7 Configure the Network

7 Configure the Network

7 Configure The Network Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100): vi /etc/network/interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet static address 192.168.0.100 netmask 255.255.255.0 network 192.168.0.0 broadcast 192.168.0.255 gateway 192.168.0.1 Then restart your network: /etc/init.d/networking restart Then edit /etc/hosts. Make it look like this: vi /etc/hosts 127.0.0.1 localhost.localdomain localhost 192.168.0.100 server1.example.com server1 # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters Now run echo server1.example.com > /etc/hostname /etc/init.d/hostname restart Afterwards, run hostname hostname -f Both should show server1.example.com now. 8 Edit /etc/apt/sources.list And Update Your Linux Installation Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this: vi /etc/apt/sources.list # # deb cdrom:[Ubuntu-Server 11.10 _Oneiric Ocelot_ - Release amd64 (20111011)]/ dists/oneiric/main/binary- i386/ # deb cdrom:[Ubuntu-Server 11.10 _Oneiric Ocelot_ - Release amd64 (20111011)]/ dists/oneiric/restricted/binary-i386/ # deb cdrom:[Ubuntu-Server 11.10 _Oneiric Ocelot_ - Release amd64 (20111011)]/ oneiric main restricted #deb cdrom:[Ubuntu-Server 11.10 _Oneiric Ocelot_ - Release amd64 (20111011)]/ dists/oneiric/main/binary- i386/ #deb cdrom:[Ubuntu-Server 11.10 _Oneiric Ocelot_ - Release amd64 (20111011)]/ dists/oneiric/restricted/binary-i386/ #deb cdrom:[Ubuntu-Server 11.10 _Oneiric Ocelot_ - Release amd64 (20111011)]/ oneiric main restricted # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to # newer versions of the distribution. deb http://de.archive.ubuntu.com/ubuntu/ oneiric main restricted deb-src http://de.archive.ubuntu.com/ubuntu/ oneiric main restricted ## Major bug fix updates produced after the final release of the ## distribution. deb http://de.archive.ubuntu.com/ubuntu/ oneiric- updates main restricted deb-src http://de.archive.ubuntu.com/ubuntu/ oneiric- updates main restricted ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team. Also, please note that software in universe WILL NOT receive any ## review or updates from the Ubuntu security team. deb http://de.archive.ubuntu.com/ubuntu/ oneiric universe deb-src http://de.archive.ubuntu.com/ubuntu/ oneiric universe deb http://de.archive.ubuntu.com/ubuntu/ oneiric- updates universe deb-src http://de.archive.ubuntu.com/ubuntu/ oneiric- updates universe ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team, and may not be under a free licence. Please satisfy yourself as to ## your rights to use the software. Also, please note that software in ## multiverse WILL NOT receive any review or updates from the Ubuntu ## security team. deb http://de.archive.ubuntu.com/ubuntu/ oneiric multiverse deb-src http://de.archive.ubuntu.com/ubuntu/ oneiric multiverse deb http://de.archive.ubuntu.com/ubuntu/ oneiric- updates multiverse deb-src http://de.archive.ubuntu.com/ubuntu/ oneiric- updates multiverse ## N.B. software from this repository may not have been tested as ## extensively as that contained in the main release, although it includes ## newer versions of some applications which may provide useful features. ## Also, please note that software in backports WILL NOT receive any review ## or updates from the Ubuntu security team. deb http://de.archive.ubuntu.com/ubuntu/ oneiric- backports main restricted universe multiverse deb-src http://de.archive.ubuntu.com/ubuntu/ oneiric- backports main restricted universe multiverse deb http://security.ubuntu.com/ubuntu oneiric-security main restricted deb-src http://security.ubuntu.com/ubuntu oneiric- security main restricted deb http://security.ubuntu.com/ubuntu oneiric-security universe deb-src http://security.ubuntu.com/ubuntu oneiric- security universe deb http://security.ubuntu.com/ubuntu oneiric-security multiverse deb-src http://security.ubuntu.com/ubuntu oneiric- security multiverse ## Uncomment the following two lines to add software from Canonical's ## 'partner' repository. ## This software is not part of Ubuntu, but is offered by Canonical and the ## respective vendors as a service to Ubuntu users. # deb http://archive.canonical.com/ubuntu oneiric partner # deb-src http://archive.canonical.com/ubuntu oneiric partner ## Uncomment the following two lines to add software from Ubuntu's ## 'extras' repository. ## This software is not part of Ubuntu, but is offered by third-party ## developers who want to ship their latest software. # deb http://extras.ubuntu.com/ubuntu oneiric main # deb-src http://extras.ubuntu.com/ubuntu oneiric main Then run apt-get update to update the apt package database and apt-get upgrade to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards: reboot 9 Change The Default Shell /bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this: dpkg-reconfigure dash Use dash as the default system shell (/bin/sh)? <-- No If you don't do this, the ISPConfig installation will fail. 10 Disable AppArmor AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on). We can disable it like this: /etc/init.d/apparmor stop update-rc.d -f apparmor remove apt-get remove apparmor apparmor-utils 11 Synchronize the System Clock It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run apt-get install ntp ntpdate and your system time will always be in sync. 12 Install Postfix, Courier, Saslauthd, MySQL, rkhunter, binutils We can install Postfix, Courier, Saslauthd, MySQL, rkhunter, and binutils with a single command: apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier- imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2- bin libpam-mysql openssl getmail4 rkhunter binutils maildrop You will be asked the following questions: New password for the MySQL "root" user: <-- yourrootsqlpassword Repeat password for the MySQL "root" user: <-- yourrootsqlpassword Create directories for web-based administration? <-- No General type of mail configuration: <-- Internet Site System mail name: <-- server1.example.com SSL certificate required <-- Ok If you find out (later after you have configured your first email account in ISPConfig) that you cannot send emails and get the following error in /var/log/mail.log... SASL LOGIN authentication failed: no mechanism available ... please go to http://www.howtoforge.com/forums/showpost.php? p=265831&postcount=25 to learn how to resolve the issue. We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1: vi /etc/mysql/my.cnf [...] # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. #bind-address = 127.0.0.1 [...] Then we restart MySQL: /etc/init.d/mysql restart Now check that networking is enabled. Run netstat -tap | grep mysql The output should look like this: root@server1:~# netstat -tap | grep mysql tcp 0 0 *:mysql *:* LISTEN 22355/mysqld root@server1:~# During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (server1.example.com in this tutorial), delete the certificates... cd /etc/courier rm -f /etc/courier/imapd.pem rm -f /etc/courier/pop3d.pem ... and modify the following two files; replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary): vi /etc/courier/imapd.cnf [...] CN=server1.example.com [...] vi /etc/courier/pop3d.cnf [...] CN=server1.example.com [...] Then recreate the certificates... mkimapdcert mkpop3dcert ... and restart Courier-IMAP-SSL and Courier-POP3-SSL: /etc/init.d/courier-imap-ssl restart /etc/init.d/courier-pop-ssl restart 13 Install Amavisd-new, SpamAssassin, And Clamav To install amavisd-new, SpamAssassin, and ClamAV, we run apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl- perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident- perl zip libnet-dns-perl The ISPConfig 3 setup uses amavisd which loads the SpamAssassin

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    30 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us