
Installing ISPConfig On Ubuntu Xenial

Full Webhosting Platform For Your Pine

Administrator, July 3rd 2017
This tutorial shows the installation of an Ubuntu 16.04 (Xenial Xerus) web hosting server with Apache2, Postfix, Dovecot, Bind and PureFTPD to prepare it for the installation of ISPConfig.
What You Need
Pine A64/A64+/SoPine Board (A64+/SoPine Recommended)
Step 1 Preparation
This tutorial assumes that you have already installed Ubuntu using the methods described in the Getting Started - Linux guide.

It is recommended to run the system off of an external hard drive as the performance benefits are noticeable. Follow the Linux On An External Drive guide if you wish.

At this point login to your Ubuntu OS by either remotely logging in via ssh or directly with a monitor/keyboard hooked up to your Pine 64 (username: ubuntu & password: ubuntu).

Once logged in you will have to reconfigure the default shell in order for this to work properly.
sudo -i
dpkg-reconfigure dash
Then answer "No" to "Use dash as the default system shell (/bin/sh)".
Step 2 Disable AppArmor
AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion, you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore, I disable it (this is a must if you want to install ISPConfig later on).
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
Step 3 Sync The System Clock
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet when you run a physical server.

Note: You may want to install fake-hwclock if you do not have an RTC battery attached to your Pine.
apt-get -y install ntp ntpdate
Step 4 Postfix, Dovecot, MariaDB, Rkhunter & Binutils
We must first run the following:
service sendmail stop; update-rc.d -f sendmail remove
Ignore the "Failed to stop sendmail.service: Unit sendmail.service not loaded." message if it pops up as it means that sendmail was probably not installed.

Now we install Postfix, Dovecot, MariaDB, rkhunter, and binutils.
apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo
You will be asked the following questions:
General type of mail configuration: <-- Internet Site
System mail name: <-- server.yourdomain.com
Note: It is important that you use a subdomain as "system mail name" like server.yourdomain.com and not a domain that you want to use as email domain (e.g. yourdomain.com) later.

Now we edit the Postfix config:
nano /etc/postfix/master.cf
Now uncomment the "submission inet n" line and the option lines that follow it, so that the section reads:
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
Now add the following after "-o smtpd_sasl_auth_enable=yes"
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
Now uncomment the "smtps inet n" line and the option lines that follow it, so that the section reads:
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
Now add the following after "-o smtpd_sasl_auth_enable=yes"
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
Note: please remember to add 2 spaces before the "-o", since Postfix only treats indented lines as part of the preceding service entry.

Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.
service postfix restart
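As an added example, not part of the original article, here is a small shell check for the result of the master.cf edits: it parses a master.cf and reports which of the options above are missing from the submission and smtps services (TLS enforced, SASL enabled, relaying limited to authenticated clients). Run it against /etc/postfix/master.cf after saving; the two master.cf fragments inside the script are constructed samples, one with the edits applied and one as shipped.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the submission and
# smtps services in a Postfix master.cf carry the hardening options described
# above. Usage: check_postfix_submission /etc/postfix/master.cf

check_postfix_submission() {     # $1 = path to master.cf; exit 0 if all options are present
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # commented-out or blank lines do not count
        /^[^ \t]/ { svc = $1 "/" $2; next }      # "submission inet n - - - - smtpd" -> submission/inet
        $1 == "-o" { opts[svc, $2] = 1 }         # indented "-o key=value" continuation lines
        END {
            want["submission/inet", "smtpd_tls_security_level=encrypt"] = 1
            want["submission/inet", "smtpd_sasl_auth_enable=yes"] = 1
            want["submission/inet", "smtpd_client_restrictions=permit_sasl_authenticated,reject"] = 1
            want["smtps/inet", "smtpd_tls_wrappermode=yes"] = 1
            want["smtps/inet", "smtpd_sasl_auth_enable=yes"] = 1
            want["smtps/inet", "smtpd_client_restrictions=permit_sasl_authenticated,reject"] = 1
            ok = 1
            for (k in want) if (!(k in opts)) {
                split(k, p, SUBSEP)
                print "MISSING in " p[1] ": -o " p[2]
                ok = 0
            }
            exit (ok ? 0 : 1)
        }' "$1"
}

# Constructed master.cf fragment with the edits from this step applied.
sample_master_cf() {
    cat <<'EOF'
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}

# Constructed fragment as shipped, with the submission block still commented out.
sample_stock_master_cf() {
    cat <<'EOF'
smtp       inet  n  -  y  -  -  smtpd
#submission inet n  -  y  -  -  smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
EOF
}

tmp=$(mktemp)
sample_master_cf > "$tmp"
if check_postfix_submission "$tmp"; then echo "edited master.cf: submission/smtps hardening present"; fi
sample_stock_master_cf > "$tmp"
check_postfix_submission "$tmp" || echo "stock master.cf: hardening missing (expected)"
rm -f "$tmp"
```

The check deliberately ignores commented-out lines, so a master.cf where the submission block was never uncommented is reported as missing all six options rather than passing on the commented template.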
Now we want to edit the MariaDB settings to remove the binding to the 127.0.0.1 address by adding a "#" to comment it out. With that line commented out MariaDB listens on all interfaces, so it must stay shielded by the firewall and by the "Disallow root login remotely" answer below.
nano /etc/mysql/mariadb.conf.d/50-server.cnf
Find the line that reads as follows and add the "#" at the beginning of it:

#bind-address = 127.0.0.1

Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.

Next we will secure the MariaDB server by assigning a new MariaDB root password to it.
mysql_secure_installation
You will be presented with the following upon running the script:
Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter your new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y
Finally we restart MariaDB.
service mysql restart
Step 5 Amavisd-new, SpamAssassin & ClamAV
To install Amavisd-new, SpamAssassin & ClamAV we run the following:
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey
We then stop SpamAssassin and remove it from the boot sequence, as ISPConfig will be in charge of loading it when needed, and modify ClamAV to work with ISPConfig.
service spamassassin stop
update-rc.d -f spamassassin remove
nano /etc/clamav/clamd.conf
We now change the "AllowSupplementaryGroups false" option to "AllowSupplementaryGroups true"

Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.

We now start ClamAV with the following commands.
freshclam
service clamav-daemon start
Note: if you get a "WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory" message you can simply ignore it.
Step 6 Apache, PHP 7, PHPMyAdmin & Mcrypt
This step will install Apache, PHP 7 and various other requirements for ISPConfig.
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php php7.0 php7.0-common php7.0-gd php7.0-mysql php7.0-imap phpmyadmin php7.0-cli php7.0-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear php-auth php7.0-mcrypt mcrypt imagemagick libruby libapache2-mod-python php7.0-curl php7.0-intl php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl memcached php-memcache php-imagick php-gettext php7.0-zip php7.0-mbstring
You will then be asked the following; answer as shown:
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- Yes
MySQL application password for phpmyadmin: <-- Press enter
Now perform the following:
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest headers
nano /etc/apache2/conf-available/httpoxy.conf
Add the following to the config file. It unsets any client-supplied "Proxy" header before CGI/FastCGI scripts see it, where it would otherwise be passed through as the HTTP_PROXY environment variable (the httpoxy issue).

RequestHeader unset Proxy early
Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.

Then execute the following:
a2enconf httpoxy
service apache2 restart
We will now edit the MIME types so that Ruby files can be hosted with ISPConfig handling the permissions, by adding a "#" in front of the line that reads "application/x-ruby rb".
nano /etc/mime.types
#application/x-ruby rb
Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.

Then we restart Apache.
service apache2 restart
Step 7 PHP Opcode Cache & PHP-FPM
This installs an opcode cache to speed up PHP in general on the Pine and adds PHP-FPM as an alternative PHP mode.
apt-get install php7.0-opcache php-apcu libapache2-mod-fastcgi php7.0-fpm
a2enmod actions fastcgi alias
service apache2 restart
Step 8 Let's Encrypt
Adding Let's Encrypt SSL certificates to your hosting platform.
apt-get -y install letsencrypt
Step 9 PureFTPd & Quota
Adding FTP plus Quota capabilities to ISPConfig.

Note: in order to add Quota capabilities to your install you require a kernel with it enabled. It is alright to not use it but if you wish to use it you will have to build the kernel or download Pine 64 Pro's "Server Kernel" build.
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
Now edit the PureFTPd defaults file and ensure the options below match.
nano /etc/default/pure-ftpd-common
STANDALONE_OR_INETD=standalone
VIRTUALCHROOT=true
Configure PureFTPd to use TLS.
echo 1 > /etc/pure-ftpd/conf/TLS
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Then answer the following as follows (substituting your info where applicable).
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server.yourdomain.com").
Email Address []: <-- Enter your Email Address.
Wrapping up PureFTPd.
chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart
The following bit is only used for Quota enabled kernels. We simply will be adding ",usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0" to the options of the "/" entry (root partition drive) in fstab, so that the entry looks like the first line below (the device names are those of the external-drive setup from Step 1; adjust them to your own layout).
nano /etc/fstab
/dev/sda1 / ext4 defaults,noatime,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
/dev/sda5 none swap sw 0 0
Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.

The following will enable Quota.
mount -o remount /
quotacheck -avugm
quotaon -avug
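As an added example (not from the original article), the following script performs the fstab edit from this step non-interactively: it appends the journaled-quota options to the root filesystem entry only, leaves every other line untouched, and does nothing on a second run, so it is safe to use in a provisioning script. The sample fstab is constructed; /dev/sda1 and /dev/sda5 are the device names assumed above. Remounting and running quotacheck/quotaon still follow as described.

```shell
#!/bin/sh
# Added example (not from the original article): idempotently add the quota mount
# options to the "/" entry of an fstab file. Usage: add_root_quota_opts /etc/fstab

QUOTA_OPTS='usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0'

add_root_quota_opts() {     # $1 = fstab path; rewritten in place
    awk -v q="$QUOTA_OPTS" '
        /^[ \t]*#/ || NF < 4 { print; next }                          # comments and odd lines pass through
        $2 == "/" && index($4, "usrjquota=") == 0 { $4 = $4 "," q }   # root fs only, and only once
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

root_fs_opts() {            # $1 = fstab path; prints the mount options of "/"
    awk '!/^[ \t]*#/ && $2 == "/" { print $4 }' "$1"
}

# Constructed sample fstab matching the layout assumed in this article.
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 / ext4 defaults,noatime 0 1
/dev/sda5 none swap sw 0 0
EOF
}

f=$(mktemp)
sample_fstab > "$f"
add_root_quota_opts "$f"
add_root_quota_opts "$f"          # second run is a no-op
echo "root options: $(root_fs_opts "$f")"
cat "$f"
rm -f "$f"
```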
Step 10 BIND DNS
Straightforward BIND install.
apt-get install bind9 dnsutils haveged
Step 11 Vlogger, Webalizer & AWstats
Add and enable stats for your hosting platform by performing the following:
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
We now disable the awstats cron jobs by commenting them out, so that ISPConfig can run AWStats itself; the file should match exactly the below:
nano /etc/cron.d/awstats
#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.
Step 12 Jailkit
We will need to compile Jailkit as it is an integral part of ISPConfig for offering chroot to ssh users.
apt-get install build-essential autoconf automake1.11 libtool flex bison debhelper binutils
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
./debian/rules binary
cd ..
dpkg -i jailkit_2.19-1_*.deb
rm -rf jailkit-2.19*
Step 13 Fail2Ban and UFW
This beefs up security for your ISPConfig webhosting platform.
apt-get install fail2ban
Now we add a few jails to monitor failed logins against PureFTPd, Dovecot and Postfix SASL.
nano /etc/fail2ban/jail.local
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.

Now the filters these jails refer to.
nano /etc/fail2ban/filter.d/pureftpd.conf
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =
Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.

Next filter.
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.

Now finally we execute the following:
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
service fail2ban restart
apt-get install ufw
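As an added example (not from the original article), the following script replays the pure-ftpd failregex against constructed syslog lines with grep -E, roughly what `fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pureftpd.conf` does, and also shows that the same regex with its parentheses and brackets left unescaped matches nothing. The <HOST> expansion is a simplified stand-in for fail2ban's (IP literals only); the Dovecot filter uses Python-only syntax such as (?P<host>...) that grep -E cannot run, so check that one with fail2ban-regex.

```shell
#!/bin/sh
# Added example (not from the original article): replay a fail2ban failregex
# against constructed log lines with grep -E. Use fail2ban-regex for the
# authoritative check; this only works for POSIX-ERE-compatible filters.

# fail2ban replaces <HOST> with a named group that also accepts hostnames; grep -E
# has no named groups, so a plain capture group for IPv4/IPv6 literals stands in.
HOST_ERE='([0-9a-fA-F.:]+)'

# The pure-ftpd failregex exactly as written in /etc/fail2ban/filter.d/pureftpd.conf.
PUREFTPD_REGEX='.*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*'

# The same regex with the escapes lost (a typical copy/paste or HTML-mangling
# accident): "(.*@<HOST>)" becomes a group and "[WARNING]" a one-character class,
# so the literal "[WARNING]" in the log line can never match.
BROKEN_REGEX='.*pure-ftpd: (.*@<HOST>) [WARNING] Authentication failed for user.*'

f2b_expand() {            # $1 = failregex; prints it with <HOST> expanded
    printf '%s\n' "$1" | sed "s/<HOST>/$HOST_ERE/g"
}

f2b_count() {             # $1 = failregex, $2 = log file; prints the number of matching lines
    grep -cE "$(f2b_expand "$1")" "$2" || true      # grep -c exits 1 on zero matches
}

f2b_hosts() {             # $1 = failregex, $2 = log file; prints the host captured from each match
    re=$(f2b_expand "$1")
    grep -E "$re" "$2" | sed -E "s/$re/\\1/"
}

# Constructed sample of /var/log/syslog: two failed logins and one unrelated line.
sample_syslog() {
    cat <<'EOF'
Jul  3 12:00:01 pine pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]
Jul  3 12:00:02 pine pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
Jul  3 12:00:09 pine pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [web1]
EOF
}

log=$(mktemp)
sample_syslog > "$log"
echo "matches with the correct regex:   $(f2b_count "$PUREFTPD_REGEX" "$log")"   # 2
echo "matches with the unescaped regex: $(f2b_count "$BROKEN_REGEX" "$log")"     # 0
echo "hosts counted towards maxretry:"
f2b_hosts "$PUREFTPD_REGEX" "$log"
rm -f "$log"
```

Each failed login contributes one match for its source address; fail2ban bans the address once it has seen maxretry matches (3 for the pureftpd jail above) within the findtime window.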
Step 14 Roundcube Webmail
Because every webhosting platform needs one.
apt-get install roundcube roundcube-core roundcube-mysql roundcube-plugins roundcube-plugins-extra javascript-common libjs-jquery-mousewheel php-net-sieve tinymce
You will need to answer the following like so.
Configure database for roundcube with dbconfig-common? <-- Yes
MySQL application password for roundcube: <-- Press enter
Now we edit the Roundcube config for Apache.

Remove the "#" in front of the first 2 Alias lines, add the two other "Alias" statements, and add the line "AddType application/x-httpd-php .php" right after the "<Directory /var/lib/roundcube/>" line.
nano /etc/apache2/conf-enabled/roundcube.conf
Alias /webmail /var/lib/roundcube

<Directory /var/lib/roundcube/>
  AddType application/x-httpd-php .php
Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.

Now finally we edit the Roundcube config file to use localhost as its default host, as follows.
nano /etc/roundcube/config.inc.php
$config['default_host'] = 'localhost';
Now hit "CTRL+X" followed by "Y" and then "Enter" to save the changes.

Finally we execute the following:
service apache2 restart
Step 15 ISPConfig
Now we install ISPConfig.
cd /tmp
wget -O ispconfig.tar.gz https://git.ispconfig.org/ispconfig/ispconfig3/repository/archive.tar.gz?ref=stable-3.1
tar xfz ispconfig.tar.gz
cd ispconfig3*/install/
php -q install.php
Answer the questions as follows (with your own substitutions where applicable).
Select language (en,de) [en]: <-- Hit Enter
Installation mode (standard,expert) [standard]: <-- Hit Enter
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.canomi.com]: <-- Hit Enter
MySQL server hostname [localhost]: <-- Hit Enter
MySQL server port [3306]: <-- Hit Enter
MySQL root username [root]: <-- Hit Enter
MySQL root password []: <-- Enter your MySQL root password
MySQL database to create [dbispconfig]: <-- Hit Enter
MySQL charset [utf8]: <-- Hit Enter

Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key .......................................................................++
........................................................................................................................................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server.yourdomain.com
Email Address []: <-- Hit Enter
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Jailkit
Configuring Pureftpd
Configuring Apache
Configuring vlogger
Configuring Metronome XMPP Server
writing new private key to 'localhost.key'
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) [server1.canomi.com]: <-- Enter the server hostname, in my case: server.yourdomain.com
Email Address []: <-- Hit Enter

Configuring Ubuntu Firewall
Configuring Fail2ban
[INFO] service OpenVZ not detected
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]:

Admin password [admin]:

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- Hit Enter
Generating RSA private key, 4096 bit long modulus
.......................++
................................................................................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server.yourdomain.com
Email Address []: <-- Hit Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Hit Enter
An optional company name []: <-- Hit Enter
writing RSA key

Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.
To finalize the install we execute the following. The SQL statement clears the authentication plugin set on the MariaDB root account (by default the unix_socket plugin, which only admits the local OS root user) so that ISPConfig and phpMyAdmin can log in as root with the password set earlier:
echo "update user set plugin='' where User='root';" | mysql -u root -p mysql
sync
reboot
Now your ISPConfig webhosting platform is up and running after the reboot. To access the GUI open a browser window to https://SERVER-IP-ADDRESS:8080. You will have to accept the self-signed cert in order to access the page.
Administrator, July 7th 2017
This article can be further expanded on to include setting things up in an active mirrored cluster setup.

I will write it up when I have some down time in the near future.