http://www2.thailandpost.co.th/search_ems.asp
EMS (package) From Thai to Japan
0.5 kg 600 Baht
1.0 750
1.5 900
2.0 1050
2.5 1200
3.0 1350
3.5 1500
4.0 1630
4.5 1760
5.0 1890
5.5 2010
6.0 2130
6.5 2250
7.0 2370
7.5 2490
8.0 2610
8.5 2730
9.0 2850
9.5 2970
10.0 3090
วันอังคารที่ 29 มิถุนายน พ.ศ. 2553
Moringa
ร้านสมุนไพรออนไลน์
196/3 ม. 8 ต.นิคมสร้างตนเอง อ.เมือง จ.ลพบุรี ลพบุรี 15000 ไทย
โทรศัพท์: 089-1345551 แฟกซ์: 036-615007
เว็บไซต์: http://www.organicthailand.com
196/3 ม. 8 ต.นิคมสร้างตนเอง อ.เมือง จ.ลพบุรี ลพบุรี 15000 ไทย
โทรศัพท์: 089-1345551 แฟกซ์: 036-615007
เว็บไซต์: http://www.organicthailand.com
วันอาทิตย์ที่ 27 มิถุนายน พ.ศ. 2553
วันพฤหัสบดีที่ 24 มิถุนายน พ.ศ. 2553
Townhouse
ขายทาวน์เฮ้าส์ ซอยสุขสวัสดิ์ 32 เลขที่ 325/20 ตรงจากปากซอย ชนอู่วัฒนาบางปะกอก เลี้ยวซ้ายตรงไป ผ่านประตูสีเหลือง เลี้ยวขวา เข้าไปจนสุดซอยอยู่ทางด้านซ้าย ระยะทางจากปากซอยประมาณ 200 เมตร
คมนาคมสะดวก มีรถเมล์ผ่านหลายสาย ใกล้ศูนย์การค้า เทสโก้โลตัส รพ นวมินทร์ ธ. ไทยพาณิชย์ ทางด่วนสุขสวัสดิ์ และทางด่วนพระราม 2
เป็นทาวน์เฮ้าส์ 3 ชั้ัน 3 ห้องนอน 2 ห้องน้ำ พื้นหินอ่อน มีอ่างอาบน้ำ เครื่องทำน้ำอุ่น แทงค์น้ำ ห้องครัว เครื่องดูดควัน
ขายที่ 2.79 ล้านบาท
คมนาคมสะดวก มีรถเมล์ผ่านหลายสาย ใกล้ศูนย์การค้า เทสโก้โลตัส รพ นวมินทร์ ธ. ไทยพาณิชย์ ทางด่วนสุขสวัสดิ์ และทางด่วนพระราม 2
เป็นทาวน์เฮ้าส์ 3 ชั้ัน 3 ห้องนอน 2 ห้องน้ำ พื้นหินอ่อน มีอ่างอาบน้ำ เครื่องทำน้ำอุ่น แทงค์น้ำ ห้องครัว เครื่องดูดควัน
ขายที่ 2.79 ล้านบาท
วันพุธที่ 23 มิถุนายน พ.ศ. 2553
ติดตั้ง joomla บน ubuntu 10.04
From http://opensource.cc.psu.ac.th/%E0%B8%95%E0%B8%B4%E0%B8%94%E0%B8%95%E0%B8%B1%E0%B9%89%E0%B8%87_joomla_1.5.x_%E0%B8%9A%E0%B8%99_ubuntu
* joomla เวอร์ชั่นล่าสุดของรุ่น 1.5.x คือ 1.5.18
* ต้นฉบับจาก http://joomla.org
* ทดสอบกับ ubuntu 10.04, 8.04
* หน้าเวบและข้อมูลใน database ที่ใช้ encoding แบบ UTF-8 ใช้ character set แบบ Unicode
ตัวอย่างนี้ทดสอบกับ joomla 1.5.18
1. ติดตั้ง apache web server ด้วยคำสั่ง sudo apt-get install apache2 apache2-doc
และสั่งเพิ่ม module ด้วยคำสั่ง sudo a2enmod rewrite
แล้วสั่ง reload ด้วยคำสั่ง sudo /etc/init.d/apache2 restart
ใช้ browser ตรวจสอบดูว่า web server ใช้งานได้แล้ว โดยไปที่เวบ http://localhost
2. ติดตั้ง mysql database server ด้วยคำสั่ง sudo apt-get install mysql-server
ระหว่างติดตั้งหากมีคำถามที่เกี่ยวกับการตั้งรหัสผ่าน ก็ให้เคาะแป้น enter ผ่านไปก่อนทั้งหมด
หลังติดตั้งเสร็จแล้วให้รีบตั้ง รหัสผ่าน root ของ mysql-server ใหม่
ตัวอย่างนี้ตั้งรหัสผ่านว่า mysqldroot ใช้คำสั่งคือ mysqladmin -uroot password mysqldroot
3. ติดตั้ง php ด้วยคำสั่ง sudo apt-get install php5 php5-mysql php5-gd php5-ldap
แล้วสั่งให้ apache ทำงานใหม่ด้วยคำสั่ง sudo /etc/init.d/apache2 restart
4. ติดตั้ง unzip ด้วยคำสั่ง sudo apt-get install unzip
5. สร้าง database สำหรับ CMS ที่ต้องการติดตั้ง
ตัวอย่างสร้าง database ชื่อ testjoomla ใช้คำสั่ง
mysql -uroot -pmysqldroot -e "CREATE DATABASE testdatabase CHARACTER SET 'UTF8';"
***หากต้อง การลบ database เดิมที่เคยสร้างไว้แล้ว ใช้คำสั่งว่า
mysql -uroot -pmysqldroot -e "DROP DATABASE testdatabase;"
แล้วกำหนดสิทธิ์การ ใช้ database testdatabase ให้แก่ user
ตัวอย่างสร้าง user ชื่อ mamamysql โดยมีรหัสผ่านว่า mamapass ใช้คำสั่งคือ
mysql -uroot -pmysqldroot -e "grant all privileges on testdatabase.* to 'mamamysql'@'localhost' identified by 'mamapass' ;"
6. เตรียมพื้นที่สำหรับติดตั้ง joomla ไว้ที่ /var/www/test-joomla ด้วยคำสั่ง
sudo mkdir -p /var/www/test-joomla
7. ดาวน์โหลดแฟ้ม joomla 1.5.18 จาก http://ftp.psu.ac.th/pub/joomla/Joomla_1.5.18-Stable-Full_Package.tar.gz
มาเก็บไว้ด้วยคำสั่ง wget http://ftp.psu.ac.th/pub/joomla/Joomla_1.5.18-Stable-Full_Package.tar.gz -O /tmp/Joomla_1.5.18-Stable-Full_Package.tar.gz
แล้วแตกแฟ้มออกมา เก็บไว้ที่ /var/www/test-joomla ด้วยคำสั่ง
sudo tar -zxvf /tmp/Joomla_1.5.18-Stable-Full_Package.tar.gz -C /var/www/test-joomla
แล้ว ปรับสิทธิ์เจ้าของ /var/www/test-joomla ให้แก่ apache ด้วยคำสั่ง
sudo chown -R www-data.www-data /var/www/test-joomla
8. ต่อไปต้องติดตั้งปรับแต่งระบบ joomla ครั้งแรก ให้ไปที่เวบ http://localhost/test-joomla
ขั้นตอน 1 : ภาษา
ให้เลือก th_TH - Thai (ภาษาไทย) แล้วคลิกปุ่มถัดไป
ขั้นตอน 2 : ตรวจสอบก่อนการติดตั้ง
ให้ตรวจสอบดูถ้ามีค่าเป็น yes หรือ สนับสนุน หมด ดังตัวอย่างแสดงว่าใช้ได้ ให้คลิกปุ่มถัดไป
PHP เวอร์ชั่น >= 4.3.10 Yes
- สนับสนุน zlib compression Yes
- สนับสนุน XML Yes
- สนับสนุน MySQL Yes
MB language is default Yes
MB string overload off Yes
configuration.php เขียนลงไฟล์ได้ Yes
ขั้นตอน 3 : ลิขสิทธิ์
ให้คลิกปุ่มถัดไป
ขั้น ตอน 4 : ฐานข้อมูล
ให้ตั้งค่าดังนี้
ชนิดฐานข้อมูล mysql
ชื่อ host คือ localhost
ชื่อผู้ใช้ฐานข้อมูล คือ mamamysql
รหัสผ่านคือ mamapass
ชื่อฐานข้อมูลคือ testdatabase
เสร็จแล้วให้คลิกปุ่มถัดไป
ขั้น ตอน 5 : การตั้งค่าระบบ FTP
ไม่ต้องทำอะไร ให้คลิกปุ่มถัดไป
ขั้น ตอน 6 : การตั้งค่าระบบ
ให้ป้อนค่าต่างๆ
ชื่อเวบไซต์ คือชื่อที่ปรากฏบนหัว browser
อีเมล์ของท่าน คืออีเมล์ที่จะสื่อสารกับเจ้าของเวบนี้
รหัสผ่านของผู้ดูแล คือรหัสผ่าน admin ของเวบนี้ *** ห้ามลืม !!!
