
Perfect server on Ubuntu 18.04: Nginx, MySQL, PHP, Postfix, BIND, Dovecot, Pure-FTPD with the ISPConfig 3.1 panel

In today's tutorial I will describe the process of preparing a fully functioning web server along with ISPConfig, a free panel for managing it.
The guide has been prepared for the latest version of Ubuntu, 18.04.

To start, change the system hostname. This step was described in this guide.

Log in as root with the command:

sudo -s

Enter the password. Then install your favorite text editor, for example nano:

apt-get install nano

The next step is to set the repositories in /etc/apt/sources.list

Open it with the command:

nano /etc/apt/sources.list

The file should look like this:

#

# deb cdrom:[Ubuntu-Server 18.04 LTS _Bionic Beaver_ - Release amd64 (20180425.1)]/ bionic main restricted

#deb cdrom:[Ubuntu-Server 18.04 LTS _Bionic Beaver_ - Release amd64 (20180425.1)]/ bionic main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ bionic main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ bionic universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic universe
deb http://de.archive.ubuntu.com/ubuntu/ bionic-updates universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ bionic multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://de.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu bionic partner
# deb-src http://archive.canonical.com/ubuntu bionic partner

deb http://security.ubuntu.com/ubuntu bionic-security main restricted
# deb-src http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
# deb-src http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
# deb-src http://security.ubuntu.com/ubuntu bionic-security multiverse

Then we update the repository lists and upgrade the system:

apt-get update
apt-get upgrade

To make sure the system works properly and all changes are saved, reboot the system with the command:

reboot

After the restart, log in to the root account again and change the default system shell.
We can do this with the command:

dpkg-reconfigure dash

At the prompt, select No:

Use dash as the default system shell (/bin/sh)? 

Turn off AppArmor

AppArmor is a security extension (similar to SELinux) that should provide enhanced security. Check whether it is installed and, if necessary, remove it. I do not think we need it to set up a secure system, and it usually causes more problems than benefits.

Deactivation will be done by issuing the command:

service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils

We synchronize the time on the server with an NTP server:

apt-get -y install ntp ntpdate

Install Postfix, Dovecot, MariaDB, phpMyAdmin, rkhunter, Binutils

A minor point: to install Postfix it is necessary to uninstall sendmail. We can do this with the command:

service sendmail stop; update-rc.d -f sendmail remove

Then install all packages:

apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo

The installer will ask you 2 questions; answer them as below:

General type of mail configuration: 

Enable TLS/SSL in Postfix

Edit the file:

nano /etc/postfix/master.cf

Then uncomment the sections containing smtpd_client_restrictions=permit_sasl_authenticated,reject

The whole should look like this:

[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

After making the changes, restart Postfix:

service postfix restart
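
One way to confirm the result of this edit, as an added example that is not part of the original tutorial: the shell function below reads a master.cf and reports whether the submission and smtps entries are active and carry the SASL override and the smtpd_client_restrictions line shown above. The names check_mastercf and sample_mastercf and the sample file are constructed for this illustration; only the "-o name=value" form used in the listing is recognised.

```shell
#!/bin/sh
# Added example: audit the submission/smtps overrides in a Postfix master.cf.

# check_mastercf FILE
# Prints "<service> OK", "<service> MISSING <opts>" or "<service> NOT-ACTIVE"
# (entry absent or commented out) and returns non-zero if anything is wrong.
check_mastercf() {
    awk '
    BEGIN {
        need[1] = "smtpd_sasl_auth_enable=yes"
        need[2] = "smtpd_client_restrictions=permit_sasl_authenticated,reject"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comment or blank line
    /^[^ \t]/ { svc = $1; seen[svc] = 1 }        # an entry starts in column 1
    {                                            # entry or continuation line:
        for (i = 1; i < NF; i++)                 # collect every "-o name=value"
            if ($i == "-o") have[svc, $(i + 1)] = 1
    }
    END {
        rc = 0
        n = split("submission smtps", order, " ")
        for (k = 1; k <= n; k++) {
            s = order[k]; miss = ""
            if (!(s in seen)) { print s " NOT-ACTIVE"; rc = 1; continue }
            for (j = 1; j <= 2; j++)
                if (!((s, need[j]) in have))
                    miss = miss (miss == "" ? "" : ",") need[j]
            if (miss == "") print s " OK"
            else { print s " MISSING " miss; rc = 1 }
        }
        exit rc
    }' "$1"
}

# Constructed sample: the submission entry as in the tutorial, the smtps
# entry still commented out.
sample_mastercf() {
    cat <<'EOF'
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
pickup    unix  n       -       y       60      1       pickup
EOF
}

# Usage on a real system: check_mastercf /etc/postfix/master.cf
```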

We want MariaDB/MySQL to listen not only on localhost. Therefore we edit the file /etc/mysql/mariadb.conf.d/50-server.cnf (for MariaDB) or /etc/mysql/my.cnf (for MySQL) and comment out the line bind-address = 127.0.0.1:

nano /etc/mysql/mariadb.conf.d/50-server.cnf

We add # in front of bind-address:

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Set the MySQL server root password and go through the basic configuration with the command:

mysql_secure_installation

We answer the questions as follows:

Enter current password for root (enter for none): 

We set the password authentication method to native, so that phpMyAdmin can later connect as the root user:

echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root

Modify the file /etc/mysql/debian.cnf and set the root password:

nano /etc/mysql/debian.cnf

The modified file looks like this (HASLO ROOT stands for the root password):

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = HASLO ROOT
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = HASLO ROOT
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

Edit /etc/mysql/my.cnf and comment out (with #) the local-only MySQL listening:

nano /etc/mysql/my.cnf

The file should look like this:

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

We restart the MySQL server with the command:

service mysql restart
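
Because the setting can live in more than one option file (the tutorial edits both 50-server.cnf and my.cnf), the following added example, not part of the original tutorial, reports which bind-address remains in effect when the files are given in the order the server reads them. The function and sample names are hypothetical, !include directives are not followed, and only the [mysqld], [server] and [mariadb] sections are considered.

```shell
#!/bin/sh
# Added example: report the bind-address that a set of MariaDB/MySQL option
# files leaves in effect. Pass the files in the order the server reads them.

# effective_bind FILE...
# Prints "<address> (<file>)" for the last uncommented bind-address found in
# a server section, or "unset" when none is active (the server then listens
# on all interfaces).
effective_bind() {
    awk '
    FNR == 1 { insrv = 0 }                       # sections do not span files
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }         # comment or blank line
    /^[ \t]*\[/ {                                # section header
        sec = $0
        sub(/^[ \t]*\[/, "", sec)
        sub(/\].*$/, "", sec)
        insrv = (sec == "mysqld" || sec == "server" || sec == "mariadb")
        next
    }
    insrv && /^[ \t]*bind[-_]address[ \t]*=/ {   # later occurrences win
        val = $0
        sub(/^[^=]*=[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        addr = val; src = FILENAME
    }
    END {
        if (addr == "") print "unset"
        else print addr " (" src ")"
    }' "$@"
}

# Constructed sample modelled on the 50-server.cnf excerpt in the tutorial,
# with bind-address already commented out.
sample_50server() {
    cat <<'EOF'
[server]
[mysqld]
user            = mysql
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
EOF
}

# Usage on a real system (file order is an assumption; adjust to your layout):
#   effective_bind /etc/mysql/my.cnf /etc/mysql/mariadb.conf.d/50-server.cnf
```

If the function still prints 127.0.0.1 after the edit, another file in the list sets the option and the server keeps listening on localhost only.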

Installing Amavisd-new, SpamAssassin, and ClamAV

apt-get -y install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey

To update the ClamAV antivirus signatures and start clamd, issue the following commands:

freshclam
service clamav-daemon start

The virus database update can take a while, so please be patient.

You can ignore the following error when you first start freshclam:

ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

The amavisd-new program currently contains an error in Ubuntu 18.04 that prevents proper signing of e-mails with DKIM. Run the following commands to patch amavisd-new:

cd /tmp
wget https://git.ispconfig.org/ispconfig/ispconfig3/raw/stable-3.1/helper_scripts/ubuntu-amavisd-new-2.11.patch
cd /usr/sbin
cp -pf amavisd-new amavisd-new_bak
patch < /tmp/ubuntu-amavisd-new-2.11.patch

Installing Nginx, PHP 7.2 (PHP-FPM), and Fcgiwrap

Install Nginx with the command:

apt-get install nginx

We remove the Apache web server:

service apache2 stop
update-rc.d -f apache2 remove

Start the server Nginx

service nginx start

Install PHP:

apt-get -y install php7.2-fpm

Then we look up the available PHP modules and install them:

apt-cache search php7.2
apt-get -y install php7.2 php7.2-common php7.2-gd php7.2-mysql php7.2-imap php7.2-cli php7.2-cgi php-pear mcrypt imagemagick libruby php7.2-curl php7.2-intl php7.2-pspell php7.2-recode php7.2-sqlite3 php7.2-tidy php7.2-xmlrpc php7.2-xsl memcached php-memcache php-imagick php-gettext php7.2-zip php7.2-mbstring php-soap php7.2-soap

Edit the php.ini file

We change 2 lines:

nano /etc/php/7.2/fpm/php.ini

And change:

cgi.fix_pathinfo=0

And

date.timezone="Europe/Warsaw"

We reload PHP with the command:

service php7.2-fpm reload

Install the fcgiwrap package; thanks to it ISPConfig will take care of the correct vhost configuration.

apt-get -y install fcgiwrap

We install and configure phpMyAdmin

apt-get -y install phpmyadmin php-mbstring php-gettext

and configure:

Web server to reconfigure automatically: 

Installing Let's Encrypt

apt-get -y install certbot
certbot register

ISPConfig also allows you to manage (create / modify / delete) Mailman mailing lists. If you want to use this feature, Mailman install as follows:

apt-get -y install mailman

Select at least one language, for example:

Languages to support: 

We run the command and answer the questions:

newlist mailman
root@server1:~# newlist mailman
Enter the email of the person running the list: 
Hit enter to notify mailman owner... 

root@server1:~#

Edit /etc/aliases and add:

nano /etc/aliases

## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Reload the aliases, restart Postfix and start Mailman:

newaliases
service postfix restart
service mailman start

Install pure-ftpd and Quota

apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit /etc/default/pure-ftpd-common and set it in the following manner:

nano /etc/default/pure-ftpd-common
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Enable TLS and SSL for the FTP server:

echo 1 > /etc/pure-ftpd/conf/TLS
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Enter your details as below:

Country Name (2 letter code) [AT]: 

Set the permissions with chmod and restart the FTP server:

chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart

Installing the BIND DNS server

apt-get -y install bind9 dnsutils haveged
systemctl enable haveged
service haveged start

Installing Vlogger, Webalizer, and AWStats

apt-get -y install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl

Edit the file /etc/cron.d/awstats and comment out its contents as shown below:

nano /etc/cron.d/awstats
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

Installing Jailkit

apt-get -y install build-essential autoconf automake1.11 libtool flex bison debhelper binutils
cd /tmp 
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
echo 5 > debian/compat

The current version of Jailkit, 2.19, has a syntax error that makes it impossible to compile. To fix this, open debian/changelog using nano:

nano debian/changelog

And add the following line at line 5, followed by a blank line:

 -- Olivier   Wed, 18 Nov 2015 20:38:44 +0100

Then we build the package:

./debian/rules binary
cd ..
dpkg -i jailkit_2.19-1_*.deb
rm -rf jailkit-2.19*

Installing fail2ban and UFW

apt-get -y install fail2ban
apt-get -y install ufw

Then create the file /etc/fail2ban/jail.local with the following content:

nano /etc/fail2ban/jail.local
[pure-ftpd]
enabled  = true
port     = ftp
filter   = pure-ftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix]
enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 3

Restart the service:

service fail2ban restart

Installing Roundcube Webmail

apt-get -y install roundcube roundcube-core roundcube-mysql roundcube-plugins javascript-common libjs-jquery-mousewheel php-net-sieve tinymce

During configuration, choose as follows:

Configure database for roundcube with dbconfig-common? 

Edit the file /etc/roundcube/config.inc.php and change the default host:

nano /etc/roundcube/config.inc.php
$config['default_host'] = 'localhost';

Installing ISPConfig 3.1

To be sure, we stop Apache, remove it and restart Nginx:

service apache2 stop
update-rc.d -f apache2 remove
service nginx restart

We download the latest version of the ISPConfig panel and unpack it:

cd /tmp 
wget -O ispconfig.tar.gz https://git.ispconfig.org/ispconfig/ispconfig3/repository/archive.tar.gz?ref=stable-3.1
tar xfz ispconfig.tar.gz
cd ispconfig3*/install/

Run the installation script:

php -q install.php

We answer the questions as follows:

--------------------------------------------------------------------------------
_____ ___________ _____ __ _ ____
|_ _/ ___| ___ \ / __ \ / _(_) /__ \
| | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ /
| | `--. \ __/ | | / _ \| '_ \| _| |/ _` | |_ |
_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \
\___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/
__/ |
|___/
--------------------------------------------------------------------------------


>> Initial configuration

Operating System: Ubuntu 18.04 LTS (Bionic Beaver)

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with .
Tap in "quit" (without the quotes) to stop the installer.


Select language (en,de) [en]: 

When the script finishes, the panel is installed and available at https://ipserwera:8080

The default login for the admin panel is admin and the password is admin.

In this way we have a fully operational and configured web server together with mail, database and FTP servers.

Source: https://www.howtoforge.com/tutorial/perfect-server-ubuntu-18.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/

Comments

  • Hey,
    At the outset, thank you for the tutorial, it was a godsend :)
    But I have a problem at the point with: nano /etc/postfix/master.cf
    My configuration is slightly different from yours; for example, I do not have any option smtpd_client_restrictions = permit_sasl_authenticated,reject

    I enclose what I have:

    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (no) (never) (100)

    smtp inet n - y smtpd
    #smtp inet n y 1 postscreen
    #smtpd pass - y smtpd
    #dnsblog unix - Y 0 dnsblog
    #tlsproxy unix - Y 0 tlsproxy
    #submission inet n y smtpd
    # -o syslog_name=postfix/submission
    # -o smtpd_tls_security_level=encrypt
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_tls_auth_only=yes
    # -o smtpd_reject_unlisted_recipient=no
    # -o smtpd_client_restrictions=$mua_client_restrictions
    # -o smtpd_helo_restrictions=$mua_helo_restrictions
    # -o smtpd_sender_restrictions=$mua_sender_restrictions
    # -o smtpd_recipient_restrictions=
    # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    #smtps inet n y smtpd
    # -o syslog_name=postfix/smtps
    # -o smtpd_tls_wrappermode=yes
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_reject_unlisted_recipient=no
    # -o smtpd_client_restrictions=$mua_client_restrictions
    # -o smtpd_helo_restrictions=$mua_helo_restrictions
    # -o smtpd_sender_restrictions=$mua_sender_restrictions
    # -o smtpd_recipient_restrictions=
    # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    #628 inet n and qmqpd
    and n pickup unix 60 1 pickup
    cleanup unix n y 0 cleanup
    qmgr unix n n 300 1 qmgr

    Did I do something wrong in the previous stage? Or is it simply a newer version of Postfix and something is named differently?

    • It is probably a newer version ;)
      The guide is already some time old.
      As long as you uncomment what I gave in the guide, everything will work correctly :)

      Note that your entries are commented out with a # hash

  • There is an error in the file name in the code:
    nano /etc/mysql/my.cnf
    Because the content shown is that of the file:
    nano /etc/mysql/mariadb.conf.d/50-server.cnf

  • Hello,
    Unfortunately, after going through everything, the Postfix server and ISPConfig are running, but unfortunately neither phpMyAdmin nor Roundcube works. The second issue is this: I have a domain at az.pl and do not quite know how to point it to my server at home. I have a variable IP address, but it changes every few months. Is anyone able to help me with the server configuration?

  • After the installation, no other PHP will install; the error:

    dpkg: error processing package pure-ftpd-mysql (--configure):
    installed pure-ftpd-mysql package post-installation script subprocess returned error exit status 127
    Errors were encountered while processing:
    pure-ftpd-mysql

    • Try this:
      apt-get install -y inetutils-inetd
      update-inetd
      and
      apt --fix-broken install
