Install ISPConfig
apt-get update && apt-get upgrade
dpkg-reconfigure tzdata # Select timezone
nano /etc/hosts
127.0.0.1 localhost.localadmin localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# --- BEGIN PVE ---
7.2.2.4 raptor01.ddns.net raptor01
# --- END PVE ---
reboot
Verification:
hostname
raptor01
hostname -f
raptor01.ddns.net
apt-get update && apt-get upgrade
dpkg-reconfigure dash
Answer "No"
apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl openVZ getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd
Answer: Internet Site
Answer: raptor01.ddns.net
mysql_secure_installation
Leave it empty when asked for the current root password, then answer yes to all the questions.
The TLS/SSL and submission ports must be opened in Postfix by editing the file /etc/postfix/master.cf
nano /etc/postfix/master.cf
Uncomment submission and smtps, then add the few lines needed. This part of the file should look like this:
[...]
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
service postfix restart
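A check for the master.cf edit above, as an added example that is not part of the original notes: master.cf treats only lines that begin with whitespace as continuations, so an `-o` line starting in column 1 is not applied to the service above it. The helper names `master_overrides` and `check_overrides` and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes. Sample files are constructed.

# Print the active "-o name=value" overrides of one master.cf service.
# Postfix rule: a line starting with whitespace continues the previous
# entry; a line starting in column 1 begins a new entry.
master_overrides() {    # usage: master_overrides FILE SERVICE
    awk -v svc="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        /^[^ \t]/  { cur = $1 }                # column 1: new service entry
        cur == svc { for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1) }
    ' "$1"
}

# Return 0 only if every REQUIRED override is active for SERVICE.
check_overrides() {     # usage: check_overrides FILE SERVICE REQUIRED...
    file=$1; svc=$2; shift 2
    active=$(master_overrides "$file" "$svc"); rc=0
    for want in "$@"; do
        printf '%s\n' "$active" | grep -Fqx -- "$want" ||
            { echo "MISSING $svc: $want"; rc=1; }
    done
    return $rc
}

# Constructed sample 1: continuation lines indented, as Postfix requires.
good=$(mktemp)
cat > "$good" <<'EOF'
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
smtps inet n - y - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF

# Constructed sample 2: the same entries with the indentation lost.
bad=$(mktemp)
sed 's/^  *-o/-o/' "$good" > "$bad"

check_overrides "$good" submission smtpd_tls_security_level=encrypt smtpd_sasl_auth_enable=yes &&
    echo "good sample: submission enforces TLS and SASL"
check_overrides "$bad" submission smtpd_tls_security_level=encrypt smtpd_sasl_auth_enable=yes ||
    echo "bad sample: overrides are not attached to submission"
```

On the live server, `postconf -P submission/inet/smtpd_tls_security_level` reports the value as Postfix itself parses it.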
nano /etc/mysql/mariadb.conf.d/50-server.cnf
Comment out the line bind-address = 127.0.0.1 and add sql-mode="NO_ENGINE_SUBSTITUTION". It should look like this:
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
sql-mode="NO_ENGINE_SUBSTITUTION"
[...]
echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root
nano /etc/mysql/debian.cnf
Enter the MySQL root password on the two lines starting with "password =" as follows (replace sqlrootpasswd with the password you set earlier):
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = sqlrootpasswd
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = sqlrootpasswd
socket = /var/run/mysqld/mysqld.sock
basedir = /usr
service mysql restart
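A check for the bind-address change above, as an added example that is not part of the original notes: with `bind-address` commented out, MariaDB listens on every interface, so port 3306 is protected only by the firewall. `effective_bind` and `exposed_listeners` are hypothetical helper names, and the config fragment and `ss -ltn` output are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original notes. Both samples are constructed.

# Print the bind-address in effect in the [mysqld] section of a MariaDB
# config file, or "ALL" when none is set (the server then listens on
# every interface).
effective_bind() {      # usage: effective_bind FILE
    awk '
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        /^[ \t]*[#;]/ { next }
        insec && /^[ \t]*bind[-_]address[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v
        }
        END { print (val == "" ? "ALL" : val) }
    ' "$1"
}

# Read `ss -ltn` output on stdin; print each non-loopback address that is
# listening on PORT. Empty output means loopback-only or not listening.
exposed_listeners() {   # usage: ss -ltn | exposed_listeners PORT
    awk -v port="$1" '
        $1 == "LISTEN" {
            p = $4; sub(/^.*:/, "", p)          # port = text after the last colon
            host = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && host !~ /^127\./ && host != "::1" && host != "[::1]")
                print host
        }'
}

# Constructed sample: the 50-server.cnf fragment as edited in these notes.
cnf=$(mktemp)
cat > "$cnf" <<'EOF'
[mysqld]
#bind-address = 127.0.0.1
sql-mode="NO_ENGINE_SUBSTITUTION"
EOF

# Constructed sample: ss -ltn output after the restart.
ss_sample='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     *:3306             *:*
LISTEN 0      128    127.0.0.1:953      *:*'

echo "configured bind-address: $(effective_bind "$cnf")"
echo "3306 listening on: $(printf '%s\n' "$ss_sample" | exposed_listeners 3306)"
```

On the server itself, pipe the real output in with `ss -ltn | exposed_listeners 3306`.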
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey
service spamassassin stop
systemctl disable spamassassin
# PHP 7.0
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php php7.0 php7.0-common php7.0-gd php7.0-mysql php7.0-imap phpmyadmin php7.0-cli php7.0-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear php7.0-mcrypt mcrypt imagemagick libruby libapache2-mod-python php7.0-curl php7.0-intl php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl memcached php-memcache php-imagick php-gettext php7.0-zip php7.0-mbstring memcached libapache2-mod-passenger php7.0-soap
# PHP 7.3
# the repositories
sudo apt-get install -y apt-transport-https lsb-release ca-certificates wget
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
sudo apt-get update
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php php7.3 php7.3-common php7.3-gd php7.3-mysql php7.3-imap phpmyadmin php7.3-cli php7.3-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear mcrypt imagemagick libruby libapache2-mod-python php7.3-curl php7.3-intl php7.3-pspell php7.3-recode php7.3-sqlite3 php7.3-tidy php7.3-xmlrpc php7.3-xsl memcached php-memcache php-imagick php-gettext php7.3-zip php7.3-mbstring memcached libapache2-mod-passenger php7.3-soap php7.3-fpm
# Now is the time to roll one and have a quick coffee ....
a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest cgi headers
# HTTPOXY vulnerability: disable the HTTP_PROXY header in Apache by creating the file /etc/apache2/conf-available/httpoxy.conf
nano /etc/apache2/conf-available/httpoxy.conf
# Copy the following lines into the file:
<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>
# enable:
a2enconf httpoxy
service apache2 restart
# Let's encrypt
apt-get install certbot
apt-get install php7.3-fpm
# module apache
a2enmod actions proxy_fcgi alias
service apache2 restart
# monit munin
# Mailman
apt-get install mailman
newlist mailman
nano /etc/aliases
# add:
## mailman mailing list
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"
newaliases
service postfix restart
ln -s /etc/mailman/apache.conf /etc/apache2/conf-enabled/mailman.conf
# Replace the domain. Mailman interface password= Mail!1649!!
http://raptor01.ddns.net/cgi-bin/mailman/admin/
http://raptor01.ddns.net/cgi-bin/mailman/listinfo/
service apache2 restart
service mailman start
# Quota pureftpd
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
# Edit the file /etc/default/pure-ftpd-common
nano /etc/default/pure-ftpd-common
# Set STANDALONE_OR_INETD and VIRTUALCHROOT as follows:
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
echo 1 > /etc/pure-ftpd/conf/TLS
# certificate
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Cournonterral
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Raptor Free.
Organizational Unit Name (eg, section) []:Web Services
Common Name (e.g. server FQDN or YOUR name) []:raptor01.ddns.net
Email Address []:admin@raptor01.ddns.net
raptomail@protonmail.com
chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart
# Edit the file /etc/fstab
# Add ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the line for the partition with the mount point "/" as shown below:
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda2 during installation
UUID=f5fe1fc3-41e4-4557-a101-104e32a7e2b4 / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
# swap was on /dev/sda3 during installation
UUID=de1fa94d-5e13-4dc4-81f1-bc4159793d93 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
mount -o remount /
quotacheck -avugm
quotaon -avug
apt-get install bind9 dnsutils
apt-get install haveged
apt-get install webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl
# Edit the file /etc/cron.d/awstats
nano /etc/cron.d/awstats
# Comment out all the lines.
#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.$
apt-get install build-essential autoconf automake libtool flex bison debhelper binutils
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
echo 5 > debian/compat
./debian/rules binary
cd ..
dpkg -i jailkit_2.19-1_*.deb
rm -rf jailkit-2.19*
apt-get install fail2ban
Create the file /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
service fail2ban restart
apt-get install iptables
apt-get install roundcube roundcube-core roundcube-mysql roundcube-plugins
nano /etc/roundcube/config.inc.php
[...]
$config['default_host'] = 'localhost';
[...]
$config['smtp_server'] = 'localhost';
[...]
# Edit the file /etc/apache2/conf-enabled/roundcube.conf
nano /etc/apache2/conf-enabled/roundcube.conf
# Add the following alias at the top of the file.
Alias /webmail /var/lib/roundcube
service apache2 reload
You can now access your webmail at the following address (replace it with the full name of your server):
http://raptor01.ddns.net/webmail
# Download and unpack the latest version of ISPConfig (currently version 3.1.6)
cd /tmp
wget -O ISPConfig-3.1.6.tar.gz "https://downloads.sourceforge.net/project/ispconfig/ISPConfig%203/ISPConfig-3.1.6/ISPConfig-3.1.6.tar.gz?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fispconfig%2Ffiles%2Flatest%2Fdownload&ts=1506220006&use_mirror=10gbps-io"
tar xfz ISPConfig-3.1.6.tar.gz
# latest
wget https://ispconfig.org/downloads/ISPConfig-3.1.13.tar.gz
tar xfz ISPConfig-3.1.13.tar.gz
cd ispconfig3_install/install/
# Run the ISPConfig installer.
php -q install.php
>> Initial configuration
Operating System: Debian 9.0 (Stretch) or compatible
Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.
Select language (en,de) [en]:
Installation mode (standard,expert) [standard]:
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [raptor01.ddns.net]:
MySQL server hostname [localhost]:
MySQL server port [3306]:
MySQL root username [root]:
MySQL root password []: sqlrootpasswd
MySQL database to create [dbispconfig]:
MySQL charset [utf8]:
Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
..................................................++
.............................................................................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Cournonterral
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Raptor Srv
Organizational Unit Name (eg, section) []:Web Services
Common Name (e.g. server FQDN or YOUR name) []:raptor01.ddns.net
Email Address []:admin@raptor01.ddns.net
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Jailkit
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring vlogger
[INFO] service OpenVZ not detected
Configuring Ubuntu Firewall
[INFO] service Metronome XMPP Server not detected
Configuring Fail2ban
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]:
Admin password [admin]: adminpasswd
Re-enter admin password []: adminpasswd
Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:
Generating RSA private key, 4096 bit long modulus
....++
....++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Cournonterral
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Raptor Srv
Organizational Unit Name (eg, section) []:Web Services
Common Name (e.g. server FQDN or YOUR name) []:raptor01.ddns.net
Email Address []:admin@raptor01.ddns.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Raptor01 Free
writing RSA key
_
Configuring DBServer
Installing ISPConfig crontab
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.
chown root:root /lib