ยืนยันรหัสผ่านของผู้ดูแล ซ้ำอีกครั้ง
ให้ คลิกปุ่มยืนยัน ติดตั้งข้อมูลตัวอย่าง จนได้ว่า ข้อมูลตัวอย่างที่ติดตั้งเสร็จสมบูรณ์
เสร็จแล้วให้คลิกปุ่มถัดไป
ขั้น ตอนที่ 7 : เสร็จสิ้น เป็นอันว่าเสร็จเรียบร้อย
แต่จะยังเข้าใช้งาน ไม่ได้ ต้องไปลบพื้นที่ installation ทิ้งก่อน ด้วยคำสั่ง
sudo rm -rf /var/www/test-joomla/installation
9. การติดตั้งภาษาไทย ให้ดาวน์โหลดแฟ้ม ftp://ftp.psu.ac.th/pub/joomla/th-TH_joomla_lang_full.1.5.15v1.zip
ติด ตั้งโดยเลือกหัวข้อ Extensions->Install/Uninstall->Install
การ ตั้งค่าให้เป็นภาษาไทย ให้ตั้งค่าที่ Extensions->Language Manager
การ จัดการ template อยู่ที่ Extensions->Template Manager
* joomla เวอร์ชั่นล่าสุดของรุ่น 1.5.x คือ 1.5.18
* ต้นฉบับจาก http://joomla.org
* ทดสอบกับ ubuntu 10.04, 8.04
* หน้าเวบและข้อมูลใน database ที่ใช้ encoding แบบ UTF-8 ใช้ character set แบบ Unicode
ตัวอย่างนี้ทดสอบกับ joomla 1.5.18
1. ติดตั้ง apache web server ด้วยคำสั่ง sudo apt-get install apache2 apache2-doc
และสั่งเพิ่ม module ด้วยคำสั่ง sudo a2enmod rewrite
แล้วสั่ง reload ด้วยคำสั่ง sudo /etc/init.d/apache2 restart
ใช้ browser ตรวจสอบดูว่า web server ใช้งานได้แล้ว โดยไปที่เวบ http://localhost
2. ติดตั้ง mysql database server ด้วยคำสั่ง sudo apt-get install mysql-server
ระหว่างติดตั้งหากมีคำถามที่เกี่ยวกับการตั้งรหัสผ่าน ก็ให้เคาะแป้น enter ผ่านไปก่อนทั้งหมด
หลังติดตั้งเสร็จแล้วให้รีบตั้ง รหัสผ่าน root ของ mysql-server ใหม่
ตัวอย่างนี้ตั้งรหัสผ่านว่า mysqldroot ใช้คำสั่งคือ mysqladmin -uroot password mysqldroot
3. ติดตั้ง php ด้วยคำสั่ง sudo apt-get install php5 php5-mysql php5-gd php5-ldap
แล้วสั่งให้ apache ทำงานใหม่ด้วยคำสั่ง sudo /etc/init.d/apache2 restart
4. ติดตั้ง unzip ด้วยคำสั่ง sudo apt-get install unzip
5. สร้าง database สำหรับ CMS ที่ต้องการติดตั้ง
ตัวอย่างสร้าง database ชื่อ testjoomla ใช้คำสั่ง
mysql -uroot -pmysqldroot -e "CREATE DATABASE testdatabase CHARACTER SET 'UTF8';"
***หากต้อง การลบ database เดิมที่เคยสร้างไว้แล้ว ใช้คำสั่งว่า
mysql -uroot -pmysqldroot -e "DROP DATABASE testdatabase;"
แล้วกำหนดสิทธิ์การ ใช้ database testdatabase ให้แก่ user
ตัวอย่างสร้าง user ชื่อ mamamysql โดยมีรหัสผ่านว่า mamapass ใช้คำสั่งคือ
mysql -uroot -pmysqldroot -e "grant all privileges on testdatabase.* to 'mamamysql'@'localhost' identified by 'mamapass' ;"
6. เตรียมพื้นที่สำหรับติดตั้ง joomla ไว้ที่ /var/www/test-joomla ด้วยคำสั่ง
sudo mkdir -p /var/www/test-joomla
7. ดาวน์โหลดแฟ้ม joomla 1.5.18 จาก http://ftp.psu.ac.th/pub/joomla/Joomla_1.5.18-Stable-Full_Package.tar.gz
มาเก็บไว้ด้วยคำสั่ง wget http://ftp.psu.ac.th/pub/joomla/Joomla_1.5.18-Stable-Full_Package.tar.gz -O /tmp/Joomla_1.5.18-Stable-Full_Package.tar.gz
แล้วแตกแฟ้มออกมา เก็บไว้ที่ /var/www/test-joomla ด้วยคำสั่ง
sudo tar -zxvf /tmp/Joomla_1.5.18-Stable-Full_Package.tar.gz -C /var/www/test-joomla
แล้ว ปรับสิทธิ์เจ้าของ /var/www/test-joomla ให้แก่ apache ด้วยคำสั่ง
sudo chown -R www-data.www-data /var/www/test-joomla
8. ต่อไปต้องติดตั้งปรับแต่งระบบ joomla ครั้งแรก ให้ไปที่เวบ http://localhost/test-joomla
ขั้นตอน 1 : ภาษา
ให้เลือก th_TH - Thai (ภาษาไทย) แล้วคลิกปุ่มถัดไป
ขั้นตอน 2 : ตรวจสอบก่อนการติดตั้ง
ให้ตรวจสอบดูถ้ามีค่าเป็น yes หรือ สนับสนุน หมด ดังตัวอย่างแสดงว่าใช้ได้ ให้คลิกปุ่มถัดไป
PHP เวอร์ชั่น >= 4.3.10 Yes
- สนับสนุน zlib compression Yes
- สนับสนุน XML Yes
- สนับสนุน MySQL Yes
MB language is default Yes
MB string overload off Yes
configuration.php เขียนลงไฟล์ได้ Yes
ขั้นตอน 3 : ลิขสิทธิ์
ให้คลิกปุ่มถัดไป
ขั้น ตอน 4 : ฐานข้อมูล
ให้ตั้งค่าดังนี้
ชนิดฐานข้อมูล mysql
ชื่อ host คือ localhost
ชื่อผู้ใช้ฐานข้อมูล คือ mamamysql
รหัสผ่านคือ mamapass
ชื่อฐานข้อมูลคือ testdatabase
เสร็จแล้วให้คลิกปุ่มถัดไป
ขั้น ตอน 5 : การตั้งค่าระบบ FTP
ไม่ต้องทำอะไร ให้คลิกปุ่มถัดไป
ขั้น ตอน 6 : การตั้งค่าระบบ
ให้ป้อนค่าต่างๆ
ชื่อเวบไซต์ คือชื่อที่ปรากฏบนหัว browser
อีเมล์ของท่าน คืออีเมล์ที่จะสื่อสารกับเจ้าของเวบนี้
รหัสผ่านของผู้ดูแล คือรหัสผ่าน admin ของเวบนี้ *** ห้ามลืม !!!
ยืนยันรหัสผ่านของผู้ดูแล ซ้ำอีกครั้ง
ให้ คลิกปุ่มยืนยัน ติดตั้งข้อมูลตัวอย่าง จนได้ว่า ข้อมูลตัวอย่างที่ติดตั้งเสร็จสมบูรณ์
เสร็จแล้วให้คลิกปุ่มถัดไป
ขั้น ตอนที่ 7 : เสร็จสิ้น เป็นอันว่าเสร็จเรียบร้อย
แต่จะยังเข้าใช้งาน ไม่ได้ ต้องไปลบพื้นที่ installation ทิ้งก่อน ด้วยคำสั่ง
sudo rm -rf /var/www/test-joomla/installation
9. การติดตั้งภาษาไทย ให้ดาวน์โหลดแฟ้ม ftp://ftp.psu.ac.th/pub/joomla/th-TH_joomla_lang_full.1.5.15v1.zip
ติด ตั้งโดยเลือกหัวข้อ Extensions->Install/Uninstall->Install
การ ตั้งค่าให้เป็นภาษาไทย ให้ตั้งค่าที่ Extensions->Language Manager
การ จัดการ template อยู่ที่ Extensions->Template Manager
วันอาทิตย์ที่ 20 มิถุนายน พ.ศ. 2553
***Denyhosts configurations
http://www.cyberciti.biz/faq/block-ssh-attacks-with-denyhosts/
Step # 1: Make Sure Python is installed
First, make sure python is installed under Debian / Ubuntu Linux:
# dpkg --list
grep python2
Find out version (DenyHosts requires 2.3 or above version)
$ python -V
Output:
Python 2.5.1
Step # 2: Download DenyHosts
Visit official project home page to grab latest source code or packages. Use apt-get command under Debian / Ubuntu Linux, enter
$ sudo apt-get install denyhosts
DenyHosts configuration - /etc/denyhosts.conf
1. The default configuration file is /etc/denyhosts.conf.
2. You also need to create / update a whitelist in /etc/hosts.allow. For example, if you have static IP assigned by ISP, enter in this file. You can add all the important hosts that you never want blocked.
Step # 1: Setup a whitelist
Open /etc/hosts.allow:
# vi /etc/hosts.allow
Allow sshd from 202.54.1.2 i.e. you never want to block yourself
sshd: 202.54.1.2
Save and close the file. Verify and examines your tcp wrapper configuration file and reports all potential and real problems:
# tcpdchk -v
Step # 1: Configure DenyHosts
Open default configuration file - /etc/denyhosts.conf, enter:
# vi /etc/denyhosts.conf
Setup your email ID so you would receive emails regarding newly restricted hosts and suspicious logins, set this address to match your email address.
ADMIN_EMAIL = vivek@nixcraft.com
Save and close the file. Here is my own sample configuration file for Debian Linux 4.0 server (config file is documented very well, just open and read it):
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY =
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/run/denyhosts.pid
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = vivek@nixcraft.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
Restart the daemon:
# /etc/init.d/denyhosts restart
First of all, references to WORK_DIR point to /var/lib/denyhosts/ or something similar on your system.
The default location for the hosts.deny file is /etc/hosts.deny.
Here's the method I used to unblock an IP:
Stop DenyHosts
/etc/init.d/denyhosts stop
Remove the IP address from hosts.deny
Remove all lines containing the IP address from the following files:
WORK_DIR/hosts
WORK_DIR/hosts-restricted
WORK_DIR/hosts-root
WORK_DIR/hosts-valid
WORK_DIR/users-hosts
Consider adding the IP address to WORK_DIR/allowed-hosts
Start DenyHosts
Step # 1: Make Sure Python is installed
First, make sure python is installed under Debian / Ubuntu Linux:
# dpkg --list
grep python2
Find out version (DenyHosts requires 2.3 or above version)
$ python -V
Output:
Python 2.5.1
Step # 2: Download DenyHosts
Visit official project home page to grab latest source code or packages. Use apt-get command under Debian / Ubuntu Linux, enter
$ sudo apt-get install denyhosts
DenyHosts configuration - /etc/denyhosts.conf
1. The default configuration file is /etc/denyhosts.conf.
2. You also need to create / update a whitelist in /etc/hosts.allow. For example, if you have static IP assigned by ISP, enter in this file. You can add all the important hosts that you never want blocked.
