\n\n# This file describes the network interfaces available on your system\n# and how to activate them. For more information, see interfaces(5).\n# The loopback network interface\nauto lo\niface lo inet loopback\n# The primary network interface\nauto eth0\niface eth0 inet static\n address 192.168.0.100\n netmask 255.255.255.0\n network 192.168.0.0\n broadcast 192.168.0.255\n gateway 192.168.0.1<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nThen restart your network:<\/p>\n \/etc\/init.d\/networking restart<\/em><\/strong><\/p><\/blockquote>\nThen edit \/etc\/hosts. Make it look like this:<\/p>\n vi \/etc\/hosts<\/em><\/strong><\/p><\/blockquote>\n\n\n\n\n127.0.0.1 localhost.localdomain localhost\n192.168.0.100 hosting.unila.ac.id hosting\n# The following lines are desirable for IPv6 capable hosts\n::1 ip6-localhost ip6-loopback\nfe00::0 ip6-localnet\nff00::0 ip6-mcastprefix\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\nff02::3 ip6-allhosts<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nNow run<\/p>\n echo hosting.unila.ac.id > \/etc\/hostname
\n\/etc\/init.d\/hostname.sh start<\/em><\/strong><\/p><\/blockquote>\nAfterwards, run<\/p>\n hostname
\nhostname -f<\/em><\/strong><\/p><\/blockquote>\nBoth should show hosting.unila.ac.id <\/strong><\/em> now.<\/p>\n4.\u00a0 Edit \/etc\/apt\/sources.list And Update Your Linux Installation<\/h3>\nEdit \/etc\/apt\/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:<\/p>\n My Repository Update is pointing to kambing.ui.edu\u00a0 located on INHERENT.<\/p>\n vi \/etc\/apt\/sources.list<\/strong><\/em><\/p><\/blockquote>\n## REPOSITORY UTAMA
\ndeb http:\/\/kambing.ui.edu\/ubuntu hardy main restricted universe multiverse
\ndeb-src http:\/\/kambing.ui.edu\/ubuntu hardy main restricted universe multiverse<\/p>\n## INI UNTUK MAJOR BUG FIX UPDATES
\ndeb http:\/\/kambing.ui.edu\/ubuntu hardy-updates main restricted universe multiverse
\ndeb-src http:\/\/kambing.ui.edu\/ubuntu hardy-updates main restricted universe multiverse<\/p>\n ## INI UNTUK UBUNTU SECURITY UPDATES
\ndeb http:\/\/kambing.ui.edu\/ubuntu hardy-security main restricted universe multiverse
\ndeb-src http:\/\/kambing.ui.edu\/ubuntu hardy-security main restricted universe multiverse<\/em><\/p><\/blockquote>\n apt-get update<\/em><\/strong><\/p><\/blockquote>\nto update the apt package database and<\/p>\n apt-get upgrade<\/em><\/strong><\/p><\/blockquote>\nto install the latest updates (if there are any).<\/p>\n 5.\u00a0 Change The Default Shell<\/h3>\n\/bin\/sh is a symlink to \/bin\/dash, however we need \/bin\/bash, not \/bin\/dash. Therefore we do this:<\/p>\n ln -sf \/bin\/bash \/bin\/sh
\n<\/em><\/strong><\/p><\/blockquote>\nIf you don’t do this, the ISPConfig installation will fail.<\/p>\n 6.\u00a0 Disable AppArmor<\/h3>\nAppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).<\/p>\n We can disable it like this:<\/p>\n \/etc\/init.d\/apparmor stop
