El servidor perfecto:Ubuntu 20.04 con Apache, PHP, MariaDB, PureFTPD, BIND, Postfix, Dovecot e ISPConfig 3.2

Para instalar postfix, debemos asegurarnos de que sendmail no esté instalado y ejecutándose. Para detener y eliminar sendmail, ejecute este comando:

service sendmail stop; update-rc.d -f sendmail remove

El mensaje de error:

Failed to stop sendmail.service: Unit sendmail.service not loaded.

Está bien, solo significa que no se instaló sendmail, por lo que no había nada que eliminar.

Ahora podemos instalar Postfix, Dovecot, MariaDB (como reemplazo de MySQL), rkhunter y binutils con un solo comando:

apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo patch

Se le harán las siguientes preguntas:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

Es importante que use un subdominio como "nombre de correo del sistema" como server1.example.com o server1.yourdomain.com y no un dominio que desee usar como dominio de correo electrónico (por ejemplo, yourdomain.tld) ​​más adelante.

A continuación, abra los puertos TLS/SSL y de envío en Postfix:

nano /etc/postfix/master.cf

Descomente las secciones de envío y smtps de la siguiente manera:agregue la línea -o smtpd_client_restrictions=permit_sasl_authenticated, rechace ambas secciones y deje todo lo comentado a partir de entonces:

[...]
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

NOTA: ¡Los espacios en blanco delante de las líneas "-o .... " son importantes!

Reinicie Postfix después:

service postfix restart

Queremos que MySQL escuche en todas las interfaces, no solo en localhost. Por lo tanto, editamos /etc/mysql/mariadb.conf.d/50-server.cnf y comentamos la línea bind-address =127.0.0.1:

nano /etc/mysql/mariadb.conf.d/50-server.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1

[...]

Ahora establecemos una contraseña de root en MariaDB. Ejecutar:

mysql_secure_installation

Se le harán estas preguntas:

Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

Configure el método de autenticación de contraseña en MariaDB como nativo para que podamos usar PHPMyAdmin más tarde para conectarnos como usuario root:

echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root

Edite el archivo /etc/mysql/debian.cnf y configure la contraseña raíz de MYSQL/MariaDB allí dos veces en las filas que comienzan con contraseña.

nano /etc/mysql/debian.cnf

La contraseña raíz de MySQL que debe agregarse se muestra en rojo. En este ejemplo, la contraseña es "howtoforge". Reemplace la palabra "howtoforge" con la contraseña que configuró para el usuario root de MySQL con el comando mysql_secure_installation.

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = howtoforge
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = howtoforge
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

Abra el archivo /etc/security/limits.conf con un editor:

nano /etc/security/limits.conf

y agregue estas líneas al final del archivo.

mysql soft nofile 65535
mysql hard nofile 65535

A continuación, cree un nuevo directorio /etc/systemd/system/mysql.service.d/ con el comando mkdir.

mkdir /etc/systemd/system/mysql.service.d/

y agregue un nuevo archivo dentro:

nano /etc/systemd/system/mysql.service.d/limits.conf

pegue las siguientes líneas en ese archivo:

[Service]
LimitNOFILE=infinity

Guarde el archivo y cierre el editor nano.

Luego recargamos systemd y reiniciamos MariaDB:

systemctl daemon-reload
service mariadb restart

Ahora verifique que la red esté habilitada. Ejecutar

netstat -tap | grep mysql

La salida debería verse así:

[email protected]:~# netstat -tap | grep mysql
tcp6       0      0 [::]:mysql              [::]:*                  LISTEN      51836/mysqld
[email protected]:~#

7. Instale Amavisd-new, SpamAssassin y Clamav

Para instalar amavisd-new, SpamAssassin y ClamAV, ejecutamos

apt-get -y install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey

La configuración de ISPConfig 3 usa amavisd que carga la biblioteca de filtros SpamAssassin internamente, por lo que podemos detener SpamAssassin para liberar RAM:

service spamassassin stop
update-rc.d -f spamassassin remove

Para iniciar el uso de ClamAV:

freshclam
service clamav-daemon start

El siguiente error se puede ignorar en la primera ejecución de freshclam.

ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

8. Instale Apache, PHP, phpMyAdmin, FCGI, SuExec, Pera

Apache 2.4, PHP 7.4, phpMyAdmin, FCGI, suExec y Pear se pueden instalar de la siguiente manera:

apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.4 php7.4-common php7.4-gd php7.4-mysql php7.4-imap phpmyadmin php7.4-cli php7.4-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear libruby libapache2-mod-python php7.4-curl php7.4-intl php7.4-pspell php7.4-sqlite3 php7.4-tidy php7.4-xmlrpc php7.4-xsl memcached php-memcache php-imagick php7.4-zip php7.4-mbstring php-soap php7.4-soap php7.4-opcache php-apcu php7.4-fpm libapache2-reload-perl

Verá la siguiente pregunta:

Web server to reconfigure automatically: <-- apache2

Configure database for phpmyadmin with dbconfig-common? <-- Yes

MySQL application password for phpmyadmin: <-- Press enter

A continuación, ejecute el siguiente comando para habilitar los módulos de Apache suexec, rewrite, ssl, actions e include (además de dav, dav_fs y auth_digest si desea utilizar WebDAV):

a2enmod suexec rewrite ssl actions include cgi alias proxy_fcgi

a2enmod dav_fs dav auth_digest headers

Para garantizar que el servidor no pueda ser atacado a través de la vulnerabilidad HTTPOXY, deshabilitaré el encabezado HTTP_PROXY en apache globalmente. Cree un nuevo archivo httpoxy.conf con nano:

nano /etc/apache2/conf-available/httpoxy.conf

Pegue este contenido en el archivo:

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

Habilite el archivo de configuración ejecutando:

a2enconf httpoxy

Reinicie Apache después:

service apache2 restart

Si desea alojar archivos de Ruby con la extensión .rb en sus sitios web creados a través de ISPConfig, debe comentar la línea application/x-ruby rb en /etc/mime.types:

nano /etc/mime.types

[...]
#application/x-ruby                             rb
[...]