Step # 1: Setup a whitelist
Open /etc/hosts.allow:
# vi /etc/hosts.allow
Allow sshd from 202.54.1.2 i.e. you never want to block yourself
sshd: 202.54.1.2
Save and close the file. Verify and examines your tcp wrapper configuration file and reports all potential and real problems:
# tcpdchk -v
Step # 1: Configure DenyHosts
Open default configuration file - /etc/denyhosts.conf, enter:
# vi /etc/denyhosts.conf
Setup your email ID so you would receive emails regarding newly restricted hosts and suspicious logins, set this address to match your email address.
ADMIN_EMAIL = vivek@nixcraft.com
Save and close the file. Here is my own sample configuration file for Debian Linux 4.0 server (config file is documented very well, just open and read it):
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY =
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/run/denyhosts.pid
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = vivek@nixcraft.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
Restart the daemon:
# /etc/init.d/denyhosts restart
First of all, references to WORK_DIR point to /var/lib/denyhosts/ or something similar on your system.
The default location for the hosts.deny file is /etc/hosts.deny.
Here's the method I used to unblock an IP:
Stop DenyHosts
/etc/init.d/denyhosts stop
Remove the IP address from hosts.deny
Remove all lines containing the IP address from the following files:
WORK_DIR/hosts
WORK_DIR/hosts-restricted
WORK_DIR/hosts-root
WORK_DIR/hosts-valid
WORK_DIR/users-hosts
Consider adding the IP address to WORK_DIR/allowed-hosts
Start DenyHosts
วันเสาร์ที่ 19 มิถุนายน พ.ศ. 2553
ckeck installed program on Linux
I found out how to do this recently and thought it might be helpful to some people. To output this information to a file in your home directory you would use,
Code:
dpkg --get-selections > installed-software
And if you wanted to use the list to reinstall this software on a fresh ubuntu setup,
Code:
dpkg --set-selections < installed-software
followed by
Code:
dselect
Code:
dpkg --get-selections > installed-software
And if you wanted to use the list to reinstall this software on a fresh ubuntu setup,
Code:
dpkg --set-selections < installed-software
followed by
Code:
dselect
https://www.thnic.co.th/index.php
http://www.knit.or.th/
extension domain name @ https://www.thnic.co.th/index.php
with you email and knit password
extension domain name @ https://www.thnic.co.th/index.php
with you email and knit password
Restart after changing /etc/hosts
After changing your hosts in /etc/hosts, you can restart it using network restart;
/etc/init.d/network restart
/etc/init.d/network restart
วันศุกร์ที่ 18 มิถุนายน พ.ศ. 2553
virtual host in ubuntu
If you wish to configure a new virtual host or site, copy that file into the same directory with a name you choose. For example:
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mynewsite
Edit the new file to configure the new site using some of the directives described below.
•The ServerAdmin directive specifies the email address to be advertised for the server's administrator. The default value is webmaster@localhost. This should be changed to an email address that is delivered to you (if you are the server's administrator). If your website has a problem, Apache2 will display an error message containing this email address to report the problem to. Find this directive in your site's configuration file in /etc/apache2/sites-available.
•The Listen directive specifies the port, and optionally the IP address, Apache2 should listen on. If the IP address is not specified, Apache2 will listen on all IP addresses assigned to the machine it runs on. The default value for the Listen directive is 80. Change this to 127.0.0.1:80 to cause Apache2 to listen only on your loopback interface so that it will not be available to the Internet, to (for example) 81 to change the port that it listens on, or leave it as is for normal operation. This directive can be found and changed in its own file, /etc/apache2/ports.conf
•The ServerName directive is optional and specifies what FQDN your site should answer to. The default virtual host has no ServerName directive specified, so it will respond to all requests that do not match a ServerName directive in another virtual host. If you have just acquired the domain name ubunturocks.com and wish to host it on your Ubuntu server, the value of the ServerName directive in your virtual host configuration file should be ubunturocks.com. Add this directive to the new virtual host file you created earlier (/etc/apache2/sites-available/mynewsite).
You may also want your site to respond to www.ubunturocks.com, since many users will assume the www prefix is appropriate. Use the ServerAlias directive for this. You may also use wildcards in the ServerAlias directive.
For example, the following configuration will cause your site to respond to any domain request ending in .ubunturocks.com.
ServerAlias *.ubunturocks.com
•The DocumentRoot directive specifies where Apache should look for the files that make up the site. The default value is /var/www. No site is configured there, but if you uncomment the RedirectMatch directive in /etc/apache2/apache2.conf requests will be redirected to /var/www/apache2-default where the default Apache2 site awaits. Change this value in your site's virtual host file, and remember to create that directory if necessary!
The /etc/apache2/sites-available directory is not parsed by Apache2. Symbolic links in /etc/apache2/sites-enabled point to "available" sites.
Enable the new VirtualHost using the a2ensite utility and restart Apache:
sudo a2ensite mynewsite
sudo /etc/init.d/apache2 restart
Be sure to replace mynewsite with a more descriptive name for the VirtualHost. One method is to name the file after the ServerName directive of the VirtualHost.
Similarly, use the a2dissite utility to disable sites. This is can be useful when troubleshooting configuration problems with multiple VirtualHosts:
sudo a2dissite mynewsite
sudo /etc/init.d/apache2 restart
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mynewsite
Edit the new file to configure the new site using some of the directives described below.
•The ServerAdmin directive specifies the email address to be advertised for the server's administrator. The default value is webmaster@localhost. This should be changed to an email address that is delivered to you (if you are the server's administrator). If your website has a problem, Apache2 will display an error message containing this email address to report the problem to. Find this directive in your site's configuration file in /etc/apache2/sites-available.
•The Listen directive specifies the port, and optionally the IP address, Apache2 should listen on. If the IP address is not specified, Apache2 will listen on all IP addresses assigned to the machine it runs on. The default value for the Listen directive is 80. Change this to 127.0.0.1:80 to cause Apache2 to listen only on your loopback interface so that it will not be available to the Internet, to (for example) 81 to change the port that it listens on, or leave it as is for normal operation. This directive can be found and changed in its own file, /etc/apache2/ports.conf
•The ServerName directive is optional and specifies what FQDN your site should answer to. The default virtual host has no ServerName directive specified, so it will respond to all requests that do not match a ServerName directive in another virtual host. If you have just acquired the domain name ubunturocks.com and wish to host it on your Ubuntu server, the value of the ServerName directive in your virtual host configuration file should be ubunturocks.com. Add this directive to the new virtual host file you created earlier (/etc/apache2/sites-available/mynewsite).
You may also want your site to respond to www.ubunturocks.com, since many users will assume the www prefix is appropriate. Use the ServerAlias directive for this. You may also use wildcards in the ServerAlias directive.
For example, the following configuration will cause your site to respond to any domain request ending in .ubunturocks.com.
ServerAlias *.ubunturocks.com
•The DocumentRoot directive specifies where Apache should look for the files that make up the site. The default value is /var/www. No site is configured there, but if you uncomment the RedirectMatch directive in /etc/apache2/apache2.conf requests will be redirected to /var/www/apache2-default where the default Apache2 site awaits. Change this value in your site's virtual host file, and remember to create that directory if necessary!
The /etc/apache2/sites-available directory is not parsed by Apache2. Symbolic links in /etc/apache2/sites-enabled point to "available" sites.
Enable the new VirtualHost using the a2ensite utility and restart Apache:
sudo a2ensite mynewsite
sudo /etc/init.d/apache2 restart
Be sure to replace mynewsite with a more descriptive name for the VirtualHost. One method is to name the file after the ServerName directive of the VirtualHost.
Similarly, use the a2dissite utility to disable sites. This is can be useful when troubleshooting configuration problems with multiple VirtualHosts:
sudo a2dissite mynewsite
sudo /etc/init.d/apache2 restart
วันพฤหัสบดีที่ 17 มิถุนายน พ.ศ. 2553
Check disk and files in Linux
The common way to check for all partition disk space, how much is still remain, you can simple use
df -h
Usually I will put -h to make it size human readable.
Another good tools to check the disk space for directories, we use du. You may realized that when you type ls -l, the size of every directories have the same size 4096, it is because directories is actually a file. But for us, we want to know how large the load it store instead the directory file itself.
To show all directories size including sub directories, type
du -h
To calculate the current directory size you are in (-s stand for summary)
du -sh
To show all the 1 level sub directories size (which you are not interested at sub sub directories.)
du -sh *
To show the size of specific directory
du -sh /home
To show the size of all sub directories of a specific directory
du -sh /home/*
df -h
Usually I will put -h to make it size human readable.
Another good tools to check the disk space for directories, we use du. You may realized that when you type ls -l, the size of every directories have the same size 4096, it is because directories is actually a file. But for us, we want to know how large the load it store instead the directory file itself.
