The 1. page content
In this tutorial we will build the perfect server Debian 9 (Stretch). I will label this server with the 1.0 version number as it will add many more later, so I can easily refer to this installation with the version numbers. By the way, the server has already been created Debian 8 (Jessie), which can be viewed here.
The description of the Howtoforge's recipe based on it.
The server contains many components, so it takes longer to build. If you need a simpler server setup, I recommend using Debian 9 (Stretch) LAMP Server preparation.
A newer version of the server is ready: Perfect server: Debian 10 (Buster) V1.0
Update Debian packages
As with all major installation work, we will now start by updating the packages. However, you need to configure your luggage storage properly before upgrading packages. If we hadn't done it at the end of the base system installation, then we are definitely replacing the expansion of luggage storage!
But if we're done with it, let's update it APT package manager database and packages:
apt-get update apt-get upgrade
Configure / verify network and host name
Setting up a network and host name is also very important, so if you have previously installed a base system and are unsure, check the based on previous guidance.
The hostname of this server is:
And the full server name is:
So in this installer, I will go through these hostname settings. We use our own server name for installation.
Set the default shell
System clock synchronization
The system clock should be synchronized with NTP protocol to keep accurate time on the server:
apt-get install ntp
Installing Postfix, Dovecot, MySQL, rkhunter, and Binutils
Install the components mentioned in the title in one apt-get command:
apt-get install -y \ postfix postfix-mysql postfix-doc \ mariadb-client mariadb-server \ openssl getmail4 rkhunter binutils \ dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd\ sudo
In Debian 9 a MySQL instead, MariaDB is in the distribution repository, so we will install this. Because of its high compatibility, it can completely replace MySQL.
However, if you still want to install MySQL, you can replace it later, in a different description.
To run this command, the installer will start, and a few questions about the SMTP server (postfix) configuration will appear:
If you are installing the server for live use, select "Internet Site" here.
When installing a home test environment, you can also select "Local only", but in this case, you can also select "Internet Site" because, for example, a relay host can send mail from your home computer to an external server.
Then open the /etc/postfix/master.cf file
and make the TLS / SSL settings to look exactly like this part of the configuration file:
[...] submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING smtps inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING [...]
Save and then restart the postfix:
service postfix restart
Configuring MySQL / MariaDB
Let's secure our database configuration by disabling the test database and the anonymous user and their associated privileges:
Here are a few more questions to run:
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank, so you should just press enter here. Enter current password for root (enter for none):
Here you need to enter the root password for the database. Since no password has been set in the recent installation, press enter.
You will then be asked if you want to change your root password:
OK, successfully used password, moving on... Setting the root password ensures that nobody can log into the MariaDB root user without the proper authorisation. You already have a root password set, so you can safely answer 'n'. Change the root password? [Y/n]
Press "Y" and enter the new password and repeat. This sets the MariaDB root password.
He then describes that MariaDB has an anonymous user installed by default, which allows anyone to log in without a separate user account. It is intended for test use only and is recommended for removal under sharp use.
Here's how to answer the question accordingly:
Remove anonymous users? [Y/n]
Be sure to select "Y" when in use.
You will then be prompted to disable the root user remote access:
Disallow root login remotely? [Y/n]
Select "Y" here unless you need remote root access.
A phpMyAdmin logging is not remote logging because it runs on the server and is therefore a local connection wherever we use it. So if you disable remote root access with the "Y" option, you will still be able to log in as root as well on the phpMyAdmin interface.
You will then be asked to delete the "test" database, which is also created for test purposes and can be accessed by any user:
Remove test database and access to it? [Y/n]
Be sure to delete "Y" for live use.
- Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n]
This will delete the body database and its associated permissions. You will then be asked to reload the privileges. Here, press "Y".
Above, we have disabled remote access for the root user. However, we now allow you to be able to connect to databases from other hosts by default, not just from localhost (except of course with root). To do this, open the /etc/mysql/mariadb.conf.d/50-server.cnf file:
Comment on the line beginning with "bind-address" and insert the line starting with "sql-mode" below to look like this section:
[...] # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. #bind-address = 127.0.0.1 sql-mode="NO_ENGINE_SUBSTITUTION" [...]
Let's save it.
Configure the root user defaults fileso that you do not have to type in the root password again at the command prompt.
Enter the root password in both places (if the password contains special characters, include the apostrophe):
# Automatically generated for Debian scripts. DO NOT TOUCH! [client] host = localhost user = root password = <root jelszó> socket = /var/run/mysqld/mysqld.sock [mysql_upgrade] host = localhost user = root password = <root jelszó> socket = /var/run/mysqld/mysqld.sock basedir = /usr
Let's save it.
Use the following command to change the MariaDB root user password authentication mode to native so that PHPMyAdmin can connect as root later (I split it into two lines, but this is a command):
echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | \ mysql --defaults-file=/etc/mysql/debian.cnf
We no longer need to type the root password for the database, thanks to our defaults file. (It was the other way around in the original description, but it makes more sense to configure the defaults file first and use it immediately. So I swapped the two parts)
Then, increase the maximum number of files that MariaDB can open. Open the /etc/security/limits.conf file:
and add the following two lines to the end:
mysql soft nofile 65535 mysql hard nofile 65535
Create a new directory (/etc/systemd/system/mysql.service.d/):
mkdir -p /etc/systemd/system/mysql.service.d/
Create a new file in the directory:
And let's put the following two lines:
Let's save it.
Update the systemdand restart MariaDB:
systemctl daemon-reload service mysql restart
At the second command he throws a warning:
Warning: mysql.service changed on disk. Run 'systemctl daemon-reload' to reload units.
The first time I installed, I didn't know what to think of this message, so I started searching. In the Howtoforge forum, I found two questions about this, namely one here, and and another here. In both topics, the same message was asked, and in each case the original description was chosen by the author to ignore this message.
To confirm this, I have previously installed the same server on my desktop, written the same thing, but it works fine without any errors.
You can also check if the MySQL / MariaDB daemon is running:
netstat -nap | grep mysql
And the output must be something similar when properly operating:
tcp6 0 0 :::3306 :::* LISTEN 13648/mysqld unix 2 [ ACC ] STREAM LISTENING 69347 13648/mysqld /var/run/mysqld/mysqld.sock
And to keep you asleep, you can still search for running services:
systemctl | grep mariadb
And you have to give it something like this:
mariadb.service loaded active running MariaDB 10.1.37 database server
So good from all angles. At first, of course, I was worried, so I was looking for these.
A next page continues with installing Amavisd, SpamAssassin, and ClamAV antivirus and SPAM filtering programs ...
- Download perfect server: Debian 9 (Stretch) V1.0
- Perfect server: Debian 8 (Jessie) V1.0
- Perfect server: Debian 10 (Buster) V1.0
- Install Debian 9 (Stretch) Minimum Server
- Howtoforge - The Perfect Server - Debian 9 (Stretch) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.1 (source)
- Installing Debian 8 (Jessie) LAMP Server v1.0
- Installing Debian 9 (Stretch) LAMP Server v1.0
- Install v18.04 on the Ubuntu 1.0 LTS (Bionic Beaver) LAMP Server
- How to install PHP 5.6.40 as an optional version on Debian 9 (Stretch) perfect server
- How to configure custom PHP versions on our ISPConfig server
- Installing and setting up Drupal 8 CMS system
- Installing WordPress 5.2 CMS on an ISPConfig server environment
- Install a minimum server for Ubuntu 18.04 LTS (Bionic Beaver)