\n<\/strong><\/em><\/p><\/blockquote>\nupdate-rc.d -f apparmor remove<\/em><\/strong><\/p><\/blockquote>\nTill told me that he also had to do this step (which was not necessary on my installation), so if you want to go sure, do this on your system as well:<\/p>\n apt-get remove apparmor apparmor-utils<\/em><\/strong><\/p><\/blockquote>\n7. \u00a0 Install Some Software<\/h3>\nNow we install a few packages that are needed later on. Run<\/p>\n apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.3-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential<\/p>\n (This command must go into one line<\/strong>!)<\/p>\n8.\u00a0 Quota<\/h3>\n(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)<\/p>\n To install quota, run<\/p>\n apt-get install quota<\/em><\/strong><\/p><\/blockquote>\nEdit \/etc\/fstab. Mine looks like this (I added ,usrquota,grpquota to the partition with the mount point \/):<\/p>\n vi \/etc\/fstab<\/em><\/strong><\/p><\/blockquote>\n\n\n\n\n# \/etc\/fstab: static file system information.\n#\n# <file system> <mount point> <type> <options> <dump> <pass>\nproc \/proc proc defaults 0 0\n# \/dev\/sda1\nUUID=6af53069-0d51-49be-b275-aeaea8d780c5 \/ ext3 relatime,errors=remount-ro,usrquota,grpquota 0 1\n# \/dev\/sda5\nUUID=d8e1f66c-1442-423e-b442-8ae66eded9d7 none swap sw 0 0\n\/dev\/scd0 \/media\/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0\n\/dev\/fd0 \/media\/floppy0 auto rw,user,noauto,exec,utf8 0 0<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nTo enable quota, run these commands:<\/p>\n touch \/quota.user \/quota.group
\nchmod 600 \/quota.*
\nmount -o remount \/<\/em><\/strong><\/p><\/blockquote>\nquotacheck -avugm
\nquotaon -avug<\/em><\/strong><\/p><\/blockquote>\n9.\u00a0 DNS Server<\/h3>\nRun<\/p>\n apt-get install bind9<\/em><\/strong><\/p><\/blockquote>\nFor security reasons we want to run BIND chrooted so we have to do the following steps:<\/p>\n \/etc\/init.d\/bind9 stop<\/strong><\/em><\/p><\/blockquote>\nEdit the file \/etc\/default\/bind9 so that the daemon will run as the unprivileged user bind, chrooted to \/var\/lib\/named. Modify the line: OPTIONS=”-u bind” so that it reads OPTIONS=”-u bind -t \/var\/lib\/named”:<\/p>\n vi \/etc\/default\/bind9<\/em><\/strong><\/p><\/blockquote>\n\n\n\n\nOPTIONS=\"-u bind -t \/var\/lib\/named\"\n# Set RESOLVCONF=no to not run resolvconf\nRESOLVCONF=yes<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nCreate the necessary directories under \/var\/lib:<\/p>\n mkdir -p \/var\/lib\/named\/etc
\nmkdir \/var\/lib\/named\/dev
\nmkdir -p \/var\/lib\/named\/var\/cache\/bind
\nmkdir -p \/var\/lib\/named\/var\/run\/bind\/run<\/em><\/strong><\/p><\/blockquote>\nThen move the config directory from \/etc to \/var\/lib\/named\/etc:<\/p>\n mv \/etc\/bind \/var\/lib\/named\/etc<\/em><\/strong><\/p><\/blockquote>\nCreate a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):<\/p>\n ln -s \/var\/lib\/named\/etc\/bind \/etc\/bind<\/em><\/strong><\/p><\/blockquote>\nMake null and random devices, and fix permissions of the directories:<\/p>\n mknod \/var\/lib\/named\/dev\/null c 1 3
\nmknod \/var\/lib\/named\/dev\/random c 1 8
\nchmod 666 \/var\/lib\/named\/dev\/null \/var\/lib\/named\/dev\/random
\nchown -R bind:bind \/var\/lib\/named\/var\/*
\nchown -R bind:bind \/var\/lib\/named\/etc\/bind<\/em><\/strong><\/p><\/blockquote>\nWe need to modify \/etc\/default\/syslogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD=”” so that it reads: SYSLOGD=”-a \/var\/lib\/named\/dev\/log”:<\/p>\n vi \/etc\/default\/syslogd<\/em><\/strong><\/p><\/blockquote>\n#\n# Top configuration file for syslogd\n#\n\n#\n# Full documentation of possible arguments are found in the manpage\n# syslogd(8).\n#\n\n#\n# For remote UDP logging use SYSLOGD=\"-r\"\n#\nSYSLOGD=\"-a \/var\/lib\/named\/dev\/log\"<\/pre>\netc\/init.d\/sysklogd restart<\/p>\n Start up BIND, and check \/var\/log\/syslog for errors:<\/p>\n \/etc\/init.d\/bind9 start<\/p>\n 10.\u00a0 MySQL<\/h3>\nIn order to install MySQL, we run<\/p>\n apt-get install mysql-server mysql-client libmysqlclient15-dev<\/strong><\/em><\/p><\/blockquote>\nYou will be asked to provide a password for the MySQL root user – this password is valid for the user root@localhost as well as \/\/ <![CDATA[<\/p>\n var prefix = 'ma' + 'il' + 'to';
