Install ispconfig on Centos 7

由 datahunter 在三, 02/03/2016 - 17:13 發表

最後更新: 2016-03-03

Configure epel

yum -y install epel-release

yum -y install yum-priorities

vi /etc/yum.repos.d/epel.repo

[epel]
priority=10

yum update

Enable Quota

# Enabling quota on the / (root) partition

yum -y install quota

mount | grep ' / '

/dev/mapper/centos-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

* 注意有 noquota 在尾

vi /etc/default/grub

GRUB_CMDLINE_LINUX=" ... rootflags=uquota,gquota"

grub2-mkconfig -o /boot/grub2/grub.cfg

vi /etc/fstab

/dev/mapper/centos-root /                       xfs     defaults,uquota,gquota        1 1

quotacheck -avugm

quotaon -avug

Disable selinux

vi /etc/sysconfig/selinux

SELINUX=disabled

Checking

getsebool -a

getsebool:  SELinux is disabled

Set hostname

vi /etc/hostname

you.host.name

Checking

hostname

Install useful tools

yum -y install vim screen

yum -y install tar gzip bzip2 unzip p7zip

yum -y install net-tools psmisc nload telnet tcpdump bind-utils whois iotop htop smem

yum -y install wget curl rsync

Setting

echo "vbell off" > ~/.screenrc

echo "set bg=dark" > ~/.vimrc

OS Turning

唔用 ipv6

vi /etc/default/grub

GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."

grub2-mkconfig -o /boot/grub2/grub.cfg

唔用 NetworkManager

systemctl disable NetworkManager

啟用 boot up script

chmod 750 /etc/rc.d/rc.local

Sync 時間

yum -y install ntpdate

crontab -e

# daily sync time
13 13 * * *     /usr/sbin/ntpdate stdtime.gov.hk > /dev/null 2>&1

# sync time after reboot
@reboot         /usr/sbin/ntpdate stdtime.gov.hk > /dev/null 2>&1

限制 ssh

vi /etc/ssh/sshd_config

AllowUsers root

systemctl restart sshd

建立 system admin 的 alias

vi /etc/aliases

root: [email protected]

newaliases

安裝 vm tools

yum -y install open-vm-tools

systemctl enable vmtoolsd

systemctl start vmtoolsd

Configure Firewall

# ftp
firewall-cmd --add-port=21/tcp --permanent
firewall-cmd --add-port=9001-9100/tcp --permanent

# web
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-port=8080/tcp --permanent

# e-mail
firewall-cmd --add-port=143/tcp --permanent
firewall-cmd --add-port=110/tcp --permanent
firewall-cmd --add-port=1025/tcp --permanent
firewall-cmd --add-port=25/tcp --permanent

# ssh
firewall-cmd --add-rich-rule='rule family="ipv4" source address="x.x.x.x" port protocol="tcp" port="22" accept' --permanent
firewall-cmd --remove-service=ssh --permanent

# remove other
firewall-cmd --remove-service=dhcpv6-client --permanent

# reload firewall
firewall-cmd --reload

# check it
firewall-cmd --list-all

# 1025~1030 -> 25
firewall-cmd --direct --permanent --add-rule ipv4 nat PREROUTING 0 -p tcp --dport 1025:1030 -j REDIRECT --to-port 25

reboot

pure-ftpd

yum -y install pure-ftpd

vi /etc/pure-ftpd/pure-ftpd.conf

BrokenClientsCompatibility  yes
MaxClientsNumber            20
MaxClientsPerIP             4
IPV4Only                    yes
PassivePortRange            9001 9100

NoAnonymous                 yes

systemctl enable pure-ftpd.service

systemctl restart pure-ftpd.service

httpd

# 安裝

yum -y install httpd mod_ssl

# mod_fcgid 及 httpd-itk 安其中一個即可

yum install httpd-itk mod_fcgid

cd /etc/httpd/conf.modules.d/

00-base.conf

# disable_modules.sh

#!/bin/bash

cp 00-base.conf 00-base.conf.bak

mylist="authn_dbd_module
authn_dbm_module
authn_socache_module
authz_dbd_module
authz_dbm_module
authz_owner_module
cache_module
cache_disk_module
dbd_module
dumpio_module
echo_module
slotmem_plain_module
slotmem_shm_module
socache_dbm_module
socache_memcache_module
substitute_module
unique_id_module
userdir_module
data_module
"

