ISP_CentOS

This tutorial shows how to set up a CentOS 5.4 server (x86_64) that offers all services needed by ISPs and web hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Dovecot POP3/IMAP, Quota, Firewall, etc. This tutorial is written for the 64-bit version of CentOS 5.4, but should apply to the 32-bit version with very little modifications as well. In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I will use the following software:

  • Web Server: Apache 2.2 with PHP 5.1.6
  • Database Server: MySQL 5.0
  • Mail Server: Postfix
  • DNS Server: BIND9 (chrooted)
  • FTP Server: Proftpd
  • POP3/IMAP server: Dovecot
  • Webalizer for web site statistics

Please note that this setup does not work for ISPConfig 3! It is valid for ISPConfig 2 only!

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Requirements

To install such a system you will need the following:

2 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

3 Install The Base System

Boot from your first CentOS 5.4 CD (CD 1) or the CentOS 5.4 DVD. Press <ENTER> at the boot prompt:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

It can take a long time to test the installation media so we skip this test here:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

// <![CDATA[
document.write(‘

‘);
// ]]>

// <![CDATA[
if (typeof ord==’undefined’) {ord=Math.random()*10000000000000000;}
document.write(”);
// ]]>// <![CDATA[
document.write(”);
// ]]>// Click here to find out more! // <![CDATA[
document.write(‘

‘);
// ]]>

The welcome screen of the CentOS installer appears. Click on Next:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Choose your language next:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Select your keyboard layout:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

I’m installing CentOS 5.4 on a fresh system, so I answer Yes to the question Would you like to initialize this drive, erasing ALL DATA?

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Now we must select a partitioning scheme for our installation. For simplicity’s sake I select Remove linux partitions on selected drives and create default layout. This will result in a small /boot and a large / partition as well as a swap partition. Of course, you’re free to partition your hard drive however you like it. Then I hit Next:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Answer the following question (Are you sure you want to do this?) with Yes:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

On to the network settings. The default setting here is to configure the network interfaces with DHCP, but we are installing a server, so static IP addresses are not a bad idea… Click on the Edit button at the top right.

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

In the window that pops up uncheck Use dynamic IP configuration (DHCP) and Enable IPv6 support and give your network card a static IP address (in this tutorial I’m using the IP address 192.168.0.100 for demonstration purposes) and a suitable netmask (e.g. 255.255.255.0; if you are not sure about the right values, http://www.subnetmask.info might help you):

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Set the hostname manually, e.g. server1.example.com, and enter a gateway (e.g. 192.168.0.1) and up to two DNS servers (e.g. 213.191.92.86 and 145.253.2.75):

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Choose your time zone:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Give root a password:

Click to enlarge

Now we select the software we want to install. Select nothing but Server (uncheck everything else). Also don’t check Packages from CentOS Extras. Then check Customize now, and click on Next:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Now we must select the package groups we want to install. Select Editors, Text-based Internet, Development Libraries, Development Tools, DNS Name Server, FTP Server, Mail Server, MySQL Database, Server Configuration Tools, Web Server, Administration Tools, Base, and System Tools (unselect all other package groups) and click on Next:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

The installer checks the dependencies of the selected packages:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Click on Next to start the installation:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

The hard drive is being formatted:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

The installation begins. This will take a few minutes:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Finally, the installation is complete, and you can remove your CD or DVD from the computer and reboot it:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

After the reboot, you will see this screen. Select Firewall configuration and hit Run Tool:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That’s why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn’t use any other firewall later on as it will most probably interfere with the CentOS firewall).

SELinux is a security extension of CentOS that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it, too (this is a must if you want to install ISPConfig later on). Hit OK afterwards:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Then leave the Setup Agent by selecting Exit:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Then log in as root and reboot the system so that your changes can be applied:

reboot

Now, on to the configuration…

4 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
192.168.0.100           server1.example.com server1
::1             localhost6.localdomain6 localhost6

5 Configure Additional IP Addresses

(This section is totally optional. It just shows how to add additional IP addresses to your network interface eth0 if you need more than one IP address. If you’re fine with one IP address, you can skip this section.)

Let’s assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which contains the settings for eth0. We can use this as a sample for our new virtual network interface eth0:0:

cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0:0

Now we want to use the IP address 192.168.0.101 on the virtual interface eth0:0. Therefore we open the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 and modify it as follows (we can leave out the HWADDR line as it is the same physical network card):

vi /etc/sysconfig/network-scripts/ifcfg-eth0:0

# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes

Afterwards we have to restart the network:

/etc/init.d/network restart

You might also want to adjust /etc/hosts after you have added new IP addresses, although this is not necessary.