To show all directories size including sub directories, type
du -h
To calculate the current directory size you are in (-s stand for summary)
du -sh
To show all the 1 level sub directories size (which you are not interested at sub sub directories.)
du -sh *
To show the size of specific directory
du -sh /home
To show the size of all sub directories of a specific directory
du -sh /home/*
เพิ่มความเร็วอินเทอร์เน็ต 2 ลิงค์รวมกัน ด้วย Linksys RV042
http://sys2u.com/xpert/viewtopic.php?f=5&t=25
เพิ่มความเร็วอินเทอร์เน็ต 2 ลิงค์รวมกัน ด้วย Linksys RV042
บทความสำหรับ: ผู้ที่มีความรู้เกี่ยวกับระบบเครือข่ายในระดับเบื้องต้นถึงปานกลาง (v1.1) ดาวน์โหลด (216 KB)
โดย ศุภสิทธิ์ ศิริพานิชกร
ท่านสามารถดาวน์โหลดบทความนี้ได้ที่ http://www.sys2u.com/kb/kb004.pdf
คำถาม
ถ้าท่านสามารถใช้งานอินเทอร์เน็ตด้วยความเร็วของ 2 ลิงค์รวมกัน ไม่ดีกว่าหรือครับ ? ด้วยฟังก์ชั่นการทำงานแบบโหลดบาลานซ์โหมด (Load-Balanced Mode) ของ Linksys RV042 ที่จะทำให้ท่านสามารถใช้งานอินเทอร์เน็ตด้วยความเร็วของ 2 ลิงค์รวมกัน
ในกรณีที่ลิงค์ใดลิงค์หนึ่งไม่ทำงาน Linksys RV042 จะปรับการเชื่อมต่ออินเทอร์เน็ตของเครื่องลูกข่ายที่ใช้งานในลิงค์ที่มีปัญหาย้ายไปยังลิงค์ที่ทำงานปกติทันที จนกว่าลิงค์ทั้งสองจะกลับมาทำงานได้ดีดังเดิม Linksys RV042 จะปรับการเชื่อมต่ออินเทอร์เน็ตให้กลับไปใช้งานทั้ง 2 ลิงค์ตามปกติ
อุปกรณ์ Linksys RV042 VPN / Load-Balanced Router เราท์เตอร์ครอบจักรวาล
เพิ่มความเร็วอินเทอร์เน็ต 2 ลิงค์รวมกัน ด้วย Linksys RV042
บทความสำหรับ: ผู้ที่มีความรู้เกี่ยวกับระบบเครือข่ายในระดับเบื้องต้นถึงปานกลาง (v1.1) ดาวน์โหลด (216 KB)
โดย ศุภสิทธิ์ ศิริพานิชกร
ท่านสามารถดาวน์โหลดบทความนี้ได้ที่ http://www.sys2u.com/kb/kb004.pdf
คำถาม
ถ้าท่านสามารถใช้งานอินเทอร์เน็ตด้วยความเร็วของ 2 ลิงค์รวมกัน ไม่ดีกว่าหรือครับ ? ด้วยฟังก์ชั่นการทำงานแบบโหลดบาลานซ์โหมด (Load-Balanced Mode) ของ Linksys RV042 ที่จะทำให้ท่านสามารถใช้งานอินเทอร์เน็ตด้วยความเร็วของ 2 ลิงค์รวมกัน
ในกรณีที่ลิงค์ใดลิงค์หนึ่งไม่ทำงาน Linksys RV042 จะปรับการเชื่อมต่ออินเทอร์เน็ตของเครื่องลูกข่ายที่ใช้งานในลิงค์ที่มีปัญหาย้ายไปยังลิงค์ที่ทำงานปกติทันที จนกว่าลิงค์ทั้งสองจะกลับมาทำงานได้ดีดังเดิม Linksys RV042 จะปรับการเชื่อมต่ออินเทอร์เน็ตให้กลับไปใช้งานทั้ง 2 ลิงค์ตามปกติ
อุปกรณ์ Linksys RV042 VPN / Load-Balanced Router เราท์เตอร์ครอบจักรวาล
How to install postfix dovecot sasl+squirrelmail for relay host
From
http://www.debianadmin.com/debian-mail-server-setup-with-postfix-dovecot-sasl-squirrel-mail.html
Postfix is an attempt to provide an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and hopefully secure, while at the same time being sendmail compatible enough to not upset your users.
Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It’s fast, simple to set up, requires no special administration and it uses very little memory.
When sending mail, the Postfix SMTP client can look up the remote SMTP server hostname or destination domain (the address right-hand part) in a SASL password table, and if a username/password is found, it will use that username and password to authenticate to the remote SMTP server. And as of version 2.3, Postfix can be configured to search its SASL password table by the sender email address.
SquirrelMail is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
Note : If you install Postfix/Dovecot mail server you will ONLY be able to send mail within your network. You can only send mail externally if you install SASL authentication with TLS. As otherwise you get “Relay Access Denied” error.
Install Postfix MTA (Mail Transfer Agent)
Use the following command to install postfix in debian
#aptitude install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules popa3d
During installation, postfix will ask for few questions like name of server and answer those questions by entering your domain name and select Internet site for postfix.
Postfix configuration file is located at:/etc/postfix/main.cf. You can edit this file using popular text editor vi /etc/postfix/main.cf
Restart Postfix Server using the following command
#/etc/init.d/postfix restart
Install Dovecot
Dovecot is POP3/IMAP server which needs MTA like Postfix to work properly.
#aptitude install dovecot-imapd dovecot-pop3d dovecot-common
Dovecot configuration file is located at: /etc/dovecot/dovecot.conf
Before we proceed we need to make some changes with dovecot configuration file. Double check the following entries in the file if the values are entered properly.
Edit the dovecot configuration file using the following command
#vi /etc/dovecot/dovecot.conf
# specify protocols = imap imaps pop3 pop3s
protocols = pop3 imap
# uncomment this and change to no.
disable_plaintext_auth = no
pop3_uidl_format = %08Xu%08Xv
Now, create a user to test our pop3 mail with outlook:
#adduser user_name
Note: Always create a separate user to test your mail or ftp.
Restart Dovecot using the following command
#/etc/init.d/dovecot restart
Now, you can use your outlook express to test whether your new mail server is working or not. Just enter username: with password in outlook.
Remember you will NOT be able to send email outside your network, you will be only be able to send within your domain or local network. If you attempt to send email you get “relay access denied” error from outlook express. However, you should have no problems in receiving your email from outlook. Inorder to send email external email you will need to configure SASL authentication as described below.
Configure SASL Authentication with TLS
SASL Configuration + TLS (Simple authentication security layer with transport layer security) used mainly to authenticate users before sending email to external server, thus restricting relay access. If your relay server is kept open, then spammers could use your mail server to send spam. It is very essential to protect your mail server from misuse.
Let us set up SMTP authentication for our users with postfix and dovecot.
Edit the postfix configuration file /etc/postfix/main.cf and enter the few lines to enable authentication of our users
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = yourdomain.com
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
#to prevent unknown sender
smtpd_sender_restrictions = reject_sender_login_mismatch
postfix does a chroot so it can’t communicate with saslauthd.
#rm -r /var/run/saslauthd/
#mkdir -p /var/spool/postfix/var/run/saslauthd
#ln -s /var/spool/postfix/var/run/saslauthd /var/run
#chgrp sasl /var/spool/postfix/var/run/saslauthd
#adduser postfix sasl
On the Dovecot side you also need to specify the dovecot authentication daemon socket. In this case we specify an absolute pathname. Refer to this postfix manual here
Edit /etc/dovecot/dovecot.conf file
#vi /etc/dovecot/dovecot.conf
Look for the line that starts with auth default, before that insert the lines below.
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
Now, rename previous auth default to auth default2. If you dont rename this then dovecot server will give you error like multiple instances of auth default.
Now restart all the following components of mail server
#/etc/init.d/saslauthd restart
#/etc/init.d/postfix restart
#/etc/init.d/dovecot restart
Test whether your mail server works or not with your outlook express. Configure a user with a user name (without @domain) and make sure that you select my server requires authentication. Under settings select same as incoming mail server
Note:
1. If you dont enable My server requires authentication in outlook you cannot send emails to external recipients and you get relay access denied error.
2. Do not use root login to login to your mail server.
3. Dont forget to create a new user before you authenticate using outlook.
Forwarding Mails
Ever wondered how to forward your mails especially if you are a webmaster managing number of sites. You might need to forward any email sent to your primary email address. Its that easy. Just create a .forward file on your home directory. Insert list of emails addresses separated by commas, where you want to get forwarded.
Login as user and type
echo ‘destination_email_address’ > .forward
or you can use vi to create .forward file. Just Delete .forward file if you dont want any forwarding.
Installing Squirrel Web Mail
Before installing Squirrel Web Mail you need to make sure you have installed apache2 with php support
#aptitude install apache2
#aptitude install libapache2-mod-php5 php5-cli php5-common php5-cgi
#aptitude install squirrelmail
Squirrelmail configuration file is located in: /etc/squirrelmail/ folder. By default all settings are preloaded.
# Run squirrelmail configuration utility as ROOT
/usr/sbin/squirrelmail-configure
Now we want to setup to run under apache. Edit apache configuration file /etc/apache2/apache2.conf and insert the following line
Include /etc/squirrelmail/apache.conf
Restart the webserver using the following command
#/etc/init.d/apache2 restart
Access your webmail using the following link
http://yourdomain or server ip/squirrelmail
Create a separate local user and login as a new user.
Mail Server Logs
Always refer to logs located in /var/log/mail.log so that you can identify what the problem is before you can troubleshoot.
http://www.debianadmin.com/debian-mail-server-setup-with-postfix-dovecot-sasl-squirrel-mail.html
Postfix is an attempt to provide an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and hopefully secure, while at the same time being sendmail compatible enough to not upset your users.
Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It’s fast, simple to set up, requires no special administration and it uses very little memory.
When sending mail, the Postfix SMTP client can look up the remote SMTP server hostname or destination domain (the address right-hand part) in a SASL password table, and if a username/password is found, it will use that username and password to authenticate to the remote SMTP server. And as of version 2.3, Postfix can be configured to search its SASL password table by the sender email address.
SquirrelMail is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
Note : If you install Postfix/Dovecot mail server you will ONLY be able to send mail within your network. You can only send mail externally if you install SASL authentication with TLS. As otherwise you get “Relay Access Denied” error.
Install Postfix MTA (Mail Transfer Agent)
Use the following command to install postfix in debian
#aptitude install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules popa3d
During installation, postfix will ask for few questions like name of server and answer those questions by entering your domain name and select Internet site for postfix.
Postfix configuration file is located at:/etc/postfix/main.cf. You can edit this file using popular text editor vi /etc/postfix/main.cf
Restart Postfix Server using the following command
#/etc/init.d/postfix restart
Install Dovecot
Dovecot is POP3/IMAP server which needs MTA like Postfix to work properly.
#aptitude install dovecot-imapd dovecot-pop3d dovecot-common
Dovecot configuration file is located at: /etc/dovecot/dovecot.conf
Before we proceed we need to make some changes with dovecot configuration file. Double check the following entries in the file if the values are entered properly.
Edit the dovecot configuration file using the following command
#vi /etc/dovecot/dovecot.conf
# specify protocols = imap imaps pop3 pop3s
protocols = pop3 imap
# uncomment this and change to no.
disable_plaintext_auth = no
pop3_uidl_format = %08Xu%08Xv
Now, create a user to test our pop3 mail with outlook:
#adduser user_name
Note: Always create a separate user to test your mail or ftp.