for m in $mylist
do
        sed -i /$m/s/^/#/ 00-base.conf
done

# 停用及保留無用的 Setting

cd /etc/httpd/conf.modules.d

mkdir _bak

mv 01-cgi.conf 00-proxy.conf 00-dav.conf 00-lua.conf _bak/

touch 01-cgi.conf 00-proxy.conf 00-dav.conf 00-lua.conf

vim 00-mpm.conf

# For 1GB VM
MaxRequestWorkers 32

# 安全設定

vim /etc/httpd/conf/httpd.conf

Options Indexes FollowSymLinks

Options -Indexes +FollowSymLinks

加入

<Directory />
    AllowOverride none
    Require all denied
    Options -Indexes +FollowSymLinks
</Directory>

# 有安 itk 時要用 (用 mod_fcgid 比教安全)

vim 00-mpm-itk.conf

LoadModule mpm_itk_module modules/mod_mpm_itk.so

# Default hosts

vim /etc/httpd/conf/sites-enabled/001-default.vhost

<VirtualHost *:80>
    ErrorLog /dev/null
    TransferLog /dev/null
    ServerAdmin [email protected]
    <Directory /var/www/html>
        Require all granted
    </Directory>
</VirtualHost>

# Default Page

echo "<html><h1><body>Server is working</body></h1></html>" > /var/www/html/index.htm

# 清 NameVirtualHost

sed -i '/NameVirtualHost/d' /etc/httpd/conf/httpd.conf

sed -i '/NameVirtualHost/d' /etc/httpd/conf/sites-enabled/000-ispconfig.conf

sed -i '/NameVirtualHost/d' /etc/httpd/conf/sites-enabled/000-ispconfig.vhost

# 設定 Service

apachectl -t

systemctl enable httpd.service

systemctl restart httpd.service

mariadb

yum -y install mariadb mariadb-server

vim /etc/my.cnf.d/server.cnf

[mysqld]
innodb_log_buffer_size=256K
innodb_buffer_pool_size=5M

systemctl enable mariadb

systemctl restart mariadb

mysql_secure_installation

php

# Install

yum -y install php php-gd php-imap php-ldap php-mysql php-odbc php-pear \
php-xml php-xmlrpc php-pecl-apc php-mbstring php-mcrypt php-mssql php-snmp \
php-soap php-tidy curl perl-libwww-perl ImageMagick libxml2

# Config

# After Install Apache

vim /etc/httpd/conf.d/php.conf

DirectoryIndex index.php index.html index.htm

phpmyadmin

yum -y install phpmyadmin

vim /etc/httpd/conf.d/phpMyAdmin.conf

<Directory /usr/share/phpMyAdmin/>
   AddDefaultCharset UTF-8
   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
        #Require all granted
        Require ip x.x.x.x
     </RequireAny>
   </IfModule>
</Directory>

Report Tools

# Centos7 上係沒有 webalizer 的包的

yum -y install awstats

mail

# SMTP (Port 25)

yum -y install postfix

vim /etc/postfix/main.cf

inet_protocols = ipv4

#content_filter = amavis:[127.0.0.1]:10024
#receive_override_options = no_address_mappings

smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
 check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client sbl.spamhaus.org,
 reject_rbl_client cbl.abuseat.org

message_size_limit = 15728640

smtp_helo_name = you.mail.domain

/etc/postfix/master.cf

1025 inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_tls_security_level=none
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

systemctl enable postfix

systemctl restart postfix

# pop3, imap (110, 143)

yum -y install dovecot dovecot-mysql dovecot-pigeonhole

ln -s /etc/dovecot/dovecot-sql.conf /etc/dovecot-sql.conf

systemctl enable dovecot

systemctl restart dovecot

vim /etc/dovecot/dovecot.conf

listen = *
ssl = no

Spam Filter

# spamassassin

# Install

yum -y install spamassassin

# Test SA update

sa-update -v

Update finished, no fresh updates were available

# Clamav

Install

yum install clamav clamav-server \
clamav-data \
clamav-update \
clamav-filesystem \
clamav-scanner-systemd \
clamav-lib \
clamav-server-systemd

sed -i -e "s/^Example/#Example/" /etc/freshclam.conf

sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf

freshclam:

