Perfect server: Debian 9 (stretch) V1.0 (page 2)

Published by botond on 2019-01-21 (Monday) at 17:45


Continuation

On the first page of the Debian 9 (Stretch) perfect server v1.0 installation guide, we installed the Postfix, Dovecot, MariaDB and rkhunter programs. On this page we continue the installation, starting with Amavisd, SpamAssassin and ClamAV.

 

 

Install Amavisd-new, SpamAssassin and ClamAV

To install these packages, run the following apt-get command (I split it into several lines for clarity):

apt-get install -y \
    amavisd-new spamassassin clamav clamav-daemon \
    zoo unzip bzip2 arj nomarch lzop cabextract \
    apt-listchanges libnet-ldap-perl libauthen-sasl-perl \
    clamav-docs daemon libio-string-perl libio-socket-ssl-perl \
    libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey

The ISPConfig 3 setup uses amavisd, which loads the SpamAssassin filter library itself, so we can stop the standalone SpamAssassin service now to free up some memory, using the service and systemctl commands:

service spamassassin stop
systemctl disable spamassassin

 

Installing Apache2, PHP, FCGI, suExec, Pear, phpMyAdmin, and mcrypt

Use the following command to install the Apache, PHP, FCGI, suExec, Pear, phpMyAdmin and mcrypt packages:

apt-get -y install \
    apache2 apache2-doc apache2-utils libapache2-mod-php \
    php7.0 php7.0-common php7.0-gd php7.0-mysql php7.0-imap \
    phpmyadmin php7.0-cli php7.0-cgi \
    libapache2-mod-fcgid apache2-suexec-pristine php-pear \
    php7.0-mcrypt mcrypt imagemagick libruby \
    libapache2-mod-python \
    php7.0-curl php7.0-intl php7.0-pspell php7.0-recode \
    php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl \
    memcached php-memcache php-imagick php-gettext \
    php7.0-zip php7.0-mbstring libapache2-mod-passenger \
    php7.0-soap

During the installation of the packages, several dialogs will appear asking questions.

Configure phpMyAdmin

You will first be asked which web server to configure to run phpMyAdmin:

Configure phpMyAdmin - Select a web server

Select Apache2 here.

To get started, phpMyAdmin needs a basic database in which to store its own settings, and so on. The following panel asks you about the automatic creation of this database:

Configure phpMyAdmin - Automatically configure a basic database

Of course, we want the basic database to be created automatically, so choose the Yes option here.

In addition, the system requires an application-level database access (control user) to perform administrative operations on the databases in the background. This access is used only by the system. You will be prompted for a new password in the following panel:

Configure phpMyAdmin - Enter your application-level access password

We will not have to deal with this account ourselves later, so press Enter to have the system generate a password for it.

If you are asked to confirm the password here and it then does not let you leave the password blank, enter something. I have seen this happen before ...

Finally, if we have done everything right, we can now log in to phpMyAdmin as root:

phpMyAdmin - Login

phpMyAdmin - Home screen

Configuring Apache

Enable basic Apache modules: 

a2enmod suexec rewrite ssl actions include cgi headers

If you also want WebDAV, run this as well:

a2enmod dav_fs dav auth_digest

Next, mitigate a known vulnerability (httpoxy) with a small setting. Create a new Apache configuration file (/etc/apache2/conf-available/httpoxy.conf):

nano /etc/apache2/conf-available/httpoxy.conf

Then add the following content:

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

Enable the configuration with the a2enconf command:

a2enconf httpoxy

And let's restart Apache:

service apache2 restart
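
An added check for the httpoxy step above (example code, not part of the original guide): because the directive is wrapped in <IfModule mod_headers.c>, Apache skips it without any error when mod_headers is not enabled. The function name and status words are illustrative, and the default root assumes Debian's /etc/apache2 layout.

```sh
#!/bin/sh
# Added example: confirm on disk that the httpoxy mitigation is really active.
# httpoxy_status and its status words are illustrative names; the default
# root assumes Debian's /etc/apache2 layout used on this page.

httpoxy_status() {
    root=${1:-/etc/apache2}
    conf="$root/conf-enabled/httpoxy.conf"

    # a2enconf creates this symlink; a file that exists only in
    # conf-available is never loaded by Apache.
    if [ ! -e "$conf" ]; then
        echo "conf-not-enabled"; return 1
    fi

    # The directive sits inside <IfModule mod_headers.c>, so Apache skips it
    # without any error when mod_headers is off (a2enmod headers enables it).
    if [ ! -e "$root/mods-enabled/headers.load" ]; then
        echo "headers-module-disabled"; return 1
    fi

    # Require an active (not commented-out) directive, any case or spacing.
    if grep -Eiq '^[[:space:]]*RequestHeader[[:space:]]+unset[[:space:]]+Proxy([[:space:]]+early)?[[:space:]]*$' "$conf"; then
        echo "mitigated"; return 0
    fi
    echo "directive-missing"; return 1
}

# Usage on the server: httpoxy_status   (prints one status word)
```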

 

 

Install Let's Encrypt

ISPConfig 3 fully supports Let's Encrypt, with which we can provide free SSL certificates to the websites we manage so that they can run over the secure HTTPS protocol.

If you are installing the server for production use, you should definitely install Let's Encrypt. Here's how:

Open the APT package manager's sources list:

nano /etc/apt/sources.list

If it is not already in the list, add the backports repository to get the latest ACME client package:

deb http://ftp.debian.org/debian stretch-backports main

Then update the package manager database:

apt-get update

Then install the latest certbot program (for Apache) from the backports repository:

apt-get install python-certbot-apache -t stretch-backports

The original guide simply installs the certbot package, but there only version 0.10.2-1~bpo8+1 of the certbot package is available. From the backports repository, however, version 0.28.0-1~bpo9+1 is available at the time of writing this description (January 2019).
I previously wrote another description about this, in which I detailed the differences between the certbot versions.

Update (2019-03-18):
The 0.28.0-1 certbot package, previously in backports only, has since been added to the Debian 9 (Stretch) main repository, so you can install the same version without using backports. However, it is always worth looking at the backports packages, as newer versions always appear there first. So if you stay with the backports repository, you will probably get newer versions of your packages from there, or at least the same versions as in the main repository.
That's why I left the original part in the description.

After installation, you can also query the version:

certbot --version

And the answer is:

certbot 0.28.0

So we got exactly the latest version.

It is also a good idea to install Let's Encrypt in a test environment so you can familiarize yourself with it, look around its config files, etc., so that you can work with it more routinely when you face a production situation.

We do not need to do anything more with Let's Encrypt here; from now on ISPConfig 3 will handle obtaining and renewing the SSL certificates for the websites.

 

Install PHP-FPM

To be able to run PHP in PHP-FPM SAPI mode, we need to install the appropriate package separately:

apt-get -y install php7.0-fpm

I have version 7.0.33, which is currently the latest in the 7.0 branch (released December 6, 2018).

Later (after the server is fully installed), you can optionally install an older PHP (5.6.x) or a newer one (7.1.x, 7.2.x) if one or more of the websites to be run require a version other than 7.0.x for compatibility. You can find out more about these in other tutorials.

Next, we need to enable some Apache modules that are required for PHP-FPM to work properly:

a2enmod actions proxy_fcgi alias

Then restart Apache:

service apache2 restart

Install PHP opcode cache (optional)

For PHP-based websites, especially if we are running a CMS, it is advisable to install the PHP opcode (intermediate code) cache module. It is optional, but it significantly reduces the generation time of more complex PHP-based websites.

To install, run the following command:

apt-get -y install php7.0-opcache php-apcu

Then restart Apache:

service apache2 restart

 

 

Installing PureFTPd

PureFTPd is a free FTP daemon, with which we can provide FTP and FTPS access to web hosting on the server for our customers. To install it, run the following command:

apt-get -y install pure-ftpd-common pure-ftpd-mysql

Create a dhparam file for PureFTPd:

openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

(Generation takes about 1 minute and prints dots and plus signs while it runs; do not interrupt it.)

Then open the /etc/default/pure-ftpd-common file:

nano /etc/default/pure-ftpd-common

And make sure the STANDALONE_OR_INETD and VIRTUALCHROOT settings get the following values:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Then save it.

By default, FTP is an unencrypted channel: the data transmitted over it travels as plain text between the parties. Therefore, it must be encrypted using the TLS/SSL protocol so that files are uploaded and downloaded in encrypted form between the server and the FTP client.

To set this up, enter the following command:

echo 1 > /etc/pure-ftpd/conf/TLS

Next, create the directory for the certificate we are about to create:

mkdir -p /etc/ssl/private/

And let's create our self-signed certificate:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

The openssl program asks us for some information needed to create the certificate.

The full output follows, with the data to enter after each prompt:

Generating a RSA private key
..................................................................................................+++++
............................+++++
writing new private key to '/etc/ssl/private/pure-ftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Magyarország
Locality Name (eg, city) []:Budapest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxportal
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:debian9.linuxportal.vm
Email Address []:email címem

Next, set the permissions of the generated pem file with the chmod command so that other users on the server cannot access it:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

service pure-ftpd-mysql restart
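
An added audit for the TLS and key-permission steps above (example code, not part of the original guide). It reads the same files the page writes and shows that the value 1 in /etc/pure-ftpd/conf/TLS makes TLS optional, so unencrypted sessions are still accepted, while 2 or 3 require TLS. Function names are illustrative; default paths are the ones used on this page.

```sh
#!/bin/sh
# Added example: audit the PureFTPd TLS setup produced by the steps above.
# Function names are illustrative; default paths are the ones on this page.

# Translate the number in conf/TLS into what pure-ftpd does with it
# (the Debian wrapper passes it to the daemon's --tls option).
tls_level() {
    conf_dir=${1:-/etc/pure-ftpd/conf}
    [ -r "$conf_dir/TLS" ] || { echo "missing"; return 0; }
    case "$(tr -d ' \t\r\n' < "$conf_dir/TLS")" in
        0) echo "disabled" ;;
        1) echo "optional" ;;       # plain FTP sessions are still accepted
        2) echo "required" ;;       # sessions without TLS are refused
        3) echo "required-data" ;;  # cleartext data channels refused too
        *) echo "invalid" ;;
    esac
}

# Succeed only if the PEM exists and group/others have no permissions on it.
# It holds the private key as well as the certificate, hence chmod 600.
pem_is_private() {
    pem=${1:-/etc/ssl/private/pure-ftpd.pem}
    [ -f "$pem" ] || return 1
    # ls -l mode string: char 1 = type, 2-4 = owner, 5-10 = group + others.
    [ "$(ls -ld "$pem" | cut -c5-10)" = "------" ]
}

# Print one line per check; the return code is the number of findings.
audit_pureftpd_tls() {
    conf_dir=${1:-/etc/pure-ftpd/conf}
    pem=${2:-/etc/ssl/private/pure-ftpd.pem}
    findings=0
    level=$(tls_level "$conf_dir")
    case "$level" in
        required|required-data) echo "OK   TLS level: $level" ;;
        optional) echo "WARN TLS optional: unencrypted logins still accepted"
                  findings=$((findings + 1)) ;;
        *)        echo "FAIL TLS level: $level"
                  findings=$((findings + 1)) ;;
    esac
    if pem_is_private "$pem"; then
        echo "OK   $pem is closed to group and others"
    else
        echo "FAIL $pem is missing or accessible to group/others"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run audit_pureftpd_tls as root on the server after sourcing the file; a return code of 0 means both checks passed.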

 

On the next page we continue with installing Quota.

 

 
