完美的服务器 - Ubuntu 14.10(nginx,BIND,Dovecot,ISPConfig 3)
本教程将介绍如何准备Ubuntu 14.10(Utopic Unicorn)服务器(使用nginx,BIND,Dovecot)安装ISPConfig 3 ,以及如何安装ISPConfig 3. ISPConfig 3是一个Webhosting控制面板,可让您配置以下内容通过Web浏览器的服务:Apache或nginx Web服务器,Postfix邮件服务器,Courier或Dovecot IMAP / POP3服务器,MySQL,BIND或MyDNSNameservers,PureFTPd,SpamAssassin,ClamAV等。 这个设置包括nginx(而不是Apache),BIND(而不是MyDNS)和Dovecot(而不是Courier)。
ISPConfig 3手册
为了学习如何使用ISPConfig 3,我强烈建议您下载ISPConfig 3手册 。
在超过300页上,它涵盖了ISPConfig(管理员,经销商,客户端)背后的概念,介绍了如何安装和更新ISPConfig 3,为ISPConfig中的所有表单和表单域以及有效输入示例提供了参考,并提供了教程用于ISPConfig 3中最常见的任务。它还列出了如何使服务器更安全,并在最后添加了故障排除部分。
初步说明
在本教程中,我使用hostname server1.example.com ,IP地址为192.168.0.100和网关192.168.0.1 。 这些设置可能会有所不同,因此您必须在适当的情况下更换它们。 在继续进行之前,您需要安装Ubuntu 14.10的基本安装,如教程中所述。
2.编辑/etc/apt/sources.list并更新Linux安装
编辑/etc/apt/sources.list 。 从文件中注释或删除安装CD,并确保启用了Universe和multiverse存储库。 它应该是这样的:
nano /etc/apt/sources.list
# # deb cdrom:[Ubuntu-Server 14.10 _Utopic Unicorn_ - Release amd64 (20141022.2)]/ utopic main restricted #deb cdrom:[Ubuntu-Server 14.10 _Utopic Unicorn_ - Release amd64 (20141022.2)]/ utopic main restricted # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to # newer versions of the distribution. deb http://de.archive.ubuntu.com/ubuntu/ utopic main restricted deb-src http://de.archive.ubuntu.com/ubuntu/ utopic main restricted ## Major bug fix updates produced after the final release of the ## distribution. deb http://de.archive.ubuntu.com/ubuntu/ utopic-updates main restricted deb-src http://de.archive.ubuntu.com/ubuntu/ utopic-updates main restricted ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team. Also, please note that software in universe WILL NOT receive any ## review or updates from the Ubuntu security team. deb http://de.archive.ubuntu.com/ubuntu/ utopic universe deb-src http://de.archive.ubuntu.com/ubuntu/ utopic universe deb http://de.archive.ubuntu.com/ubuntu/ utopic-updates universe deb-src http://de.archive.ubuntu.com/ubuntu/ utopic-updates universe ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team, and may not be under a free licence. Please satisfy yourself as to ## your rights to use the software. Also, please note that software in ## multiverse WILL NOT receive any review or updates from the Ubuntu ## security team. deb http://de.archive.ubuntu.com/ubuntu/ utopic multiverse deb-src http://de.archive.ubuntu.com/ubuntu/ utopic multiverse deb http://de.archive.ubuntu.com/ubuntu/ utopic-updates multiverse deb-src http://de.archive.ubuntu.com/ubuntu/ utopic-updates multiverse ## N.B. software from this repository may not have been tested as ## extensively as that contained in the main release, although it includes ## newer versions of some applications which may provide useful features. ## Also, please note that software in backports WILL NOT receive any review ## or updates from the Ubuntu security team. deb http://de.archive.ubuntu.com/ubuntu/ utopic-backports main restricted universe multiverse deb-src http://de.archive.ubuntu.com/ubuntu/ utopic-backports main restricted universe multiverse deb