Configure a new Contabo VPS with Ubuntu and ISPConfig


Operating system changes

Check and install Nano and Vim-nox

#sudo apt-get -y install nano vim-nox

# sudo nano /etc/hosts

Set the name for the IP address assigned to the server

127.0.0.1 localhost
192.168.0.100 server1.example.com server1

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

 

Change the hostname

#sudo echo server1 > /etc/hostname

#sudo hostname server1

Verify the name

#hostname

#hostname -f

root@server1:/home/administrator# hostname
server1
root@server1:/home/administrator# hostname -f
server1.example.com

Edit /etc/apt/sources.list to check that the correct repositories are present and to remove any installation-media repositories; it should look like the following example. “The mirror server does not matter; check that the repository entries exist.”

#nano /etc/apt/sources.list

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu focal main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu focal main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu focal-updates main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu focal-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu focal universe
# deb-src http://de.archive.ubuntu.com/ubuntu focal universe
deb http://de.archive.ubuntu.com/ubuntu focal-updates universe
# deb-src http://de.archive.ubuntu.com/ubuntu focal-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu focal multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu focal multiverse
deb http://de.archive.ubuntu.com/ubuntu focal-updates multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu focal-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu focal-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu focal-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu focal partner
# deb-src http://archive.canonical.com/ubuntu focal partner

deb http://de.archive.ubuntu.com/ubuntu focal-security main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu focal-security main restricted
deb http://de.archive.ubuntu.com/ubuntu focal-security universe
# deb-src http://de.archive.ubuntu.com/ubuntu focal-security universe
deb http://de.archive.ubuntu.com/ubuntu focal-security multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu focal-security multiverse

#apt-get update

#apt-get upgrade

Reconfigure the shell

#dpkg-reconfigure dash

Disable AppArmor

#service apparmor stop

#update-rc.d -f apparmor remove

#apt-get remove apparmor apparmor-utils

Install NTP

#apt-get -y install ntp

Install Postfix, Dovecot, MariaDB, rkhunter, and binutils.

To install Postfix, sendmail has to be removed first

#service sendmail stop; update-rc.d -f sendmail remove

Install Postfix, Dovecot, MariaDB, rkhunter, and binutils.

#apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo patch

The following questions will be asked

General type of mail configuration: <– Internet Site

System mail name: <– server1.example.com

Changes to Postfix

#nano /etc/postfix/master.cf

Uncomment the “submission” and “smtps” sections as shown

and leave everything else unchanged

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

 

NOTE: The whitespace in front of the “-o …” lines is important.
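
The whitespace rule in the note above can be checked before Postfix is restarted. The following shell check is an added example, not part of the original page or of Postfix: the function names master_overrides and check_master_cf and the sample file are assumptions made here, and it only handles the plain "-o name=value" form used on this page.

```sh
#!/bin/sh
# Added example, not from the original page: audit master.cf overrides.

# Print the active "-o name=value" overrides of one service entry.
# Postfix treats a line that starts with whitespace as a continuation of the
# previous entry and ignores lines whose first non-blank character is "#".
master_overrides() {  # usage: master_overrides SERVICE FILE
    awk -v svc="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comment or blank line
        /^[^ \t]/ { active = ($1 == svc); next }     # a new entry starts here
        active && $1 == "-o" { print $2 }            # indented override
    ' "$2"
}

# Check the submission/smtps settings this page enables.
# Prints each problem found; returns 0 if the file passes, 1 otherwise.
check_master_cf() {  # usage: check_master_cf FILE
    rc=0
    # "-o" in column 1 is not a continuation line, so the override is lost.
    if grep -q '^-o' "$1"; then
        echo "unindented -o lines: $(grep -c '^-o' "$1")"
        rc=1
    fi
    for want in submission:smtpd_tls_security_level=encrypt \
                submission:smtpd_sasl_auth_enable=yes \
                smtps:smtpd_tls_wrappermode=yes \
                smtps:smtpd_sasl_auth_enable=yes; do
        svc=${want%%:*}
        opt=${want#*:}
        master_overrides "$svc" "$1" | grep -qxF -- "$opt" ||
            { echo "$svc: missing $opt"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: the smtps overrides were uncommented without indentation.
sample=$(mktemp)
cat > "$sample" <<'EOF'
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
EOF
check_master_cf "$sample" || echo "fix master.cf before restarting postfix"
rm -f "$sample"
```

On the server the same check runs as check_master_cf /etc/postfix/master.cf.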

Restart Postfix

# service postfix restart

We want MySQL to listen on all interfaces, not just localhost. So we edit /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the line bind-address = 127.0.0.1:

#nano /etc/mysql/mariadb.conf.d/50-server.cnf

[…]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1

[…]

Set the root password for MariaDB

#mysql_secure_installation

Enter current password for root (enter for none): <– press enter
Set root password? [Y/n] <– y
New password: <– Enter the new MariaDB root password here
Re-enter new password: <– Repeat the password
Remove anonymous users? [Y/n] <– y
Disallow root login remotely? [Y/n] <– y
Reload privilege tables now? [Y/n] <– y

Set the MariaDB password authentication to native mode so that we can use the root user in phpMyAdmin.

#echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root

Edit /etc/mysql/debian.cnf and put the MySQL / MariaDB root password on the lines that begin with password. Use the same password that was set in the previous step.

#nano /etc/mysql/debian.cnf

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = PWAQUI
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = PWAQUI
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

#nano /etc/security/limits.conf

Add these lines at the end of the file

mysql soft nofile 65535
mysql hard nofile 65535

#mkdir /etc/systemd/system/mysql.service.d/

#nano /etc/systemd/system/mysql.service.d/limits.conf

Paste these lines into the file

[Service]
LimitNOFILE=infinity

Reload the systemd daemons, restart the services and verify that the database is up.

#systemctl daemon-reload
#service mariadb restart

#netstat -tap | grep mysql
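
With bind-address commented out, the check above is worth reading for the address MariaDB is bound to, not only for whether it is up. The following is an added example, not from the original page: the function name listen_scope and the sample lines are constructed here, and it reads the output of ss -ltnH rather than netstat.

```sh
#!/bin/sh
# Added example, not from the original page: report how a TCP port is exposed.
# Input is `ss -ltnH` output on stdin; column 4 is the local address:port.
listen_scope() {  # usage: ss -ltnH | listen_scope PORT
    awk -v want="$1" '
        {
            n = split($4, part, ":")
            if (part[n] != want) next
            # Everything before the last ":" is the bind address.
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") {
                lo = 1
            } else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
                all = 1
            } else {
                other = other " " addr
            }
        }
        END {
            if (all) {
                print "all-interfaces"
            } else if (other) {
                print "specific:" substr(other, 2)
            } else if (lo) {
                print "loopback-only"
            } else {
                print "not-listening"
            }
        }'
}

# Constructed samples: the listener before and after bind-address is commented out.
before='LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'
after='LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*'
echo "before: $(printf '%s\n' "$before" | listen_scope 3306)"
echo "after:  $(printf '%s\n' "$after" | listen_scope 3306)"
# On the server itself: ss -ltnH | listen_scope 3306
```

A result of all-interfaces means port 3306 is reachable from any network the VPS is attached to unless a firewall rule restricts it.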

Install Amavisd-new, SpamAssassin, and ClamAV

#apt-get -y install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey

ISPConfig 3 uses amavisd, which loads the SpamAssassin library internally, so we can stop the SpamAssassin service to free RAM:

#service spamassassin stop
#update-rc.d -f spamassassin remove

Start ClamAV:

#freshclam
#service clamav-daemon start

The following error can be ignored

ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

Install Apache, PHP, phpMyAdmin, FCGI, SuExec, Pear

#apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.4 php7.4-common php7.4-gd php7.4-mysql php7.4-imap phpmyadmin php7.4-cli php7.4-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear libruby libapache2-mod-python php7.4-curl php7.4-intl php7.4-pspell php7.4-sqlite3 php7.4-tidy php7.4-xmlrpc php7.4-xsl memcached php-memcache php-imagick php7.4-zip php7.4-mbstring php-soap php7.4-soap php7.4-opcache php-apcu php7.4-fpm libapache2-reload-perl

You will see the following questions

Web server to reconfigure automatically: <– apache2

Configure database for phpmyadmin with dbconfig-common? <– Yes

MySQL application password for phpmyadmin: <– Press enter

Run the following commands to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest in case we want to use WebDAV):

#a2enmod suexec rewrite ssl actions include cgi alias proxy_fcgi

#a2enmod dav_fs dav auth_digest headers

To make sure the server cannot be attacked through the HTTPOXY vulnerability, we will disable the HTTP_PROXY header in Apache globally. Create a new file called httpoxy.conf with nano:

#nano /etc/apache2/conf-available/httpoxy.conf

Add the following lines

    RequestHeader unset Proxy early

Enable the configuration

#a2enconf httpoxy

Restart the services

#service apache2 restart

If you want the server to host Ruby files with the .rb extension created with ISPConfig, the line application/x-ruby rb in /etc/mime.types has to be commented out:

#nano /etc/mime.types

Comment out the following line

[...]
#application/x-ruby                             rb
[...]

Restart the services

#service apache2 restart

Install Let’s Encrypt

#apt-get install certbot

Install BIND

#apt-get -y install bind9 dnsutils haveged

Start haveged

#systemctl enable haveged
#systemctl start haveged

Install Vlogger, Webalizer, AWStats and GoAccess

#apt-get -y install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl

Install the latest version of GoAccess directly from the GoAccess repository:

#echo "deb https://deb.goaccess.io/ $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/goaccess.list
#wget -O - https://deb.goaccess.io/gnugpg.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/goaccess.gpg add -
#sudo apt-get update
#sudo apt-get install goaccess

#nano /etc/cron.d/awstats

Comment out the following lines

#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

Install Jailkit
Jailkit is used to secure users' shells and cron jobs in ISPConfig.

#apt-get -y install jailkit

Install fail2ban and UFW

#apt-get -y install fail2ban

Configure fail2ban

#nano /etc/fail2ban/jail.local

Add the following lines

[pure-ftpd]
enabled  = false
port     = ftp
filter   = pure-ftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix]
enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 3

Restart the services

#service fail2ban restart

Install the UFW firewall

#apt-get install ufw

Install ISPConfig

#apt install patch

#cd /tmp

#wget -O ispconfig.tar.gz https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz

#tar xfz ispconfig.tar.gz

#cd ispconfig3*/install/

#php -q install.php

NOTE: IT IS RECOMMENDED THAT, BEFORE THIS STEP, THE DNS RECORDS FOR THIS SERVER AND FOR THE DOMAINS FOR WHICH SSL CERTIFICATES WILL BE GENERATED HAVE ALREADY BEEN CREATED.


——————————————————————————–
_____ ___________ _____ __ _ ____
|_ _/ ___| ___ \ / __ \ / _(_) /__ \
| | \ `–.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ /
| | `–. \ __/ | | / _ \| ‘_ \| _| |/ _` | |_ |
_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \
\___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/
__/ |
|___/
——————————————————————————–


>> Initial configuration

Operating System: Ubuntu 20.04.1 LTS (Focal Fossa)

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in “quit” (without the quotes) to stop the installer.


Select language (en,de) [en]: <– Hit Enter

Installation mode (standard,expert) [standard]: <– Hit Enter

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.canomi.com]: <– Hit Enter

MySQL server hostname [localhost]: <– Hit Enter

MySQL server port [3306]: <– Hit Enter

MySQL root username [root]: <– Hit Enter

MySQL root password []: <– Enter your MySQL root password

MySQL database to create [dbispconfig]: <– Hit Enter

MySQL charset [utf8]: <– Hit Enter

Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
……………………………………………………………..++
……………………………………………………………………………………………………………………….++
writing new private key to ‘smtpd.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]: <– Enter 2 letter country code
State or Province Name (full name) [Some-State]: <– Enter the name of the state
Locality Name (eg, city) []: <– Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– Enter company name or press enter
Organizational Unit Name (eg, section) []: <– Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <– Enter the server hostname, in my case: server1.example.com
Email Address []: <– Hit Enter
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Jailkit
Configuring Pureftpd
Configuring Apache
Configuring vlogger
Configuring Metronome XMPP Server
writing new private key to ‘localhost.key’
—–
Country Name (2 letter code) [AU]: <– Enter 2 letter country code
Locality Name (eg, city) []: <– Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– Enter company name or press enter
Organizational Unit Name (eg, section) []: <– Hit Enter
Common Name (e.g. server FQDN or YOUR name) [server1.canomi.com]: <– Enter the server hostname, in my case: server1.example.com
Email Address []: <– Hit Enter

Configuring Ubuntu Firewall
Configuring Fail2ban
[INFO] service OpenVZ not detected
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]:

Admin password [admin]:

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <– Hit Enter

Generating RSA private key, 4096 bit long modulus
…………………..++
………………………………………………………………………………………………………………..++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]: <– Enter 2 letter country code
State or Province Name (full name) [Some-State]: <– Enter the name of the state
Locality Name (eg, city) []: <– Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– Enter company name or press enter
Organizational Unit Name (eg, section) []: <– Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <– Enter the server hostname, in my case: server1.example.com
Email Address []: <– Hit Enter

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: <– Hit Enter
An optional company name []: <– Hit Enter
writing RSA key

Symlink ISPConfig LE SSL certs to postfix? (y,n) [y]: <– Hit Enter

Symlink ISPConfig LE SSL certs to pureftpd? Creating dhparam file takes some times. (y,n) [y]: <– Hit Enter

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
…………………………………………………….+…………………………………………………………………………………………………………………………………………………….+……………….


Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services …
Installation completed.

 
