This is a detailed description of the steps to be taken to set up a Fedora Core 3 based server that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP, Quota, Firewall, etc.). In addition to that I will show how to use Debian's package manager apt on an rpm-based system because it takes care of package dependencies automagically, which can save a lot of trouble.
I will use the following software:
- Web Server: Apache 2.0.x
- Mail Server: Postfix (easier to configure than sendmail; has a shorter history of security holes than sendmail)
- DNS Server: BIND9
- FTP Server: proftpd
- POP3/IMAP servers
- Webalizer for web site statistics
In the end you should have a system that works reliably and is ready for the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).
I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
Requirements
To install such a system you will need the following:
- Download the 4 Fedora Core 3 CD iso images from a mirror near you (the list of mirrors can be found here: http://fedora.redhat.com/download/mirrors.html), e.g. ftp://ftp.tu-chemnitz.de/pub/linux/fedora-core/3/i386/iso/FC3-i386-disc1.iso, ftp://ftp.tu-chemnitz.de/pub/linux/fedora-core/3/i386/iso/FC3-i386-disc2.iso, ftp://ftp.tu-chemnitz.de/pub/linux/fedora-core/3/i386/iso/FC3-i386-disc3.iso and ftp://ftp.tu-chemnitz.de/pub/linux/fedora-core/3/i386/iso/FC3-i386-disc4.iso, or download the DVD iso image, e.g. ftp://ftp.tu-chemnitz.de/pub/linux/fedora-core/3/i386/iso/FC3-i386-DVD.iso
- an internet connection...
1 The Base System
Boot from your Fedora Core 3 CD (CD 1) or DVD.
It can take a long time to test the installation media so we skip this test here:
The welcome screen of the Fedora installer appears:
Choose your language next:
Select your keyboard layout:
We want to install a server so we choose Server here:
Now we have to partition our hard disk. You can choose to let the Fedora installer do the partitioning, or you can do it yourself. I want to create a small /boot partition (less than 100 MB) with the file system ext3, a swap partition and a huge / partition (again with ext3):
Now the boot loader GRUB will be installed. You can leave the default settings unchanged and click on Next:
On to the network settings. The default setting here seems to be to configure the network interfaces with DHCP, but we are installing a server, so static IP addresses are not a bad idea... Click on the Edit button at the top right. In the window that pops up uncheck Configure using DHCP and give your network card a static IP address (in this tutorial I'm using the IP address 192.168.0.100 for demonstration purposes):
Set the hostname manually, e.g. server1.example.com, and enter a gateway (e.g. 192.168.0.1) and up to three DNS servers (e.g. 145.253.2.75 and 193.174.32.18):
On the next screen we select No firewall (there's a firewall coming with ISPConfig that we want to use) and disable SELinux:
Click on Proceed (remember, we are going to use the ISPConfig firewall):
Select the default language for the system:
Choose your time zone:
Give root a password:
Now we are to select the package groups we want to install. Select Editors, Text Based Internet, Server Configuration Tools, Web Server, Mail Server, DNS Name Server, FTP Server, MySQL Database, Network Servers, Development Tools, Administration Tools and System Tools and click on Next:
The installer tells you which CDs it will need to install the selected packages:
The installation begins. This will take a few minutes:
Finally, the installation is complete, and you can remove your CD/DVD from the computer and reboot it:
2 Installing And Configuring The Rest Of The System
Configure Additional IP Addresses
Let's assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.100
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
TYPE=Ethernet
Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this:
DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
TYPE=Ethernet
Afterwards we have to restart the network:
/etc/init.d/network restart
Setting The Hostname
echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname
Install apt For Fedora
apt is the packaging system used on Debian. Since it handles package dependencies much better than rpm, it would be nice if we could use it on our new Fedora system. This would save us a lot of hassle. Fortunately, apt has been ported to a lot of rpm-based distributions, and is also available for Fedora Core 3 (you will love it... :-)).
rpm -ivh http://ftp.freshrpms.net/pub/freshrpms/fedora/linux/3/apt/apt-0.5.15cnc6-1.1.fc3.fr.i386.rpm
Edit /etc/apt/sources.list. It should contain the following lines:
rpm http://ayo.freshrpms.net fedora/linux/3/i386 core updates freshrpms
rpm http://ayo.freshrpms.net fedora/linux/3/i386 tupdates
rpm-src http://ayo.freshrpms.net fedora/linux/3/i386 core updates freshrpms
rpm-src http://ayo.freshrpms.net fedora/linux/3/i386 tupdates
rpm http://ayo.freshrpms.net fedora/linux/2/i386 core updates freshrpms
rpm http://ayo.freshrpms.net fedora/linux/1/i386 core updates freshrpms
Run
apt-get update
Install Some Software
apt-get install which fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp
Quota
apt-get install quota
Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the line for LABEL=/, mount point /):
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/ / ext3 defaults,usrquota,grpquota 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
LABEL=SWAP-sda3 swap swap defaults 0 0
/dev/hdc /media/cdrecorder auto pamconsole,ro,exec,noauto,managed 0 0
/dev/fd0 /media/floppy auto pamconsole,exec,noauto,managed 0 0
Then run:
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
DNS-Server
apt-get install bind-chroot
chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
chkconfig --levels 235 named on
/etc/init.d/named start
BIND will run in a chroot jail under /var/named/chroot/var/named/.
MySQL
apt-get install mysql mysql-devel mysql-server
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
Now check that networking is enabled. Run
netstat -tap
It should show a line like this:
tcp 0 0 *:mysql *:* LISTEN 6621/mysqld
If it does not, edit /etc/my.cnf and comment out the option skip-networking:
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
and restart your MySQL server:
/etc/init.d/mysqld restart
Run
mysqladmin -u root password yourrootsqlpassword
to set a password for the user root (otherwise anybody can access your MySQL database!).
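The netstat check above extends to every service this setup starts: the installer was told No firewall, so any socket listening on a wildcard address is reachable on all interfaces until the ISPConfig firewall is in place. The script below is an added example, not part of the original tutorial; the function name exposed_listeners and the sample output (apart from the mysqld line shown above) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Constructed sample in the format of `netstat -tap` / `netstat -tanp` output.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 6621/mysqld
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2210/cupsd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2302/master
tcp 0 0 :::80 :::* LISTEN 2400/httpd
tcp 0 0 192.168.0.100:22 192.168.0.5:51234 ESTABLISHED 2500/sshd'

# exposed_listeners: read netstat output on stdin and print "port program"
# for every TCP socket in LISTEN state on a wildcard address.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")          # port is the last ":" field
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        # "*" (resolved names), 0.0.0.0 (IPv4 with -n), "::" (IPv6)
        if (host == "*" || host == "0.0.0.0" || host == "::") {
            prog = $7
            sub(/^[0-9]+\//, "", prog)       # drop the PID, keep the name
            print port, prog
        }
    }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

On the server itself, run netstat -tap as root and pipe its output into exposed_listeners.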
Postfix With SMTP-AUTH And TLS
apt-get install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix imap
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' > /usr/lib/sasl2/smtpd.conf
echo 'mech_list: plain login' >> /usr/lib/sasl2/smtpd.conf
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
# the unencrypted key is a new file, so restrict its permissions again
chmod 600 smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
Now start Postfix, saslauthd, imap and pop3:
chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig imap on
chkconfig imaps on
chkconfig ipop3 on
chkconfig pop3s on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/xinetd restart
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your postfix mail server type
ehlo localhost
If you see the lines
250-STARTTLS
and
250-AUTH
everything is fine.
Type
quit
to return to the system's shell.
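The same check as a script, as an added example that is not part of the original tutorial: check_ehlo (a name chosen here) reads a saved transcript of the telnet session and reports whether STARTTLS and AUTH are advertised and which mechanisms are offered. Because smtpd_tls_auth_only is set to no above, PLAIN and LOGIN are offered before STARTTLS, which the cleartext_auth field makes visible. The sample reply is constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Constructed sample of the EHLO reply the settings above produce.
SAMPLE_EHLO='220 server1.example.com ESMTP Postfix
250-server1.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'

# check_ehlo: read an SMTP transcript on stdin, print a one-line summary and
# return 0 only if both STARTTLS and AUTH are advertised.
check_ehlo() (
    starttls=no; auth=no; mechs=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            250-*|"250 "*) ;;            # extensions are listed on 250 lines
            *) continue ;;
        esac
        kw=$(printf '%s' "${line#250?}" | tr -d '\r' | tr 'a-z' 'A-Z')
        case $kw in
            STARTTLS) starttls=yes ;;
            "AUTH "*|AUTH=*)             # AUTH= form: broken_sasl_auth_clients = yes
                auth=yes
                mechs="$mechs ${kw#AUTH?}" ;;
        esac
    done
    # Both AUTH lines carry the same mechanisms; list each one once.
    mechs=$(printf '%s\n' $mechs | sort -u | tr '\n' ' ')
    mechs=${mechs% }
    # PLAIN/LOGIN advertised on a session that has not done STARTTLS yet
    # means the password can be sent unencrypted (smtpd_tls_auth_only = no).
    case " $mechs " in
        *" PLAIN "*|*" LOGIN "*) clear=yes ;;
        *) clear=no ;;
    esac
    echo "starttls=$starttls auth=$auth mechs=${mechs:-none} cleartext_auth=$clear"
    [ "$starttls" = yes ] && [ "$auth" = yes ]
)

printf '%s\n' "$SAMPLE_EHLO" | check_ehlo
```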
Apache With PHP
apt-get install php php-devel php-domxml php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xmlrpc php-rrdtool curl curl-devel perl-libwww-perl ImageMagick
chkconfig --levels 235 httpd on
/etc/init.d/httpd start
Proftpd
apt-get install proftpd
chkconfig --levels 235 proftpd on
/etc/init.d/proftpd start
Webalizer
To install webalizer, just run
apt-get install webalizer
Synchronize the System Clock
If you want to have the system clock synchronized with an NTP server do the following:
apt-get install rdate
rdate -s 128.2.136.71
Create /var/spool/cron/root:
# update time with ntp server
0 3,9,15,21 * * * /usr/bin/rdate -s 128.2.136.71 | logger -t NTP
Then run
chmod 600 /var/spool/cron/root
/etc/init.d/crond restart
Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)
Installation using the Perl Shell
Login to your command line as root and run the following command to start the Perl shell:
perl -MCPAN -e shell
If you run the Perl shell for the first time you will be asked some questions. In most cases the default answers are ok.
Please note: If you run a firewall on your system you might have to turn it off while working on the Perl shell in order for the Perl shell to be able to fetch the needed modules without a big delay. You can switch it on afterwards.
The big advantage of the Perl shell compared to the two other methods described here is that it takes care of dependencies when installing new modules. I.e., if it turns out that a prerequisite Perl module is missing when you install another module, the Perl shell asks you if it should install the prerequisite module for you. You should answer that question with "Yes".
Run the following commands to install the modules needed by SpamAssassin:
install HTML::Parser
install DB_File
install Net::DNS (when prompted to enable tests, choose no)
install Digest::SHA1
q (to leave the Perl shell)
If a module is already installed on your system you will get a message similar to this one:
HTML::Parser is up to date.
Successful installation of a module looks like this:
/usr/bin/make install -- OK
The End
The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.
A Note On SuExec
If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Fedora's suExec is compiled with /var/www as Doc_Root. Run /usr/sbin/suexec -V, and the output should look like this:
To select /var/www as the home directory for websites during the installation of ISPConfig do the following: When you are asked for the installation mode, select the expert mode.
Later during the installation you are asked if the default directory /home/www should be the directory where ISPConfig will create websites in. Answer n and enter /var/www as the home directory for websites.