Perfect server: Debian 9 (stretch) V1.0 (page 3)

Published by botond on 2019. 01. 21., Monday, 17:56


 

Continuation

On page 1 of the Perfect server: Debian 9 (stretch) V1.0 installation guide, we installed the Postfix, Dovecot, MariaDB and rkhunter components, then on the second page we continued with SpamAssassin, ClamAV, Apache, PHP, PHP-FPM, phpMyAdmin, Let's Encrypt and PureFTPd.

On this page, we continue with installing the Quota storage quota system.

 

 

Install Quota

With Quota, we can control storage quotas so customers can’t exceed their set storage limits.

The quota system applies in the following separately regulated areas:

  • Web hosting quota
  • Database hosting quota
  • Email hosting quota

To install it, run the apt-get command with the following parameters:

apt-get install quota quotatool

To enforce storage limits in the file system, open the /etc/fstab file:

nano /etc/fstab

And insert exactly the following part:

,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0

so that the /etc/fstab file looks like ours:

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=35e5eb5a-8e59-40ee-8963-cf1f8072c6a6 / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0  1
# swap was on /dev/sda5 during installation
UUID=d92cc29a-7d97-456a-9ecc-fd16cff0cb4e none            swap    sw              0       0
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0

This fstab file comes from a single-partition base system installation where everything is on the root partition.

If the /var directory structure is mounted from a separate partition, you must insert this section on its line, for example:

UUID=a528cb5a-3e55-401e-8463-d21f8472c6b2  /var ext4    defaults,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0  0  2

So when the /var structure is mounted separately, you have to append the options there, separated by commas. This way, the quota system is enforced on the web hosting partition.
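
One way to make the same fstab change without hand-editing, as an added example that is not part of the original guide: the function appends the quota options to the options field of one mount point and changes nothing if they are already present. The name add_quota_opts and the sample file with placeholder UUIDs are assumptions; try it on a copy of /etc/fstab first.

```shell
#!/bin/sh
# Added example (not from the original guide): append the journaled-quota
# options to the options (4th) field of one mount point in an fstab-format
# file. add_quota_opts is a hypothetical helper name.
QUOTA_OPTS='usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0'

add_quota_opts() {
    # $1 = fstab-format file, $2 = mount point (for example / or /var)
    # Returns 0 on success, 2 if the mount point is not listed in the file.
    fstab=$1
    mnt=$2
    tmp=$(mktemp) || return 1
    awk -v mnt="$mnt" -v q="$QUOTA_OPTS" '
        # Comment and blank lines pass through untouched.
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        $2 == mnt {
            found = 1
            # Idempotent: skip the line if quota options are already there.
            # (awk rewrites an edited line with single spaces between fields.)
            if (index($4, "usrjquota=") == 0)
                $4 = $4 "," q    # comma-separated, no spaces
        }
        { print }
        END { exit(found ? 0 : 2) }
    ' "$fstab" > "$tmp" || { rc=$?; rm -f "$tmp"; return "$rc"; }
    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$fstab"
    rm -f "$tmp"
}

# Constructed sample file (placeholder UUIDs), so this runs without touching
# the real /etc/fstab.
sample=$(mktemp)
printf '%s\n' \
    '# <file system> <mount point> <type> <options> <dump> <pass>' \
    'UUID=00000000-0000-0000-0000-000000000001 / ext4 errors=remount-ro 0 1' \
    'UUID=00000000-0000-0000-0000-000000000002 none swap sw 0 0' > "$sample"
add_quota_opts "$sample" / && cat "$sample"
```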

You will then need to remount the mount point on whose line we inserted the above section.

If everything is on the root partition, then:

mount -o remount /

And if the /var structure is mounted separately, then:

mount -o remount /var

Then turn it on:

quotaon -avug

Meaning of the switches:

  • a: Enables quota on all file systems
  • v: Verbose - "verbose" mode: Prints everything
  • u: Apply quotas to users
  • g: Apply quotas to groups

If it succeeds, the output is:

/dev/sda1 [/]: group quotas turned on
/dev/sda1 [/]: user quotas turned on

Then check the quota status:

quotacheck -avugmf

Here the switches mean the same as above, only applied to checking; the two additional ones are:

  • m: Does not remount the file system to be scanned in read-only mode
  • f: Force mode. Without this, the scan will not start, saying that with a quota enabled, such a scan may cause damage to the file system. So don't use it on a system that is already in operation, but you can run it once on a fresh install.

quotacheck: Scanning /dev/sda1 [/] done
quotacheck: Checked 8482 directories and 69903 files

There is nothing more to do here; from now on we will be able to conveniently set up different quotas for our clients (or our own accounts) in the ISPConfig control panel.

 

 

Install BIND DNS server

To install the BIND DNS server, use the following command:

apt-get -y install bind9 dnsutils

If you are installing this server on a virtual machine, such as a VPS service, it is recommended that you also install the haveged daemon, which raises the low entropy level (the number of random bytes available for cryptographic operations).

Out of interest, before installing the daemon, we can read the available entropy value:

cat /proc/sys/kernel/random/entropy_avail

It printed 670 on my virtual machine.

Here's how to install the haveged daemon:

apt-get install haveged

After installing it and querying the entropy level again, it already printed 2178.

This is important for DNSSEC signatures. More details on this can be found here. In addition, all encrypted server functions use these random bytes: for example, web pages served over HTTPS, and SSH-based connections such as rsync synchronization over SSH, etc. If the average value is only around 100-200, it is advisable to install it on any server, so that the generation of the various authentication keys on the system, and with it the services that use encryption, run smoothly.

 

Install Webalizer and AWStats

You can install Webalizer and AWStats web statistics as follows:

apt-get -y install webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl

Then open the /etc/cron.d/awstats file:

nano /etc/cron.d/awstats

And comment out the two lines created by the installer:

MAILTO=root

# */10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
# 10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

On the finished server, ISPConfig will also handle their background operations.

 

Install Jailkit

With Jailkit we can create chrooted shell users. That way, they can't see each other's files. This is useful, for example, if we provide storage space on our server to someone else. This way we can easily create a shell user for them, and they will not be able to look into other users' files.

Install the following packages:

apt-get -y install build-essential autoconf automake libtool flex bison debhelper binutils

These packages are needed to build a Debian installation package from the source you downloaded.

Now download the latest version of the source from the author's website to the /tmp directory. First, of course, check the website for the latest version.

At the moment, 2.20 is the latest, so we use it. Download it with the wget command:

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.20.tar.gz
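
The download above arrives over plain HTTP and is then built and installed as root, so it is worth checking the file before unpacking it. The following added example (not part of the original guide) compares the tarball's SHA-256 with a pinned value and rejects member paths that would escape the unpack directory; verify_tarball is a hypothetical helper, and the expected hash has to come from a source you trust, since the page does not give one.

```shell
#!/bin/sh
# Added example (not from the original guide): check a downloaded source
# tarball before building and installing it as root.
# verify_tarball is a hypothetical helper name.
verify_tarball() {
    # $1 = tarball path, $2 = expected SHA-256 in hex, from a trusted source
    file=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    got=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "SHA-256 mismatch for $file" >&2
        echo "  expected: $want" >&2
        echo "  actual:   $got" >&2
        return 1
    fi
    # Refuse archives with absolute member paths or ".." path components,
    # which would be written outside the directory being unpacked into.
    if tar -tzf "$file" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $file" >&2
        return 1
    fi
    return 0
}

# Constructed demo so the block runs offline: build a small tarball and pin
# its hash. In real use the pinned value is NOT computed from the download.
demo=$(mktemp -d)
mkdir "$demo/pkg" && echo 'constructed file' > "$demo/pkg/README"
tar -C "$demo" -czf "$demo/pkg.tar.gz" pkg
pinned=$(sha256sum "$demo/pkg.tar.gz" | cut -d' ' -f1)
verify_tarball "$demo/pkg.tar.gz" "$pinned" && echo "ok: safe to unpack"

# With the file from this guide (EXPECTED_SHA256 is a placeholder):
#   verify_tarball /tmp/jailkit-2.20.tar.gz "$EXPECTED_SHA256" \
#       && tar -xzf /tmp/jailkit-2.20.tar.gz
```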

Unpack:

tar -xvzf jailkit-2.20.tar.gz

Then enter the directory, set the Debian compatibility level, and build the installation package:

cd jailkit-2.20
echo 5 > debian/compat
./debian/rules binary

This will create a customized .deb installation package that you can install with the dpkg command:

cd ..
dpkg -i jailkit_2.20-1_amd64.deb

Finally, clean up:

rm -rf /tmp/jailkit*

There's nothing more to do here; ISPConfig handles the rest for you.

 

 

Install Fail2Ban and UFW Firewall

The Fail2Ban program can provide strong protection for our server. To install it, run the following command:

apt-get -y install fail2ban

Next, configure jails for PureFTPd, Dovecot, and Postfix so that Fail2Ban also monitors their log files for attack attempts.

To do this, create the /etc/fail2ban/jail.local file:

nano /etc/fail2ban/jail.local

And insert the following 3 jails:

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3

Then restart Fail2Ban:

service fail2ban restart
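
What the maxretry setting of the postfix-sasl jail means in practice, as an added illustration that is not part of the original guide and is not Fail2Ban's own filter: the function counts failed SASL logins per source address in mail.log-style lines and lists the addresses that reach the threshold. The log lines are constructed samples with documentation addresses, and the matching is deliberately simpler than the real filter (one message form, no findtime window).

```shell
#!/bin/sh
# Added illustration (not from the original guide, not Fail2Ban code):
# count failed SASL logins per client address and report the addresses
# that reach a maxretry threshold. over_threshold is a hypothetical name.
over_threshold() {
    # $1 = log file, $2 = maxretry; prints "<count> <ip>" per offender
    awk -v max="$2" '
        /postfix\/smtpd\[[0-9]+\]: warning: .*SASL [A-Za-z0-9-]+ authentication failed/ {
            # The client is logged as name[ip] right before ": SASL".
            line = $0
            sub(/\]: SASL .*/, "", line)   # cut everything after the address
            sub(/.*\[/, "", line)          # cut everything before it
            hits[line]++
        }
        END { for (ip in hits) if (hits[ip] >= max) print hits[ip], ip }
    ' "$1" | sort -k2
}

# Constructed sample lines in the Postfix mail.log format.
log=$(mktemp)
cat > "$log" <<'EOF'
Jan 21 17:40:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 21 17:40:05 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 21 17:40:09 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed:
Jan 21 17:41:12 mail postfix/smtpd[2107]: warning: client.example.net[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 21 17:42:30 mail postfix/smtpd[2110]: connect from client.example.net[198.51.100.20]
EOF
over_threshold "$log" 3    # maxretry = 3, as in the postfix-sasl jail
```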

Then install the UFW firewall:

apt-get install ufw

 

On the next and last page, we continue with installing the RoundCube webmail client ...

 

 
