The Perfect Setup - Mandrake/Mandriva 10.2  

<< HOWTO-Index

  NEW! Visit my Linux forums!

  This Howto is also available on HowtoForge! If you have also written tutorials, you can publish them there.

Subscribe to FalkoTimme.com Newsletter
and stay informed about my latest HOWTOs and projects.
Email
(If you want to unsubscribe from our newsletter, visit this link.)

The Perfect Setup - Mandrake/Mandriva 10.2

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited: 07/19/2005

This is a detailed description about the steps to be taken to setup a Mandrake 10.2 based server that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP, Quota, Firewall, etc.). In addition to that I will show how to use Debian's package manager apt on an rpm-based system because it takes care of package dependencies automagically which can save a lot of trouble.

I will use the following software:

  • Web Server: Apache 2.0.x
  • Mail Server: Postfix (easier to configure than sendmail; has a shorter history of security holes than sendmail)
  • DNS Server: BIND9
  • FTP Server: proftpd
  • POP3/IMAP servers
  • Webalizer for web site statistics

In the end you should have a system that works reliably and is ready for the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

Requirements

To install such a system you will need the following:

1 The Base System

Boot from your Mandrake 10.2 CD (CD 1) or DVD. Press Enter to start the installation:

Choose your language next:

Accept the license and click on Next:

Select Standard as the Security level and leave the field Security Administrator empty:

Now we have to partition our hard disk. You can choose to let the Mandrake installer do the partitioning, or you can do it yourself. I want to create a small /boot partition (less than 100 MB) with the file system ext3, a swap partition and a huge / partition (again with ext3):

Click on Next if you have all three CDs of the Mandrake Download Edition:

Select None and click on Next:

Now we are to select the package groups we want to install. Select Internet station, Network Computer (client), Configuration, Console Tools, Development, Web/FTP, Mail, Database, Firewall/Router and Network Computer server and click on Next:

The package installation starts:

Give root a password:

Create another user (e.g. admin):

Now the installer presents us a summary of the installation and gives us the possibility to change settings by clicking on the appropriate Configure button. First of all we adjust our keyboard layout (if you don't have a US keyboard...):

Next we configure the time zone we're in:

Finally we change the Network - lan settings. Select LAN connection unless you're using something different:

Select the network interface you want to configure (normally eth0):

We want to assign a static IP address to our network interface (remember, we're installing a server...), so we do not want to get an IP address using BOOTP or DHCP. Therefore we choose Manual configuration:

Now enter the IP address and a Netmask:

Enter the Host name (e.g. server1.example.com), up to three DNS servers (e.g. 145.253.2.75 and 193.174.32.18) and the Gateway:

You can leave the field Zeroconf Host name empty:

Do not allow users to start the connection. It's a server, and servers are always online (at least, they should be...):

We've now made all necessary configurations, so we can leave the summary screen by clicking on Next:

Now you can download the latest updates:

The installation is now finished, you can now remove the CD or DVD and reboot the system:

 

 

2 Installing And Configuring The Rest Of The System

Starting the SSH Daemon

You have to start the SSH daemon before you can login via SSH (using PuTTY or something else). To do that, you first have to login as admin on the system itself, then run su and provide the password for root:

(Direct login as root is not allowed on the system itself, that's why you have to login as admin first. If you use SSH, you can directly login as root.)

Then start the SSH daemon:

/etc/init.d/sshd start

 

Configure Additional IP Addresses

Let's assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:

DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.100
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=no

Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this:

DEVICE=eth0:0
BOOTPROTO=static
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=no

Afterwards we have to restart the network:

/etc/init.d/network restart

 

Setting The Hostname

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname

 

Install apt For Mandrake

apt is the packaging system used on Debian. Since it cares much better for package dependencies than rpm it would be nice if we could use it on our new Mandrake system. This would save us a lot of hassle. Fortunately, apt has been ported to a lot of rpm based distributions, and is also available for Mandrake 10.2 (you will love it... :-)).