Restart Dovecot using the following command
#/etc/init.d/dovecot restart
Now, you can use your outlook express to test whether your new mail server is working or not. Just enter username: with password in outlook.
Remember you will NOT be able to send email outside your network, you will be only be able to send within your domain or local network. If you attempt to send email you get “relay access denied” error from outlook express. However, you should have no problems in receiving your email from outlook. Inorder to send email external email you will need to configure SASL authentication as described below.
Configure SASL Authentication with TLS
SASL Configuration + TLS (Simple authentication security layer with transport layer security) used mainly to authenticate users before sending email to external server, thus restricting relay access. If your relay server is kept open, then spammers could use your mail server to send spam. It is very essential to protect your mail server from misuse.
Let us set up SMTP authentication for our users with postfix and dovecot.
Edit the postfix configuration file /etc/postfix/main.cf and enter the few lines to enable authentication of our users
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = yourdomain.com
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
#to prevent unknown sender
smtpd_sender_restrictions = reject_sender_login_mismatch
postfix does a chroot so it can’t communicate with saslauthd.
#rm -r /var/run/saslauthd/
#mkdir -p /var/spool/postfix/var/run/saslauthd
#ln -s /var/spool/postfix/var/run/saslauthd /var/run
#chgrp sasl /var/spool/postfix/var/run/saslauthd
#adduser postfix sasl
On the Dovecot side you also need to specify the dovecot authentication daemon socket. In this case we specify an absolute pathname. Refer to this postfix manual here
Edit /etc/dovecot/dovecot.conf file
#vi /etc/dovecot/dovecot.conf
Look for the line that starts with auth default, before that insert the lines below.
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
Now, rename previous auth default to auth default2. If you dont rename this then dovecot server will give you error like multiple instances of auth default.
Now restart all the following components of mail server
#/etc/init.d/saslauthd restart
#/etc/init.d/postfix restart
#/etc/init.d/dovecot restart
Test whether your mail server works or not with your outlook express. Configure a user with a user name (without @domain) and make sure that you select my server requires authentication. Under settings select same as incoming mail server
Note:
1. If you dont enable My server requires authentication in outlook you cannot send emails to external recipients and you get relay access denied error.
2. Do not use root login to login to your mail server.
3. Dont forget to create a new user before you authenticate using outlook.
Forwarding Mails
Ever wondered how to forward your mails especially if you are a webmaster managing number of sites. You might need to forward any email sent to your primary email address. Its that easy. Just create a .forward file on your home directory. Insert list of emails addresses separated by commas, where you want to get forwarded.
Login as user and type
echo ‘destination_email_address’ > .forward
or you can use vi to create .forward file. Just Delete .forward file if you dont want any forwarding.
Installing Squirrel Web Mail
Before installing Squirrel Web Mail you need to make sure you have installed apache2 with php support
#aptitude install apache2
#aptitude install libapache2-mod-php5 php5-cli php5-common php5-cgi
#aptitude install squirrelmail
Squirrelmail configuration file is located in: /etc/squirrelmail/ folder. By default all settings are preloaded.
# Run squirrelmail configuration utility as ROOT
/usr/sbin/squirrelmail-configure
Now we want to setup to run under apache. Edit apache configuration file /etc/apache2/apache2.conf and insert the following line
Include /etc/squirrelmail/apache.conf
Restart the webserver using the following command
#/etc/init.d/apache2 restart
Access your webmail using the following link
http://yourdomain or server ip/squirrelmail
Create a separate local user and login as a new user.
Mail Server Logs
Always refer to logs located in /var/log/mail.log so that you can identify what the problem is before you can troubleshoot.
Installing Apache2 With PHP5 And MySQL Support On Ubuntu 9.10 (LAMP)
1 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings might differ for you, so you have to replace them where appropriate.I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root:
sudo su
2 Installing MySQL 5
First we install MySQL 5 like this:aptitude install mysql-server mysql-client
You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on: New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
3 Installing Apache2
Apache2 is available as an Ubuntu package, therefore we can install it like this:aptitude install apache2
Now direct your browser to http://192.168.0.100, and you should see the Apache2 placeholder page (It works!): Apache's default document root is /var/www on Ubuntu, and the configuration file is /etc/apache2/apache2.conf. Additional configurations are stored in subdirectories of the /etc/apache2 directory such as /etc/apache2/mods-enabled (for Apache modules), /etc/apache2/sites-enabled (for virtual hosts), and /etc/apache2/conf.d.
4 Installing PHP5
We can install PHP5 and the Apache PHP5 module as follows:aptitude install php5 libapache2-mod-php5
We must restart Apache afterwards:/etc/init.d/apache2 restart
5 Testing PHP5 / Getting Details About Your PHP5 Installation
The document root of the default web site is /var/www. We will now create a small PHP file (info.php) in that directory and call it in a browser. The file will display lots of useful details about our PHP installation, such as the installed PHP version.vi /var/www/info.php
As you see, PHP5 is working, and it's working through the Apache 2.0 Handler, as shown in the Server API line. If you scroll further down, you will see all modules that are already enabled in PHP5. MySQL is not listed there which means we don't have MySQL support in PHP5 yet.
6 Getting MySQL Support In PHP5
To get MySQL support in PHP, we can install the php5-mysql package. It's a good idea to install some other PHP5 modules as well as you might need them for your applications. You can search for available PHP5 modules like this:aptitude search php5
Pick the ones you need and install them like this:aptitude install php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-json
Now restart Apache2:/etc/init.d/apache2 restart
Now reload http://192.168.0.100/info.php in your browser and scroll down to the modules section again. You should now find lots of new modules there, including the MySQL module:7 phpMyAdmin
phpMyAdmin is a web interface through which you can manage your MySQL databases. It's a good idea to install it:aptitude install phpmyadmin
You will see the following questions:Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
Afterwards, you can access phpMyAdmin under http://192.168.0.100/phpmyadmin/:
ubuntu 9.10 setup
For ubuntu 9.10 I have used the procedures as described in
http://www.howtoforge.com/perfect-server-ubuntu-10.04-lucid-lynx-ispconfig-2
4 Get root Privileges
After the reboot you can login with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing
sudo su
(You can as well enable the root login by running
sudo passwd root
and giving root a password. You can then directly log in as root, but this is frowned upon by the Ubuntu developers and community for various reasons. See http://ubuntuforums.org/showthread.php?t=765414.)
5 Install The SSH Server (Optional)
If you did not install the OpenSSH server during the system installation, you can do it now:
aptitude install ssh openssh-server
From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu 10.04 server and follow the remaining steps from this tutorial.
6 Install vim-nox (Optional)
I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-nox:
aptitude install vim-nox
(You don't have to do this if you use a different text editor such as joe or nano.)
7 Configure The Network
Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
Then restart your network:
/etc/init.d/networking restart
Then edit /etc/hosts. Make it look like this:
vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.0.100 server1.example.com server1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Now run
echo server1.example.com > /etc/hostname
/etc/init.d/hostname restart
Afterwards, run
hostname
hostname -f
Both should show server1.example.com now.
8 Edit /etc/apt/sources.list And Update Your Linux Installation
Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:
vi /etc/apt/sources.list
# deb cdrom:[Ubuntu-Server 10.04 LTS _Lucid Lynx_ - Release amd64 (20100427)]/ lucid main restricted
#deb cdrom:[Ubuntu-Server 10.04 LTS _Lucid Lynx_ - Release amd64 (20100427)]/ lucid main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ lucid main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ lucid universe
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid universe
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ lucid multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid multiverse
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu lucid partner
# deb-src http://archive.canonical.com/ubuntu lucid partner
deb http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-src http://security.ubuntu.com/ubuntu lucid-security main restricted
deb http://security.ubuntu.com/ubuntu lucid-security universe
deb-src http://security.ubuntu.com/ubuntu lucid-security universe
deb http://security.ubuntu.com/ubuntu lucid-security multiverse
deb-src http://security.ubuntu.com/ubuntu lucid-security multiverse
Then run
aptitude update
to update the apt package database and
aptitude safe-upgrade
to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:
reboot
9 Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:
dpkg-reconfigure dash
Install dash as /bin/sh? <-- No If you don't do this, the ISPConfig installation will fail. 10 Disable AppArmor ( I have skipped this procedure since ISPConfig was not installed)AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).
We can disable it like this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
aptitude remove apparmor apparmor-utils
11 Install Some Software
Now we install a few packages that are needed later on. Run
aptitude install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential
(This command must go into one line!)
12 Journaled Quota
(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)
To install quota, run
aptitude install quota
Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):
vi /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid -o value -s UUID' to print the universally unique identifier
# for a device; this may be used with UUID= as a more robust way to name
# devices that works even if disks are added and removed. See fstab(5).
#
#
proc /proc proc nodev,noexec,nosuid 0 0
/dev/mapper/server1-root / ext4 errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1
# /boot was on /dev/sda1 during installation
UUID=9eef7b6b-5688-456c-8fe2-05ae739e3635 /boot ext2 defaults 0 2
/dev/mapper/server1-swap_1 none swap sw 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
To enable quota, run these commands:
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
13 DNS Server
Run
aptitude install bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
vi /etc/default/bind9
# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-u bind -t /var/lib/named"
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to create the file /etc/rsyslog.d/bind-chroot.conf...
vi /etc/rsyslog.d/bind-chroot.conf
... and add the following line so that we can still get important messages logged to the system logs:
$AddUnixListenSocket /var/lib/named/dev/log
Restart the logging daemon:
/etc/init.d/rsyslog restart
Start up BIND, and check /var/log/syslog for errors:
/etc/init.d/bind9 start
14 MySQL
In order to install MySQL, we run
aptitude install mysql-server mysql-client libmysqlclient16-dev
You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:
New password for the MySQL "root" user: <-- yourrootsqlpassword Repeat password for the MySQL "root" user: <-- yourrootsqlpassword We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1: vi /etc/mysql/my.cnf [...] # # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. #bind-address = 127.0.0.1 [...] Then we restart MySQL: /etc/init.d/mysql restart Now check that networking is enabled. Run netstat -tap grep mysql The output should look like this: root@server1:~# netstat -tap grep mysql tcp 0 0 *:mysql *:* LISTEN 6525/mysqld root@server1:~# 15 Postfix With SMTP-AUTH And TLS In order to install Postfix with SMTP-AUTH and TLS do the following steps: aptitude install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail You will be asked two questions. Answer as follows: General type of mail configuration: <-- Internet Site System mail name: <-- server1.example.com Then run dpkg-reconfigure postfix Again, you'll be asked some questions: General type of mail configuration: <-- Internet Site System mail name: <-- server1.example.com Root and postmaster mail recipient: <-- [blank] Other destinations to accept mail for (blank for none): <-- server1.example.com, localhost.example.com, localhost.localdomain, localhost Force synchronous updates on mail queue? <-- No Local networks: <-- 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 Use procmail for local delivery? <-- Yes Mailbox size limit (bytes): <-- 0 Local address extension character: <-- + Internet protocols to use: <-- all Next, do this: postconf -e 'smtpd_sasl_local_domain =' postconf -e 'smtpd_sasl_auth_enable = yes' postconf -e 'smtpd_sasl_security_options = noanonymous' postconf -e 'broken_sasl_auth_clients = yes' postconf -e 'smtpd_sasl_authenticated_header = yes' postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination' postconf -e 'inet_interfaces = all' echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
Afterwards we create the certificates for TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):
postconf -e 'myhostname = server1.example.com'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
The file /etc/postfix/main.cf should now look like this:
cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd
Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":
vi /etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
17 Apache/PHP5/Ruby/Python/WebDAV
Now we install Apache:
aptitude install apache2 apache2-doc apache2-mpm-prefork apache2-utils apache2-suexec libexpat1 ssl-cert
Next we install PHP5, Ruby, and Python (all three as Apache modules):
aptitude install libapache2-mod-php5 libapache2-mod-ruby libapache2-mod-python php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Next we edit /etc/apache2/mods-available/dir.conf:
vi /etc/apache2/mods-available/dir.conf
and change the DirectoryIndex line:
#DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml
Now we have to enable some Apache modules (SSL, rewrite, suexec, include, and WebDAV):
a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include
a2enmod dav_fs
a2enmod dav
Restart Apache:
/etc/init.d/apache2 restart
We have to fix a small problem with Ruby. If you install ISPConfig and enable Ruby for a web site, .rbx files will be executed fine and displayed in the browser, but this does not work for .rb files - you will be prompted to download the .rb file - the same happens if you configure Ruby manually for a vhost (i.e., it has nothing to do with ISPConfig). To fix this, we open /etc/mime.types...
vi /etc/mime.types
... and comment out the application/x-ruby line:
[...]
#application/x-ruby rb
[...]
Restart Apache:
/etc/init.d/apache2 restart
Now .rb files will be executed and displayed in the browser, just like .rbx files.
In the next chapter (17.1) we are going to disable PHP (this is necessary only if you want to install ISPConfig on this server). Unlike PHP, Ruby and Python are disabled by default, therefore we don't have to do it.
17.1 Disable PHP Globally
(If you do not plan to install ISPConfig on this server, please skip this section!)
In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig. For ubuntu 9.10 I have used the procedures as described in
http://www.howtoforge.com/perfect-server-ubuntu-10.04-lucid-lynx-ispconfig-2
4 Get root Privileges
After the reboot you can login with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing
sudo su
(You can as well enable the root login by running
sudo passwd root
and giving root a password. You can then directly log in as root, but this is frowned upon by the Ubuntu developers and community for various reasons. See http://ubuntuforums.org/showthread.php?t=765414.)
5 Install The SSH Server (Optional)
If you did not install the OpenSSH server during the system installation, you can do it now:
aptitude install ssh openssh-server
From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu 10.04 server and follow the remaining steps from this tutorial.
6 Install vim-nox (Optional)
I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-nox:
aptitude install vim-nox
(You don't have to do this if you use a different text editor such as joe or nano.)
7 Configure The Network
Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
Then restart your network:
/etc/init.d/networking restart
Then edit /etc/hosts. Make it look like this:
vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.0.100 server1.example.com server1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Now run
echo server1.example.com > /etc/hostname
/etc/init.d/hostname restart
Afterwards, run
hostname
hostname -f
Both should show server1.example.com now.
8 Edit /etc/apt/sources.list And Update Your Linux Installation
Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:
vi /etc/apt/sources.list
# deb cdrom:[Ubuntu-Server 10.04 LTS _Lucid Lynx_ - Release amd64 (20100427)]/ lucid main restricted
#deb cdrom:[Ubuntu-Server 10.04 LTS _Lucid Lynx_ - Release amd64 (20100427)]/ lucid main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ lucid main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ lucid universe
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid universe
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ lucid multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid multiverse
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu lucid partner
# deb-src http://archive.canonical.com/ubuntu lucid partner
deb http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-src http://security.ubuntu.com/ubuntu lucid-security main restricted
deb http://security.ubuntu.com/ubuntu lucid-security universe
deb-src http://security.ubuntu.com/ubuntu lucid-security universe
deb http://security.ubuntu.com/ubuntu lucid-security multiverse
deb-src http://security.ubuntu.com/ubuntu lucid-security multiverse
Then run
aptitude update
to update the apt package database and
aptitude safe-upgrade
to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:
reboot
9 Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:
dpkg-reconfigure dash
Install dash as /bin/sh? <-- No If you don't do this, the ISPConfig installation will fail. 10 Disable AppArmor ( I have skipped this procedure since ISPConfig was not installed)AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).
We can disable it like this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
aptitude remove apparmor apparmor-utils
11 Install Some Software
Now we install a few packages that are needed later on. Run
aptitude install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential
(This command must go into one line!)
12 Journaled Quota
(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)
To install quota, run
aptitude install quota
Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):
vi /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid -o value -s UUID' to print the universally unique identifier
# for a device; this may be used with UUID= as a more robust way to name
# devices that works even if disks are added and removed. See fstab(5).
#
#
proc /proc proc nodev,noexec,nosuid 0 0
/dev/mapper/server1-root / ext4 errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1
# /boot was on /dev/sda1 during installation
UUID=9eef7b6b-5688-456c-8fe2-05ae739e3635 /boot ext2 defaults 0 2
/dev/mapper/server1-swap_1 none swap sw 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
To enable quota, run these commands:
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
13 DNS Server
Run
aptitude install bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
vi /etc/default/bind9
# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-u bind -t /var/lib/named"
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to create the file /etc/rsyslog.d/bind-chroot.conf...
vi /etc/rsyslog.d/bind-chroot.conf
... and add the following line so that we can still get important messages logged to the system logs:
$AddUnixListenSocket /var/lib/named/dev/log
Restart the logging daemon:
/etc/init.d/rsyslog restart
Start up BIND, and check /var/log/syslog for errors:
/etc/init.d/bind9 start
14 MySQL
In order to install MySQL, we run
aptitude install mysql-server mysql-client libmysqlclient16-dev
You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:
New password for the MySQL "root" user: <-- yourrootsqlpassword Repeat password for the MySQL "root" user: <-- yourrootsqlpassword We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1: vi /etc/mysql/my.cnf [...] # # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. #bind-address = 127.0.0.1 [...] Then we restart MySQL: /etc/init.d/mysql restart Now check that networking is enabled. Run netstat -tap grep mysql The output should look like this: root@server1:~# netstat -tap grep mysql tcp 0 0 *:mysql *:* LISTEN 6525/mysqld root@server1:~# 15 Postfix With SMTP-AUTH And TLS In order to install Postfix with SMTP-AUTH and TLS do the following steps: aptitude install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail You will be asked two questions. Answer as follows: General type of mail configuration: <-- Internet Site System mail name: <-- server1.example.com Then run dpkg-reconfigure postfix Again, you'll be asked some questions: General type of mail configuration: <-- Internet Site System mail name: <-- server1.example.com Root and postmaster mail recipient: <-- [blank] Other destinations to accept mail for (blank for none): <-- server1.example.com, localhost.example.com, localhost.localdomain, localhost Force synchronous updates on mail queue? <-- No Local networks: <-- 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 Use procmail for local delivery? <-- Yes Mailbox size limit (bytes): <-- 0 Local address extension character: <-- + Internet protocols to use: <-- all Next, do this: postconf -e 'smtpd_sasl_local_domain =' postconf -e 'smtpd_sasl_auth_enable = yes' postconf -e 'smtpd_sasl_security_options = noanonymous' postconf -e 'broken_sasl_auth_clients = yes' postconf -e 'smtpd_sasl_authenticated_header = yes' postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination' postconf -e 'inet_interfaces = all' echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
Afterwards we create the certificates for TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):
postconf -e 'myhostname = server1.example.com'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
The file /etc/postfix/main.cf should now look like this:
cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd
Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":
vi /etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
17 Apache/PHP5/Ruby/Python/WebDAV
Now we install Apache:
aptitude install apache2 apache2-doc apache2-mpm-prefork apache2-utils apache2-suexec libexpat1 ssl-cert
Next we install PHP5, Ruby, and Python (all three as Apache modules):
aptitude install libapache2-mod-php5 libapache2-mod-ruby libapache2-mod-python php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Next we edit /etc/apache2/mods-available/dir.conf:
vi /etc/apache2/mods-available/dir.conf
and change the DirectoryIndex line:
#DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml
Now we have to enable some Apache modules (SSL, rewrite, suexec, include, and WebDAV):
a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include
a2enmod dav_fs
a2enmod dav
Restart Apache:
/etc/init.d/apache2 restart
We have to fix a small problem with Ruby. If you install ISPConfig and enable Ruby for a web site, .rbx files will be executed fine and displayed in the browser, but this does not work for .rb files - you will be prompted to download the .rb file - the same happens if you configure Ruby manually for a vhost (i.e., it has nothing to do with ISPConfig). To fix this, we open /etc/mime.types...
vi /etc/mime.types
... and comment out the application/x-ruby line:
[...]
#application/x-ruby rb
[...]
Restart Apache:
/etc/init.d/apache2 restart
Now .rb files will be executed and displayed in the browser, just like .rbx files.