\nvar path = 'hr' + 'ef' + '=';
\nvar addy91680 = 'root' + '@';
\naddy91680 = addy91680 + 'hosting' + '.' + 'unila' + '.' + 'ac' + '.' + 'id';
\ndocument.write( '‘ );
\ndocument.write( addy91680 );
\ndocument.write( ” );
\n\/\/ ]]>root@hosting.unila.ac.id<\/a>
\nThis email address is being protected from spam bots, you need Javascript enabled to view it
\n, so we don’t have to specify a MySQL root password manually later on (as was the case with previous Ubuntu versions):<\/p>\nNew password for the MySQL “root” user: <– yourrootsqlpassword<\/em><\/strong>
\nRepeat password for the MySQL “root” user: <– yourrootsqlpassword<\/em><\/strong><\/p><\/blockquote>\nWe want MySQL to listen on all interfaces, not just localhost, therefore we edit \/etc\/mysql\/my.cnf and comment out the line bind-address = 127.0.0.1:<\/p>\n vi \/etc\/mysql\/my.cnf<\/em><\/strong><\/p><\/blockquote>\n\n\n\n\n[...]\n# Instead of skip-networking the default is now to listen only on\n# localhost which is more compatible and is not less secure.\n#bind-address = 127.0.0.1\n[...]<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nThen we restart MySQL:<\/p>\n \/etc\/init.d\/mysql restart<\/strong><\/em><\/p><\/blockquote>\nNow check that networking is enabled. Run<\/p>\n netstat -tap | grep mysql<\/em><\/strong><\/p><\/blockquote>\nThe output should look like this:<\/p>\n root@hosting:~#\u00a0netstat\u00a0-tap\u00a0|\u00a0grep\u00a0mysql
\ntcp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00\u00a0*:mysql\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0*:*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0LISTEN\u00a0\u00a0\u00a0\u00a0\u00a0\u00a05869\/mysqld
\nroot@hosting:~#<\/em><\/strong><\/p><\/blockquote>\n11.\u00a0 Postfix With SMTP-AUTH And TLS<\/h3>\nIn order to install Postfix with SMTP-AUTH and TLS do the following steps:<\/p>\n apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail<\/em><\/strong><\/p><\/blockquote>\nYou will be asked two questions. Answer as follows:<\/p>\n General type of mail configuration: <– Internet Site
\nSystem mail name: <– hosting.unila.ac.id<\/p>\n Then run<\/p>\n dpkg-reconfigure postfix<\/em><\/strong><\/p><\/blockquote>\nAgain, you’ll be asked some questions:<\/p>\n General type of mail configuration: <– Internet Site
\nSystem mail name: <– hosting.unila.ac.id
\nRoot and postmaster mail recipient: <– [blank]
\nOther destinations to accept mail for (blank for none): <– hosting.unila.ac.id, localhost.example.com, localhost.localdomain, localhost
\nForce synchronous updates on mail queue? <– No
\nLocal networks: <– 127.0.0.0\/8
\nUse procmail for local delivery? <– Yes
\nMailbox size limit (bytes): <– 0
\nLocal address extension character: <– +
\nInternet protocols to use: <– all<\/p>\n Next, do this:<\/p>\n postconf -e ‘smtpd_sasl_local_domain =’
\npostconf -e ‘smtpd_sasl_auth_enable = yes’
\npostconf -e ‘smtpd_sasl_security_options = noanonymous’
