The Perfect Server - Ubuntu 18.04 (Bionic Beaver) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1

This tutorial shows how to install an Ubuntu 18.04 (Bionic Beaver) web hosting server with Apache 2.4, Postfix, Dovecot, Bind and PureFTPD to prepare it for the installation of ISPConfig 3.1. The resulting system will provide a web, mail, mailing list, DNS and FTP server.

ISPConfig is a web hosting control panel that allows you to configure the following services through a web browser: Apache or Nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS name server, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers the installation of Apache (instead of Nginx), BIND (instead of MyDNS) and Dovecot (instead of Courier).

1. Preliminary Note

In this tutorial, I use the hostname server1.example.com with the IP address 192.168.1.100 and the gateway 192.168.1.1. These settings may differ for you, so you have to replace them where appropriate. Before proceeding, you need a basic minimal installation of Ubuntu 18.04 as described in the tutorial.

The commands in this tutorial must be run with root privileges. To avoid prefixing every command with sudo, you must become the root user by running

sudo -s

before you proceed.

2. Edit /etc/apt/sources.list and Update Your Linux Installation

Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this afterwards:

nano /etc/apt/sources.list

## deb cdrom:[Ubuntu-Server 18.04 LTS _Bionic Beaver_ - Release amd64 (20180425.1)]/ bionic main restricted
#deb cdrom:[Ubuntu-Server 18.04 LTS _Bionic Beaver_ - Release amd64 (20180425.1)]/ bionic main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ bionic main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ bionic universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic universe
deb http://de.archive.ubuntu.com/ubuntu/ bionic-updates universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ bionic multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://de.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu bionic partner
# deb-src http://archive.canonical.com/ubuntu bionic partner

deb http://security.ubuntu.com/ubuntu bionic-security main restricted
# deb-src http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
# deb-src http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
# deb-src http://security.ubuntu.com/ubuntu bionic-security multiverse

Then run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:

reboot
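As the comments in the file warn, packages from universe and multiverse get no review from the Ubuntu security team, so the only fixes those packages receive arrive through the bionic-security lines. It is therefore worth checking that every component enabled for bionic is also enabled for bionic-security. The following shell script is an added example and not part of the original tutorial; it assumes the one-line "deb URL SUITE COMPONENTS" layout shown above (entries with a "[arch=...]" field are not handled) and builds its own constructed sample files, so it runs without touching /etc/apt/sources.list.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): verify that an APT
# sources.list still delivers security updates for every component it
# enables. Assumes one-line "deb URL SUITE COMPONENT..." entries as shown
# in the tutorial; "deb [arch=...] ..." entries are not handled.

# Print the components enabled by active "deb" lines for one suite,
# sorted and de-duplicated, e.g. "main multiverse restricted universe".
pocket_components() {
    file=$1
    suite=$2
    awk -v s="$suite" '$1 == "deb" && $3 == s { for (i = 4; i <= NF; i++) print $i }' "$file" |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when every component enabled for RELEASE is also enabled for
# RELEASE-security; otherwise print each uncovered component and return 1.
check_security_pocket() {
    file=$1
    release=$2
    rc=0
    sec=" $(pocket_components "$file" "$release-security") "
    for c in $(pocket_components "$file" "$release"); do
        case "$sec" in
            *" $c "*) ;;
            *) echo "$c: enabled for $release but missing from $release-security"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the layout from the tutorial, with security lines for
# main, restricted, universe and multiverse.
write_sample_good() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#deb cdrom:[Ubuntu-Server 18.04 LTS _Bionic Beaver_ - Release amd64 (20180425.1)]/ bionic main restricted
deb http://de.archive.ubuntu.com/ubuntu/ bionic main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://de.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://de.archive.ubuntu.com/ubuntu/ bionic universe
deb http://de.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
EOF
    echo "$f"
}

# Constructed sample: universe was enabled but the matching security line
# was left commented out, so universe packages would never receive fixes.
write_sample_bad() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
deb http://de.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://de.archive.ubuntu.com/ubuntu/ bionic universe
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
# deb http://security.ubuntu.com/ubuntu bionic-security universe
EOF
    echo "$f"
}

# Stand-alone demo on the two samples (use /etc/apt/sources.list on a real server).
demo_good=$(write_sample_good)
demo_bad=$(write_sample_bad)
check_security_pocket "$demo_good" bionic && echo "good sample: all components covered"
check_security_pocket "$demo_bad" bionic || echo "bad sample: security coverage incomplete"
rm -f "$demo_good" "$demo_bad"
```

Run check_security_pocket /etc/apt/sources.list bionic after editing the file; a non-zero exit with a component name printed means that component will get bug-fix updates but no security updates.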

3. Change the Default Shell

/bin/sh is a symlink to /bin/dash, but we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <-- No

If you don't do this, the ISPConfig installation will fail.

4. Disable AppArmor

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of troubleshooting because some service wasn't working as expected, and then you find out that everything was OK, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils

5. Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (Network Time Protocol) server over the Internet when you run a physical server. If you run a virtual server then you should skip this step. Just run

apt-get -y install ntp

and your system time will always be in sync.

6. Install Postfix, Dovecot, MariaDB, rkhunter and binutils

To install Postfix, we need to ensure that sendmail is not installed and running. To stop and remove sendmail, run the following command:

service sendmail stop; update-rc.d -f sendmail remove

The error message:

Failed to stop sendmail.service: Unit sendmail.service not loaded.

is fine; it just means that sendmail was not installed, so there was nothing to remove.

Now we can install Postfix, Dovecot, MariaDB (as MySQL replacement), rkhunter and binutils with a single command:

apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

It is important that you use a subdomain as the "system mail name", like server1.example.com or server1.yourdomain.com, and not a domain that you want to use as an email domain later on (e.g. yourdomain.tld).

Next, open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/master.cf

Uncomment the submission and smtps sections as shown below, adding the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject to both sections and leaving everything else commented out:

[...]
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

Note: the whitespace in front of the "-o ...." lines is important!

Restart Postfix afterwards:

service postfix restart
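The two sections above are what keep ports 587 and 465 from relaying mail for unauthenticated clients: smtpd_sasl_auth_enable turns authentication on, smtpd_client_restrictions rejects anyone who has not authenticated, and the TLS option (STARTTLS required on submission, TLS wrapper mode on smtps) keeps credentials from crossing the wire in clear text. The script below is an added example, not part of the original tutorial or of Postfix; it parses a master.cf in the layout shown above (service line starting in column 1, indented -o overrides) and reports whether each service passes those checks. It runs on constructed sample files, one of which has a -o line without the leading whitespace the note warns about; point service_option and check_mua_service at /etc/postfix/master.cf to check a real server.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): read back a Postfix
# master.cf and confirm that the submission (587) and smtps (465) services
# only accept mail from authenticated clients over TLS. Assumes the
# one-service-per-line layout with indented "-o key=value" overrides.

# Print the value of "-o KEY=VALUE" in SERVICE's block of FILE; commented
# lines are ignored. Prints nothing if the service or option is absent.
service_option() {
    awk -v svc="$2" -v key="$3" '
        /^[ \t]*#/ { next }                    # comment line
        /^[^ \t]/  { cur = $1; next }          # a service line starts in column 1
        cur == svc && $1 == "-o" && index($2, key "=") == 1 {
            print substr($2, length(key) + 2)  # everything after "KEY="
        }' "$1"
}

# Return 0 if SERVICE in FILE is an authenticated-only, TLS-protected
# submission port; print the failing checks and return 1 otherwise.
check_mua_service() {
    file=$1
    svc=$2
    rc=0
    [ "$(service_option "$file" "$svc" smtpd_sasl_auth_enable)" = "yes" ] ||
        { echo "$svc: smtpd_sasl_auth_enable is not yes"; rc=1; }
    [ "$(service_option "$file" "$svc" smtpd_client_restrictions)" = "permit_sasl_authenticated,reject" ] ||
        { echo "$svc: smtpd_client_restrictions does not reject unauthenticated clients"; rc=1; }
    tls_level=$(service_option "$file" "$svc" smtpd_tls_security_level)
    tls_wrap=$(service_option "$file" "$svc" smtpd_tls_wrappermode)
    [ "$tls_level" = "encrypt" ] || [ "$tls_wrap" = "yes" ] ||
        { echo "$svc: neither STARTTLS required nor TLS wrapper mode"; rc=1; }
    return $rc
}

# Constructed sample in the layout of the tutorial's master.cf excerpt.
write_sample_master() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
    echo "$f"
}

# Constructed broken variant: the restriction line lost its leading
# whitespace, so it no longer belongs to the submission service.
write_sample_broken() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
    echo "$f"
}

# Stand-alone demo
demo=$(write_sample_master)
broken=$(write_sample_broken)
for s in submission smtps; do
    check_mua_service "$demo" "$s" && echo "$s: ok"
done
check_mua_service "$broken" submission || echo "broken sample rejected as expected"
rm -f "$demo" "$broken"
```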

We want MySQL to listen on all interfaces, not just localhost. Therefore we edit /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the line bind-address = 127.0.0.1:

nano /etc/mysql/mariadb.conf.d/50-server.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1

[...]

Now we set a root password in MariaDB. Run:

mysql_secure_installation

You will be asked the following questions:

Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

Set the password authentication method in MariaDB to native so that we can connect as the root user with PHPMyAdmin later:

echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root

Edit the file /etc/mysql/debian.cnf and set the MySQL/MariaDB root password there twice, in the lines that start with password.

nano /etc/mysql/debian.cnf

The MySQL root password that needs to be added is shown in red; in this example the password is "howtoforge". Replace "howtoforge" with the password you set for the MySQL root user with the mysql_secure_installation command.

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = root
password = howtoforge
socket   = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = root
password = howtoforge
socket   = /var/run/mysqld/mysqld.sock
basedir  = /usr

Then we restart MariaDB:

service mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp6       0      0 [::]:mysql              [::]:*                  LISTEN      30591/mysqld
root@server1:~#

7. Install Amavisd-new, SpamAssassin and ClamAV

To install amavisd-new, SpamAssassin and ClamAV, we run

apt-get -y install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey

The ISPConfig 3 setup uses amavisd, which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

service spamassassin stop
update-rc.d -f spamassassin remove

To start ClamAV use:

freshclam
service clamav-daemon start

The following error can be ignored on the first freshclam run.

ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

The amavisd-new program currently has a bug in Ubuntu 18.04 which prevents emails from being signed correctly with DKIM. Run the following commands to patch amavisd-new.

cd /tmp
wget https://git.ispconfig.org/ispconfig/ispconfig3/raw/stable-3.1/helper_scripts/ubuntu-amavisd-new-2.11.patch
cd /usr/sbin
cp -pf amavisd-new amavisd-new_bak
patch < /tmp/ubuntu-amavisd-new-2.11.patch

If you get an error from the 'patch' command, then Ubuntu has probably fixed the issue already, so it should be safe to ignore that error.

7.1 Install the Metronome XMPP Server (optional)

The Metronome XMPP Server provides an XMPP chat server. This step is optional; if you do not need a chat server, you can skip it. No other ISPConfig function depends on this software.

Install the following packages with apt.

apt-get -y install git lua5.1 liblua5.1-0-dev lua-filesystem libidn11-dev libssl-dev lua-zlib lua-expat lua-event lua-bitop lua-socket lua-sec luarocks luarocks
luarocks install lpc

Add a shell user for Metronome.

adduser --no-create-home --disabled-login --gecos 'Metronome' metronome

Download Metronome into the /opt directory and compile it.

cd /opt; git clone https://github.com/maranda/metronome.git metronome
cd ./metronome; ./configure --ostype=debian --prefix=/usr
make
make install

Metronome is now installed in /opt/metronome.

8. Install Apache, PHP, phpMyAdmin, FCGI, SuExec, Pear and mcrypt

Apache 2.4, PHP 7.2, phpMyAdmin, FCGI, suExec and Pear can be installed as follows:

apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.2 php7.2-common php7.2-gd php7.2-mysql php7.2-imap phpmyadmin php7.2-cli php7.2-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear mcrypt  imagemagick libruby libapache2-mod-python php7.2-curl php7.2-intl php7.2-pspell php7.2-recode php7.2-sqlite3 php7.2-tidy php7.2-xmlrpc php7.2-xsl memcached php-memcache php-imagick php-gettext php7.2-zip php7.2-mbstring php-soap php7.2-soap

You will see the following questions:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- Yes
MySQL application password for phpmyadmin: <-- Press enter

Then run the following commands to enable the Apache modules suexec, rewrite, ssl, actions and include (plus dav, dav_fs and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest headers

To ensure that the server cannot be attacked through the HTTPOXY vulnerability, I will disable the HTTP_PROXY header in Apache globally. Create a new httpoxy.conf file with nano:

nano /etc/apache2/conf-available/httpoxy.conf

Paste this content into the file:

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

Enable the config file by running:

a2enconf httpoxy

Restart Apache afterwards:

service apache2 restart
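The reason a single RequestHeader line matters: CGI hands every request header to PHP as an environment variable named HTTP_ plus the upper-cased header name, so a client that sends a Proxy: header makes the application see HTTP_PROXY, which many HTTP client libraries read as their outgoing proxy setting. The shell script below is an added example, not part of the original tutorial or of Apache; it reproduces that name mapping on constructed header lines and shows that dropping the header before the mapping, which is what httpoxy.conf does, leaves no HTTP_PROXY behind. The header values and the 198.51.100.7 address are constructed (documentation range).

```shell
#!/bin/sh
# Added example (not part of the original tutorial): why a client-supplied
# "Proxy:" header is dangerous for CGI/PHP applications and what the
# httpoxy.conf above achieves. All header names and values are constructed.

# CGI (RFC 3875) turns every request header into an environment variable:
# uppercase it, replace "-" with "_", and prefix "HTTP_".
cgi_var_name() {
    printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# Build the CGI environment for "Name: value" header lines read from stdin,
# one NAME=VALUE per output line, the way a web server hands them to PHP.
cgi_env_from_headers() {
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*:}
        value=${value# }
        printf '%s=%s\n' "$(cgi_var_name "$name")" "$value"
    done
}

# The mitigation: drop the Proxy header (case-insensitively) before it can
# be mapped, which is what "RequestHeader unset Proxy early" does in Apache.
strip_proxy_header() {
    awk -F: 'tolower($1) != "proxy"'
}

# Return 0 if the environment on stdin contains HTTP_PROXY, the variable
# that HTTP client libraries consult for their outgoing proxy.
has_http_proxy() {
    grep -q '^HTTP_PROXY='
}

# Constructed request headers; 198.51.100.7 is a documentation address.
sample_request() {
    printf 'Host: server1.example.com\n'
    printf 'User-Agent: curl/7.58.0\n'
    printf 'Proxy: http://198.51.100.7:8080\n'
}

# Stand-alone demo
echo "without the mitigation:"
sample_request | cgi_env_from_headers
echo "with the mitigation:"
sample_request | strip_proxy_header | cgi_env_from_headers
```

The same header arrives as HTTP_PROXY regardless of the letter case the client uses, which is why the Apache directive (and the awk filter here) match the name case-insensitively.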

If you want to host Ruby files with the extension .rb on your websites created through ISPConfig, you must comment out the line application/x-ruby rb in /etc/mime.types:

nano /etc/mime.types

[...]
#application/x-ruby                             rb
[...]

(This is only needed for .rb files; Ruby files with the extension .rbx work out of the box.)

Restart Apache afterwards:

service apache2 restart

8.1 PHP opcode cache (optional)

Opcache is a free PHP opcode cacher for caching and optimizing PHP intermediate code. APCu is a compatibility module that provides APC-compatible functions for Opcache, which are used by many CMS caching systems. It is recommended to install these PHP extensions to speed up your PHP pages.

APCu can be installed as follows:

apt-get -y install php7.2-opcache php-apcu

Now restart Apache:

service apache2 restart

8.2 PHP-FPM

To use PHP-FPM with Apache, we need the mod_proxy_fcgi Apache module, which is installed by default and just needs to be enabled. We can install PHP-FPM as follows:

apt-get -y install php7.2-fpm

Make sure the modules are enabled and restart Apache:

a2enmod actions proxy_fcgi alias
service apache2 restart

10.1 Install HHVM (HipHop Virtual Machine), optional

In this step we will install HHVM using apt. HHVM is a fast PHP engine developed by Facebook.

apt-get -y install hhvm

9. Install Let's Encrypt

ISPConfig 3.1 has built-in support for the free SSL certificate authority Let's Encrypt. The Let's Encrypt function allows you to create free SSL certificates for your websites in ISPConfig.

Now we will add support for Let's Encrypt.

apt-get -y install certbot

10. Install Mailman

ISPConfig allows you to manage (create/modify/delete) Mailman mailing lists. If you want to use this feature, install Mailman as follows:

apt-get -y install mailman

Select at least one language, e.g.:

Languages to support: <-- en (English)
Missing site list <-- Ok

The error 'Job for mailman.service failed because the control process exited with error code.' can be ignored for now.

Before we can start Mailman, a first mailing list called mailman must be created:

newlist mailman

root@server1:~# newlist mailman
Enter the email of the person running the list: <-- admin email address, e.g. [email protected]
Initial mailman password: <-- admin password for the mailman list
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner...
<-- ENTER

root@server1:~#

Open /etc/aliases afterwards...

nano /etc/aliases

... and add the following lines:

[...]
## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Run

newaliases

Restart Postfix afterwards:

service postfix restart

Finally, we must enable the Mailman Apache configuration:

ln -s /etc/mailman/apache.conf /etc/apache2/conf-available/mailman.conf

This defines the alias /cgi-bin/mailman/ for all Apache vhosts, which means you can access the Mailman admin interface for a list at http://<vhost>/cgi-bin/mailman/admin/<listname>, and the web page for users of a mailing list can be found at http://<vhost>/cgi-bin/mailman/listinfo/<listname>.

Under http://<vhost>/pipermail you can find the mailing list archives.

Activate the configuration with:

a2enconf mailman

Restart Apache afterwards:

service apache2 restart

Then start the Mailman daemon:

service mailman start

11. Install PureFTPd and Quota

PureFTPd and quota can be installed with the following command:

apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

nano /etc/default/pure-ftpd-common

... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your country name (e.g. "DE").
State or Province Name (full name) [Some-State]: <-- Enter your state or province name.
Locality Name (eg, city) []: <-- Enter your city.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your organization name (e.g. the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your organizational unit name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the fully qualified domain name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your email address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

service pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):

nano /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/server1--vg-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
/dev/mapper/server1--vg-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0

To enable quota, run these commands:

mount -o remount /
quotacheck -avugm
quotaon -avug

This will show the following output:

root@server1:/opt/metronome# quotacheck -avugm
quotacheck: Scanning /dev/mapper/server1--vg-root [/] done
quotacheck: Cannot stat old user quota file //quota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old user quota file //quota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Checked 13602 directories and 96597 files
quotacheck: Old file not found.
quotacheck: Old file not found.
root@server1:/opt/metronome# quotaon -avug
/dev/mapper/server1--vg-root [/]: group quotas turned on
/dev/mapper/server1--vg-root [/]: user quotas turned on
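Editing /etc/fstab by hand is easy to get wrong: the options belong in the fourth column of the entry for /, and adding them a second time leaves a duplicated options string. The script below is an added example and not part of the original tutorial; it appends the same usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 options to the entry for a given mount point in an fstab file, leaves comments and other entries untouched, skips an entry that already carries them, and keeps a .bak copy of the file. The fstab it operates on is a constructed sample, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): add the journaled
# quota mount options from the tutorial to one entry of an fstab file,
# idempotently and without touching comments or other mounts.
# The fstab contents below are constructed.

QUOTA_OPTS='usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0'

# Print the options field (column 4) of the entry for MOUNTPOINT in FSTAB.
fstab_options() {
    awk -v mp="$2" '!/^[ \t]*#/ && NF >= 4 && $2 == mp { print $4 }' "$1"
}

# Print FSTAB with QUOTA_OPTS appended to MOUNTPOINT's options; an entry
# that already carries usrjquota= is left unchanged, so repeated runs are safe.
add_quota_options() {
    awk -v mp="$2" -v q="$QUOTA_OPTS" '
        /^[ \t]*#/ || NF < 4 { print; next }
        $2 == mp && index($4, "usrjquota=") == 0 { $4 = $4 "," q }
        { print }' "$1"
}

# Apply add_quota_options in place, keeping a backup copy next to the file.
enable_quota_in_fstab() {
    fstab=$1
    mp=$2
    cp -p "$fstab" "$fstab.bak"
    add_quota_options "$fstab.bak" "$mp" > "$fstab"
}

# Constructed fstab in the layout of the tutorial's example, before editing.
write_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# /etc/fstab: static file system information.
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/server1--vg-root / ext4 errors=remount-ro 0 1
/dev/mapper/server1--vg-swap_1 none swap sw 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
EOF
    echo "$f"
}

# Stand-alone demo (on a real server the file would be /etc/fstab)
demo=$(write_sample_fstab)
enable_quota_in_fstab "$demo" /
echo "options for / are now: $(fstab_options "$demo" /)"
rm -f "$demo" "$demo.bak"
```

After changing the real file, the remount, quotacheck and quotaon commands above still have to be run for the new options to take effect.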

12. Install the BIND DNS Server

BIND can be installed as follows:

apt-get -y install bind9 dnsutils haveged

Enable and start the haveged daemon:

systemctl enable haveged
systemctl start haveged

13. Install Vlogger, Webalizer and AWStats

Vlogger, Webalizer and AWStats can be installed as follows:

apt-get -y install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl

Open /etc/cron.d/awstats afterwards...

nano /etc/cron.d/awstats

... and comment out everything in that file:

#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

14. Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig; it cannot be installed afterwards!):

apt-get -y install build-essential autoconf automake1.11 libtool flex bison debhelper binutils
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
echo 5 > debian/compat

Then build the Jailkit package by running:

./debian/rules binary

You can now install the Jailkit .deb package as follows:

cd ..
dpkg -i jailkit_2.19-1_*.deb
rm -rf jailkit-2.19*

15. Install fail2ban and UFW

This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get -y install fail2ban

To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local:

nano /etc/fail2ban/jail.local

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3

Restart fail2ban afterwards:

service fail2ban restart

To install the UFW firewall, run this apt command:

apt-get install ufw

16. Install Roundcube Webmail

To install Roundcube Webmail, run:

apt-get -y install roundcube roundcube-core roundcube-mysql roundcube-plugins javascript-common libjs-jquery-mousewheel php-net-sieve tinymce

The installer will ask the following questions:

Configure database for roundcube with dbconfig-common? <-- Yes
MySQL application password for roundcube: <-- Press enter

Then edit the RoundCube Apache configuration file:

nano /etc/apache2/conf-enabled/roundcube.conf

and remove the # in front of the Alias line, then add a second Alias line for /webmail, and add the line "AddType application/x-httpd-php .php" after the "<Directory /var/lib/roundcube>" line:

# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
Alias /roundcube /var/lib/roundcube
Alias /webmail /var/lib/roundcube

[...]

<Directory /var/lib/roundcube>
  AddType application/x-httpd-php .php
[...]

Then restart Apache:

service apache2 restart

Then edit the RoundCube config.inc.php configuration file:

nano /etc/roundcube/config.inc.php

and change the default host to localhost:

$config['default_host'] = 'localhost';

This prevents Roundcube from showing the server name input field in the login form.

17. Install ISPConfig 3.1

To install ISPConfig 3 from the latest released version, do this:

cd /tmp
wget -O ispconfig.tar.gz https://git.ispconfig.org/ispconfig/ispconfig3/repository/archive.tar.gz?ref=stable-3.1
tar xfz ispconfig.tar.gz
cd ispconfig3*/install/

The next step is to run

php -q install.php

This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you.

# php -q install.php
--------------------------------------------------------------------------------_____ ___________ _____ __ _ ____|_ _/ ___| ___ \ / __ \ / _(_) /__ \| | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ /| | `--. \ __/ | | / _ \| '_ \| _| |/ _` | |_ |_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \\___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/__/ ||___/--------------------------------------------------------------------------------
>> Initial configuration
Operating System: Ubuntu 18.04 (Bionic Beaver)
Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.
Select language (en,de) [en]: <-- Hit Enter
Installation mode (standard,expert) [standard]: <-- Hit Enter
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.canomi.com]: <-- Hit Enter
MySQL server hostname [localhost]: <-- Hit Enter
MySQL server port [3306]: <-- Hit Enter
MySQL root username [root]: <-- Hit Enter
MySQL root password []: <-- Enter your MySQL root password
MySQL database to create [dbispconfig]: <-- Hit Enter
MySQL charset [utf8]: <-- Hit Enter
Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
.......................................................................++
........................................................................................................................................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the  state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Jailkit
Configuring Pureftpd
Configuring Apache
Configuring vlogger
Configuring Metronome XMPP Server
writing new private key to 'localhost.key'
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) [server1.canomi.com]: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter
Configuring Ubuntu Firewall
Configuring Fail2ban
[INFO] service OpenVZ not detected
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]:
Admin password [admin]:
Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- Hit Enter
Generating RSA private key, 4096 bit long modulus
.......................++
................................................................................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the  state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Hit Enter
An optional company name []: <-- Hit Enter
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.

The installer configures all underlying services automatically, so no manual configuration is needed.

Afterwards you can access ISPConfig 3 under http(s)://server1.example.com:8080/ or http(s)://192.168.0.100:8080/ (http or https depends on what you chose during installation). Log in with the username admin and the password admin (you should change the default password after your first login):

The system is now ready to be used.

18. Virtual machine image download of this tutorial

This tutorial is available as a ready-to-use virtual machine image in ovf/ova format that is compatible with VMWare and Virtualbox. The virtual machine image uses the following login details:

SSH / Shell Login

Username: administrator
Password: howtoforge

This user has sudo rights.

ISPConfig Login

Username: admin
Password: admin

MySQL Login

Username: root
Password: howtoforge

The IP of the VM is 192.168.0.100; it can be changed in the file /etc/netplan/01-netcfg.yaml. Please change all the above passwords to secure the virtual machine.

19. Links

  • Ubuntu: http://www.ubuntu.com/
  • ISPConfig: http://www.ispconfig.org/

Note: reference URL of this article
