This tutorial shows the installation of an Ubuntu 18.04 (Bionic Beaver) web hosting server with Apache 2.4, Postfix, Dovecot, BIND and PureFTPD to prepare it for the installation of ISPConfig 3.1. The resulting system will provide a web, mail, mailing list, DNS and FTP server.
ISPConfig is a web hosting control panel that allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers the installation of Apache (instead of nginx), BIND (instead of MyDNS), and Dovecot (instead of Courier).
1. Preliminary Note
In this tutorial, I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings may differ for you, so you have to replace them where appropriate. Before proceeding further, you need to have a minimal Ubuntu 18.04 installation in place, as described in the basic Ubuntu 18.04 installation tutorial.
The commands in this tutorial must be run with root privileges. To avoid prefixing every command with sudo, become the root user by running:
sudo -s
before you proceed.
2. Edit /etc/apt/sources.list and Update the Linux Installation
Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. apt verifies the signature of every package index it fetches, so the plain http:// mirror URLs are acceptable; what matters is that the bionic-security lines are present so security updates get installed. The file should look like this afterwards:
nano /etc/apt/sources.list
## deb cdrom:[Ubuntu-Server 18.04 LTS _Bionic Beaver_ - Release amd64 (20180425.1)]/ bionic main restricted
#deb cdrom:[Ubuntu-Server 18.04 LTS _Bionic Beaver_ - Release amd64 (20180425.1)]/ bionic main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ bionic main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ bionic universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic universe
deb http://de.archive.ubuntu.com/ubuntu/ bionic-updates universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ bionic multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://de.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu bionic partner
# deb-src http://archive.canonical.com/ubuntu bionic partner

deb http://security.ubuntu.com/ubuntu bionic-security main restricted
# deb-src http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
# deb-src http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
# deb-src http://security.ubuntu.com/ubuntu bionic-security multiverse
Then run
apt-get update
to update the apt package database, and
apt-get upgrade
to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:
reboot
3. Change the Default Shell
/bin/sh is a symlink to /bin/dash, but we need /bin/bash, not /bin/dash. Therefore we do this:
dpkg-reconfigure dash
Use dash as the default system shell (/bin/sh)? <-- No
If you don't do this, the ISPConfig installation will fail.
4. Disable AppArmor
AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of troubleshooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on). Be aware that removing it also removes the confinement profiles Ubuntu ships for daemons such as BIND and MySQL, so the services set up in this guide rely on the remaining controls (firewall, fail2ban, chroots) instead.
We can disable it like this:
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
5. Synchronize the System Clock
It is a good idea to synchronize the system clock with an NTP (Network Time Protocol) server over the Internet when you run a physical server. If you run a virtual server, you should skip this step, because the clock is normally provided by the hypervisor. Just run
apt-get -y install ntp
and your system time will always be in sync.
6. Install Postfix, Dovecot, MariaDB, rkhunter and binutils
To install Postfix, we need to ensure that sendmail is not installed and running. To stop and remove sendmail, run this command:
service sendmail stop; update-rc.d -f sendmail remove
The error message:
Failed to stop sendmail.service: Unit sendmail.service not loaded.
is fine; it just means that sendmail was not installed, so there was nothing to remove.
Now we can install Postfix, Dovecot, MariaDB (as MySQL replacement), rkhunter and binutils with a single command:
apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo
You will be asked the following questions:
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
It is important that you use a subdomain as "system mail name", like server1.example.com or server1.yourdomain.com, and not a domain that you want to use as an email domain (e.g. yourdomain.tld) later.
Next, open the TLS/SSL and submission ports in Postfix:
nano /etc/postfix/master.cf
Uncomment the submission and smtps sections as follows, add the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject to both sections, and leave everything after that commented out. The effect is that ports 587 and 465 are reserved for authenticated mail clients: submission requires STARTTLS before authentication, smtps uses implicit TLS, and both reject any client that has not authenticated via SASL:
[...]
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]
Note: The whitespace in front of the "-o ...." lines is important! Postfix treats an indented line as a continuation of the service above it; without the indentation the line would be parsed as a new service definition.
Restart Postfix afterwards:
service postfix restart
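As an added check that is not part of the original tutorial, the shell script below verifies that the two services edited above really enforce TLS and SASL: it parses the uncommented -o overrides of the submission and smtps entries in a master.cf and compares them with the values set in the step above. The two embedded master.cf fragments are constructed samples (one correct, one with two typical mistakes); on the real server run check_master_cf against /etc/postfix/master.cf.

```shell
#!/bin/sh
# Added example (not from the tutorial): check that the submission (587) and
# smtps (465) services in a Postfix master.cf enforce TLS and accept only
# SASL-authenticated clients, as configured in the step above.
# Usage: check_master_cf /etc/postfix/master.cf   (exit 0 = OK, 1 = problems)

check_master_cf() {
    awk '
    BEGIN {
        # Settings the tutorial requires for each service.
        want["submission", "smtpd_tls_security_level"] = "encrypt"
        want["submission", "smtpd_sasl_auth_enable"]    = "yes"
        want["submission", "smtpd_client_restrictions"] = "permit_sasl_authenticated,reject"
        want["smtps",      "smtpd_tls_wrappermode"]     = "yes"
        want["smtps",      "smtpd_sasl_auth_enable"]    = "yes"
        want["smtps",      "smtpd_client_restrictions"] = "permit_sasl_authenticated,reject"
    }
    # A service definition starts in column 1; a line starting with "#" is a
    # comment, so commented-out services and overrides are never recorded.
    /^[^ \t#]/ { svc = $1; seen[svc] = 1; next }
    # Indented "-o key=value" lines override main.cf for the current service.
    svc != "" && $1 == "-o" {
        i = index($2, "=")
        opt[svc, substr($2, 1, i - 1)] = substr($2, i + 1)
    }
    END {
        rc = 0
        for (k in want) {
            split(k, p, SUBSEP)              # p[1] = service, p[2] = option
            if (!(p[1] in seen)) continue    # reported once below
            if (!(k in opt)) {
                printf "%s: %s is not set\n", p[1], p[2]; rc = 1
            } else if (opt[k] != want[k]) {
                printf "%s: %s=%s (want %s)\n", p[1], p[2], opt[k], want[k]; rc = 1
            }
        }
        if (!("submission" in seen)) { print "submission: service is missing or commented out"; rc = 1 }
        if (!("smtps" in seen))      { print "smtps: service is missing or commented out"; rc = 1 }
        exit rc
    }' "$@"
}

# Constructed sample: the master.cf fragment exactly as the tutorial configures it.
sample_master_cf_ok() {
    cat <<'EOF'
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}

# Constructed sample with two mistakes: TLS is only optional on submission
# ("may" instead of "encrypt") and smtps has no client restriction at all,
# so an unauthenticated client could hand mail to port 465.
sample_master_cf_bad() {
    cat <<'EOF'
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
EOF
}

# Demo on the constructed samples; on a real server run: check_master_cf /etc/postfix/master.cf
tmp=$(mktemp)
sample_master_cf_ok > "$tmp"
check_master_cf "$tmp" && echo "sample_ok: submission and smtps are configured correctly"
sample_master_cf_bad > "$tmp"
check_master_cf "$tmp" || echo "sample_bad: problems found (as expected)"
rm -f "$tmp"
```

The check only reads the file, so it is safe to run at any time, for example after every ISPConfig update that rewrites master.cf.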
We want MySQL to listen on all interfaces, not just localhost. Therefore we edit /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the line bind-address = 127.0.0.1. Note that this exposes port 3306 on every interface; it is only needed if other servers (for example in an ISPConfig multi-server setup) must reach this database. On a single server you can leave bind-address in place, and if you do open it, make sure the firewall restricts who can connect to port 3306.
nano /etc/mysql/mariadb.conf.d/50-server.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]
Now we set a root password in MariaDB. Run:
mysql_secure_installation
You will be asked these questions:
Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y
Set the password authentication method in MariaDB to native so that we can connect later with phpMyAdmin as the root user. By default, the MariaDB root account on Ubuntu authenticates through the unix_socket plugin, meaning only the local root shell can log in; after this change the password alone grants database root, which is why remote root login was disallowed in the previous step:
echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root
Edit the file /etc/mysql/debian.cnf and set the MySQL/MariaDB root password there twice, in the rows that start with password.
nano /etc/mysql/debian.cnf
The MySQL root password that needs to be added is the one you set for the MySQL root user with the mysql_secure_installation command; in this example it is "howtoforge". Replace "howtoforge" with your own password. Since this file now holds the database root password in clear text, it must stay readable by root only (that is how the package installs it).
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = root
password = howtoforge
socket   = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = root
password = howtoforge
socket   = /var/run/mysqld/mysqld.sock
basedir  = /usr
Then we restart MariaDB:
service mysql restart
Now check that networking is enabled. Run
netstat -tap | grep mysql
The output should look like this:
root@server1:~# netstat -tap | grep mysql
tcp6       0      0 [::]:mysql              [::]:*                  LISTEN      30591/mysqld
root@server1:~#
7. Install Amavisd-new, SpamAssassin and ClamAV
To install amavisd-new, SpamAssassin and ClamAV, we run
apt-get -y install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey
The ISPConfig 3 setup uses amavisd, which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:
service spamassassin stop
update-rc.d -f spamassassin remove
To start ClamAV, use:
freshclam
service clamav-daemon start
The following error can be ignored on the first run of freshclam.
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
The amavisd-new program currently has a bug in Ubuntu 18.04 that prevents emails from being signed correctly with DKIM. Run these commands to patch amavisd-new (the patch modifies a root-owned program in /usr/sbin, so read the downloaded file before applying it; a backup copy is kept as amavisd-new_bak):
cd /tmp
wget https://git.ispconfig.org/ispconfig/ispconfig3/raw/stable-3.1/helper_scripts/ubuntu-amavisd-new-2.11.patch
cd /usr/sbin
cp -pf amavisd-new amavisd-new_bak
patch < /tmp/ubuntu-amavisd-new-2.11.patch
If the 'patch' command reports that the hunks are already applied or do not match, Ubuntu may have fixed the issue in the meantime, and it should be safe to ignore that error.
7.1 Install the Metronome XMPP Server (optional)
The Metronome XMPP Server provides an XMPP chat server. This step is optional; if you do not need a chat server, you can skip this step. No other ISPConfig function depends on this software.
Install the following packages with apt.
apt-get -y install git lua5.1 liblua5.1-0-dev lua-filesystem libidn11-dev libssl-dev lua-zlib lua-expat lua-event lua-bitop lua-socket lua-sec luarocks
luarocks install lpc
Add a shell user for Metronome.
adduser --no-create-home --disabled-login --gecos 'Metronome' metronome
Download Metronome to the /opt directory and compile it.
cd /opt; git clone https://github.com/maranda/metronome.git metronome
cd ./metronome; ./configure --ostype=debian --prefix=/usr
make
make install
Metronome is now installed in /opt/metronome.
8. Install Apache, PHP, phpMyAdmin, FCGI, SuExec, Pear and mcrypt
Apache 2.4, PHP 7.2, phpMyAdmin, FCGI, suExec and Pear can be installed as follows:
apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.2 php7.2-common php7.2-gd php7.2-mysql php7.2-imap phpmyadmin php7.2-cli php7.2-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear mcrypt imagemagick libruby libapache2-mod-python php7.2-curl php7.2-intl php7.2-pspell php7.2-recode php7.2-sqlite3 php7.2-tidy php7.2-xmlrpc php7.2-xsl memcached php-memcache php-imagick php-gettext php7.2-zip php7.2-mbstring php-soap php7.2-soap
You will see the following questions:
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- Yes
MySQL application password for phpmyadmin: <-- Press enter
Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions and include (plus dav, dav_fs and auth_digest if you want to use WebDAV):
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest headers
To ensure that the server cannot be attacked through the HTTPOXY vulnerability (a client-supplied Proxy request header is mapped by CGI and FastCGI to the HTTP_PROXY environment variable, which some HTTP client libraries then honour as their outgoing proxy), I will disable the HTTP_PROXY header in Apache globally. Create a new httpoxy.conf file with nano:
nano /etc/apache2/conf-available/httpoxy.conf
Paste the following content into the file:
<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>
Enable the config file by running:
a2enconf httpoxy
Restart Apache afterwards:
service apache2 restart
If you want to host Ruby files with the extension .rb on your websites created through ISPConfig, you must comment out the line application/x-ruby rb in /etc/mime.types:
nano /etc/mime.types
[...]
#application/x-ruby rb
[...]
(This is needed only for .rb files; Ruby files with the extension .rbx work out of the box.)
Restart Apache afterwards:
service apache2 restart
8.1 PHP Opcode Cache (optional)
Opcache is a free PHP opcode cacher for caching and optimizing PHP intermediate code. APCu is a user-data cache that provides the APC-compatible functions many CMS caching layers expect. It is recommended to install these PHP extensions to speed up PHP pages.
APCu can be installed as follows:
apt-get -y install php7.2-opcache php-apcu
Now restart Apache:
service apache2 restart
8.2 PHP-FPM
To use PHP-FPM with Apache, we need the mod_proxy_fcgi Apache module, which is installed by default and just needs to be enabled. We can install PHP-FPM as follows:
apt-get -y install php7.2-fpm
Make sure the modules are enabled and restart Apache:
a2enmod actions proxy_fcgi alias
service apache2 restart
8.3 Install HHVM (HipHop Virtual Machine), optional
In this step we will install HHVM with apt. HHVM is a fast PHP engine developed by Facebook.
apt-get -y install hhvm
9. Install Let's Encrypt
ISPConfig 3.1 has built-in support for the free SSL certificate authority Let's Encrypt. The Let's Encrypt function allows you to create free SSL certificates for your websites from within ISPConfig.
Now we add support for Let's Encrypt.
apt-get -y install certbot
10. Install Mailman
ISPConfig allows you to manage (create/modify/delete) Mailman mailing lists. If you want to make use of this feature, install Mailman as follows:
apt-get -y install mailman
Select at least one language, e.g.:
Languages to support: <-- en (English)
Missing site list <-- Ok
The error 'Job for mailman.service failed because the control process exited with error code.' can be ignored for now.
Before we can start Mailman, a first mailing list called mailman must be created:
newlist mailman
root@server1:~# newlist mailman
Enter the email of the person running the list: <-- admin email address, e.g. listadmin@example.com
Initial mailman password: <-- admin password for the mailman list
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner... <-- ENTER
root@server1:~#
Open /etc/aliases afterwards...
nano /etc/aliases
... and add the following lines:
[...]
## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"
Run
newaliases
Restart Postfix afterwards:
service postfix restart
Afterwards we have to enable the Mailman Apache configuration:
ln -s /etc/mailman/apache.conf /etc/apache2/conf-available/mailman.conf
This defines the alias /cgi-bin/mailman/ for all Apache vhosts, which means you can access the Mailman admin interface for a list at http://<vhost>/cgi-bin/mailman/admin/<listname>, and the web page for users of a mailing list can be found at http://<vhost>/cgi-bin/mailman/listinfo/<listname>.
Under http://<vhost>/pipermail you can find the mailing list archives.
Activate the configuration with:
a2enconf mailman
Restart Apache afterwards:
service apache2 restart
Then start the Mailman daemon:
service mailman start
11. Install PureFTPd and Quota
PureFTPd and quota can be installed with the following command:
apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool
Edit the file /etc/default/pure-ftpd-common...
nano /etc/default/pure-ftpd-common
... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.
If you want to allow FTP and TLS sessions, run the command below. Note that the value 1 means TLS is offered but optional, so clients may still log in over clear text; a value of 2 would refuse every session that does not negotiate TLS.
echo 1 > /etc/pure-ftpd/conf/TLS
To use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:
mkdir -p /etc/ssl/private/
Afterwards, we can generate the SSL certificate as follows. It is self-signed and valid for 20 years (7300 days), so FTP clients will ask you to trust it on first connection; compare the fingerprint they show with the one on the server before accepting:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.
Change the permissions of the SSL certificate (the file also contains the private key):
chmod 600 /etc/ssl/private/pure-ftpd.pem
Then restart PureFTPd:
service pure-ftpd-mysql restart
Edit /etc/fstab. Mine looks like this (I added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):
nano /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/server1--vg-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
/dev/mapper/server1--vg-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0
To enable quota, run these commands:
mount -o remount /
quotacheck -avugm
quotaon -avug
Which will show this output:
root@server1:/opt/metronome# quotacheck -avugm
quotacheck: Scanning /dev/mapper/server1--vg-root [/] done
quotacheck: Cannot stat old user quota file //quota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old user quota file //quota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Checked 13602 directories and 96597 files
quotacheck: Old file not found.
quotacheck: Old file not found.
root@server1:/opt/metronome# quotaon -avug
/dev/mapper/server1--vg-root [/]: group quotas turned on
/dev/mapper/server1--vg-root [/]: user quotas turned on
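The fstab edit above is easy to get wrong by hand, and a typo in the options field of the root file system can leave the server unable to boot. As an added example that is not part of the original tutorial, the shell function below adds the three quota options to the entry of a given mount point only if each option is not already present, so it can be re-run safely and refuses to do anything if the mount point does not exist in the file. The fstab it operates on is a constructed copy of the one above, before the quota options were added; on a real system, write the output to a new file and review the diff before replacing /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the tutorial): add the journaled quota mount options
# used above to one fstab entry, idempotently, and print the result to stdout.
# Usage: add_quota_options FSTAB MOUNTPOINT > fstab.new
# Exit status is 1 if no entry for MOUNTPOINT exists (the file is printed unchanged).

QUOTA_OPTS="usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0"

add_quota_options() {
    awk -v mp="$2" -v add="$QUOTA_OPTS" -v OFS='\t' '
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blank lines pass through
    $2 == mp {
        found = 1
        n = split(add, extra, ",")
        for (i = 1; i <= n; i++) {
            key = substr(extra[i], 1, index(extra[i], "=") - 1)
            # Add an option only if its key is not already in the options field,
            # so running the function twice does not duplicate anything.
            if (index("," $4 ",", "," key "=") == 0) $4 = $4 "," extra[i]
        }
        $1 = $1                                 # rebuild the record with OFS (tab)
    }
    { print }
    END { if (!found) exit 1 }
    ' "$1"
}

# Print the options field of the entry for MOUNTPOINT (used to verify a result).
fstab_options() {
    awk -v mp="$2" '!/^[ \t]*#/ && !/^[ \t]*$/ && $2 == mp { print $4 }' "$1"
}

# Constructed sample: the fstab from the tutorial before the quota options were added.
sample_fstab() {
    cat <<'EOF'
# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/server1--vg-root /               ext4    errors=remount-ro 0       1
/dev/mapper/server1--vg-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0
EOF
}

# Demo: on a real server you would run  add_quota_options /etc/fstab / > /tmp/fstab.new
# and inspect  diff /etc/fstab /tmp/fstab.new  before copying it into place.
tmp=$(mktemp)
sample_fstab > "$tmp"
add_quota_options "$tmp" /
rm -f "$tmp"
```

Only the modified line is re-laid out with tabs; every other line is printed exactly as it was read, which keeps the diff against the original file minimal.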
12. Install the BIND DNS Server
BIND can be installed as follows:
apt-get -y install bind9 dnsutils haveged
Enable and start the haveged daemon, which feeds the kernel entropy pool so that key generation does not stall on a freshly installed server:
systemctl enable haveged
systemctl start haveged
13. Install Vlogger, Webalizer and AWStats
Vlogger, Webalizer and AWStats can be installed as follows:
apt-get -y install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Open /etc/cron.d/awstats afterwards...
nano /etc/cron.d/awstats
... and comment out everything in that file (ISPConfig schedules the AWStats runs itself):
#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
14. Install Jailkit
Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig; it cannot be installed afterwards!):
apt-get -y install build-essential autoconf automake1.11 libtool flex bison debhelper binutils
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
echo 5 > debian/compat
The tarball is fetched over plain HTTP and then built and installed as root, so verify it against the checksum or signature published by the Jailkit project before continuing. Then build the jailkit package by running:
./debian/rules binary
You can now install the Jailkit .deb package as follows:
cd ..
dpkg -i jailkit_2.19-1_*.deb
rm -rf jailkit-2.19*
15. Install fail2ban and UFW
This is optional but recommended, because the ISPConfig monitor tries to show the fail2ban log:
apt-get -y install fail2ban
To make fail2ban monitor PureFTPd, Dovecot and Postfix, create the file /etc/fail2ban/jail.local (maxretry is the number of matching log lines from one client address before that address is banned):
nano /etc/fail2ban/jail.local
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
Restart fail2ban afterwards:
service fail2ban restart
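The [dovecot] jail above bans a client after maxretry = 5 matching lines in /var/log/mail.log. As an added illustration that is not from the tutorial or from fail2ban itself, the function below reproduces that counting step over a handful of constructed Dovecot log lines: it matches the "auth failed" disconnects that fail2ban's dovecot filter catches, extracts the remote address from the rip= field, and prints every address that reached the threshold. fail2ban additionally confines the count to a findtime window and matches several more failure patterns, which this sketch leaves out; the log lines use documentation (TEST-NET) addresses and are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the tutorial or fail2ban): the counting step behind
# the [dovecot] jail above. Reads mail.log lines on stdin, counts "auth failed"
# IMAP/POP3 disconnects per remote IP and prints "IP count" for every IP that
# reached MAXRETRY. The findtime window of fail2ban is deliberately omitted.
# Usage: failed_login_ips MAXRETRY < /var/log/mail.log

failed_login_ips() {
    awk -v max="${1:-5}" '
    # Dovecot logs one line per closed login session; only sessions that
    # actually failed authentication count, not idle or no-attempt disconnects.
    /dovecot: (imap|pop3)-login: .*\(auth failed/ {
        # The remote client address is logged as rip=<address> (IPv4 or IPv6).
        if (match($0, /rip=[0-9a-fA-F.:]+/)) {
            ip = substr($0, RSTART + 4, RLENGTH - 4)
            fails[ip]++
        }
    }
    END {
        for (ip in fails)
            if (fails[ip] >= max) print ip, fails[ip]
    }' | LC_ALL=C sort
}

# Constructed sample log lines (TEST-NET addresses, not real traffic):
# 203.0.113.5 fails five times, 198.51.100.7 three times, 192.0.2.9 never
# attempts a login, 2001:db8::10 fails once and 203.0.113.77 logs in fine.
sample_mail_log() {
    cat <<'EOF'
Dec  5 10:12:01 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.100, TLS, session=<a1>
Dec  5 10:12:04 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.100, TLS, session=<a2>
Dec  5 10:12:07 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.100, TLS, session=<a3>
Dec  5 10:12:09 server1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.168.0.100, TLS, session=<b1>
Dec  5 10:12:11 server1 dovecot: imap-login: Disconnected (no auth attempts in 180 secs): user=<>, rip=192.0.2.9, lip=192.168.0.100, TLS, session=<c1>
Dec  5 10:12:12 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.100, TLS, session=<a4>
Dec  5 10:12:15 server1 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.168.0.100, TLS, session=<b2>
Dec  5 10:12:16 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=2001:db8::10, lip=2001:db8::1, TLS, session=<d1>
Dec  5 10:12:18 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.100, TLS, session=<a5>
Dec  5 10:12:20 server1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.168.0.100, TLS, session=<b3>
Dec  5 10:12:21 server1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.77, lip=192.168.0.100, mpid=1234, TLS, session=<e1>
EOF
}

# Demo with the jail threshold from above (maxretry = 5); on a real server:
#   failed_login_ips 5 < /var/log/mail.log
sample_mail_log | failed_login_ips 5
```

With the jail's threshold of 5 only 203.0.113.5 is reported; lowering the threshold to 3 also reports 198.51.100.7. Note that fail2ban counts log lines, not the "N attempts" figure inside them, so a client that fails twice within one session still produces a single hit.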
To install the UFW firewall, run this apt command (the ISPConfig installer configures it in step 17):
apt-get install ufw
16. Install Roundcube Webmail
To install Roundcube Webmail, run:
apt-get -y install roundcube roundcube-core roundcube-mysql roundcube-plugins javascript-common libjs-jquery-mousewheel php-net-sieve tinymce
The installer will ask the following questions:
Configure database for roundcube with dbconfig-common? <-- Yes
MySQL application password for roundcube: <-- Press enter
Then edit the Roundcube Apache configuration file:
nano /etc/apache2/conf-enabled/roundcube.conf
and remove the # in front of the Alias line, add a second Alias line for /webmail, and add the line "AddType application/x-httpd-php .php" right after the "<Directory /var/lib/roundcube>" line:
# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
Alias /roundcube /var/lib/roundcube
Alias /webmail /var/lib/roundcube
[...]
<Directory /var/lib/roundcube>
  AddType application/x-httpd-php .php
[...]
Then restart Apache:
service apache2 restart
Then edit the Roundcube config.inc.php configuration file:
nano /etc/roundcube/config.inc.php
and change the default host to localhost:
$config['default_host'] = 'localhost';
This prevents Roundcube from showing the server name input field in the login form, so users cannot point the webmail login at an arbitrary IMAP host.
17. Install ISPConfig 3.1
To install ISPConfig 3 from the latest released version, do this:
cd /tmp
wget -O ispconfig.tar.gz https://git.ispconfig.org/ispconfig/ispconfig3/repository/archive.tar.gz?ref=stable-3.1
tar xfz ispconfig.tar.gz
cd ispconfig3*/install/
The next step is to run
php -q install.php
This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you.
# php -q install.php
--------------------------------------------------------------------------------
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                             |___/
--------------------------------------------------------------------------------
>> Initial configuration
Operating System: Ubuntu 18.04 (Bionic Beaver)
Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.
Select language (en,de) [en]: <-- Hit Enter
Installation mode (standard,expert) [standard]: <-- Hit Enter
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.canomi.com]: <-- Hit Enter
MySQL server hostname [localhost]: <-- Hit Enter
MySQL server port [3306]: <-- Hit Enter
MySQL root username [root]: <-- Hit Enter
MySQL root password []: <-- Enter your MySQL root password
MySQL database to create [dbispconfig]: <-- Hit Enter
MySQL charset [utf8]: <-- Hit Enter
Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
.......................................................................++
........................................................................................................................................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Jailkit
Configuring Pureftpd
Configuring Apache
Configuring vlogger
Configuring Metronome XMPP Server
writing new private key to 'localhost.key'
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) [server1.canomi.com]: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter
Configuring Ubuntu Firewall
Configuring Fail2ban
[INFO] service OpenVZ not detected
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]:
Admin password [admin]:
Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- Hit Enter
Generating RSA private key, 4096 bit long modulus
.......................++
................................................................................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Hit Enter
An optional company name []: <-- Hit Enter
writing RSA key

Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.
The installer automatically configures all underlying services, so no manual configuration is needed.
Afterwards you can access ISPConfig 3 under http(s)://server1.example.com:8080/ or http(s)://192.168.0.100:8080/ (http or https depends on what you chose during installation). Log in with the username admin and the password admin; change this default password immediately after the first login, since the panel is reachable by anyone who can connect to port 8080.
The system is now ready to be used.
18. Virtual Machine Image Download of this Tutorial
This tutorial is available as a ready-to-use virtual machine image in ovf/ova format that is compatible with VMWare and VirtualBox. The virtual machine image uses the following login details:
SSH / Shell Login
Username: administrator
Password: howtoforge
This user has sudo rights.
ISPConfig Login
Username: admin
Password: admin
MySQL Login
Username: root
Password: howtoforge
The IP of the VM is 192.168.0.100; it can be changed in the file /etc/netplan/01-netcfg.yaml. These credentials are public, so change all of the above passwords before the VM is reachable from any network you do not fully control.
19. Links
- Ubuntu:http://www.ubuntu.com/
- ISPConfig:http://www.ispconfig.org/