Debian 9 and ISPConfig

15 Feb

February 15, 2019 Matthew

Install:

apt-get install openssh-server

(enable ssh)

apt-get install open-vm-tools htop vnstat net-tools ntp locate

If this is a virtual machine disable SMBus:

echo blacklist i2c_piix4 >> /etc/modprobe.d/blacklist.conf

update-initramfs -u -k all

nano /etc/hosts

127.0.0.1       localhost.localdomain   localhost

nano /etc/apt/sources.list

deb http://ftp.us.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch main contrib non-free

deb http://security.debian.org/debian-security stretch/updates main contrib non-free
deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free

(just add: “contrib non-free” to the end of existing entries)

apt-get update

dpkg-reconfigure dash

Select no

reboot

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo

mysql_secure_installation

nano /etc/postfix/master.cf

remove comments on

submission inet n
smtps inet n – y – – smtpd

service postfix restart

nano /etc/mysql/mariadb.conf.d/50-server.cnf

add comment on:
#bind-address

check other steps???

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey

service spamassassin stop

systemctl disable spamassassin

apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.0 php7.0-common php7.0-gd php7.0-mysql php7.0-imap phpmyadmin php7.0-cli php7.0-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear php7.0-mcrypt mcrypt  imagemagick libruby libapache2-mod-python php7.0-curl php7.0-intl php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl memcached php-memcache php-imagick php-gettext php7.0-zip php7.0-mbstring memcached libapache2-mod-passenger php7.0-soap

a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest cgi headers

nano /etc/apache2/conf-available/httpoxy.conf

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

a2enconf httpoxy

service apache2 restart

cd /usr/local/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --install-only

apt-get -y install php7.0-fpm

a2enmod actions proxy_fcgi alias

service apache2 restart

apt-get -y install php7.0-opcache php-apcu

service apache2 restart

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

nano /etc/default/pure-ftpd-common

VIRTUALCHROOT=true

echo 1 > /etc/pure-ftpd/conf/TLS

mkdir -p /etc/ssl/private/

(this creates a self signed)

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

chmod 600 /etc/ssl/private/pure-ftpd.pem

nano /etc/fstab

rrors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1

mount -o remount /
quotacheck -avugm
quotaon -avug

apt-get install bind9 dnsutils haveged webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl

nano /etc/cron.d/awstats

comment out all

apt-get install build-essential autoconf automake libtool flex bison debhelper binutils

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.20.tar.gz
tar xvfz jailkit-2.20.tar.gz
cd jailkit-2.20
echo 5 > debian/compat
./debian/rules binary

cd ..
dpkg -i jailkit_2.20-1_*.deb
rm -rf jailkit-2.20*

apt-get install fail2ban

nano /etc/fail2ban/jail.local

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3

service fail2ban restart

apt-get install ufw roundcube roundcube-core roundcube-mysql roundcube-plugins

nano /etc/roundcube/config.inc.php

$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';

nano /etc/apache2/conf-enabled/roundcube.conf

Alias /webmail /var/lib/roundcube

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

php -q install.php

creates smtpd.key
‘localhost.key? followup

mysql -u root -p

CREATE USER 'admin'@'%' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION;
quit;

email spf check:

apt-get install postfix-policyd-spf-python

nano /etc/postfix/main.cf

add the end of smtpd_recipient_restrictions

check_policy_service unix:private/policy-spf

add at end of file

policy-spf_time_limit = 3600s

nano /etc/postfix/master.cf

add at end:

policy-spf  unix  -       n       n       -       -       spawn
user=nobody argv=/usr/bin/policyd-spf

/etc/init.d/postfix reload

enable spamassign update:

nano /etc/cron.daily/spamassassin

Replace SSL (self-signed) with signed certificate:

PureFTP:

nano /etc/ssl/private/pure-ftpd.pem

Mail Services:

nano /etc/postfix/smtpd.cert
nano /etc/postfix/smtpd.key

ISP Config CP:

nano /usr/local/ispconfig/interface/ssl/ispserver.crt
nano /usr/local/ispconfig/interface/ssl/ispserver.csr
nano /usr/local/ispconfig/interface/ssl/ispserver.key