Perfect server: Debian 9 (stretch) V1.0

Published by botond on 2019. 01. 21., Mon - 17:40


 

Introduction

In this description, we will build the Debian 9 (Stretch) version of the perfect server. I am labeling this server version 1.0 because a lot more will be added to it later, so I can refer to a particular installation by its version number more easily. Incidentally, this server was previously built on Debian 8 (Jessie) as well, which can be viewed here.

This description is based on the Howtoforge recipe.

The server contains many components, so it takes longer to build. If you need a simpler server setup, I recommend the Debian 9 (Stretch) LAMP server description.

Update: 2020-01-02:
A newer version of the server for Debian 10 is ready: Perfect server: Debian 10 (Buster) V1.0

 

 

Prerequisites

To install it, you need a base system on which to build the server. The installation guide for the base system can be found here, and it also covers important settings.

Update Debian packages

As with all major installation work, we start by updating the packages. However, the package repositories need to be configured properly before upgrading packages. If we did not do this at the end of the base system installation, then we should definitely catch up on extending the repositories now!

Once that is done, update the APT package manager database and the packages:

apt-get update
apt-get upgrade

Configure / verify network and host name

Setting up the network and host name is also very important, so if you installed the base system earlier and are unsure, check the settings against the earlier guide.

The hostname of this server can be retrieved with the hostname command:

hostname
debian9

And the full server name is returned by hostname with the -f switch:

hostname -f
debian9.linuxportal.vm

So in this installation, I will proceed with these hostname settings. Use your own server name during installation.

Set the default shell

Debian 9 defaults to the Dash shell, which is not suitable for this installation, so we need to switch to Bash:

dpkg-reconfigure dash

Here, select the "No" option. The system will then switch the symbolic links to Bash. This is important for the later ISPConfig control panel installation, because it would not start without it.

System clock synchronization

The system clock should be synchronized via the NTP protocol so that the time on the server is always accurate:

apt-get install ntp

 

Installing Postfix, Dovecot, MySQL, rkhunter, and Binutils

Install the components mentioned in the title in one apt-get command:

apt-get install -y \
    postfix postfix-mysql postfix-doc \
    mariadb-client mariadb-server \
    openssl getmail4 rkhunter binutils \
    dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd\
    sudo

In Debian 9, MariaDB is in the distribution repository instead of MySQL, so we will install that. Because of its high compatibility, it can completely replace MySQL.

However, if you still want to install MySQL, you can replace it later; that is covered in a different description.

Configure Postfix

When the command is run, the installer starts and then asks a few questions about the SMTP server (Postfix) settings:

Debian 9 (Stretch) - Perfect Server Installation - Postfix General Configuration

If you are installing the server for live use, select "Internet Site" here.

When installing a home test environment, you can also select "Local only", but in this case, you can also select "Internet Site" because, for example, a relay host can send mail from your home computer to an external server.

Debian 9 (Stretch) Installing a Perfect Server - Postfix Configuration - Setting a Domain Name

Here, if you have set the hostname correctly before, the FQDN will be offered. Otherwise, set the correct domain name yourself, from which the emails will be sent.

Then open the /etc/postfix/master.cf file

nano /etc/postfix/master.cf

and configure the TLS / SSL settings to make this part of the configuration file look exactly like this:

[...]
submission inet  n       -       -       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       -       -       -       smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]

Save the file and then restart Postfix:

service postfix restart
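
One way to confirm the edit took effect, as an added example that is not part of the original guide: a shell function (hypothetical name check_master_cf) that reads master.cf and reports any override shown above that is missing or still commented out for submission or smtps. It assumes the one-option-per-line "-o name=value" layout used on this page; the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit a Postfix master.cf.
# check_master_cf [FILE] prints each required override that is missing or
# commented out and returns non-zero if any is; reads stdin without FILE.
check_master_cf() {
    awk '
    BEGIN {
        common = " smtpd_sasl_auth_enable=yes"
        common = common " smtpd_client_restrictions=permit_sasl_authenticated,reject"
        need["submission"] = "smtpd_tls_security_level=encrypt" common
        need["smtps"]      = "smtpd_tls_wrappermode=yes" common
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # Postfix ignores comments and blank lines
    /^[^ \t]/ { svc = $1; next }         # column-1 text opens a new service entry
    (svc in need) && $1 == "-o" { seen[svc, $2] = 1 }   # indented continuation
    END {
        for (s in need) {
            n = split(need[s], opt, " ")
            for (i = 1; i <= n; i++)
                if (!((s, opt[i]) in seen)) {
                    print "MISSING " s ": -o " opt[i]; bad = 1
                }
        }
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample: submission is configured as on the page, but the
# smtps wrappermode override has been left commented out.
sample_master_cf() {
    cat <<'EOF'
submission inet  n       -       -       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       -       -       -       smtpd
 -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}

sample_master_cf | check_master_cf || echo "master.cf needs fixing"
```

On the server it would be run as check_master_cf /etc/postfix/master.cf; no output and exit status 0 mean both entries carry all the overrides.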

 

 

Configuring MySQL / MariaDB

Secure your database configuration by disabling the test database and the anonymous user along with their associated permissions. To do this, run the mysql_secure_installation command:

mysql_secure_installation

 

It is also part of MariaDB's MySQL compatibility that the "mysql" names are retained in the commands, packages and configuration names, so everything can be configured as with MySQL.

 

When run, it asks a few more questions:

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):

Here we need to enter the root password of the database. Since no password has been set in a fresh installation, just press Enter.

You will then be asked if you want to change your root password:

OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n]

Press "Y", then enter the new password and repeat it. This sets the MariaDB root password.

It then explains that MariaDB has an anonymous user installed by default, which allows anyone to log in without a separate user account. It is intended for test use only, and removing it is recommended for live use.

Answer the question accordingly:

Remove anonymous users? [Y/n]

Be sure to select "Y" for live use.

You will then be prompted to disable remote access for the root user:

Disallow root login remotely? [Y/n]

Select the "Y" option here, unless you need remote root access.

By remote access, we mean, for example, logging in as root from a database client program running on a remote machine, or connecting directly as root from a remote machine to the databases running on the server.
A phpMyAdmin login does not count as a remote login because phpMyAdmin runs on the server, so it counts as a local connection wherever we use it from. Thus, even if you disable remote root access with the "Y" option, you will still be able to log in as root in the phpMyAdmin interface.

It then asks if you want to delete the "test" database, which has also been created for test purposes and which can be accessed by any user:

Remove test database and access to it? [Y/n]

Be sure to choose "Y" for live use.

 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]

This deletes the test database and its associated permissions. You will then be asked to reload the privilege tables. Here, press "Y".

Above, we have disabled remote access for the root user. However, we now allow connections to the databases from other hosts by default, not just from localhost (except as root, of course). To do this, open the /etc/mysql/mariadb.conf.d/50-server.cnf file:

nano /etc/mysql/mariadb.conf.d/50-server.cnf

Comment out the line beginning with "bind-address" and insert the line starting with "sql-mode" below it, so that the section looks like this:

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1

sql-mode="NO_ENGINE_SUBSTITUTION"
[...]

Let's save it.

Configure the root user's defaults file so that you do not have to type in the root password again at the command prompt:

nano /etc/mysql/debian.cnf

Enter the root password in both places (if the password contains special characters, enclose it in apostrophes):

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = <root password>
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = <root password>
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

Let's save it.

Use the following command to change the password authentication method for the MariaDB root user to native so that phpMyAdmin can connect as root later (I split it across two lines, but it is a single command):

echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | \
    mysql --defaults-file=/etc/mysql/debian.cnf

Here we no longer have to type in the root password of the database, thanks to our defaults file. (In the original description these two steps were the other way around, but it makes more sense to set up the defaults file first and use it right after that, so I swapped the two parts.)

Then increase the maximum number of files that MariaDB can open. Open the /etc/security/limits.conf file:

nano /etc/security/limits.conf

and add the following two lines to the end:

mysql soft nofile 65535
mysql hard nofile 65535

Create a new directory (/etc/systemd/system/mysql.service.d/): 

mkdir -p /etc/systemd/system/mysql.service.d/

Create a new file in the directory:

nano /etc/systemd/system/mysql.service.d/limits.conf

And put the following two lines in it:

[Service]
LimitNOFILE=infinity

Let's save it.

Restart Services

Reload systemd and restart MariaDB:

systemctl daemon-reload
service mysql restart

The second command throws a warning:

Warning: mysql.service changed on disk. Run 'systemctl daemon-reload' to reload units.

When I first installed it, I didn't know what to make of this message, so I started searching. I found questions about it in two places on the Howtoforge forum, one here and another here. Both topics asked about the same message, and in each case the author of the original description said to ignore it.

To confirm this, I had previously installed the same server on my desktop; it printed the same message then too, but everything works nicely without any errors.

You can also check if the MySQL / MariaDB daemon is running:

netstat -nap | grep mysql

And the output should look something like this when it is operating properly:

tcp6       0      0 :::3306                 :::*                    LISTEN      13648/mysqld        
unix  2      [ ACC ]     STREAM     LISTENING     69347    13648/mysqld         /var/run/mysqld/mysqld.sock

And for peace of mind, you can also look for the running service:

systemctl | grep mariadb

And it should return something like this:

mariadb.service                   loaded active running   MariaDB 10.1.37 database server

So it is fine from every angle. At first, of course, I was worried, which is why I looked into these.
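
With bind-address commented out, MariaDB listens on every interface, which is what the :::3306 line in the netstat output above shows. The following added example (not part of the original guide; the function names are hypothetical) reports the effective bind-address, lists mysqld listeners reachable from outside loopback, and checks that the defaults file holding the root password is not accessible to group or others.

```shell
#!/bin/sh
# Added example (not from the original page): check how far the MariaDB
# listener and the stored root credentials are exposed after these steps.

# cnf_bind_address [FILE]: last active bind-address in the file, or "*"
# (all interfaces) when none is set, which is the state the page creates.
cnf_bind_address() {
    awk -F= '
    /^[ \t]*bind[-_]address[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
    END { print (v == "" ? "*" : v) }' "${1:--}"
}

# exposed_listeners: read "netstat -nap" lines on stdin and print the local
# address of every mysqld TCP listener that is not bound to loopback.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/mysqld$/ &&
         $4 !~ /^127\./ && $4 !~ /^::1:/ { print $4 }'
}

# creds_private FILE: succeed only if FILE grants nothing to group or others
# (debian.cnf now holds the database root password in clear text).
creds_private() {
    mode=$(stat -c %a "$1") || return 2      # GNU stat, as shipped with Debian
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Sample input: the netstat lines shown on the page.
sample_netstat() {
    cat <<'EOF'
tcp6       0      0 :::3306                 :::*                    LISTEN      13648/mysqld
unix  2      [ ACC ]     STREAM     LISTENING     69347    13648/mysqld         /var/run/mysqld/mysqld.sock
EOF
}

# Constructed 50-server.cnf fragment matching the edit made on the page.
sample_cnf() {
    printf '%s\n' '[mysqld]' '#bind-address           = 127.0.0.1' \
        'sql-mode="NO_ENGINE_SUBSTITUTION"'
}

echo "bind-address: $(sample_cnf | cnf_bind_address)"
echo "exposed listeners: $(sample_netstat | exposed_listeners)"
```

On the server the inputs would be /etc/mysql/mariadb.conf.d/50-server.cnf, the output of netstat -nap, and /etc/mysql/debian.cnf.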

On the next page, the description continues with the installation of the Amavisd, SpamAssassin, and ClamAV antivirus and spam filtering programs ...

 

 