\npostconf -e ‘broken_sasl_auth_clients = yes’
\npostconf -e ‘smtpd_sasl_authenticated_header = yes’
\npostconf -e ‘smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination’
\npostconf -e ‘inet_interfaces = all’
\necho ‘pwcheck_method: saslauthd’ >> \/etc\/postfix\/sasl\/smtpd.conf
\necho ‘mech_list: plain login’ >> \/etc\/postfix\/sasl\/smtpd.conf<\/strong><\/em><\/p><\/blockquote>\nAfterwards we create the certificates for TLS:<\/p>\n mkdir \/etc\/postfix\/ssl<\/em><\/strong>
\n cd \/etc\/postfix\/ssl\/<\/em><\/strong><\/p><\/blockquote>\nopenssl genrsa -des3 -rand \/etc\/hosts -out smtpd.key 1024<\/em><\/strong><\/p>\nchmod 600 smtpd.key<\/em><\/strong><\/p><\/blockquote>\nopenssl req -new -key smtpd.key -out smtpd.csr<\/em><\/strong>openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt<\/em><\/strong><\/p>\nopenssl rsa -in smtpd.key -out smtpd.key.unencrypted<\/em><\/strong><\/p>\nmv -f smtpd.key.unencrypted smtpd.key<\/em><\/strong><\/p><\/blockquote>\nopenssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650<\/em><\/strong><\/p><\/blockquote>\nNext we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):<\/p>\n postconf -e ‘myhostname = hosting.unila.ac.id’<\/strong><\/em><\/p>\npostconf -e ‘smtpd_tls_auth_only = no’
\npostconf -e ‘smtp_use_tls = yes’
\npostconf -e ‘smtpd_use_tls = yes’
\npostconf -e ‘smtp_tls_note_starttls_offer = yes’
\npostconf -e ‘smtpd_tls_key_file = \/etc\/postfix\/ssl\/smtpd.key’
\npostconf -e ‘smtpd_tls_cert_file = \/etc\/postfix\/ssl\/smtpd.crt’
\npostconf -e ‘smtpd_tls_CAfile = \/etc\/postfix\/ssl\/cacert.pem’
\npostconf -e ‘smtpd_tls_loglevel = 1’
\npostconf -e ‘smtpd_tls_received_header = yes’
\npostconf -e ‘smtpd_tls_session_cache_timeout = 3600s’
\npostconf -e ‘tls_random_source = dev:\/dev\/urandom’<\/strong><\/em><\/p><\/blockquote>\nThe file \/etc\/postfix\/main.cf should now look like this:<\/p>\n cat \/etc\/postfix\/main.cf<\/em><\/strong><\/p><\/blockquote>\n\n\n\n\n# See \/usr\/share\/postfix\/main.cf.dist for a commented, more complete version\n\n\n# Debian specific: Specifying a file name will cause the first\n# line of that file to be used as the name. The Debian default\n# is \/etc\/mailname.\n#myorigin = \/etc\/mailname\n\nsmtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)\nbiff = no\n\n# appending .domain is the MUA's job.\nappend_dot_mydomain = no\n\n# Uncomment the next line to generate \"delayed mail\" warnings\n#delay_warning_time = 4h\n\nreadme_directory = no\n\n# TLS parameters\nsmtpd_tls_cert_file = \/etc\/postfix\/ssl\/smtpd.crt\nsmtpd_tls_key_file = \/etc\/postfix\/ssl\/smtpd.key\nsmtpd_use_tls = yes\nsmtpd_tls_session_cache_database = btree:${data_directory}\/smtpd_scache\nsmtp_tls_session_cache_database = btree:${data_directory}\/smtp_scache\n\n# See \/usr\/share\/doc\/postfix\/TLS_README.gz in the postfix-doc package for\n# information on enabling SSL in the smtp client.