Now run

ifconfig

You should now see your new IP address in the output:

[root@server1 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:FD:78:BE
inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fefd:78be/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:469 errors:0 dropped:0 overruns:0 frame:0
TX packets:534 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:43223 (42.2 KiB)  TX bytes:100665 (98.3 KiB)
Base address:0x1070 Memory:e8820000-e8840000

eth0:0    Link encap:Ethernet  HWaddr 00:0C:29:FD:78:BE
inet addr:192.168.0.101  Bcast:192.168.0.255  Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
Base address:0x1070 Memory:e8820000-e8840000

lo        Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING  MTU:16436  Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

[root@server1 ~]#

// <![CDATA[
document.write(‘

‘);
// ]]>

// <![CDATA[
if (typeof ord==’undefined’) {ord=Math.random()*10000000000000000;}
document.write(”);
// ]]>// <![CDATA[
document.write(”);
// ]]>// Click here to find out more! // <![CDATA[
document.write(‘

‘);
// ]]>

6 Disable The Firewall And SELinux

(You can skip this chapter if you have already disabled the firewall and SELinux at the end of the basic system installation (in the Setup Agent).)

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That’s why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn’t use any other firewall later on as it will most probably interfere with the CentOS firewall).

SELinux is a security extension of CentOS that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it, too (this is a must if you want to install ISPConfig later on).

Run

system-config-securitylevel

Set both Security Level and SELinux to Disabled and hit OK:

Click to enlarge

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Afterwards we must reboot the system:

reboot

7 Install Some Software

First we import the GPG keys for software packages:

rpm –import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Then we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++

8 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):

vi /etc/fstab

/dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

Then run

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

to enable quota.

9 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot

Then do this:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local /var/named/chroot/var/named/named.local
cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root /var/named/chroot/var/named/named.root
touch /var/named/chroot/etc/named.conf
chkconfig –levels 235 named on
/etc/init.d/named start

// <![CDATA[
document.write(‘

‘);
// ]]>

// <![CDATA[
if (typeof ord==’undefined’) {ord=Math.random()*10000000000000000;}
document.write(”);
// ]]>// <![CDATA[
document.write(”);
// ]]>// Click here to find out more! // <![CDATA[
document.write(‘

‘);
// ]]>

BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

10 MySQL (5.0)

To install MySQL, we do this:

yum install mysql mysql-devel mysql-server

Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:

chkconfig –levels 235 mysqld on
/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap | grep mysql

It should show a line like this:

[root@server1 ~]# netstat -tap | grep mysql
tcp        0      0 *:mysql                     *:*                         LISTEN      2420/mysqld
[root@server1 ~]#

If it does not, edit /etc/my.cnf and comment out the option skip-networking:

vi /etc/my.cnf

[...]
#skip-networking
[...]

and restart your MySQL server:

/etc/init.d/mysqld restart

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

11 Postfix With SMTP-AUTH And TLS

Now we install Postfix and Dovecot (Dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Next we configure SMTP-AUTH and TLS:

postconf -e ‘smtpd_sasl_local_domain =’
postconf -e ‘smtpd_sasl_auth_enable = yes’
postconf -e ‘smtpd_sasl_security_options = noanonymous’
postconf -e ‘broken_sasl_auth_clients = yes’
postconf -e ‘smtpd_sasl_authenticated_header = yes’
postconf -e ‘smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination’
postconf -e ‘inet_interfaces = all’
postconf -e ‘mynetworks = 127.0.0.0/8’

We must edit /usr/lib64/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins. On a 32Bit Centos 5.4 you must edit the file /usr/lib/sasl2/smtpd.conf instead. It should look like this:

vi /usr/lib64/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e ‘smtpd_tls_auth_only = no’
postconf -e ‘smtp_use_tls = yes’
postconf -e ‘smtpd_use_tls = yes’
postconf -e ‘smtp_tls_note_starttls_offer = yes’
postconf -e ‘smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key’
postconf -e ‘smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt’
postconf -e ‘smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem’
postconf -e ‘smtpd_tls_loglevel = 1’
postconf -e ‘smtpd_tls_received_header = yes’
postconf -e ‘smtpd_tls_session_cache_timeout = 3600s’
postconf -e ‘tls_random_source = dev:/dev/urandom’

Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your own hostname):

postconf -e ‘myhostname = server1.example.com’

After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):

cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = server1.example.com

By default, CentOS’ Dovecot daemon provides only IMAP and IMAPs services. Because we also want POP3 and POP3s we must configure Dovecot to do so. We edit /etc/dovecot.conf and enable the line protocols = imap imaps pop3 pop3s:

// <![CDATA[
document.write(‘

‘);
// ]]>

// <![CDATA[
if (typeof ord==’undefined’) {ord=Math.random()*10000000000000000;}
document.write(”);
// ]]>// <![CDATA[
document.write(”);
// ]]>// Click here to find out more! // <![CDATA[
document.write(‘

‘);
// ]]>

vi /etc/dovecot.conf

[...]
# Protocols we want to be serving: imap imaps pop3 pop3s
# If you only want to use dovecot-auth, you can set this to "none".
protocols = imap imaps pop3 pop3s
[...]

Now start Postfix, saslauthd, and Dovecot:

chkconfig –levels 235 sendmail off
chkconfig –levels 235 postfix on
chkconfig –levels 235 saslauthd on
chkconfig –levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH LOGIN PLAIN

everything is fine.

[root@server1 ssl]# telnet localhost 25
Trying 127.0.0.1…
Connected to localhost.localdomain (127.0.0.1).
Escape character is ‘^]’.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 ssl]#

Type

quit

to return to the system’s shell.

11.1 Maildir

Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user’s Maildir (you can also do this if you use ISPConfig – it doesn’t hurt ;-)):

postconf -e ‘home_mailbox = Maildir/’
postconf -e ‘mailbox_command =’
/etc/init.d/postfix restart

12 Apache2 With PHP, Ruby, Python, WebDAV

Now we install Apache with PHP (this is PHP 5.1.6):

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel

Then edit /etc/httpd/conf/httpd.conf:

vi /etc/httpd/conf/httpd.conf

and change DirectoryIndex to

[...]
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl
[...]

Now configure your system to start Apache at boot time:

chkconfig –levels 235 httpd on

Start Apache:

/etc/init.d/httpd start

12.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddHandler and AddType lines:

vi /etc/httpd/conf.d/php.conf

#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#

LoadModule php5_module modules/libphp5.so

#
# Cause the PHP interpreter to handle files with a .php extension.
#
#AddHandler php5-script .php
#AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps

Afterwards we restart Apache:

/etc/init.d/httpd restart

12.2 Installing mod_ruby

For CentOS 5.4, there’s no mod_ruby package available, so we must compile it ourselves. First we install some prerequisites:

yum install httpd-devel ruby ruby-devel

Next we download and install mod_ruby as follows:

cd /tmp
wget http://www.modruby.net/archive/mod_ruby-1.3.0.tar.gz
tar zxvf mod_ruby-1.3.0.tar.gz
cd mod_ruby-1.3.0/
./configure.rb –with-apr-includes=/usr/include/apr-1
make
make install

Finally we must add the mod_ruby module to the Apache configuration, so we create the file /etc/httpd/conf.d/ruby.conf…

vi /etc/httpd/conf.d/ruby.conf

LoadModule ruby_module modules/mod_ruby.so

… and restart Apache:

/etc/init.d/httpd restart

12.3 Installing mod_python

To install mod_python, we simply run…

yum install mod_python

… and restart Apache afterwards:

/etc/init.d/httpd restart

// <![CDATA[
document.write(‘

‘);
// ]]>

// <![CDATA[
if (typeof ord==’undefined’) {ord=Math.random()*10000000000000000;}
document.write(”);
// ]]>// <![CDATA[
document.write(”);
// ]]>// Click here to find out more! // <![CDATA[
document.write(‘

‘);
// ]]>

12.4 WebDAV

WebDAV should already be enabled, but to check this, open /etc/httpd/conf/httpd.conf and make sure that the following two modules are active:

vi /etc/httpd/conf/httpd.conf

[...]
LoadModule dav_module modules/mod_dav.so
[...]
LoadModule dav_fs_module modules/mod_dav_fs.so
[...]

