Install:
[bash]apt-get install openssh-server[/bash]
(enable ssh)
[bash]apt-get install open-vm-tools htop vnstat net-tools ntp locate[/bash]
If this is a virtual machine, disable the SMBus driver:
[bash]echo blacklist i2c_piix4 >> /etc/modprobe.d/blacklist.conf[/bash]
[bash]update-initramfs -u -k all[/bash]
[bash]nano /etc/hosts[/bash]
[code language="text"]127.0.0.1 localhost.localdomain localhost[/code]
[bash]nano /etc/apt/sources.list[/bash]
[code language="text"]deb http://ftp.us.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch main contrib non-free
deb http://security.debian.org/debian-security stretch/updates main contrib non-free
deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free[/code]
(just add: “contrib non-free” to the end of existing entries)
[bash]apt-get update[/bash]
[bash]dpkg-reconfigure dash[/bash]
Select "No" when asked whether to use dash as the default system shell (/bin/sh).
[bash]reboot[/bash]
[bash]apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo[/bash]
[bash]mysql_secure_installation[/bash]
[bash]nano /etc/postfix/master.cf[/bash]
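Uncomment these lines (remove the leading #):
submission inet n
smtps inet n - y - - smtpd
Under each entry, also enable the -o overrides that require TLS and SASL authentication (e.g. -o smtpd_sasl_auth_enable=yes and -o smtpd_client_restrictions=permit_sasl_authenticated,reject); without them these ports accept mail under the same rules as port 25.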
[bash]service postfix restart[/bash]
[bash]nano /etc/mysql/mariadb.conf.d/50-server.cnf[/bash]
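Comment out the bind-address line. MariaDB then listens on all network interfaces instead of only 127.0.0.1, so do this only if remote database access is needed, and limit access to port 3306 with the firewall: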
#bind-address
check other steps???
[bash]apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey[/bash]
[bash]service spamassassin stop[/bash]
[bash]systemctl disable spamassassin[/bash]
[bash]apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.0 php7.0-common php7.0-gd php7.0-mysql php7.0-imap phpmyadmin php7.0-cli php7.0-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear php7.0-mcrypt mcrypt imagemagick libruby libapache2-mod-python php7.0-curl php7.0-intl php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl memcached php-memcache php-imagick php-gettext php7.0-zip php7.0-mbstring memcached libapache2-mod-passenger php7.0-soap[/bash]
[bash]a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest cgi headers[/bash]
[bash]nano /etc/apache2/conf-available/httpoxy.conf[/bash]
[code language="text"]<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>[/code]
[bash]a2enconf httpoxy[/bash]
[bash]service apache2 restart[/bash]
[bash]cd /usr/local/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --install-only[/bash]
[bash]apt-get -y install php7.0-fpm[/bash]
[bash]a2enmod actions proxy_fcgi alias[/bash]
[bash]service apache2 restart[/bash]
[bash]apt-get -y install php7.0-opcache php-apcu[/bash]
[bash]service apache2 restart[/bash]
[bash]apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool[/bash]
[bash]openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048[/bash]
[bash]nano /etc/default/pure-ftpd-common[/bash]
VIRTUALCHROOT=true
[bash]echo 1 > /etc/pure-ftpd/conf/TLS[/bash]
[bash]mkdir -p /etc/ssl/private/[/bash]
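(This creates a self-signed certificate valid for 7300 days; -nodes leaves the private key unencrypted, and the key and certificate are written to the same file. The TLS value of 1 written above lets pure-ftpd accept both TLS and plaintext sessions; a value of 2 refuses plaintext sessions.)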
[bash]openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem[/bash]
[bash]chmod 600 /etc/ssl/private/pure-ftpd.pem[/bash]
[bash]nano /etc/fstab[/bash]
Add the quota options to the mount options of the root filesystem entry, so that it ends with:
errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
[bash]mount -o remount /
quotacheck -avugm
quotaon -avug[/bash]
[bash]apt-get install bind9 dnsutils haveged webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl[/bash]
[bash]nano /etc/cron.d/awstats[/bash]
Comment out every line in the file.
[bash]apt-get install build-essential autoconf automake libtool flex bison debhelper binutils[/bash]
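(The jailkit tarball is fetched over plain HTTP and then built and installed as root; check it against a checksum or signature from the project, if one is published, before building.)
[bash]cd /tmp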
wget http://olivier.sessink.nl/jailkit/jailkit-2.20.tar.gz
tar xvfz jailkit-2.20.tar.gz
cd jailkit-2.20
echo 5 > debian/compat
./debian/rules binary[/bash]
[bash]cd ..
dpkg -i jailkit_2.20-1_*.deb
rm -rf jailkit-2.20*[/bash]
[bash]apt-get install fail2ban[/bash]
[bash]nano /etc/fail2ban/jail.local[/bash]
[code language="text"][pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3[/code]
[bash]service fail2ban restart[/bash]
[bash]apt-get install ufw roundcube roundcube-core roundcube-mysql roundcube-plugins[/bash]
[bash]nano /etc/roundcube/config.inc.php[/bash]
[code language="text"]$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';[/code]
[bash]nano /etc/apache2/conf-enabled/roundcube.conf[/bash]
[code language="text"]Alias /webmail /var/lib/roundcube[/code]
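(The ISPConfig installer is fetched over plain HTTP and then run as root; check the tarball against a checksum or signature from the project, if one is published, before running install.php.)
[bash]cd /tmp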
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/[/bash]
[bash]php -q install.php[/bash]
creates smtpd.key
‘localhost.key? followup
[bash]mysql -u root -p[/bash]
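[code language="text"]CREATE USER 'admin'@'%' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION;
quit;[/code]
(Replace password with a strong, unique password. The '%' host lets this account log in from any address, and the grant gives it full control of every database, so use a specific host such as 'admin'@'localhost' or a known admin IP unless remote access from anywhere is really required.)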
email spf check:
[bash]apt-get install postfix-policyd-spf-python[/bash]
[bash]nano /etc/postfix/main.cf[/bash]
Add at the end of smtpd_recipient_restrictions:
[code language="text"]check_policy_service unix:private/policy-spf[/code]
add at end of file
[code language="text"]policy-spf_time_limit = 3600s[/code]
[bash]nano /etc/postfix/master.cf[/bash]
add at end:
[code language="text"]policy-spf unix - n n - - spawn
  user=nobody argv=/usr/bin/policyd-spf[/code]
[bash]/etc/init.d/postfix reload[/bash]
Enable SpamAssassin updates:
[bash]nano /etc/cron.daily/spamassassin[/bash]
Replace the self-signed SSL certificates with CA-signed ones:
PureFTP (the certificate and private key share this file, so keep it at mode 600):
[bash]nano /etc/ssl/private/pure-ftpd.pem[/bash]
Mail Services:
[bash]nano /etc/postfix/smtpd.cert
nano /etc/postfix/smtpd.key[/bash]
ISP Config CP:
[bash]nano /usr/local/ispconfig/interface/ssl/ispserver.crt
nano /usr/local/ispconfig/interface/ssl/ispserver.csr
nano /usr/local/ispconfig/interface/ssl/ispserver.key[/bash]