rpm -ivh ftp://ftp.lip6.fr/pub/linux/distributions/Mandrakelinux/official/10.2/\
i586/media/contrib/libapt-pkg0-0.5.15cnc6-5mdk.i586.rpm
rpm -ivh ftp://ftp.lip6.fr/pub/linux/distributions/Mandrakelinux/official/10.2/\
i586/media/contrib/apt-0.5.15cnc6-5mdk.i586.rpm

Edit /etc/apt/sources.list. It should contain the following line:

rpm ftp://ftp.lip6.fr/pub/linux/distributions/Mandrakelinux/official/10.2/i586/media/ media_info/hdlist_main main

Run

apt-get update

 

Install Some Software

apt-get install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp flex


Quota

apt-get install quota

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partition with the mount point /):

# This file is edited by fstab-sync - see 'man fstab-sync' for details
/dev/sda6 / ext3 defaults,usrquota,grpquota 1 1
/dev/sda1 /boot ext3 defaults 1 2
/dev/hdc /mnt/cdrom iso9660 user,iocharset=iso8859-1,noauto,ro,exec 0 0
none /mnt/floppy supermount dev=/dev/fd0,fs=ext2:vfat,--,umask=0,iocharset=iso8859-1,sync,codepage=850 0 0
none /proc proc defaults 0 0
/dev/sda5 swap swap defaults 0 0

Then run:

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug


DNS-Server

apt-get install bind

In the Manadrake BIND package there are a few files missing (e.g. /etc/named.conf), therefore BIND will not start when you run

/etc/init.d/named start

This is nothing to worry about because all needed files are created by ISPConfig as soon as you create your first DNS record with ISPConfig.

 

MySQL (4.1)

apt-get install MySQL MySQL-client libmysql14-devel

/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap

It should show a line like this:

tcp        0      0 *:mysql                 *:*                     LISTEN      6621/mysqld

If it does not, edit /etc/sysconfig/mysqld and remove --skip-networking from the Variable MYSQLD_OPTIONS:

# (oe) Remove --skip-networking to enable network access from
# non local clients. Access from localhost will still work.
MYSQLD_OPTIONS=""

# (oe) set TMPDIR and TMP environment variables
TMPDIR="${datadir}/.tmp"
TMP="${TMPDIR}"

and restart your MySQL server:

/etc/init.d/mysqld restart

Run

mysqladmin -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

 

Postfix With SMTP-AUTH And TLS

apt-get install cyrus-sasl libsasl2 libsasl2-devel libsasl2-plug-plain libsasl2-plug-anonymous libsasl2-plug-crammd5 libsasl2-plug-digestmd5 libsasl2-plug-gssapi libsasl2-plug-login postfix imap

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'mydestination = /etc/postfix/local-host-names, localhost.example.com'

Edit /etc/postfix/sasl/smtpd.conf. It should look like this:

# SASL library configuration file for postfix
# all parameters are documented into:
# /usr/share/doc/cyrus-sasl-2.*/options.html

# The mech_list parameters list the sasl mechanisms to use,
# default being all mechs found.
mech_list:         plain login

# To authenticate using the separate saslauthd daemon, (e.g. for
# system or ldap users). Also see /etc/sysconfig/saslauthd.
pwcheck_method:    saslauthd
saslauthd_path:    /var/lib/sasl2/mux

# To authenticate against users stored in sasldb.
#pwcheck_method:    auxprop
#auxprop_plugin:    sasldb
#sasldb_path:       /var/lib/sasl2/sasldb2

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Now start Postfix, saslauthd, imap and pop3:

chkconfig imap on
chkconfig imaps on
chkconfig ipop3 on
chkconfig pop3s on
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
/etc/init.d/xinetd restart

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.

