The Perfect Server CentOS 8 with Apache, PHP, Postfix, Dovecot, Pure-FTPD, BIND and ISPConfig 3.2 (Beta)

This tutorial shows the installation of ISPConfig 3.2 on a CentOS 8 (64-bit) server. ISPConfig is a web hosting control panel that lets you configure the following services through a web browser: Apache web server, PHP, Postfix mail server, MySQL, BIND nameserver, PureFTPd, SpamAssassin, ClamAV, Mailman, and many more.

1 Requirements

To install such a system you will need the following:

  • A CentOS 8 minimal server system. This can be a server installed from scratch as described in our CentOS 8 minimal server tutorial, or a virtual server or root server from a hosting company that has a minimal CentOS 8 setup installed.
  • A fast Internet connection.

2 Preliminary Note

In this tutorial, I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

3 Preparing the Server

Set the keyboard layout

If the keyboard layout of the server does not match your keyboard, you can switch to the right keyboard with the localectl command (in my case "de" for a German keyboard layout):

localectl set-keymap de

To get a list of all available keymaps, run:

localectl list-keymaps

I want to install ISPConfig at the end of this tutorial. ISPConfig ships with the Bastille firewall script, which I will use as the firewall, so I disable the default CentOS firewall now. Of course, you are free to leave the CentOS firewall on and configure it to your needs (but then you should not use any other firewall later on, as it will most probably interfere with the CentOS firewall).

To stop and disable the CentOS firewall, run:

dnf -y install net-tools wget rsyslog
systemctl stop firewalld.service
systemctl disable firewalld.service

It is fine if the systemctl commands report an error here; that just means firewalld is not installed.

Then you should check that the firewall has really been disabled. To do so, run the command:

iptables -L

The output should look like this:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Or use the firewall-cmd command:

firewall-cmd --state

[root@server1 ~]# firewall-cmd --state
not running
[root@server1 ~]#

Now I will install the network configuration editor and the shell-based editor "nano", which I will use in the next steps to edit the config files:

dnf -y install nano wget NetworkManager-tui yum-utils

If you did not configure your network card during the installation, you can do that now. Run

nmtui

... and go to Edit a connection:

Select your network interface:

Select the network interface

Then fill in your network details: disable DHCP and fill in a static IP address, a netmask, your gateway, and one or two nameservers, then hit OK:

Set the IP address and netmask

Next, select OK to confirm the changes you made in the network settings

Confirm the network settings

and then Quit to close the nmtui network configuration tool.

Quit nmtui

You should run

ifconfig

now to check if the installer set your IP address correctly:

[root@server1 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.100  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::20c:29ff:feee:b665  prefixlen 64  scopeid 0x20<link>
        inet6 2003:e1:bf22:1b00:20c:29ff:feee:b665  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:ee:b6:65  txqueuelen 1000  (Ethernet)
        RX packets 2874  bytes 1369892 (1.3 MiB)
        RX errors 0  dropped 546  overruns 0  frame 0
        TX packets 968  bytes 160901 (157.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

If your network card is not shown here, it is not enabled on boot. In this case, open the file /etc/sysconfig/network-scripts/ifcfg-ens33

nano /etc/sysconfig/network-scripts/ifcfg-ens33

and set ONBOOT to yes:

[...]
ONBOOT=yes
[...]

and reboot the server.

Check /etc/resolv.conf to see if it lists all the nameservers you configured earlier:

cat /etc/resolv.conf

If nameservers are missing, run

nmtui

and add the missing nameservers again.

Now on to the configuration...

Adjust /etc/hosts and /etc/hostname

Next, we edit /etc/hosts so that it looks like this:

nano /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.0.100   server1.example.com     server1
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Set the hostname in the /etc/hostname file. The file shall contain the fully qualified domain name (e.g. server1.example.com in my case) and not just the short name like "server1". Open the file with the nano editor:

nano /etc/hostname

and set the hostname in the file:

server1.example.com

Save the file and exit nano.

Set SELinux to permissive

SELinux is a security extension of CentOS that should provide extended security. ISPConfig does not come with a SELinux rule set, so I set it to permissive (this is a must if you want to install ISPConfig later on). In permissive mode, policy violations are still logged to the audit log but no longer blocked.

Edit /etc/selinux/config and set SELINUX=permissive:

nano /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

4 Enable Additional Repositories and Install Some Software

First, we import the GPG keys for software packages:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Then we enable the EPEL repository on our CentOS system, as many of the packages that we will install in this tutorial are not available in the official CentOS 8 repository:

dnf -y install epel-release

Enable the PowerTools repository:

dnf config-manager --set-enabled PowerTools

Then we update our existing packages on the system:

dnf -y update

Now we install some software packages that are needed later on:

dnf -y groupinstall 'Development Tools'

5 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

dnf -y install quota

Now we check if quota is already enabled for the filesystem where the websites (/var/www) and maildir data (/var/vmail) are stored. In this example setup, I have one big root partition, so I search for ' / ':

mount | grep ' / '

[root@server1 ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,noquota)
[root@server1 ~]#

If you have a separate /var partition, use:

mount | grep ' /var '

instead. If the line contains the word "noquota", follow these steps to enable quota.

Enabling quota on the / (root) partition

Normally you would enable quota in the /etc/fstab file, but if the filesystem is the root filesystem "/", quota has to be enabled by a boot parameter of the Linux kernel.

Edit the grub configuration file:

nano /etc/default/grub

search for the line that starts with GRUB_CMDLINE_LINUX and add rootflags=uquota,gquota to the command line parameters so that the resulting line looks like this:

GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/cl-swap rd.lvm.lv=cl/root rd.lvm.lv=cl/swap rootflags=uquota,gquota"

and apply the changes by running the following commands.

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg_bak
grub2-mkconfig -o /boot/grub2/grub.cfg

and reboot the server.

reboot

Now check if quota is enabled:

mount | grep ' / '

[root@server1 ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,usrquota,grpquota)
[root@server1 ~]#

When quota is active, we can see "usrquota,grpquota" in the mount option list.

Enabling quota on a separate /var partition

If you have a separate /var partition, edit /etc/fstab and add ,uquota,gquota to the /var partition (/dev/mapper/centos-var):

nano /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sun Sep 21 16:33:45 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        1 1
/dev/mapper/centos-var  /var                    xfs     defaults,uquota,gquota        1 2
UUID=9ac06939-7e43-4efd-957a-486775edd7b4 /boot                   xfs     defaults        1 3
/dev/mapper/centos-swap swap                    swap    defaults        0 0

Then run

mount -o remount /var
quotacheck -avugm
quotaon -avug

If you get an error that there is no partition with quota enabled, reboot the server before you proceed.

6 Install Apache, PHP, MySQL and phpMyAdmin

Enable the Remi repository to get a newer PHP version (currently PHP 7.4):

dnf install http://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf -y install yum-utils
dnf -y module reset php
dnf -y module install php:remi-7.4
dnf update

We can install the needed packages with one single command:

dnf -y install httpd mod_ssl mariadb-server php php-mysqlnd php-mbstring

To ensure that the server cannot be attacked through the httpoxy vulnerability, we unset the Proxy request header in Apache globally. Without this, a client-supplied "Proxy:" header is handed to CGI and FastCGI applications as the HTTP_PROXY environment variable, which many HTTP client libraries honour as the outbound proxy to use.

Add the Apache header rule at the end of the httpd.conf file:

echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf

and restart httpd to apply the configuration change.

service httpd restart
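To make the mitigation concrete, here is an added shell example (not from the original guide) that models how a CGI-style server turns request headers into environment variables, which is the mechanism behind httpoxy: a client-supplied Proxy: header becomes HTTP_PROXY, the variable many HTTP client libraries read for outbound requests. The request text and the host attacker.example are constructed for the demonstration; calling cgi_env with the strip argument mimics what "RequestHeader unset Proxy early" does in Apache.

```shell
#!/bin/sh
# Added example: how the "Proxy" request header turns into HTTP_PROXY (httpoxy),
# and what "RequestHeader unset Proxy early" prevents. Not part of the original guide.

# cgi_env REQUEST_FILE [keep|strip]
# Print the HTTP_* meta-variables a CGI/FastCGI server derives from the request
# headers (RFC 3875 4.1.18: upper-case the name, replace '-' with '_', prefix HTTP_).
# With "strip", the Proxy header is dropped before the mapping, as Apache does with
# "RequestHeader unset Proxy early".
cgi_env() {
    req=$1
    mode=${2:-keep}
    # headers are line 2 up to the first empty line; CRLF is normalised first
    tr -d '\r' < "$req" | sed -n '2,/^$/p' | while IFS=: read -r name value; do
        [ -n "$name" ] || continue
        lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if [ "$mode" = strip ] && [ "$lname" = proxy ]; then
            continue
        fi
        var=HTTP_$(printf '%s' "$name" | tr 'a-z-' 'A-Z_')
        value=${value# }
        printf '%s=%s\n' "$var" "$value"
    done
}

# proxy_leaks REQUEST_FILE MODE -> 0 if HTTP_PROXY would reach the application
proxy_leaks() {
    cgi_env "$1" "$2" | grep -q '^HTTP_PROXY='
}

# Constructed request: an ordinary GET carrying an attacker-chosen Proxy header.
make_request() {
    printf 'GET /index.php HTTP/1.1\r\nHost: server1.example.com\r\nProxy: http://attacker.example:3128\r\nUser-Agent: curl/7.61\r\n\r\n' > "$1"
}

req=$(mktemp)
make_request "$req"
echo "--- without the mitigation: HTTP_PROXY is attacker-controlled ---"
cgi_env "$req" keep
echo "--- with 'RequestHeader unset Proxy early' ---"
cgi_env "$req" strip
rm -f "$req"
```

The header-to-variable mapping is what makes the attack work: no browser sends a Proxy header, so any value that arrives is attacker-chosen, and stripping it at the web server is the cheapest place to break the chain.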

Install phpMyAdmin:

cd /tmp
wget https://files.phpmyadmin.net/phpMyAdmin/5.0.2/phpMyAdmin-5.0.2-all-languages.tar.gz
tar xzvf phpMyAdmin-5.0.2-all-languages.tar.gz
mkdir /usr/share/phpmyadmin
mv phpMyAdmin-5.0.2-all-languages/* /usr/share/phpmyadmin/
mkdir /usr/share/phpmyadmin/tmp
chown -R apache:apache /usr/share/phpmyadmin
chmod 777 /usr/share/phpmyadmin/tmp

(The tmp directory only has to be writable by the apache user that owns it, so a mode of 770 is sufficient; 777 additionally lets every local shell account write into it.)

Optional: Change the Apache MPM module

CentOS 8 uses the Apache MPM Event module by default. This is good on one hand, as it lets you use the HTTP/2 protocol; on the other hand, it does not let you use the Apache mod_php module. PHP-FPM should be used as the default today and is supported by ISPConfig. If you need to use the old mod_php mode for compatibility reasons, you can switch the Apache MPM like this:

nano /etc/httpd/conf.modules.d/00-mpm.conf

Add a # in front of the MPM event line so that it looks like this:

# LoadModule mpm_event_module modules/mod_mpm_event.so

and remove the # from the MPM prefork line so that it looks like this:

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

Then restart httpd to apply the configuration change.

service httpd restart

7 Install Dovecot

Dovecot can be installed as follows:

dnf -y install dovecot dovecot-mysql dovecot-pigeonhole

Create an empty dovecot-sql.conf file and the symlinks:

touch /etc/dovecot/dovecot-sql.conf
ln -s /etc/dovecot/dovecot-sql.conf /etc/dovecot-sql.conf
ln -s /etc/dovecot/dovecot.conf /etc/dovecot.conf

Now create the system startup links and start Dovecot:

systemctl enable dovecot
systemctl start dovecot

8 Install Postfix

Postfix can be installed as follows:

dnf -y install postfix postfix-mysql

Next, open the TLS/SSL (smtps, port 465) and submission (port 587) ports in Postfix:

nano /etc/postfix/master.cf

Uncomment the submission and smtps sections as follows and add lines where necessary, so that this section of the master.cf file looks exactly like the one below. IMPORTANT: Remove the # in front of the lines that start with smtps and submission too, and not only from the -o lines after these lines!

[...]
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]
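As an added check (not part of the original guide), the following shell function reads a master.cf and reports whether the submission and smtps services are really active with the TLS and SASL options shown above. It targets the mistake the note above warns about: uncommenting the -o lines while the service line itself still starts with #. Postfix gives no error for that, but because a line starting with whitespace continues the previous non-comment entry in master.cf, those -o lines then attach to the preceding service instead. The master.cf fragments it runs on are constructed inline; on a real server, point it at /etc/postfix/master.cf.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the submission and smtps
# services in a Postfix master.cf are enabled and carry the hardening options from
# the guide. The classic mistake is uncommenting the "-o" lines while the service
# line itself stays commented, which leaves ports 587/465 closed.

# check_master_cf FILE -> 0 when both services are active with the expected options
check_master_cf() {
    file=$1
    rc=0
    for svc in submission smtps; do
        # an active service line starts in column 1: "<svc> inet ..."
        if ! grep -Eq "^${svc}[[:space:]]+inet" "$file"; then
            echo "FAIL: '$svc' service line is missing or still commented out"
            rc=1
            continue
        fi
        # collect the active "-o" options between this service line and the next one;
        # "#  -o ..." lines are comments and are neither counted nor end the block
        opts=$(awk -v svc="$svc" '
            $1 == svc && $2 == "inet" { inblock = 1; next }
            inblock && /^[^ \t#]/     { inblock = 0 }
            inblock && $1 == "-o"     { print $2 }
        ' "$file")
        case $svc in
            submission) want="syslog_name=postfix/submission smtpd_tls_security_level=encrypt" ;;
            smtps)      want="syslog_name=postfix/smtps smtpd_tls_wrappermode=yes" ;;
        esac
        # on both ports: only authenticated clients, and authentication only over TLS
        want="$want smtpd_sasl_auth_enable=yes smtpd_client_restrictions=permit_sasl_authenticated,reject"
        for w in $want; do
            if ! printf '%s\n' "$opts" | grep -qxF -- "$w"; then
                echo "FAIL: $svc lacks '-o $w'"
                rc=1
            fi
        done
    done
    [ "$rc" -eq 0 ] && echo "OK: submission and smtps are enabled, TLS-protected and SASL-only"
    return "$rc"
}

# Constructed master.cf fragment matching the guide's listing.
write_good_master_cf() {
    cat > "$1" <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    unix  n       -       n       60      1       pickup
EOF
}

# Same fragment with the mistake the guide warns about: "#submission" left in place.
write_bad_master_cf() {
    tmp=$(mktemp)
    write_good_master_cf "$tmp"
    sed 's/^submission /#submission /' "$tmp" > "$1"
    rm -f "$tmp"
}

good=$(mktemp); bad=$(mktemp)
write_good_master_cf "$good"
write_bad_master_cf "$bad"
check_master_cf "$good"
check_master_cf "$bad" || true
rm -f "$good" "$bad"
```

After editing the real file, `check_master_cf /etc/postfix/master.cf` should print the OK line before you restart Postfix; `postconf -M submission/inet smtps/inet` is the Postfix-native way to confirm the same thing on the server itself.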

Then start MariaDB (MySQL) and Postfix:

systemctl enable mariadb.service
systemctl start mariadb.service

systemctl enable postfix.service
systemctl restart postfix.service

Sendmail should be disabled so that it does not start in case it is installed on your server; if it is not installed, the error message "Failed to issue method call: Unit sendmail.service not loaded." from systemctl can be ignored.

9 Install Getmail

Getmail can be installed as follows:

dnf install python2
cd /tmp
wget http://pyropus.ca/software/getmail/old-versions/getmail-5.14.tar.gz
tar xvfz getmail-5.14.tar.gz
cd getmail-5.14
python2 setup.py build
python2 setup.py install

Getmail here, and mod_python and Jailkit further below, are fetched as source tarballs over plain HTTP with no signature check; verify each download against the checksum or signature the project publishes before building and installing it as root.

10 Set MySQL Passwords and Configure phpMyAdmin

Set passwords for the MySQL root account:

mysql_secure_installation

[root@server1 tmp]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] <-- ENTER
New password: <-- yourrootsqlpassword
Re-enter new password: <-- yourrootsqlpassword
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] <-- ENTER
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] <-- ENTER
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] <-- ENTER
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] <-- ENTER
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@server1 tmp]#

Now we configure phpMyAdmin. Create the following phpMyAdmin configuration file:

nano /etc/httpd/conf.d/phpmyadmin.conf

Add this content to the file:

# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL

Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin/>
   <IfModule mod_authz_core.c>
     # Apache 2.4
  #  <RequireAny>
     #  Require ip 127.0.0.1
     #  Require ip ::1
  #  </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
</Directory>

Next, we change the authentication in phpMyAdmin from cookie to http:

cp -pf /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php
nano /usr/share/phpmyadmin/config.inc.php

[...]
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';
[...]

With HTTP authentication the browser resends the MySQL credentials with every request, so, as the comment in phpmyadmin.conf says, phpMyAdmin should only be used over an SSL/TLS connection once one is available.

Then we create the system startup links for Apache and start it:

systemctl enable httpd
systemctl restart httpd

Now you can direct your browser to http://server1.example.com/phpmyadmin/ or http://192.168.0.100/phpmyadmin/ and log in with the user name root and your new root MySQL password.

11 Install Amavisd-new, SpamAssassin, ClamAV and Postgrey

To install amavisd-new, SpamAssassin and ClamAV, run the following command:

dnf -y install amavisd-new spamassassin clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd unzip bzip2 perl-DBD-mysql postgrey re2c

Then we update the SpamAssassin rules and the ClamAV signatures with sa-update and freshclam and start amavisd, clamd@amavisd and postgrey:

sa-update
freshclam
systemctl enable amavisd.service
systemctl start amavisd.service
systemctl start clamd@amavisd.service
systemctl enable postgrey.service
systemctl start postgrey.service

12 Install Apache with mod_php, mod_fcgi/PHP, and PHP-FPM

ISPConfig 3 allows you to use mod_php, mod_fcgi/PHP, cgi/PHP, and PHP-FPM on a per-website basis.

We can install Apache2 with mod_php, mod_fcgid, and PHP as follows:

dnf -y install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-pecl-apc php-mbstring php-mcrypt php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel php-fpm php-intl php-imagick php-pspell wget

Next, we open /etc/php.ini ...

nano /etc/php.ini

... and change the error reporting (so that notices are not shown any longer), set the timezone and uncomment cgi.fix_pathinfo=1:

[...]
;error_reporting = E_ALL & ~E_DEPRECATED
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
[...]
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://www.php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo
cgi.fix_pathinfo=1
[...]
date.timezone = 'Europe/Berlin'
[...]

Enable httpd and PHP-FPM to start at boot and start the PHP-FPM service.

systemctl start php-fpm.service
systemctl enable php-fpm.service
systemctl enable httpd.service

Finally, we restart Apache:

systemctl restart httpd.service

Now we add support for Let's Encrypt.

mkdir /opt/certbot
cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto

Now run the certbot-auto command, which will download and install the software and its dependencies.

./certbot-auto

The command will then tell you "No names were found in your configuration files" and ask whether to proceed; choose "c" to cancel here, as the certificates will be created by ISPConfig. (Note that the EFF has since deprecated the certbot-auto script; check the Certbot website for the currently supported installation method.)

Install certbot on CentOS

13 Install mod_python

The Apache module mod_python is not available as an RPM package, so we will comp
ile it from source. The first step is to install the Python development files and download the current mod_python version as a .tar.gz file.

dnf -y install python3-devel
cd /usr/local/src/
wget http://dist.modpython.org/dist/mod_python-3.5.0.tgz
tar xfz mod_python-3.5.0.tgz
cd mod_python-3.5.0

Then configure and compile the module.

./configure --with-python=/usr/bin/python3
make

If make aborts with "git describe" errors (the build scripts determine the version string with git, which fails in a release tarball that has no .git directory), run the following sed command (the command is one line!) to silence those errors in the Makefiles and in version.sh, then run make again:

sed -e 's/(git describe --always)/(git describe --always 2>\/dev\/null)/g' -e 's/`git describe --always`/`git describe --always 2>\/dev\/null`/g' -i $( find . -type f -name 'Makefile*' -o -name version.sh )

Then install the module with this command.

make install

and enable the module in Apache:

echo 'LoadModule python_module modules/mod_python.so' > /etc/httpd/conf.modules.d/10-python.conf
systemctl restart httpd.service

14 Install PureFTPd

PureFTPd can be installed with the following command:

dnf -y install pure-ftpd

Then create the system startup links and start PureFTPd:

systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

TLS needs OpenSSL; to install OpenSSL, we simply run:

dnf install openssl

Open /etc/pure-ftpd/pure-ftpd.conf ...

nano /etc/pure-ftpd/pure-ftpd.conf

If you want to allow FTP and TLS sessions, set TLS to 1 by removing the # in front of the TLS line. It is strongly recommended to enable TLS. (As the comment in the file explains, a value of 2 refuses unencrypted sessions altogether; use it once all of your FTP clients support TLS.)

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      1
[...]

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, so I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows. Giving the same file for -keyout and -out writes the private key and the certificate into one PEM file, which is the format Pure-FTPd expects for its CertFile:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [XX]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) []: <-- Enter your State or Province Name.
Locality Name (eg, city) [Default City]: <-- Enter your City.
Organization Name (eg, company) [Default Company Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, your name or your server's hostname) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Create a DHParam file:

openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

Finally, restart PureFTPd:

systemctl restart pure-ftpd.service
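Added example (not from the original guide): a shell check for the resulting pure-ftpd.pem before relying on it. It confirms that the file holds exactly one private key and one certificate, that the two belong together, that the certificate's CN is the server's FQDN, and that the file mode is 600. make_ftpd_pem is a non-interactive variant of the openssl req command above (the -subj option replaces the prompts); the files it builds, including the mismatched one assembled from a second key pair, are constructed for the demonstration, and the script assumes the openssl and GNU stat binaries are present.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the combined key+certificate
# file that Pure-FTPd reads before restarting the daemon. Requires openssl.

# check_ftpd_pem PEM_FILE FQDN -> 0 if all checks pass, 1 otherwise (findings on stdout)
check_ftpd_pem() {
    pem=$1
    fqdn=$2
    rc=0
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$pem")
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem")
    [ "$keys" -eq 1 ]  || { echo "FAIL: expected 1 private key, found $keys"; rc=1; }
    [ "$certs" -eq 1 ] || { echo "FAIL: expected 1 certificate, found $certs"; rc=1; }
    # the public key derived from the private key must equal the one in the certificate
    kpub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "FAIL: private key does not match the certificate"
        rc=1
    fi
    # FTP clients verify the name they connect to against the certificate's subject
    subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 2>/dev/null)
    case $subj in
        *"CN=$fqdn"*) ;;
        *) echo "FAIL: subject '$subj' does not carry CN=$fqdn"; rc=1 ;;
    esac
    # the file contains the private key, so it must stay root-only (the chmod 600 above)
    mode=$(stat -c %a "$pem" 2>/dev/null)
    [ "$mode" = 600 ] || { echo "FAIL: mode is $mode, expected 600"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $pem holds a matching key/certificate pair for $fqdn, mode 600"
    return "$rc"
}

# make_ftpd_pem FILE FQDN: non-interactive version of the openssl req command above.
# Naming the same file for -keyout and -out appends the certificate after the key.
make_ftpd_pem() {
    openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1" -out "$1" 2>/dev/null
    chmod 600 "$1"
}

# Demonstration on constructed files: a correct pair, then a key spliced onto the
# certificate of a different key pair (what a certificate copied from another host
# or a half-renewed file looks like).
good=$(mktemp); other=$(mktemp); bad=$(mktemp)
make_ftpd_pem "$good" server1.example.com
make_ftpd_pem "$other" server1.example.com
{ openssl pkey -in "$good"; openssl x509 -in "$other"; } > "$bad" 2>/dev/null
chmod 600 "$bad"
check_ftpd_pem "$good" server1.example.com
check_ftpd_pem "$bad" server1.example.com || true
rm -f "$good" "$other" "$bad"
```

On the server, `check_ftpd_pem /etc/ssl/private/pure-ftpd.pem server1.example.com` should print the OK line; a mismatched pair makes Pure-FTPd fail TLS handshakes with a message that is far less obvious than this output.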

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS.

15 Install BIND

We can install BIND as follows:

dnf -y install bind bind-utils haveged

Make a backup of the existing /etc/named.conf file and create a new one like this:

cp /etc/named.conf /etc/named.conf_bak
cat /dev/null > /etc/named.conf
nano /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-recursion {"none";};
        recursion no;
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.conf.local";

This configuration makes named an authoritative-only server: it listens on all addresses and answers queries for the zones it hosts from anyone, but recursion is disabled so the server cannot be misused as an open resolver.

Create the file /etc/named.conf.local that is included at the end of /etc/named.conf (/etc/named.conf.local will later be populated by ISPConfig if you create DNS zones in ISPConfig):

touch /etc/named.conf.local

Then we create the startup links and start BIND:

systemctl enable named.service
systemctl start named.service
systemctl enable haveged.service
systemctl start haveged.service

16 Install AWStats

AWStats can be installed as follows:

dnf -y install awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder

The alternative web statistics application 'webalizer' is no longer available for CentOS 8, so you can only use AWStats.

17 Install Jailkit

Jailkit is used to chroot SSH users and cronjobs. It can be installed as follows:

ln -s /usr/bin/python2 /usr/bin/python
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.21.tar.gz
tar xvfz jailkit-2.21.tar.gz
cd jailkit-2.21
./configure
make
make install
cd ..
rm -rf jailkit-2.21*

18 Install fail2ban

This is optional but recommended, as the ISPConfig monitor will try to show the log:

dnf -y install iptables-services fail2ban fail2ban-systemd
systemctl stop firewalld.service
systemctl mask firewalld.service
systemctl disable firewalld.service

Next, we create the /etc/fail2ban/jail.local file and enable monitoring for the ssh, email and ftp services.

nano /etc/fail2ban/jail.local

Add the following content to the jail.local file:

[sshd]
enabled = true
action = iptables[name=sshd, port=ssh, protocol=tcp]

[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 3

[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5

[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 3

Then create the system startup links for fail2ban and start it:

systemctl enable fail2ban.service
systemctl start fail2ban.service

19 Install rkhunter

rkhunter can be installed as follows:

dnf -y install rkhunter

20 Install Mailman

If you want to manage mailing lists with Mailman on your server, install mailman now. Mailman is supported by ISPConfig, so you can later create new mailing lists through ISPConfig.

dnf -y install mailman

Before we can start Mailman, a first mailing list called mailman must be created:

touch /var/lib/mailman/data/aliases
postmap /var/lib/mailman/data/aliases
/usr/lib/mailman/bin/newlist mailman
ln -s /usr/lib/mailman/mail/mailman /usr/bin/mailman

[root@server1 tmp]# /usr/lib/mailman/bin/newlist mailman
Enter the email of the person running the list: <-- admin email address, e.g. listadmin@example.com
Initial mailman password: <-- admin password for the mailman list
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman:              "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/usr/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner... <-- ENTER

[root@server1 tmp]#

Open /etc/aliases afterwards...

nano /etc/aliases

... and add the following lines:

[...]
mailman:              "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/usr/lib/mailman/mail/mailman unsubscribe mailman"

newaliases

Afterwards, restart Postfix:

systemctl restart postfix.service

Now open the Mailman Apache configuration file /etc/httpd/conf.d/mailman.conf...

nano /etc/httpd/conf.d/mailman.conf

... and add the line ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/. Comment out Alias /pipermail/ /var/lib/mailman/archives/public/ and add the line Alias /pipermail /var/lib/mailman/archives/public/:

#
#  httpd configuration settings for use with mailman.
#

ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/
<Directory /usr/lib/mailman/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

#Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /pipermail /var/lib/mailman/archives/public/
<Directory /var/lib/mailman/archives/public>
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AddDefaultCharset Off
</Directory>

# Uncomment the following line, to redirect queries to /mailman to the
# listinfo page (recommended).

# RedirectMatch ^/mailman[/]*$ /mailman/listinfo

Restart Apache:

systemctl restart httpd.service

Create the system startup links for Mailman and start it:

systemctl enable mailman.service
systemctl start mailman.service

After you have installed ISPConfig 3, you can access Mailman as follows:

You can use the alias /cgi-bin/mailman for all Apache vhosts (please note that suExec and CGI must be disabled for all vhosts from which you want to access Mailman!), which means you can access the Mailman admin interface for a list at http://<vhost>/cgi-bin/mailman/admin/<listname>, and the web page for users of a mailing list can be found at http://<vhost>/cgi-bin/mailman/listinfo/<listname>.

Under http://<vhost>/pipermail/<listname> you can find the mailing list archives.

21 Install Roundcube Webmail

To install the RoundCube webmail client, download the latest version with wget to the /tmp folder:

cd /tmp
wget https://github.com/roundcube/roundcubemail/releases/download/1.4.3/roundcubemail-1.4.3-complete.tar.gz

Unpack the tar.gz archive and move the RoundCube sources to /usr/share/roundcubemail

tar xfz roundcubemail-1.4.3-complete.tar.gz
mkdir /usr/share/roundcubemail
mv /tmp/roundcubemail-1.4.3/* /usr/share/roundcubemail/
chown -R root:root /usr/share/roundcubemail
chown apache /usr/share/roundcubemail/temp
chown apache /usr/share/roundcubemail/logs

Create a roundcubemail.conf configuration file with the nano editor:

nano /etc/httpd/conf.d/roundcubemail.conf

and add the following content to that file:

#
# Round Cube Webmail is a browser-based multilingual IMAP client
#

Alias /roundcubemail /usr/share/roundcubemail
Alias /webmail /usr/share/roundcubemail

# Define who can access the Webmail
# You can enlarge permissions once configured

<Directory /usr/share/roundcubemail/>
        Options none
        AllowOverride Limit
        Require all granted
</Directory>

# Define who can access the installer
# keep this secured once configured

<Directory /usr/share/roundcubemail/installer>
        Options none
        AllowOverride Limit
        Require all granted
</Directory>

# Those directories should not be viewed by Web clients.
<Directory /usr/share/roundcubemail/bin/>
    Order Allow,Deny
    Deny from all
</Directory>
<Directory /usr/share/roundcubemail/plugins/enigma/home/>
    Order Allow,Deny
    Deny from all
</Directory>
Restart Apache:

systemctl restart httpd.service

Now we need a database for RoundCube Mail. We initialize it as follows:

mysql -u root -p

At the MariaDB prompt use:

CREATE DATABASE roundcubedb;
CREATE USER roundcubeuser@localhost IDENTIFIED BY 'roundcubepassword';
GRANT ALL PRIVILEGES ON roundcubedb.* TO roundcubeuser@localhost;
FLUSH PRIVILEGES;
exit

I used the RoundCube database details above as an example; please replace these values with values of your own choice for security reasons.

Now we install RoundCube in the browser at http://192.168.0.100/roundcubemail/installer


Fill in the installer's forms (use the database name, user and password created above). The installer then shows a generated configuration; create the config.inc.php file and paste that configuration into it:

nano /usr/share/roundcubemail/config/config.inc.php

Then press "Continue" in the web installer. On the next page, press the "Initialize database" button.

Finally, disable the Roundcube installer by changing the RoundCube config.inc.php configuration file

nano /usr/share/roundcubemail/config/config.inc.php

and change the line:

$config['enable_installer'] = true;

to:

$config['enable_installer'] = false;

Roundcube is now available under the aliases /webmail and /roundcubemail on the server:

http://192.168.0.100/webmail

The RoundCube login is the email address and password of an email account that you create later in ISPConfig.

22 Install ISPConfig 3.2

The ISPConfig installer will configure all services like Postfix, Dovecot, etc. for you.

You now also have the possibility to let the installer create an SSL vhost for the ISPConfig control panel, so that ISPConfig can be accessed using https:// instead of http://. To achieve this, just press ENTER when you see this question: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

To install ISPConfig 3.2 Beta, do this:

cd /tmp
wget -O ispconfig.tar.gz http://www.ispconfig.org/downloads/ISPConfig-3.2b2.tar.gz
tar xfz ispconfig.tar.gz
cd ispconfig3*/install/

The next step is to run:

php -q install.php

This will start the ISPConfig 3 installer, which configures all services like Postfix, Dovecot, etc. for you.

[root@server1 install]# php install.php

--------------------------------------------------------------------------------
 [ISPConfig ASCII-art banner]
--------------------------------------------------------------------------------

>> Initial configuration

Operating System: CentOS 8.2

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- Hit Enter

Installation mode (standard,expert) [standard]: <-- Hit Enter

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- Hit Enter

MySQL server hostname [localhost]: <-- Hit Enter

MySQL server port [3306]: <-- Hit Enter

MySQL root username [root]: <-- Hit Enter

MySQL root password []: <-- Enter the MySQL root password here

MySQL database to create [dbispconfig]: <-- Hit Enter

MySQL charset [utf8]: <-- Hit Enter

Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
.....................++
.....++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: <-- Enter 2 Letter country code, e.g. US
State or Province Name (full name) []: <-- Enter name of State or Province
Locality Name (eg, city) [Default City]: <-- Name of city
Organization Name (eg, company) [Default Company Ltd]: <-- Company name
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (eg, your name or your server's hostname) []: <-- Enter server hostname here, in my case: server1.example.com
Email Address []: <-- Enter Email address
Configuring mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Jailkit
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring vlogger
[INFO] service OpenVZ not detected
Configuring Bastille Firewall
[INFO] service Metronome XMPP Server not detected
Configuring Fail2ban
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]: <-- Hit Enter

Admin password [fad579a6]: <-- Enter new password for ISPConfig admin user

Re-enter admin password []: <-- Repeat the password

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- Hit Enter

Generating RSA private key, 4096 bit long modulus
.....................++
.....++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: <-- Enter 2 Letter country code, e.g. US
State or Province Name (full name) []: <-- Enter name of State or Province
Locality Name (eg, city) [Default City]: <-- Name of city
Organization Name (eg, company) [Default Company Ltd]: <-- Company name
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (eg, your name or your server's hostname) []: <-- Enter server hostname here, in my case: server1.example.com
Email Address []: <-- Enter Email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Hit Enter
An optional company name []: <-- Hit Enter
writing RSA key

Configuring DBServer
Installing ISPConfig crontab
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.

The installer automatically configures all underlying services, so no manual configuration is needed.

23 First ISPConfig Login

Afterwards you can access ISPConfig 3 under http(s)://server1.example.com:8080/ or http(s)://192.168.0.100:8080/ (http or https depends on what you chose during installation).

Log in with the username admin and the admin password you entered during the installation (if you accepted the randomly generated default, change it after the first login):

ISPConfig Login

23.1 ISPConfig 3 Manual

In order to learn how to use ISPConfig 3, I strongly recommend downloading the ISPConfig 3 Manual.

On more than 300 pages, it covers the concept behind ISPConfig (admin, resellers, clients), explains how to install and update ISPConfig 3, includes a reference for all forms and form fields in ISPConfig together with examples of valid inputs, and provides tutorials for the most common tasks in ISPConfig 3. It also lines out how to make your server more secure and comes with a troubleshooting section at the end.

24 Download as a virtual machine

This setup is available as a virtual machine download in ova/ovf format (compatible with VMWare and Virtualbox) for howtoforge subscribers.

Login details for the VM

  • The root password is: howtoforge
  • The password of the ISPConfig "admin" user is: howtoforge
  • There is also a shell user named "howtoforge" with the password: howtoforge

Please change both passwords at the first login.

  • The IP address of the VM is 192.168.0.100