http://security.ubuntu.com/ubuntu utopic-security main restricted deb-src http://security.ubuntu.com/ubuntu utopic-security main restricted deb http://security.ubuntu.com/ubuntu utopic-security universe deb-src http://security.ubuntu.com/ubuntu utopic-security universe deb http://security.ubuntu.com/ubuntu utopic-security multiverse deb-src http://security.ubuntu.com/ubuntu utopic-security multiverse ## Uncomment the following two lines to add software from Canonical's ## 'partner' repository. ## This software is not part of Ubuntu, but is offered by Canonical and the ## respective vendors as a service to Ubuntu users. # deb http://archive.canonical.com/ubuntu utopic partner # deb-src http://archive.canonical.com/ubuntu utopic partner ## Uncomment the following two lines to add software from Ubuntu's ## 'extras' repository. ## This software is not part of Ubuntu, but is offered by third-party ## developers who want to ship their latest software. # deb http://extras.ubuntu.com/ubuntu utopic main # deb-src http://extras.ubuntu.com/ubuntu utopic main ~
然后跑
apt-get update
更新apt包数据库和
apt-get upgrade
安装最新的更新(如果有的话)。 如果您看到新内核作为更新的一部分进行安装,那么您应该重新启动系统:
reboot
3.更改默认Shell
/ bin / sh是/ bin / dash的符号链接,但是我们需要/ bin / bash ,not / bin / dash 。 所以我们这样做:
dpkg-reconfigure dash
使用破折号作为默认系统shell(/ bin / sh)? < - 不
如果不这样做,则ISPConfig安装将失败。
4.禁用AppArmor
AppArmor是一个安全扩展(类似于SELinux),应该提供扩展的安全性。 默认情况下不会安装13.10。 我们将交叉检查是否安装。 在我看来,你不需要配置一个安全的系统,它通常会导致更多的问题,而不是优势(考虑到你做了一周的故障排除后,因为一些服务不能按预期工作,然后你发现一切都很好,只有AppArmor导致了这个问题)。 因此我禁用它(如果你想稍后安装ISPConfig,这是必须的)。
我们可以禁用它:
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
5.同步系统时钟
通过互联网将系统时钟与NTP( n etwork协议)服务器同步是个好主意。 只需运行
apt-get install ntp ntpdate
您的系统时间将始终保持同步。
6.安装Postfix,Dovecot,MySQL,phpMyAdmin,rkhunter,binutils
我们可以使用单个命令安装Postfix,Dovecot,MySQL,rkhunter和binutils:
apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
您将被问到以下问题:
MySQL“root”用户的新密码: < - yourrootsqlpassword
重复MySQL“root”用户的密码: < - yourrootsqlpassword
创建自签名SSL证书?: < - 是的
主机名: < - server1.example.com
仅限本地: < - OK
一般类型的邮件配置: < - 网站
系统邮件名称: < - server1.example.com
接下来在Postfix中打开TLS / SSL和提交端口:
nano /etc/postfix/master.cf
取消注释提交和smtps部分如下 - 添加-o smtpd_client_restrictions = permit_sasl_authenticated行,拒绝两个部分,并留下所有其他的评论:
[...] submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING smtps inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING [...]
之后重新启动Postfix:
service postfix restart
我们希望MySQL在所有接口上监听,而不仅仅是localhost,因此我们编辑/etc/mysql/my.cnf并注释掉bind-address = 127.0.0.1 :
nano /etc/mysql/my.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
然后我们重新启动MySQL:
service mysql restart
现在检查网络是否启用。 跑
netstat -tap | grep mysql
输出应如下所示:
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 23785/mysqld
root@server1:~#
7.安装Amavisd-new,SpamAssassin和Clamav
要安装amavisd-new,SpamAssassin和ClamAV,我们运行
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
ISPConfig 3设置使用amavisd在内部加载SpamAssassin过滤器库,因此我们可以停止SpamAssassin释放一些RAM:
service spamassassin stop
update-rc.d -f spamassassin remove
运行clamav使用
freshclam
service clamav-daemon start