/etc/freshclam.conf

# Comment or remove the line below.
#Example

freshclam

clamav:

cd /etc/clamd.d/

mkdir backup

mv scan.conf backup/

ln -s /etc/clamd.d/amavisd.conf /etc/clamd.d/scan.conf

systemctl restart clamd.scan

systemctl enable clamd.scan

Testing

systemctl status clamd.scan

clamdscan -c /etc/clamd.d/scan.conf /etc/hosts

/etc/hosts: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)

# amavisd

yum -y install amavisd-new

rm /etc/amavisd.conf

vim /etc/amavisd/amavisd.conf

@bypass_virus_checks_maps = (1);

$max_servers = 1;

vi /etc/postfix/master.cf

amavis unix - - - - 1 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

systemctl enable amavisd

systemctl restart amavisd

# tools

yum -y install getmail mailman

postmap hash:/etc/mailman/virtual-mailman

# webmail

yum -y install roundcubemail

vi /etc/httpd/conf.d/roundcubemail.conf

# 加入 webmail alias
Alias /webmail /usr/share/roundcubemail

<Directory /usr/share/roundcubemail/>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all granted
    </IfModule>
</Directory>


<Directory /usr/share/roundcubemail/installer/>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require ip 127.0.0.1
    </IfModule>
</Directory>

http://xxx/webmail/installer

生成

/etc/roundcubemail/config.inc.php

# 最後

chown root /etc/roundcubemail/config.inc.php

systemctl restart postfix.service

Security

yum -y install fail2ban

systemctl enable fail2ban.service

systemctl start fail2ban.service

yum -y install rkhunter

Ispconfig

cd /usr/src/

tar -zxf ISPConfig-3.0.5.4p9.tar.gz

cd ispconfig3_install/install

php -q install.php

設定:

cd /usr/local/ispconfig/interface/web

mkdir _backup

mv dns help vm _backup/

Turning

1. 改 Login

Default Login: admin / admin

2. System

Server Services

Server Config

# Server

* Backup directory is a mount?

# Web

* Security level - Medium

* Disable - Send ... to ... client

System -> Interface -> Main Config

Main Config

# Sites tab

* Database name prefix = [CLIENTNAME]_

# Domain tab

* Use the domain limits in client module to add new domains

# Misc tab

* Clean Dashboard atom feed URL (admin)

* Discard changes on tab change

* Tab change warning

* Minimum password length: 8

* Minimum password strength: Good

Client Template

INSERT INTO `client_template` (`template_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, 
`sys_perm_group`, `sys_perm_other`, `template_name`, `template_type`, `limit_maildomain`, 
`limit_mailbox`, `limit_mailalias`, `limit_mailaliasdomain`, `limit_mailforward`, 
`limit_mailcatchall`, `limit_mailrouting`, `limit_mailfilter`, `limit_fetchmail`, 
`limit_mailquota`, `limit_spamfilter_wblist`, `limit_spamfilter_user`, `limit_spamfilter_policy`, 
`limit_web_ip`, `limit_web_domain`, `limit_web_quota`, `web_php_options`, `limit_cgi`, `limit_ssi`, 
`limit_perl`, `limit_ruby`, `limit_python`, `force_suexec`, `limit_hterror`, `limit_wildcard`, `limit_ssl`, 
`limit_web_subdomain`, `limit_web_aliasdomain`, `limit_ftp_user`, `limit_shell_user`, `ssh_chroot`, 
`limit_webdav_user`, `limit_backup`, `limit_aps`, `limit_dns_zone`, `limit_dns_slave_zone`, 
`limit_dns_record`, `limit_database`, `limit_database_quota`, `limit_cron`, `limit_cron_type`, 
`limit_cron_frequency`, `limit_traffic_quota`, `limit_client`, `limit_domainmodule`, 
`limit_mailmailinglist`, `limit_openvz_vm`, `limit_openvz_vm_template_id`) VALUES
(1, 1, 1, 'riud', 'riud', '', 'Standard-Plan', 'm', 1, 10, 10, 1, 10, 1, 0, 0, 0, 1024, 0, 0, 0, NULL, 
1, 1024, 'no,mod', 'n', 'y', 'n', 'n', 'n', 'n', 'y', 'y', 'n', 1, 1, 1, 0, 'no', 0, 'y', 0, 0, 0, 
0, 1, -1, 0, 'url', 5, -1, 0, 0, 0, 0, 0);

Cleanup

yum clean all

history -c