access to it? [Y/n]
Be sure to answer "Y" for live use so that it is deleted.
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n]
This deletes the test database and its associated permissions. You will then be asked to reload the privilege tables. Here, press "Y".
Above, we disabled remote access for the root user. However, we now allow connections to the databases from other hosts by default, not just from localhost (except, of course, as root). To do this, open the /etc/mysql/mariadb.conf.d/50-server.cnf file:
nano /etc/mysql/mariadb.conf.d/50-server.cnf
Comment out the line beginning with "bind-address" and insert the line starting with "sql-mode" below it, so that the section looks like this:
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
sql-mode="NO_ENGINE_SUBSTITUTION"
[...]
Let's save it.
Configure the defaults file for the root user so that you do not have to type in the root password again at the command prompt.
nano /etc/mysql/debian.cnf
Enter the root password in both places (if the password contains special characters, enclose it in single quotes):
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = <root password>
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = <root password>
socket = /var/run/mysqld/mysqld.sock
basedir = /usr
Let's save it.
Use the following command to change the password authentication method for the MariaDB root user to native so that phpMyAdmin can connect as root later (I split it across two lines, but it is a single command):
echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | \
mysql --defaults-file=/etc/mysql/debian.cnf
Here we no longer have to type in the root password of the database, thanks to our defaults file. (It was the other way around in the original description, but it makes more sense to set up the defaults file first and use it right after that, so I swapped the two parts.)
Then increase the maximum number of files that MariaDB can open. Open the /etc/security/limits.conf file:
nano /etc/security/limits.conf
and add the following two lines to the end:
mysql soft nofile 65535
mysql hard nofile 65535
Create a new directory (/etc/systemd/system/mysql.service.d/):
mkdir -p /etc/systemd/system/mysql.service.d/
Create a new file in the directory:
nano /etc/systemd/system/mysql.service.d/limits.conf
And put the following two lines in it:
[Service]
LimitNOFILE=infinity
Let's save it.
Restart Services
Reload systemd and restart MariaDB:
systemctl daemon-reload
service mysql restart
The second command prints a warning:
Warning: mysql.service changed on disk. Run 'systemctl daemon-reload' to reload units.
When I first installed it, I didn't know what to think of this message, so I started searching. I found a question about this in two places in the Howtoforge forum, one here and another here. In both topics the same message was asked about, and in each case the author of the original description advised ignoring this message.
To confirm this, I previously installed the same server on my desktop; it printed the same message then too, but it works nicely without any errors.
You can also check if the MySQL / MariaDB daemon is running:
netstat -nap | grep mysql
When it is working properly, the output should look something like this:
tcp6 0 0 :::3306 :::* LISTEN 13648/mysqld
unix 2 [ ACC ] STREAM LISTENING 69347 13648/mysqld /var/run/mysqld/mysqld.sock
And for peace of mind, you can also search the running services:
systemctl | grep mariadb
It should print something like this:
mariadb.service loaded active running MariaDB 10.1.37 database server
So everything is fine from every angle. At first, of course, I was worried, which is why I looked into these.
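With bind-address commented out, MariaDB listens on every interface (the :::3306 line in the netstat output above), and /etc/mysql/debian.cnf now holds the root password in plain text. The added example below, which is not part of the original guide, checks both; the function names and sample lines are constructed, and it also accepts ss -ltn output, which the guide does not use.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the MariaDB steps.

# Read "netstat -nlt" or "ss -ltn" lines on stdin and print each local
# address where PORT listens on something other than loopback.
exposed_listeners() {   # $1 = port, e.g. 3306
    awk -v port="$1" '
        ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 == "LISTEN" {
            n = split($4, part, ":")          # the port is the last ":" part
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]")
                print $4
        }'
}

# Succeed only if FILE grants no permission to group or others (0600).
private_file() {        # $1 = path, e.g. /etc/mysql/debian.cnf
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed input: the tcp6 line is the one shown above, the second
# line is what a loopback-only listener would look like.
sample='tcp6 0 0 :::3306 :::* LISTEN 13648/mysqld
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 13648/mysqld'
printf '%s\n' "$sample" | exposed_listeners 3306    # prints :::3306

# Constructed stand-in for /etc/mysql/debian.cnf with a too-open mode.
cnf=$(mktemp)
chmod 644 "$cnf"
private_file "$cnf" || echo "$cnf is readable by other users: chmod 600"
```

On the server, feed it live data with netstat -nlt | exposed_listeners 3306; any address it prints should be covered by a firewall rule that limits which hosts may reach the port.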
On the next page, the description continues with the installation of the Amavisd, SpamAssassin, and ClamAV antivirus and spam filtering programs ...
- Howtoforge - The Perfect Server - Debian 9 (Stretch) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.1 (source)