Use Ubuntu 16.04 to build an all-around Server
This article explains how to install Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot, and ISPConfig 3.1 on Ubuntu 16.04 to build a web, email, mailing list, DNS, and FTP server. ISPConfig 3 is a web hosting control panel that allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS name server, PureFTPd, SpamAssassin, ClamAV, and more.
Note: The ISPConfig 3.1 version used in this tutorial is currently in testing status, and ISPConfig 3.1 will be released on April 9, June 2016. The old stable ISPConfig 3.0.5p9 cannot be used on Ubuntu 16.04 and is not compatible with PHP 7.
1. Preliminary description
This tutorial uses the hostname server1.example.com with the IP address 192.168.1.100 and the gateway 192.168.1.1. These settings may be different from yours, so you must change them according to your situation. Before going further, you need to have a basic minimal installation.
2. Edit /etc/apt/sources.list and update Linux
Edit /etc/apt/sources.list. Comment out or remove the installation disc from the file, and ensure that the repositories are enabled. It should look like this:
nano /etc/apt/sources.list
The content is as follows:
#
# deb cdrom:[Ubuntu-Server 16.04 LTS _Xenial Xerus_ - Release amd64 (20160420)]/ xenial main restricted
# deb cdrom:[Ubuntu-Server 16.04 LTS _Xenial Xerus_ - Release amd64 (20160420)]/ xenial main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ xenial main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial main restricted
# Major bug fix updates produced after the final release of the
# distribution.
deb http://de.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
# N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
# team, and may not be under a free licence. Please satisfy yourself as to
# your rights to use the software. Also, please note that software in
# universe will not receive any review or updates from the Ubuntu security
# team.
deb http://de.archive.ubuntu.com/ubuntu/ xenial universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial universe
deb http://de.archive.ubuntu.com/ubuntu/ xenial-updates universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial-updates universe
# N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
# team, and may not be under a free licence. Please satisfy yourself as to
# your rights to use the software. Also, please note that software in
# multiverse will not receive any review or updates from the Ubuntu
# security team.
deb http://de.archive.ubuntu.com/ubuntu/ xenial multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial multiverse
deb http://de.archive.ubuntu.com/ubuntu/ xenial-updates multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial-updates multiverse
# N.B. software from this repository may not have been tested as
# extensively as that contained in the main release, although it includes
# newer versions of some applications which may provide useful features.
# Also, please note that software in backports will not receive any review
# or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse
# Uncomment the following two lines to add software from Canonical's
# 'partner' repository.
# This software is not part of Ubuntu, but is offered by Canonical and the
# respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu xenial partner
# deb-src http://archive.canonical.com/ubuntu xenial partner
deb http://security.ubuntu.com/ubuntu xenial-security main restricted
# deb-src http://security.ubuntu.com/ubuntu xenial-security main restricted
deb http://security.ubuntu.com/ubuntu xenial-security universe
# deb-src http://security.ubuntu.com/ubuntu xenial-security universe
deb http://security.ubuntu.com/ubuntu xenial-security multiverse
# deb-src http://security.ubuntu.com/ubuntu xenial-security multiverse
Then run:
apt-get update
to update the apt package database, and:
apt-get upgrade
to install the latest updates (if any). If you see a new kernel installed as part of the update, reboot the system:
reboot
3. Change the default shell
dpkg-reconfigure dash
Use dash as the default system shell (/bin/sh)? <-- No
If you do not do this, the ISPConfig installation will fail.
4. Disable AppArmor
AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion, you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of troubleshooting because some service wasn't working as expected, and then you find out that everything was OK and only AppArmor was causing the problem). Therefore, I disable it (this is required if you want to install ISPConfig later).
We can disable it like this:
service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
5. Synchronize the system clock
It is a good idea to synchronize the system clock with an NTP (Network Time Protocol) server over the Internet when you run a physical server. If you are running a virtual server, skip this step. Run:
apt-get -y install ntp ntpdate
Your system time will then always be synchronized.
6. Install Postfix, Dovecot, MariaDB, phpMyAdmin, rkhunter, and binutils.
To install Postfix, we need to ensure that sendmail is not installed and running. Run the following command to stop and remove sendmail:
service sendmail stop; update-rc.d -f sendmail remove
The error message:
Failed to stop sendmail.service: Unit sendmail.service not loaded.
is fine; it only means that sendmail was not installed, so there was nothing to remove.
Now we can install Postfix, Dovecot, MariaDB (as a MySQL alternative), rkhunter, and binutils with a single command:
apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
You will be asked the following questions:
General type of mail configuration:
System mail name:
For "System mail name", use a subdomain such as server1.example.com or server1.yourdomain.com, not a domain that you want to use as an email domain (for example, yourdomain.tld).
Next, open the TLS/SSL and submission ports in Postfix:
nano /etc/postfix/master.cf
Uncomment the submission and smtps sections as follows, and add the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject to both sections:
[...]
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]
Note: The whitespace in front of the "-o ..." lines is important!
Restart Postfix:
service postfix restart
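A check for the master.cf edit above, as an added example that is not part of the original tutorial: it confirms that the submission and smtps entries are enabled, carry the TLS, SASL and client-restriction overrides shown, and that no -o line has lost its leading whitespace. The function name audit_master_cf and the sample file are constructed for illustration, and overrides are assumed to use the -o name=value form.

```shell
# Added example: audit the submission and smtps entries of a Postfix master.cf.
# Assumes overrides are written as "-o name=value", the form used in this tutorial.
audit_master_cf() {
    awk '
    function need(svc, opt) {
        if (!((svc, opt) in seen)) { print "MISSING " svc ": -o " opt; bad = 1 }
    }
    function check(svc, tlsopt) {
        if (!(svc in active)) { print "DISABLED " svc; bad = 1; return }
        need(svc, tlsopt)
        need(svc, "smtpd_sasl_auth_enable=yes")
        need(svc, "smtpd_client_restrictions=permit_sasl_authenticated,reject")
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines are ignored
    /^-o[ \t]/ {                         # an override that lost its indentation
        print "UNINDENTED line " NR ": " $0; bad = 1; next
    }
    /^[^ \t]/ { svc = $1; if ($2 == "inet") active[svc] = 1; next }
    {                                    # indented line: continues the entry above
        for (i = 1; i < NF; i++) if ($i == "-o") seen[svc, $(i + 1)] = 1
    }
    END {
        check("submission", "smtpd_tls_security_level=encrypt")
        check("smtps", "smtpd_tls_wrappermode=yes")
        exit bad + 0                     # non-zero status when anything was reported
    }' "$1"
}

# Constructed sample: smtps has one unindented override and one still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtp       inet n - - - - smtpd
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
audit_master_cf "$sample" || echo "master.cf needs attention"
rm -f "$sample"
```

On the real system the function would be pointed at /etc/postfix/master.cf before restarting Postfix.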
We want MySQL to listen on all interfaces, not just localhost. Therefore, we edit /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the line bind-address = 127.0.0.1:
nano /etc/mysql/mariadb.conf.d/50-server.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
Now, set the root password in MariaDB. Run:
mysql_secure_installation
You will be asked the following questions:
Enter current password for root (enter for none): <-press enter
Set root password? [Y/n] <-y
New password: <-Enter the new MariaDB root password here
Re-enter new password: <-Repeat the password
Remove anonymous users? [Y/n] <-y
Disallow root login remotely? [Y/n] <-y
Reload privilege tables now? [Y/n] <-y
Restart MariaDB:
service mysql restart
Check that networking is enabled. Run:
netstat -tap | grep mysql
The output should be like this:
root@server1:~# netstat -tap | grep mysql
tcp6 0 0 [::]:mysql [::]:* LISTEN 5230/mysqld
root@server1:~#
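To confirm which address mysqld is actually bound to after the bind-address change, the listener line can be classified as below. This is an added example, not part of the original tutorial; the function name listener_scope is hypothetical, and the input is assumed to be netstat -ta or netstat -tln style output with the local address in column 4 and the state in column 6.

```shell
# Added example: classify how a TCP port is bound from netstat output on stdin.
# usage: netstat -tln | listener_scope 3306 mysql
#   $1 = numeric port, $2 = service name (netstat without -n prints the name)
listener_scope() {
    awk -v port="$1" -v name="$2" '
    $6 == "LISTEN" {
        n = split($4, part, ":")          # port or service name is the last piece
        if (part[n] != port && part[n] != name) next
        addr = substr($4, 1, length($4) - length(part[n]) - 1)
        if (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
            all = 1                       # wildcard: reachable on every interface
        else if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]" || addr == "localhost")
            loop = 1                      # loopback only
        else
            other = 1                     # bound to one specific address
    }
    END {
        if (all) print "all-interfaces"
        else if (other) print "specific-address"
        else if (loop) print "loopback-only"
        else print "not-listening"
    }'
}

# The listener line from the output above, then a constructed loopback-only line.
printf '%s\n' 'tcp6 0 0 [::]:mysql [::]:* LISTEN 5230/mysqld' | listener_scope 3306 mysql
printf '%s\n' 'tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN' | listener_scope 3306 mysql
```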
7. Install Amavisd-new, SpamAssassin, and ClamAV
Install amavisd-new, SpamAssassin, and ClamAV. Run the following command:
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey
The ISPConfig 3 setup uses amavisd, which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some memory:
service spamassassin stop
update-rc.d -f spamassassin remove
Edit the ClamAV configuration file:
nano /etc/clamav/clamd.conf
Change the line:
AllowSupplementaryGroups false
to:
AllowSupplementaryGroups true
Then save the file. To start ClamAV, run:
freshclam
service clamav-daemon start
The following warning can be ignored on the first run of freshclam, because the clamd daemon is started only after the database has been updated:
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory
7.1 Install Metronome XMPP server (optional)
The Metronome XMPP server provides an XMPP chat server. This step is optional. If you do not need a chat server, you can skip this step. No other ISPConfig function depends on the software.
Use apt to install the following software packages.
apt-get install git lua5.1 liblua5.1-0-dev lua-filesystem libidn11-dev libssl-dev lua-zlib lua-expat lua-event lua-bitop lua-socket lua-sec luarocks
luarocks install lpc
Add a shell user for Metronome:
adduser --no-create-home --disabled-login --gecos 'Metronome' metronome
Download Metronome to the /opt directory and compile it:
cd /opt; git clone https://github.com/maranda/metronome.git metronome
cd ./metronome; ./configure --ostype=debian --prefix=/usr
make
make install
Metronome has now been installed in /opt/metronome.
8. Install Apache, PHP, phpMyAdmin, FCGI, SuExec, Pear, and mcrypt
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php php7.0 php7.0-common php7.0-gd php7.0-mysql php7.0-imap phpmyadmin php7.0-cli php7.0-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear php-auth php7.0-mcrypt mcrypt imagemagick libruby libapache2-mod-python php7.0-curl php7.0-intl php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl memcached php-memcache php-imagick php-gettext
You will see the following questions:
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- Yes
MySQL application password for phpmyadmin: <-- Press enter
Then use the following commands to enable the Apache modules:
a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest headers
Restart apache2:
service apache2 restart
If you want to host Ruby files with the extension .rb on websites created through ISPConfig, you must comment out the line application/x-ruby rb in /etc/mime.types:
nano /etc/mime.types
[...]
#application/x-ruby rb
[...]
service apache2 restart
8.1 Install PHP Opcode cache
apt-get install php7.0-opcache php-apcu
service apache2 restart
8.2 Install PHP-FPM
apt-get install libapache2-mod-fastcgi php7.0-fpm
a2enmod actions fastcgi alias
service apache2 restart
8.3 Additional PHP versions
It is possible to have multiple PHP versions on one server (selectable through ISPConfig) which can be run through FastCGI and PHP-FPM. To learn how to build additional PHP versions (PHP-FPM and FastCGI) and how to configure ISPConfig, see this tutorial: How To Use Multiple PHP Versions (PHP-FPM & FastCGI) With ISPConfig 3 (Ubuntu 12.10) (applicable to Ubuntu 16.04 as well).
10.1 Install HHVM (HipHop Virtual Machine)
sudo apt-get install hhvm
9. Install Let's Encrypt
apt-get install git
cd /opt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt/
sudo -H ./letsencrypt-auto --help