(Esto es necesario solo para archivos .rb; los archivos de Ruby con la extensión .rbx funcionan de inmediato).

Reinicie Apache después:

service apache2 restart

9. Instale Let's Encrypt

ISPConfig 3.2 tiene soporte integrado para la autoridad de certificación SSL gratuita Let's encrypt. La función Let's Encrypt le permite crear certificados SSL gratuitos para su sitio web en ISPConfig.

Ahora agregaremos soporte para Let's encrypt.

apt-get install certbot

apt-get -y install mailman

newlist mailman

nano /etc/aliases

[...]
## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

newaliases

service postfix restart

ln -s /etc/mailman/apache.conf /etc/apache2/conf-available/mailman.conf

a2enconf mailman

service apache2 restart

service mailman start

apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool

nano /etc/default/pure-ftpd-common

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

echo 1 > /etc/pure-ftpd/conf/TLS

mkdir -p /etc/ssl/private/

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

chmod 600 /etc/ssl/private/pure-ftpd.pem

service pure-ftpd-mysql restart

nano /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/server1--vg-root / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
/dev/mapper/server1--vg-swap_1 none swap sw 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0

mount -o remount /

quotacheck -avugm
quotaon -avug

[email protected]:/tmp# quotacheck -avugm
quotacheck: Scanning /dev/mapper/server1--vg-root [/] done
quotacheck: Cannot stat old user quota file //quota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old user quota file //quota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Checked 13602 directories and 96597 files
quotacheck: Old file not found.
quotacheck: Old file not found.
[email protected]:/tmp# quotaon -avug
/dev/mapper/server1--vg-root [/]: group quotas turned on
/dev/mapper/server1--vg-root [/]: user quotas turned on

apt-get -y install bind9 dnsutils haveged

systemctl enable haveged
systemctl start haveged

apt-get -y install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl

echo "deb https://deb.goaccess.io/ $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/goaccess.list
wget -O - https://deb.goaccess.io/gnugpg.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/goaccess.gpg add -
sudo apt-get update
sudo apt-get install goaccess

nano /etc/cron.d/awstats

#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

apt-get -y install jailkit

apt-get -y install fail2ban

nano /etc/fail2ban/jail.local

[pure-ftpd]
enabled  = true
port     = ftp
filter   = pure-ftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix]
enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 3

service fail2ban restart

apt-get install ufw

apt-get -y install roundcube roundcube-core roundcube-mysql roundcube-plugins roundcube-plugins-extra javascript-common libjs-jquery-mousewheel php-net-sieve tinymce

Configure database for roundcube with dbconfig-common? <-- Yes
MySQL application password for roundcube: <-- Press enter

nano /etc/apache2/conf-enabled/roundcube.conf

# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
Alias /roundcube /var/lib/roundcube
Alias /webmail /var/lib/roundcube
[...]
<Directory /var/lib/roundcube>
AddType application/x-httpd-php .php
[...]

service apache2 restart

nano /etc/roundcube/config.inc.php

$config['default_host'] = 'localhost';

$config['smtp_server'] = 'localhost';

$config['smtp_port']  = 25;

cd /tmp 
wget -O ispconfig.tar.gz https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ispconfig.tar.gz
cd ispconfig3*/install/

php -q install.php

# php -q install.php

--------------------------------------------------------------------------------
_____ ___________ _____ __ _ ____
|_ _/ ___| ___ \ / __ \ / _(_) /__ \
| | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ /
| | `--. \ __/ | | / _ \| '_ \| _| |/ _` | |_ |
_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \
\___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/
__/ |
|___/
--------------------------------------------------------------------------------

>> Initial configuration

Operating System: Ubuntu 20.04.1 LTS (Focal Fossa)

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- Hit Enter

Installation mode (standard,expert) [standard]: <-- Hit Enter

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.canomi.com]: <-- Hit Enter

MySQL server hostname [localhost]: <-- Hit Enter

MySQL server port [3306]: <-- Hit Enter

MySQL root username [root]: <-- Hit Enter

MySQL root password []: <-- Enter your MySQL root password

MySQL database to create [dbispconfig]: <-- Hit Enter

MySQL charset [utf8]: <-- Hit Enter

Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
.......................................................................++
........................................................................................................................................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the  state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Jailkit
Configuring Pureftpd
Configuring Apache
Configuring vlogger
Configuring Metronome XMPP Server
writing new private key to 'localhost.key'
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) [server1.canomi.com]: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter

Configuring Ubuntu Firewall
Configuring Fail2ban
[INFO] service OpenVZ not detected
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]:

Admin password [admin]:

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- Hit Enter

Generating RSA private key, 4096 bit long modulus
.......................++
................................................................................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the  state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Hit Enter
An optional company name []: <-- Hit Enter
writing RSA key

Symlink ISPConfig LE SSL certs to postfix? (y,n) [y]:  <-- Hit Enter

Symlink ISPConfig LE SSL certs to pureftpd? Creating dhparam file takes some times. (y,n) [y]:  <-- Hit Enter

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................................+.........................................................................................................................................................................+...................

Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.