If you have to modify /etc/httpd/conf/httpd.conf, don’t forget to restart Apache afterwards:

/etc/init.d/httpd restart

13 ProFTPd

ISPConfig has better support for proftpd than vsftpd, so let’s remove vsftpd:

yum remove vsftpd

Because CentOS has no proftpd package, we have to compile Proftpd manually:

cd /tmp/
wget –passive-ftp ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.2b.tar.gz
tar xvfz proftpd-1.3.2b.tar.gz
cd proftpd-1.3.2b/
./configure –sysconfdir=/etc
make
make install
cd ..
rm -fr proftpd-1.3.2b*

The proftpd binary gets installed in /usr/local/sbin, but we need it in /usr/sbin, so we create a symlink:

ln -s /usr/local/sbin/proftpd /usr/sbin/proftpd

Now create the init script /etc/init.d/proftpd:

vi /etc/init.d/proftpd

#!/bin/sh
# $Id: proftpd.init,v 1.1 2004/02/26 17:54:30 thias Exp $
#
# proftpd        This shell script takes care of starting and stopping
#                proftpd.
#
# chkconfig: - 80 30
# description: ProFTPD is an enhanced FTP server with a focus towards \
#              simplicity, security, and ease of configuration. \
#              It features a very Apache-like configuration syntax, \
#              and a highly customizable server infrastructure, \
#              including support for multiple 'virtual' FTP servers, \
#              anonymous FTP, and permission-based directory visibility.
# processname: proftpd
# config: /etc/proftp.conf
# pidfile: /var/run/proftpd.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

[ -x /usr/sbin/proftpd ] || exit 0

RETVAL=0

prog="proftpd"

start() {
        echo -n $"Starting $prog: "
        daemon proftpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/proftpd
}

stop() {
        echo -n $"Shutting down $prog: "
        killproc proftpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/proftpd
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status proftpd
        RETVAL=$?
        ;;
  restart)
        stop
        start
        ;;
  condrestart)
        if [ -f /var/lock/subsys/proftpd ]; then
          stop
          start
        fi
        ;;
  reload)
        echo -n $"Re-reading $prog configuration: "
        killproc proftpd -HUP
        RETVAL=$?
        echo
        ;;
  *)
        echo "Usage: $prog {start|stop|restart|reload|condrestart|status}"
        exit 1
esac

exit $RETVAL

Then we make the init script executable:

chmod 755 /etc/init.d/proftpd

Next we open /etc/proftpd.conf and change Group to nobody:

vi /etc/proftpd.conf

[...]
Group                           nobody
[...]

For security reasons you can also add the following lines to /etc/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.org/localsite/Userguide/linked/userguide.html):

vi /etc/proftpd.conf

[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
[...]

To make sure that FTP users can use the chmod command, comment out the <Limit SITE_CHMOD> section:

[...]
# Bar use of SITE CHMOD by default
#<Limit SITE_CHMOD>
#  DenyAll
#</Limit>
[...]

Now we can create the system startup links for Proftpd:

chkconfig –levels 235 proftpd on

And finally we start Proftpd:

/etc/init.d/proftpd start

14 Webalizer

To install webalizer, just run

yum install webalizer

15 Synchronize The System Clock

If you want to have the system clock synchronized with an NTP server do the following:

yum install ntp

chkconfig –levels 235 ntpd on
ntpdate 0.pool.ntp.org
/etc/init.d/ntpd start

16 Install Some Perl Modules

ISPConfig comes with SpamAssassin which needs a few Perl modules to work. We install the required Perl modules with a single command:

yum install perl-HTML-Parser perl-DBI perl-Net-DNS perl-Digest-SHA1

17 The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.

17.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as CentOS’ suExec is compiled with /var/www as Doc_Root. Run

/usr/sbin/suexec -V

and the output should look like this:

[root@server1 ~]# /usr/sbin/suexec -V
-D AP_DOC_ROOT=”/var/www”
-D AP_GID_MIN=100
-D AP_HTTPD_USER=”apache”
-D AP_LOG_EXEC=”/var/log/httpd/suexec.log”
-D AP_SAFE_PATH=”/usr/local/bin:/usr/bin:/bin”
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX=”public_html”
[root@server1 ~]#

// <![CDATA[
document.write(‘

‘);
// ]]>

// <![CDATA[
if (typeof ord==’undefined’) {ord=Math.random()*10000000000000000;}
document.write(”);
// ]]>// <![CDATA[
document.write(”);
// ]]>// Click here to find out more! // <![CDATA[
document.write(‘

‘);
// ]]>

So if you want to use suExec with ISPconfig, don’t change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can’t change the web root anyway so you’ll be able to use suExec in any case).

18 Links

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: