ISPConfig 3 on AWS with RDS and Ubuntu 14.10
Setting up ISPConfig on AWS with an Ubuntu 14.04 image and MySQL RDS
Features;
- Nginx
- RDS (MySQL)
- Ubuntu 14.10
- EC2
- VPC
- Dovecot
- Postfix
- ISPConfig
Basically we are using the great guide below with modifications to suit Amazon’s AWS infrastructure.
https://www.howtoforge.com/perfect-server-ubuntu-14.10-with-nginx-bind-dovecot-and-ispconfig-3
Set up a hostname on your machine;
sudo vim /etc/hostname
Add;
www.example.com
Edit your hosts file and add the hostname with your local (private) IP;
sudo vim /etc/hosts
Example;
127.0.0.1 localhost
172.31.31.242 www.example.com

# The following lines are desirable for IPv6 capable hosts
Make sure that the multiverse and universe repositories are enabled by uncommenting them in /etc/apt/sources.list, then update and upgrade;
sudo apt-get update && sudo apt-get upgrade -y
If a new kernel was installed, reboot (if you don’t know, just reboot anyway);
sudo reboot
Ubuntu uses dash as the default system shell (/bin/sh); we need to change that to bash using dpkg-reconfigure;
sudo dpkg-reconfigure dash
Select “No” when it asks whether to use dash as the default system shell.
Disable apparmor;
sudo service apparmor stop
sudo service apparmor teardown
sudo update-rc.d -f apparmor remove
sudo apt-get remove apparmor apparmor-utils
Set up NTP for time synchronisation;
sudo apt-get install ntp ntpdate
Install Postfix, Dovecot, rkhunter, mysql-client and binutils;
sudo apt-get install postfix postfix-mysql postfix-doc openssl mysql-client getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve
For the postfix setup select the following;
- Hostname – www.example.com
- Local only
- Internet Site
- System mail name – www.example.com
Modify the following lines in Postfix’s /etc/postfix/master.cf (they are commented out in the stock file);
submission inet n - - - - smtpd
and
smtps inet n - - - - smtpd
Now add the following line in both the smtps and submission sections, so that these ports only accept SASL-authenticated clients;
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
Restart postfix;
service postfix restart
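As an added example (mine, not from the original guide or Postfix), here is a small Python check that parses a master.cf fragment and reports which of the submission and smtps services lack the smtpd_client_restrictions override described above. The master.cf text is constructed for illustration, with the smtps override commented out to show that the check catches it.

```python
import re

# Constructed master.cf fragment for illustration (not the page's file):
# submission carries the override from the how-to, smtps has it commented out.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    unix  n       -       -       60      1       pickup
"""

WANTED = "permit_sasl_authenticated,reject"

def parse_master_cf(text):
    """Map each service name to a dict of its '-o name=value' overrides.

    A service line starts in column 1 with 8 whitespace-separated fields;
    continuation lines are indented. Comment lines are skipped, so an
    override that someone left a '#' in front of simply disappears.
    """
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # continuation line of the current service
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if current is not None and m:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) >= 8:
            current = fields[0]
            services[current] = {}
    return services

def services_missing_auth_restriction(text, names=("submission", "smtps")):
    """Return the listed services whose smtpd_client_restrictions override is
    absent or differs from permit_sasl_authenticated,reject."""
    parsed = parse_master_cf(text)
    return [s for s in names
            if parsed.get(s, {}).get("smtpd_client_restrictions") != WANTED]
```

Run it against your own file with `services_missing_auth_restriction(open("/etc/postfix/master.cf").read())`; an empty list means both sections carry the override.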
Install Amavisd-new, SpamAssassin and ClamAV;
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
ISPConfig uses Amavis, which loads SpamAssassin internally, so we can stop the standalone spamassassin service;
service spamassassin stop
update-rc.d -f spamassassin remove
Update the ClamAV signatures and start the daemon;
freshclam
service clamav-daemon start
Install Nginx;
sudo apt-get install nginx
sudo service nginx start
Install PHP5 via php5-fpm;
sudo apt-get install php5-fpm
You might want to install some extra php5 modules like;
sudo apt-get install php5-cli php5-common php5-curl php5-gd php5-imagick php5-imap php5-intl php5-json php5-mcrypt php5-memcache php5-ming php5-mysql php5-ps php5-pspell php5-readline php5-recode php5-snmp php5-sqlite php5-tidy php5-xcache php5-xmlrpc php5-xsl
You can search for them with;
sudo apt-cache search php5-*
Install APC;
sudo apt-get install php-apc
Fix the following parameter in your /etc/php5/fpm/php.ini, so that PHP-FPM executes only the exact script path nginx hands it rather than guessing at a trailing path component;
cgi.fix_pathinfo=0
Restart php5-fpm;
sudo service php5-fpm reload
Install fcgiwrap;
sudo apt-get install fcgiwrap
Install phpMyAdmin;
sudo apt-get install phpmyadmin
Do not select lighttpd or apache2, just click “OK” to continue (Nginx is neither of these).
Select “No” when asked to configure phpmyadmin with dbconfig-common;
<nginx configuration for phpmyadmin>
Install Mailman;
apt-get install mailman
Set up a new mailing list called mailman before Mailman can be used;
sudo newlist mailman
Add the following lines to /etc/aliases;
## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"
Run;
sudo newaliases
Restart postfix;
sudo service postfix restart
Then start mailman;
sudo service mailman restart
<insert mailman nginx configuration>
Install PureFTPd and Quota;
sudo apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
Edit /etc/default/pure-ftpd-common;
vim /etc/default/pure-ftpd-common
Make sure that the start mode is set to standalone and VIRTUALCHROOT=true;
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
If you want to run TLS FTP sessions then complete the following;
echo 1 > /etc/pure-ftpd/conf/TLS
In order to use TLS we need to set up a new certificate;
mkdir -p /etc/ssl/private/
Generate a self-signed SSL certificate (the private key and the certificate end up in the same .pem file) with;
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Change the permissions on the file, since it contains the private key;
chmod 600 /etc/ssl/private/pure-ftpd.pem
Restart PureFTPd;
sudo service pure-ftpd-mysql restart
Set up quotas by adding the quota options to the root filesystem entry in /etc/fstab;
LABEL=cloudimg-rootfs / ext4 defaults,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 0
The kernel supplied with the Amazon Ubuntu image doesn’t support quotas (the modules have been removed), so we’ll need to add the support back with the following package;
sudo apt-get install linux-image-extra-virtual
Add the following kernel modules to /etc/modules so they load on boot;
- quota_v2
- quota_v1
Example /etc/modules;
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.
# LP: #450463
acpiphp
quota_v2
quota_v1
Reboot and check the modules loaded correctly;
cat /proc/modules | grep -i quota
This should return;
quota_v1 12802 0 - Live 0x0000000000000000
quota_v2 13431 2 - Live 0x0000000000000000
quota_tree 18219 1 quota_v2, Live 0x0000000000000000
Check that quota is enabled after reboot;
quotaon -pa
group quota on / (/dev/disk/by-uuid/b14a2934-26c6-4d70-a4ee-d7b02e1c5d67) is on
user quota on / (/dev/disk/by-uuid/b14a2934-26c6-4d70-a4ee-d7b02e1c5d67) is on
Install bind;
sudo apt-get install bind9 dnsutils
Install Vlogger, Webalizer and AWStats;
sudo apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Open /etc/cron.d/awstats and comment out everything;
#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
Install Jailkit
Jailkit is needed to jail SSH users (Recommended). Important: Jailkit can only be installed before ISPConfig!
sudo apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
tar xvfz jailkit-2.17.tar.gz
cd jailkit-2.17
sudo ./debian/rules binary
You can now install the Jailkit .deb package as follows:
cd ..
sudo dpkg -i jailkit_2.17-1_*.deb
sudo rm -rf jailkit-2.17*
cd ..
Install fail2ban (Recommended);
sudo apt-get install fail2ban
Set up fail2ban to monitor PureFTPd, Dovecot and Postfix SASL logins;
sudo vim /etc/fail2ban/jail.local
Add the following;
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
Now create the following filters;
sudo vim /etc/fail2ban/filter.d/pureftpd.conf
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =
sudo vim /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
Restart fail2ban to load the rules;
sudo service fail2ban restart
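To see what the two filters above actually catch before relying on them, here is an added example (mine, not part of the original guide or of fail2ban) that applies the page’s failregex strings and maxretry values to a handful of constructed syslog and mail.log lines. It mirrors fail2ban’s <HOST> expansion but, as a simplification, runs a plain search over the whole line and ignores the findtime window.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> placeholder into this named group; the dovecot
# filter on the page writes its own (?P<host>...) group out by hand instead.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex strings copied from the two filter files above, paired with the
# maxretry value of the corresponding jail in jail.local.
FILTERS = {
    "pureftpd": (r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*", 3),
    "dovecot-pop3imap": (
        r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
        r"|Aborted login \(tried to use disabled|Disconnected \(auth failed"
        r"|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*", 5),
}

def failed_hosts(lines, failregex):
    """Count matching log lines per source host, as the filter would."""
    rx = re.compile(failregex.replace("<HOST>", HOST_RE))
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def would_ban(lines, jail):
    """Hosts whose failure count reaches the jail's maxretry (findtime ignored)."""
    failregex, maxretry = FILTERS[jail]
    return sorted(h for h, n in failed_hosts(lines, failregex).items() if n >= maxretry)

# Constructed syslog / mail.log lines (not real traffic), including a successful
# FTP login and a successful IMAP login that must not count as failures.
SAMPLE_LOG = """\
Jan 10 12:00:01 www pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]
Jan 10 12:00:03 www pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]
Jan 10 12:00:05 www pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [root]
Jan 10 12:00:07 www pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [bob]
Jan 10 12:00:09 www pure-ftpd: (?@198.51.100.7) [INFO] bob is now logged in
Jan 10 12:01:01 www dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=172.31.31.242, TLS
Jan 10 12:01:02 www dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=172.31.31.242, TLS
Jan 10 12:01:03 www dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=172.31.31.242, TLS
Jan 10 12:01:04 www dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): user=<bob>, rip=198.51.100.7, lip=172.31.31.242
Jan 10 12:01:05 www dovecot: imap-login: Aborted login (3 authentication attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=172.31.31.242, TLS
Jan 10 12:01:20 www dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.5, lip=172.31.31.242
Jan 10 12:01:30 www dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.9, lip=172.31.31.242, TLS
"""
```

With these lines, `would_ban(SAMPLE_LOG.splitlines(), "pureftpd")` reports only 203.0.113.5 and the dovecot jail only 198.51.100.7; the real tool for this job on the server is `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf`.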
Install webmail software
<insert webmail configuration - roundcube>
Remove apache2;
sudo service apache2 stop
sudo apt-get remove apache2
sudo update-rc.d -f apache2 remove
Restart nginx;
sudo service nginx restart
Install ISPConfig;
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
Run the php installer;
sudo php -q install.php
--------------------------------------------------------------------------------
 _____ ___________  _____              __ _         ____
|_   _/  ___| ___ \/  __ \            / _(_)       /__  \
  | | \ `--.| |_/ /| /  \/ ___  _ __ | |_ _  __ _   _/  /
  | |  `--. \  __/ | |    / _ \| '_ \|  _| |/ _` | |_ |
 _| |_/\__/ / |    | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|     \____/\___/|_| |_|_| |_|\__, | \____/
                                             __/ |
                                            |___/
--------------------------------------------------------------------------------

>> Initial configuration

Operating System: 14.04.1 LTS (Trusty Tahr)

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]:

Installation mode (standard,expert) [standard]: expert

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [www.example.com]:

MySQL server hostname [localhost]: example.abcdefghighk.ap-southeast-2.rds.amazonaws.com

MySQL root username [root]: exampleadmin

MySQL root password []: your-root-password

MySQL database to create [dbispconfig]:

MySQL charset [utf8]:

The next two questions are about the internal ISPConfig database user and password.
It is recommended to accept the defaults which are 'ispconfig' as username and a random password.
If you use a different password, use only numbers and chars for the password.

ISPConfig mysql database username [ispconfig]:

ISPConfig mysql database password [5b06854d5cbf0eff8c055729c55978e3]:

Shall this server join an existing ISPConfig multiserver setup (y,n) [n]:

Apache and nginx detected. Select server to use for ISPConfig: (apache,nginx) [apache]: nginx

Adding ISPConfig server record to database.

Configure Mail (y,n) [y]:

Configuring Postfix
Generating a 4096 bit RSA private key
.......................................++
...................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Victoria
Locality Name (eg, city) []:Melbourne
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
Organizational Unit Name (eg, section) []:Infrastructure
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:infrastructure@example.com
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
 * Stopping Postfix Mail Transport Agent postfix ...done.
 * Starting Postfix Mail Transport Agent postfix ...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
 * Stopping ClamAV daemon clamd ...done.
 * Starting ClamAV daemon clamd ...done.
dovecot stop/waiting
dovecot start/running, process 15884

Configure Jailkit (y,n) [y]: y

Configuring Jailkit

Configure FTP Server (y,n) [y]: y

Configuring Pureftpd
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -b -E -A -D -H -u 1000 -Y 1 -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B

Configure DNS Server (y,n) [y]: y

Configuring BIND

Hint: If this server shall run the ISPConfig interface, select 'y' in the 'Configure nginx Server' option.

Configure nginx Server (y,n) [y]: y

Configuring nginx
Configuring Apps vhost

Configure Firewall Server (y,n) [y]: y

Configuring Bastille Firewall

Install ISPConfig Web Interface (y,n) [y]: y

Installing ISPConfig
ISPConfig Port [8080]:

Enable SSL for the ISPConfig web interface (y,n) [y]: y

Generating RSA private key, 4096 bit long modulus
.++
....++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Victoria
Locality Name (eg, city) []:Melbourne
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
Organizational Unit Name (eg, section) []:Infrastructure
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:infrastructure@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
writing RSA key

Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
 * Reloading nginx configuration nginx ...done.
Installation completed.
If you have not updated your DNS records for the host you specified at the beginning you will not be able to log into ISPConfig, because the MySQL grants ISPConfig created are tied to that hostname and MySQL resolves the connecting client’s address to check it (and caches the result in its host cache).
If you are having trouble logging into the interface with username admin and password admin you can do the following;
If you see the following error in /var/log/nginx/error.log
Access denied for user 'ispconfig'@'%' to database 'dbispconfig' in /usr/local/ispconfig/interface/lib/classes/db_mysql.inc.php on line 70
Update your public DNS, then log in to the database using the RDS admin user and run;
flush hosts;
If you can’t update your public DNS you can do the following;
You can remove this restriction (though not recommended) by doing the following;
% is a wildcard, so any host that can reach the RDS endpoint can log into your database if it has the correct credentials; the security group on the RDS instance then becomes the only thing limiting where connections may come from.
update mysql.db set Host = "%" where Host = "www.example.com";
update mysql.user set Host = "%" where Host = "www.example.com";
flush hosts;
flush privileges;
This should allow you to log in.