\n\nmyhostname = hosting.unila.ac.id\nalias_maps = hash:\/etc\/aliases\nalias_database = hash:\/etc\/aliases\nmyorigin = \/etc\/hosting.unila.ac.id, localhost.unila.ac.id, localhost.localdomain, localhost\nrelayhost =\nmynetworks = 127.0.0.0\/8\nmailbox_command = procmail -a \"$EXTENSION\"\nmailbox_size_limit = 0\nrecipient_delimiter = +\ninet_interfaces = all\ninet_protocols = all\nsmtpd_sasl_local_domain =\nsmtpd_sasl_auth_enable = yes\nsmtpd_sasl_security_options = noanonymous\nbroken_sasl_auth_clients = yes\nsmtpd_sasl_authenticated_header = yes\nsmtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination\nsmtpd_tls_auth_only = no\nsmtp_use_tls = yes\nsmtp_tls_note_starttls_offer = yes\nsmtpd_tls_CAfile = \/etc\/postfix\/ssl\/cacert.pem\nsmtpd_tls_loglevel = 1\nsmtpd_tls_received_header = yes\nsmtpd_tls_session_cache_timeout = 3600s\ntls_random_source = dev:\/dev\/urandom<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nAuthentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in \/var\/spool\/postfix we have to do the following:<\/p>\n \n <!– document.write('<\/p>\n ‘); \/\/–><\/p>\n sr_adspace_id = 4098007; sr_adspace_width = 300; sr_adspace_height = 250; sr_adspace_type = “graphic”; sr_ad_new_window = true; window.google_render_ad();<\/p>\n _qoptions={ qacct:”p-25K88fxDSEn9Y”, labels:”IDG Tech Network” }; ![\"Quantcast\"](\"http:\/\/pixel.quantserve.com\/pixel\/p-25K88fxDSEn9Y.gif\") <\/a> <\/div>\n <!– document.write('<\/div>\n ‘); \/\/–><\/p><\/div>\n<\/div>\n<\/div>\n mkdir -p \/var\/spool\/postfix\/var\/run\/saslauthd<\/p>\n Now we have to edit \/etc\/default\/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS=”-c -m \/var\/run\/saslauthd” to OPTIONS=”-c -m \/var\/spool\/postfix\/var\/run\/saslauthd -r”:<\/p>\n vi \/etc\/default\/saslauthd<\/p>\n \n\n\n\n#\n# Settings for saslauthd daemon\n# Please read \/usr\/share\/doc\/sasl2-bin\/README.Debian for details.\n#\n\n# Should saslauthd run automatically on startup? (default: no)\nSTART=yes\n\n# Description of this saslauthd instance. Recommended.\n# (suggestion: SASL Authentication Daemon)\nDESC=\"SASL Authentication Daemon\"\n\n# Short name of this saslauthd instance. Strongly recommended.\n# (suggestion: saslauthd)\nNAME=\"saslauthd\"\n\n# Which authentication mechanisms should saslauthd use? (default: pam)\n#\n# Available options in this Debian package:\n# getpwent -- use the getpwent() library function\n# kerberos5 -- use Kerberos 5\n# pam -- use PAM\n# rimap -- use a remote IMAP server\n# shadow -- use the local shadow password file\n# sasldb -- use the local sasldb database file\n# ldap -- use LDAP (configuration is in \/etc\/saslauthd.conf)\n#\n# Only one option may be used at a time. See the saslauthd man page\n# for more information.\n#\n# Example: MECHANISMS=\"pam\"\nMECHANISMS=\"pam\"\n\n# Additional options for this mechanism. (default: none)\n# See the saslauthd man page for information about mech-specific options.\nMECH_OPTIONS=\"\"\n\n# How many saslauthd processes should we run? (default: 5)\n# A value of 0 will fork a new process for each connection.\nTHREADS=5\n\n# Other options (default: -c -m \/var\/run\/saslauthd)\n# Note: You MUST specify the -m option or saslauthd won't run!\n#\n# See \/usr\/share\/doc\/sasl2-bin\/README.Debian for Debian-specific information.\n# See the saslauthd man page for general information about these options.\n#\n# Example for postfix users: \"-c -m \/var\/spool\/postfix\/var\/run\/saslauthd\"\n#OPTIONS=\"-c -m \/var\/run\/saslauthd\"\nOPTIONS=\"-c -m \/var\/spool\/postfix\/var\/run\/saslauthd -r\"<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nNext add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):<\/p>\n adduser postfix sasl <\/em><\/strong><\/p><\/blockquote>\nNow restart Postfix and start saslauthd:<\/p>\n \/etc\/init.d\/postfix restart
| |
|
|
|
|
|