 

Apache With PHP

apt-get install apache2-mod_php php-cli php-ini php-gd php-xml php-ldap php-xmlrpc php-domxml php-imap php-mysql php-pear php-readline php-xslt php432-devel curl libcurl3-devel perl-libwww-perl ImageMagick

Now edit /etc/httpd/conf.d/70_mod_php.conf and comment out the AddType lines:

<IfDefine HAVE_PHP4>
  <IfModule !mod_php4.c>
    LoadModule php4_module    extramodules/mod_php4.so
  </IfModule>
</IfDefine>

<IfModule mod_php4.c>
    PHPINIDir /etc
</IfModule>

<IfModule mod_mime.c>
    #AddType application/x-httpd-php .php
    #AddType application/x-httpd-php .php3
    #AddType application/x-httpd-php .php4
    #AddType application/x-httpd-php .phtml
    #AddType application/x-httpd-php-source .phps
</IfModule>

Edit /etc/httpd/conf/apache-mime.types and comment oout the following lines:

#application/x-perl             perl pl
#application/x-php              php php3 php4

Edit /etc/httpd/conf/httpd2.conf and add the following line to the LoadModule section:

LoadModule php4_module    extramodules/mod_php4.so

(Although this line is already in /etc/httpd/conf.d/70_mod_php.conf this is very important because otherwise the command httpd -t will report errors instead of Syntax OK when the virtual hosts created by ISPConfig contain lines like php_admin_flag safe_mode On or the like!)

Restart Apache:

/etc/init.d/httpd restart

 

Proftpd

apt-get install proftpd
/etc/init.d/proftpd start

For security reasons you can add the following lines to /etc/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.linux.co.uk/localsite/Userguide/linked/userguide.html):

DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."

Be sure to comment out the following lines in /etc/proftpd.conf in order to allow ftp users to CHMOD: 

# Bar use of SITE CHMOD by default
# <Limit SITE_CHMOD>
#  DenyAll
# </Limit>

and restart Proftpd:

/etc/init.d/proftpd restart

 

Webalizer

To install webalizer, run

cd /tmp/
wget --passive-ftp ftp://ftp.mrunix.net/pub/webalizer/webalizer-2.01-10-static.gz
gunzip webalizer-2.01-10-static.gz
mv webalizer-2.01-10-static /usr/bin/webalizer
chmod 755 /usr/bin/webalizer

 

Synchronize the System Clock

If you want to have the system clock synchronized with an NTP server do the following:

apt-get install rdate

rdate -s 128.2.136.71

Create /var/spool/cron/root:

# update time with ntp server
0 3,9,15,21 * * * /usr/bin/rdate -s 128.2.136.71 | logger -t NTP

Then run

chmod 600 /var/spool/cron/root
/etc/init.d/crond restart

 

Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)

Installation using the Perl Shell

Login to your command line as root and run the following command to start the Perl shell:

perl -MCPAN -e shell

If you run the Perl shell for the first time you will be asked some questions. In most cases the default answers are ok.

Please note: If you run a firewall on your system you might have to turn it off while working on the Perl shell in order for the Perl shell to be able to fetch the needed modules without a big delay. You can switch it on afterwards.

The big advantage of the Perl shell compared to the two other methods described here is that it cares about dependencies when installing new modules. I.e., if it turns out that a prerequisite Perl module is missing when you install another module the Perl shell asks you if it should install the prerequisite module for you. You should answer that question with "Yes".

Run the following commands to install the modules needed by SpamAssassin:

install HTML::Parser
install Digest::SHA1
q (to leave the Perl shell)

If a module is already installed on your system you will get a message similar to this one:

HTML::Parser is up to date.

Successful installation of a module looks like this:

/usr/bin/make install -- OK



The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.

 

A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Mandrake's suExec is compiled with /var/www as Doc_Root. Run /usr/sbin/apache2-suexec -V, and the output should look like this:

To select /var/www as the home directory for websites during the installation of ISPConfig do the following: When you are asked for the installation mode, select the expert mode.

Later during the installation you are asked if the default directory /home/www should be the directory where ISPConfig will create websites in. Answer n and enter /var/www as the home directory for websites.

 

Links

 

  NEW! Visit my Linux forums!

  This Howto is also available on HowtoForge! If you have also written tutorials, you can publish them there.

If you find this page useful you can acknowledge your gratitude by making a donation (through PayPal):

<< HOWTO-Index
 
Copyright 2021, Falko Timme. All rights reserved.
     Home  |  News  |  HOWTOs  |  Projects  |  Forums  |  Support  |  About Me   |  Contact Information  |  Site Map