In the next chapter (17.1) we are going to disable PHP (this is necessary only if you want to install ISPConfig on this server). Unlike PHP, Ruby and Python are disabled by default, therefore we don't have to do it.
17.1 Disable PHP Globally
(If you do not plan to install ISPConfig on this server, please skip this section!)
In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.
http://www.howtoforge.com/perfect-server-ubuntu-10.04-lucid-lynx-ispconfig-2
4 Get root Privileges
After the reboot you can login with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing
sudo su
(You can as well enable the root login by running
sudo passwd root
and giving root a password. You can then directly log in as root, but this is frowned upon by the Ubuntu developers and community for various reasons. See http://ubuntuforums.org/showthread.php?t=765414.)
5 Install The SSH Server (Optional)
If you did not install the OpenSSH server during the system installation, you can do it now:
aptitude install ssh openssh-server
From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu 10.04 server and follow the remaining steps from this tutorial.
6 Install vim-nox (Optional)
I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-nox:
aptitude install vim-nox
(You don't have to do this if you use a different text editor such as joe or nano.)
7 Configure The Network
Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
Then restart your network:
/etc/init.d/networking restart
Then edit /etc/hosts. Make it look like this:
vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.0.100 server1.example.com server1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Now run
echo server1.example.com > /etc/hostname
/etc/init.d/hostname restart
Afterwards, run
hostname
hostname -f
Both should show server1.example.com now.
8 Edit /etc/apt/sources.list And Update Your Linux Installation
Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:
vi /etc/apt/sources.list
# deb cdrom:[Ubuntu-Server 10.04 LTS _Lucid Lynx_ - Release amd64 (20100427)]/ lucid main restricted
#deb cdrom:[Ubuntu-Server 10.04 LTS _Lucid Lynx_ - Release amd64 (20100427)]/ lucid main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ lucid main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ lucid universe
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid universe
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ lucid multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid multiverse
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu lucid partner
# deb-src http://archive.canonical.com/ubuntu lucid partner
deb http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-src http://security.ubuntu.com/ubuntu lucid-security main restricted
deb http://security.ubuntu.com/ubuntu lucid-security universe
deb-src http://security.ubuntu.com/ubuntu lucid-security universe
deb http://security.ubuntu.com/ubuntu lucid-security multiverse
deb-src http://security.ubuntu.com/ubuntu lucid-security multiverse
Then run
aptitude update
to update the apt package database and
aptitude safe-upgrade
to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:
reboot
9 Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:
dpkg-reconfigure dash
Install dash as /bin/sh? <-- No If you don't do this, the ISPConfig installation will fail. 10 Disable AppArmor ( I have skipped this procedure since ISPConfig was not installed)AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).
We can disable it like this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
aptitude remove apparmor apparmor-utils
11 Install Some Software
Now we install a few packages that are needed later on. Run
aptitude install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential
(This command must go into one line!)
12 Journaled Quota
(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)
To install quota, run
aptitude install quota
Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):
vi /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid -o value -s UUID' to print the universally unique identifier
# for a device; this may be used with UUID= as a more robust way to name
# devices that works even if disks are added and removed. See fstab(5).
#
#
proc /proc proc nodev,noexec,nosuid 0 0
/dev/mapper/server1-root / ext4 errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1
# /boot was on /dev/sda1 during installation
UUID=9eef7b6b-5688-456c-8fe2-05ae739e3635 /boot ext2 defaults 0 2
/dev/mapper/server1-swap_1 none swap sw 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
To enable quota, run these commands:
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
13 DNS Server
Run
aptitude install bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
vi /etc/default/bind9
# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-u bind -t /var/lib/named"
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to create the file /etc/rsyslog.d/bind-chroot.conf...
vi /etc/rsyslog.d/bind-chroot.conf
... and add the following line so that we can still get important messages logged to the system logs:
$AddUnixListenSocket /var/lib/named/dev/log
Restart the logging daemon:
/etc/init.d/rsyslog restart
Start up BIND, and check /var/log/syslog for errors:
/etc/init.d/bind9 start
14 MySQL
In order to install MySQL, we run
aptitude install mysql-server mysql-client libmysqlclient16-dev
You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:
New password for the MySQL "root" user: <-- yourrootsqlpassword Repeat password for the MySQL "root" user: <-- yourrootsqlpassword We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1: vi /etc/mysql/my.cnf [...] # # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. #bind-address = 127.0.0.1 [...] Then we restart MySQL: /etc/init.d/mysql restart Now check that networking is enabled. Run netstat -tap grep mysql The output should look like this: root@server1:~# netstat -tap grep mysql tcp 0 0 *:mysql *:* LISTEN 6525/mysqld root@server1:~# 15 Postfix With SMTP-AUTH And TLS In order to install Postfix with SMTP-AUTH and TLS do the following steps: aptitude install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail You will be asked two questions. Answer as follows: General type of mail configuration: <-- Internet Site System mail name: <-- server1.example.com Then run dpkg-reconfigure postfix Again, you'll be asked some questions: General type of mail configuration: <-- Internet Site System mail name: <-- server1.example.com Root and postmaster mail recipient: <-- [blank] Other destinations to accept mail for (blank for none): <-- server1.example.com, localhost.example.com, localhost.localdomain, localhost Force synchronous updates on mail queue? <-- No Local networks: <-- 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 Use procmail for local delivery? <-- Yes Mailbox size limit (bytes): <-- 0 Local address extension character: <-- + Internet protocols to use: <-- all Next, do this: postconf -e 'smtpd_sasl_local_domain =' postconf -e 'smtpd_sasl_auth_enable = yes' postconf -e 'smtpd_sasl_security_options = noanonymous' postconf -e 'broken_sasl_auth_clients = yes' postconf -e 'smtpd_sasl_authenticated_header = yes' postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination' postconf -e 'inet_interfaces = all' echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
Afterwards we create the certificates for TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):
postconf -e 'myhostname = server1.example.com'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
The file /etc/postfix/main.cf should now look like this:
cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd
Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":
vi /etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
17 Apache/PHP5/Ruby/Python/WebDAV
Now we install Apache:
aptitude install apache2 apache2-doc apache2-mpm-prefork apache2-utils apache2-suexec libexpat1 ssl-cert
Next we install PHP5, Ruby, and Python (all three as Apache modules):
aptitude install libapache2-mod-php5 libapache2-mod-ruby libapache2-mod-python php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Next we edit /etc/apache2/mods-available/dir.conf:
vi /etc/apache2/mods-available/dir.conf
and change the DirectoryIndex line:
#DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml
Now we have to enable some Apache modules (SSL, rewrite, suexec, include, and WebDAV):
a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include
a2enmod dav_fs
a2enmod dav
Restart Apache:
/etc/init.d/apache2 restart
We have to fix a small problem with Ruby. If you install ISPConfig and enable Ruby for a web site, .rbx files will be executed fine and displayed in the browser, but this does not work for .rb files - you will be prompted to download the .rb file - the same happens if you configure Ruby manually for a vhost (i.e., it has nothing to do with ISPConfig). To fix this, we open /etc/mime.types...
vi /etc/mime.types
... and comment out the application/x-ruby line:
[...]
#application/x-ruby rb
[...]
Restart Apache:
/etc/init.d/apache2 restart
Now .rb files will be executed and displayed in the browser, just like .rbx files.
In the next chapter (17.1) we are going to disable PHP (this is necessary only if you want to install ISPConfig on this server). Unlike PHP, Ruby and Python are disabled by default, therefore we don't have to do it.
17.1 Disable PHP Globally
(If you do not plan to install ISPConfig on this server, please skip this section!)
In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig. For ubuntu 9.10 I have used the procedures as described in
http://www.howtoforge.com/perfect-server-ubuntu-10.04-lucid-lynx-ispconfig-2
4 Get root Privileges
After the reboot you can login with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing
sudo su
(You can as well enable the root login by running
sudo passwd root
and giving root a password. You can then directly log in as root, but this is frowned upon by the Ubuntu developers and community for various reasons. See http://ubuntuforums.org/showthread.php?t=765414.)
5 Install The SSH Server (Optional)
If you did not install the OpenSSH server during the system installation, you can do it now:
aptitude install ssh openssh-server
From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu 10.04 server and follow the remaining steps from this tutorial.
6 Install vim-nox (Optional)
I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-nox:
aptitude install vim-nox
(You don't have to do this if you use a different text editor such as joe or nano.)
7 Configure The Network
Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
Then restart your network:
/etc/init.d/networking restart
Then edit /etc/hosts. Make it look like this:
vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.0.100 server1.example.com server1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Now run
echo server1.example.com > /etc/hostname
/etc/init.d/hostname restart
Afterwards, run
hostname
hostname -f
Both should show server1.example.com now.
8 Edit /etc/apt/sources.list And Update Your Linux Installation
Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:
vi /etc/apt/sources.list
# deb cdrom:[Ubuntu-Server 10.04 LTS _Lucid Lynx_ - Release amd64 (20100427)]/ lucid main restricted
#deb cdrom:[Ubuntu-Server 10.04 LTS _Lucid Lynx_ - Release amd64 (20100427)]/ lucid main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ lucid main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ lucid universe
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid universe
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ lucid multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid multiverse
deb http://de.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu lucid partner
# deb-src http://archive.canonical.com/ubuntu lucid partner
deb http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-src http://security.ubuntu.com/ubuntu lucid-security main restricted
deb http://security.ubuntu.com/ubuntu lucid-security universe
deb-src http://security.ubuntu.com/ubuntu lucid-security universe
deb http://security.ubuntu.com/ubuntu lucid-security multiverse
deb-src http://security.ubuntu.com/ubuntu lucid-security multiverse
Then run
aptitude update
to update the apt package database and
aptitude safe-upgrade
to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:
reboot
9 Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:
dpkg-reconfigure dash
Install dash as /bin/sh? <-- No If you don't do this, the ISPConfig installation will fail. 10 Disable AppArmor ( I have skipped this procedure since ISPConfig was not installed)AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).
We can disable it like this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
aptitude remove apparmor apparmor-utils
11 Install Some Software
Now we install a few packages that are needed later on. Run
aptitude install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential
(This command must go into one line!)
12 Journaled Quota
(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)
To install quota, run
aptitude install quota
Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):
vi /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid -o value -s UUID' to print the universally unique identifier
# for a device; this may be used with UUID= as a more robust way to name
# devices that works even if disks are added and removed. See fstab(5).
#
#
proc /proc proc nodev,noexec,nosuid 0 0
/dev/mapper/server1-root / ext4 errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1
# /boot was on /dev/sda1 during installation
UUID=9eef7b6b-5688-456c-8fe2-05ae739e3635 /boot ext2 defaults 0 2
/dev/mapper/server1-swap_1 none swap sw 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
To enable quota, run these commands:
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
13 DNS Server
Run
aptitude install bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
vi /etc/default/bind9
# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-u bind -t /var/lib/named"
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to create the file /etc/rsyslog.d/bind-chroot.conf...
vi /etc/rsyslog.d/bind-chroot.conf
... and add the following line so that we can still get important messages logged to the system logs:
$AddUnixListenSocket /var/lib/named/dev/log
Restart the logging daemon:
/etc/init.d/rsyslog restart
Start up BIND, and check /var/log/syslog for errors:
/etc/init.d/bind9 start
14 MySQL
In order to install MySQL, we run
aptitude install mysql-server mysql-client libmysqlclient16-dev
You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:
New password for the MySQL "root" user: <-- yourrootsqlpassword Repeat password for the MySQL "root" user: <-- yourrootsqlpassword We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1: vi /etc/mysql/my.cnf [...] # # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. #bind-address = 127.0.0.1 [...] Then we restart MySQL: /etc/init.d/mysql restart Now check that networking is enabled. Run netstat -tap grep mysql The output should look like this: root@server1:~# netstat -tap grep mysql tcp 0 0 *:mysql *:* LISTEN 6525/mysqld root@server1:~# 15 Postfix With SMTP-AUTH And TLS In order to install Postfix with SMTP-AUTH and TLS do the following steps: aptitude install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail You will be asked two questions. Answer as follows: General type of mail configuration: <-- Internet Site System mail name: <-- server1.example.com Then run dpkg-reconfigure postfix Again, you'll be asked some questions: General type of mail configuration: <-- Internet Site System mail name: <-- server1.example.com Root and postmaster mail recipient: <-- [blank] Other destinations to accept mail for (blank for none): <-- server1.example.com, localhost.example.com, localhost.localdomain, localhost Force synchronous updates on mail queue? <-- No Local networks: <-- 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 Use procmail for local delivery? <-- Yes Mailbox size limit (bytes): <-- 0 Local address extension character: <-- + Internet protocols to use: <-- all Next, do this: postconf -e 'smtpd_sasl_local_domain =' postconf -e 'smtpd_sasl_auth_enable = yes' postconf -e 'smtpd_sasl_security_options = noanonymous' postconf -e 'broken_sasl_auth_clients = yes' postconf -e 'smtpd_sasl_authenticated_header = yes' postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination' postconf -e 'inet_interfaces = all' echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
Afterwards we create the certificates for TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):
postconf -e 'myhostname = server1.example.com'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
The file /etc/postfix/main.cf should now look like this:
cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd
Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":
vi /etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
17 Apache/PHP5/Ruby/Python/WebDAV
Now we install Apache:
aptitude install apache2 apache2-doc apache2-mpm-prefork apache2-utils apache2-suexec libexpat1 ssl-cert
Next we install PHP5, Ruby, and Python (all three as Apache modules):
aptitude install libapache2-mod-php5 libapache2-mod-ruby libapache2-mod-python php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Next we edit /etc/apache2/mods-available/dir.conf:
vi /etc/apache2/mods-available/dir.conf
and change the DirectoryIndex line:
#DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml
Now we have to enable some Apache modules (SSL, rewrite, suexec, include, and WebDAV):
a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include
a2enmod dav_fs
a2enmod dav
Restart Apache:
/etc/init.d/apache2 restart
We have to fix a small problem with Ruby. If you install ISPConfig and enable Ruby for a web site, .rbx files will be executed fine and displayed in the browser, but this does not work for .rb files - you will be prompted to download the .rb file - the same happens if you configure Ruby manually for a vhost (i.e., it has nothing to do with ISPConfig). To fix this, we open /etc/mime.types...
vi /etc/mime.types
... and comment out the application/x-ruby line:
[...]
#application/x-ruby rb
[...]
Restart Apache:
/etc/init.d/apache2 restart
Now .rb files will be executed and displayed in the browser, just like .rbx files.
In the next chapter (17.1) we are going to disable PHP (this is necessary only if you want to install ISPConfig on this server). Unlike PHP, Ruby and Python are disabled by default, therefore we don't have to do it.
17.1 Disable PHP Globally
(If you do not plan to install ISPConfig on this server, please skip this section!)
In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.
clamav
clamav
1. Install ClamAV, the daemon, and freshclam.
$ sudo apt-get install clamav clamav-daemon clamav-freshclam
2. Just as it finishes installing it will of course warn you that the virus database is older than 7 days and that it will need updating.
$ sudo freshclam
3. You may notice that it will bark at you because the ClamAV installation is outdated. As of the time that I am writing this, ClamAV has released a new version however it has not yet been tested and released to the Ubuntu public. Please see this for more information. http://www.clamav.net/support/faq
1. Install ClamAV, the daemon, and freshclam.
$ sudo apt-get install clamav clamav-daemon clamav-freshclam
2. Just as it finishes installing it will of course warn you that the virus database is older than 7 days and that it will need updating.
$ sudo freshclam
3. You may notice that it will bark at you because the ClamAV installation is outdated. As of the time that I am writing this, ClamAV has released a new version however it has not yet been tested and released to the Ubuntu public. Please see this for more information. http://www.clamav.net/support/faq
How to install webmin
webmin
You need to install first some perl-related libraries required by webmin:
sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl
libmd5-perl cannot be installed on Ubuntu server 10.04
Re: Trying to install libmd5-perl on Ubuntu server 10.04! The you need to download the latest webmin archive (this might change in time). I am downloading the Debian package:
wget http://www.webmin.com/download/deb/webmin-current.deb
(thanks @macrocode)
Install the Debian package with dpkg, not Aptitude:
sudo dpkg -i webmin_1.510_all.deb
* Your downloaded version may differ. Just use the deb package you’ve just downloaded.
--------------------------------------------------------------------------------
Solved:
wget http://ftp.jp.debian.org/debian/pool/main/libm/libmd5-perl/libmd5-perl_2.03-1_all.deb
or
wget http://ftp.uk.debian.org/debian/pool/main/libm/libmd5-perl/libmd5-perl_2.03-1_all.deb
then
sudo dpkg -i libmd5-perl_2.03-1_all.deb
You need to install first some perl-related libraries required by webmin:
sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl
libmd5-perl cannot be installed on Ubuntu server 10.04
Re: Trying to install libmd5-perl on Ubuntu server 10.04! The you need to download the latest webmin archive (this might change in time). I am downloading the Debian package:
wget http://www.webmin.com/download/deb/webmin-current.deb
(thanks @macrocode)
Install the Debian package with dpkg, not Aptitude:
sudo dpkg -i webmin_1.510_all.deb
* Your downloaded version may differ. Just use the deb package you’ve just downloaded.
--------------------------------------------------------------------------------
Solved:
wget http://ftp.jp.debian.org/debian/pool/main/libm/libmd5-perl/libmd5-perl_2.03-1_all.deb
or
wget http://ftp.uk.debian.org/debian/pool/main/libm/libmd5-perl/libmd5-perl_2.03-1_all.deb
then
sudo dpkg -i libmd5-perl_2.03-1_all.deb
วันจันทร์ที่ 7 มิถุนายน พ.ศ. 2553
ยกเลิกบริการข่าว INN ของโทรศัพท์ AIS
ยกเลิกบริการข่าว INN ของโทรศัพท์ AIS และ 12Call ครับ
สำหรับบริการ INN อื่นๆ
1. บริการข่าวทั่วไป INN Hot News หมายเลขยกเลิก กด *452233399 กดปุ่มโทรออก
2. บริการข่าวการเมือง INN Politic News หมายเลขยกเลิก กด *452244499 กดปุ่มโทรออก
3. บริการข่าวเศรษฐกิจ INN Biz News หมายเลขยกเลิก กด *452255599 กดปุ่มโทรออก
4. บริการข่าวกีฬา INN Sport News หมายเลขยกเลิก กด *452266699 กดปุ่มโทรออก
5. บริการข่าวมุสลิม World Muslim News หมายเลขยกเลิก กด *452234599 กดปุ่มโทรออก
6. บริการข่าวบันเทิง INN Dara News หมายเลขยกเลิกบริการ กด *452211199 กดปุ่มโทรออก
(ข้อมูลจาก AIS Call Center)
เผื่อว่าใครที่เผลอกดเข้าไป ตอนที่มีการส่งSMS มา แล้วโดนหักตังค์ไปเดือนละ 30 ๆ
ก็เข้าไปกดยกเลิกได้เลยนะขอรับ
สำหรับบริการ INN อื่นๆ
1. บริการข่าวทั่วไป INN Hot News หมายเลขยกเลิก กด *452233399 กดปุ่มโทรออก
2. บริการข่าวการเมือง INN Politic News หมายเลขยกเลิก กด *452244499 กดปุ่มโทรออก
3. บริการข่าวเศรษฐกิจ INN Biz News หมายเลขยกเลิก กด *452255599 กดปุ่มโทรออก
4. บริการข่าวกีฬา INN Sport News หมายเลขยกเลิก กด *452266699 กดปุ่มโทรออก
5. บริการข่าวมุสลิม World Muslim News หมายเลขยกเลิก กด *452234599 กดปุ่มโทรออก
6. บริการข่าวบันเทิง INN Dara News หมายเลขยกเลิกบริการ กด *452211199 กดปุ่มโทรออก
(ข้อมูลจาก AIS Call Center)
เผื่อว่าใครที่เผลอกดเข้าไป ตอนที่มีการส่งSMS มา แล้วโดนหักตังค์ไปเดือนละ 30 ๆ
ก็เข้าไปกดยกเลิกได้เลยนะขอรับ
สมัครสมาชิก:
บทความ (Atom)