How to install ISPConfig 3.2 on a CentOS 8 server?

Author: Ethereal
  • December 17, 2021

This tutorial walks through installing ISPConfig 3.2 on a CentOS 8 (64-bit) server. ISPConfig is a web hosting control panel that lets you configure the following services through a web browser: the Apache web server, PHP, the Postfix mail server, MySQL, the BIND name server, PureFTPd, SpamAssassin, ClamAV, Mailman and more.



1 Requirements

To install such a system you will need the following:

  • A CentOS 8 minimal server system. This can be a server installed from scratch as described in our CentOS 8 minimal server tutorial, or a virtual server or root server from a hosting company that comes with a minimal CentOS 8 setup.
  • A fast internet connection.

2 Preliminary note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings may differ for you.

3 Preparing the server

Set the keyboard layout

If the keyboard layout of the server does not match your keyboard, you can switch to the right one with the localectl command (in my case "de" for the German keyboard layout):

localectl set-keymap de

To get a list of all available keymaps, run:

localectl list-keymaps

I want to install ISPConfig at the end of this tutorial. ISPConfig ships with the Bastille firewall script, which I will use as the firewall, so I disable the default CentOS firewall now. Of course, you are free to leave the CentOS firewall on and configure it to your needs (but then you should not use any other firewall later, as it would most likely interfere with the CentOS firewall).

dnf -y install net-tools wget rsyslog curl
systemctl stop firewalld.service
systemctl disable firewalld.service

This stops and disables the CentOS firewall. It is fine to get an error here; it just means that the firewall is not installed.

Then you should check that the firewall is really disabled. To do so, run the following command:

iptables -L

The output should look like this:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Or use the firewall-cmd command:

firewall-cmd --state

[root@server1 ~]# firewall-cmd --state
not running
[root@server1 ~]#


Now I install the network configuration editor and the shell-based editor "nano", which I will use in the next steps to edit the configuration files:

dnf -y install nano wget NetworkManager-tui yum-utils

If you did not configure your network card during the installation, you can do that now.

nmtui

Select your network interface:

Then fill in your network details: disable DHCP and fill in a static IP address, the netmask, your gateway and one or two name servers, then hit Ok:

Next select OK to confirm the changes you made in the network settings

and Quit to close the nmtui network configuration tool.

Now check whether the installer got your IP address right:

ifconfig

[root@server1 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.100  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::20c:29ff:feee:b665  prefixlen 64  scopeid 0x20<link>
        inet6 2003:e1:bf22:1b00:20c:29ff:feee:b665  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:ee:b6:65  txqueuelen 1000  (Ethernet)
        RX packets 2874  bytes 1369892 (1.3 MiB)
        RX errors 0  dropped 546  overruns 0  frame 0
        TX packets 968  bytes 160901 (157.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

If your network card does not show up there, it is not enabled at boot time. In that case, open the interface configuration file (ifcfg-ens33 for the ens33 interface used in this example; the file is named after your interface)

nano /etc/sysconfig/network-scripts/ifcfg-ens33

and set ONBOOT to yes:

[...]
ONBOOT=yes
[...]

and reboot the server.

Check that your /etc/resolv.conf lists all the name servers you configured earlier:

cat /etc/resolv.conf

If name servers are missing, run

nmtui

and add the missing name servers again.

Now, on to the configuration...


Adjust /etc/hosts and /etc/hostname

Next we edit /etc/hosts. Make it look like this:

nano /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.0.100   server1.example.com     server1
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Set the hostname in the /etc/hostname file. The file should contain the fully qualified domain name (e.g. server1.example.com in my case) and not just the short name like "server1". Open the file with the nano editor:

nano /etc/hostname

and set the hostname in the file.

server1.example.com

Save the file and exit nano.

Set SELinux to permissive

SELinux is a security extension of CentOS that is meant to provide extended security. ISPConfig does not come with an SELinux rule set, so I set it to permissive (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=permissive:

nano /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

4 Enable additional repositories and install some software

First, we import the GPG keys for software packages:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Then we enable the EPEL repository on our CentOS system, as many of the packages that we will install in this tutorial are not available in the official CentOS 8 repository:

dnf -y install epel-release

Activate PowerTools:

dnf config-manager --set-enabled powertools

Then we update our existing packages on the system:

dnf -y update

Now we install some software packages that are needed later on:

dnf -y groupinstall 'Development Tools'

5 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

dnf -y install quota

Now we check whether quota is already enabled for the file system where the websites (/var/www) and Maildir data (/var/vmail) are stored. In this example setup, I have one big root partition, so I search for ' / ':

mount | grep ' / '

[root@server1 ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,noquota)
[root@server1 ~]#

If you have a separate /var partition, then use:

mount | grep ' /var '

instead. If the line contains the word "noquota", then proceed with the following steps to enable quota.

Enabling quota on the / (root) partition

Normally you would enable quota in the /etc/fstab file, but if the file system is the root file system "/", then quota has to be enabled by a boot parameter of the Linux kernel.

Edit the grub configuration file:

nano /etc/default/grub

Search for the line that starts with GRUB_CMDLINE_LINUX and add rootflags=uquota,gquota to the command line parameters so that the resulting line looks like this:

GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/cl-swap rd.lvm.lv=cl/root rd.lvm.lv=cl/swap rootflags=uquota,gquota"

and apply the changes by running the following commands.

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg_bak
grub2-mkconfig -o /boot/grub2/grub.cfg

and reboot the server.

reboot

Now check whether quota is enabled:

mount | grep ' / '

[root@server1 ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,usrquota,grpquota)
[root@server1 ~]#

When quota is active, we can see "usrquota,grpquota" in the mount option list.

Enabling quota on a separate /var partition

If you have a separate /var partition, then edit /etc/fstab and add ,uquota,gquota to the /var partition (/dev/mapper/centos-var):

nano /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sun Sep 21 16:33:45 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        1 1
/dev/mapper/centos-var /var                     xfs     defaults,uquota,gquota        1 2
UUID=9ac06939-7e43-4efd-957a-486775edd7b4 /boot                   xfs     defaults        1 3
/dev/mapper/centos-swap swap                    swap    defaults        0 0

Then run

mount -o remount /var

quotacheck -avugm
quotaon -avug

to enable quota. When you get an error that there is no partition with quota enabled, then reboot the server before you proceed.

6 Install Apache, PHP, MySQL and phpMyAdmin

Enable the Remi repository to get a newer PHP version (currently PHP 7.4):

dnf install http://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf -y install yum-utils
dnf -y module reset php
dnf -y module install php:remi-7.4
dnf update

We can install the required packages with one single command:

dnf -y install httpd mod_ssl mariadb-server php php-mysqlnd php-mbstring

To ensure that the server is not attacked through the HTTPOXY vulnerability, we disable the HTTP_PROXY header in Apache globally.

Add the Apache header rule at the end of the httpd.conf file:

echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf

And restart httpd to apply the configuration change.

service httpd restart
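As an added example (not from the tutorial), the following shell snippet checks an httpd.conf for an active "RequestHeader unset Proxy early" line and shows what the rule prevents: a CGI gateway exports every request header as an HTTP_* environment variable, so an unstripped Proxy header would become HTTP_PROXY for the script. The configuration files it reads are constructed stand-ins, not the server's real httpd.conf.

```shell
#!/bin/sh
# Added example (not part of the tutorial): verify the HTTPOXY mitigation
# and show what it prevents. A CGI gateway exports every request header as
# an HTTP_* environment variable (RFC 3875), so a request carrying a
# "Proxy: ..." header would set HTTP_PROXY for the script unless the header
# is unset first, which is what "RequestHeader unset Proxy early" does.

# has_proxy_unset FILE -> 0 if FILE contains an active (uncommented)
# "RequestHeader unset Proxy early" directive, 1 otherwise.
has_proxy_unset() {
    grep -Eiq '^[[:space:]]*RequestHeader[[:space:]]+unset[[:space:]]+Proxy([[:space:]]+early)?[[:space:]]*$' "$1"
}

# cgi_env_for_header NAME VALUE -> the environment assignment a CGI gateway
# derives from a request header: "HTTP_" + upper-cased name with "-" -> "_".
cgi_env_for_header() {
    name=$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')
    printf 'HTTP_%s=%s\n' "$name" "$2"
}

# env_after_filter FILE NAME VALUE -> what the CGI script would see for
# header NAME once the rules in FILE have run: nothing for a Proxy header
# when the unset directive is active, the usual HTTP_* assignment otherwise.
env_after_filter() {
    lower=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$lower" = "proxy" ] && has_proxy_unset "$1"; then
        return 0
    fi
    cgi_env_for_header "$2" "$3"
}

# Constructed sample configs (stand-ins, not the server's real httpd.conf).
conf_dir=$(mktemp -d)
printf 'ServerRoot "/etc/httpd"\n# RequestHeader unset Proxy early\n' > "$conf_dir/missing.conf"
printf 'ServerRoot "/etc/httpd"\nRequestHeader unset Proxy early\n' > "$conf_dir/fixed.conf"
```

RequestHeader is provided by mod_headers, which the stock CentOS 8 httpd loads from /etc/httpd/conf.modules.d/00-base.conf; if that module were disabled, httpd would refuse to start on the new line, so a failed restart after the echo points there.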


Install phpMyAdmin:

cd /tmp
wget https://files.phpmyadmin.net/phpMyAdmin/5.0.2/phpMyAdmin-5.0.2-all-languages.tar.gz
tar xzvf phpMyAdmin-5.0.2-all-languages.tar.gz
mkdir /usr/share/phpmyadmin
mv phpMyAdmin-5.0.2-all-languages/* /usr/share/phpmyadmin/
mkdir /usr/share/phpmyadmin/tmp
chown -R apache:apache /usr/share/phpmyadmin
chmod 777 /usr/share/phpmyadmin/tmp

Optional: change the Apache MPM module

CentOS 8 uses the Apache MPM event module by default. On the one hand that is good, as it lets you use the HTTP/2 protocol. On the other hand, it does not let you use the Apache mod_php module. In general, PHP-FPM should be used as the default today, and ISPConfig supports that. If you need the old mod_php mode for compatibility reasons, then you can switch the Apache MPM like this:

nano /etc/httpd/conf.modules.d/00-mpm.conf

Add a # in front of the MPM event line so that it looks like this:

# LoadModule mpm_event_module modules/mod_mpm_event.so

and then remove the # from the MPM prefork line, like this:

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

Then restart httpd to apply the configuration change.

service httpd restart

7 Install Dovecot

Dovecot can be installed as follows:

dnf -y install dovecot dovecot-mysql dovecot-pigeonhole

Create an empty dovecot-sql.conf file and the symlinks:

touch /etc/dovecot/dovecot-sql.conf
ln -s /etc/dovecot/dovecot-sql.conf /etc/dovecot-sql.conf
ln -s /etc/dovecot/dovecot.conf /etc/dovecot.conf

Now create the system startup links and start Dovecot:

systemctl enable dovecot
systemctl start dovecot

8 Install Postfix

Postfix can be installed as follows:

dnf -y install postfix postfix-mysql

Next, open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/master.cf

Uncomment the submission and smtps sections as follows and add lines where necessary so that this section of the master.cf file looks exactly like the one below. Important: remove the # in front of the lines that start with smtps and submission too, and not only from the -o lines after those lines!

[...]
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]
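As an added example (not part of the tutorial), this shell checker verifies the master.cf edit described above: it collects the active "-o" lines that belong to a service entry and confirms that submission and smtps are uncommented and require TLS and SASL authentication. It also shows the mistake the warning above refers to: when only the "-o" lines are uncommented, they continue the previous active service line instead. The master.cf files it reads are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not part of the tutorial): a checker for the master.cf edit.
# For a service entry (submission or smtps) it verifies that the service line
# itself is uncommented, that the "-o" lines following it enforce TLS and
# SASL, and that unauthenticated clients are rejected.

# service_block FILE SERVICE -> prints the active service line plus the
# indented "-o" continuation lines that follow it. Lines starting with "#"
# neither start nor end a block, which mirrors how an indented "-o" line
# continues the last active service line when the line above it is a comment.
service_block() {
    awk -v svc="$2" '
        /^[^#[:space:]]/ { inblk = ($1 == svc) }       # a new service line starts or ends a block
        inblk && /^[[:space:]]+-o/ { print; next }      # active option line of the block
        inblk && /^[^[:space:]]/ && $1 == svc { print } # the service line itself
    ' "$1"
}

# check_service FILE SERVICE TLS_OPTION -> 0 when SERVICE is active with
# TLS_OPTION (smtpd_tls_security_level=encrypt for submission,
# smtpd_tls_wrappermode=yes for smtps), SASL auth enabled, and the
# permit_sasl_authenticated,reject client restriction; 1 otherwise.
check_service() {
    blk=$(service_block "$1" "$2")
    [ -n "$blk" ] || return 1
    printf '%s\n' "$blk" | grep -q -- "-o $3" || return 1
    printf '%s\n' "$blk" | grep -q -- "-o smtpd_sasl_auth_enable=yes" || return 1
    printf '%s\n' "$blk" | grep -q -- "-o smtpd_client_restrictions=permit_sasl_authenticated,reject" || return 1
    return 0
}

# Constructed sample files (stand-ins, not the server's real master.cf).
mcf_dir=$(mktemp -d)
# Stock file: the service lines are still commented out, so neither port is active.
cat > "$mcf_dir/stock.cf" <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
EOF
# The mistake the tutorial warns about: only the -o lines were uncommented,
# so they now continue the "smtp" entry (port 25) instead of submission.
cat > "$mcf_dir/half.cf" <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
# The edited file as the tutorial shows it (shortened).
cat > "$mcf_dir/edited.cf" <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    unix  n       -       n       60      1       pickup
EOF
```

Run check_service against /etc/postfix/master.cf after the edit; "postconf -M" on the server shows the same per-service view Postfix itself derives from the file.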


Then turn off Sendmail and start Postfix and MariaDB (MySQL):

systemctl enable mariadb.service
systemctl start mariadb.service

systemctl enable postfix.service
systemctl restart postfix.service

We disable sendmail to make sure that it does not start, in case it is installed on your server. So the error message "Failed to issue method call: Unit sendmail.service not loaded." can be ignored.

9 Install Getmail

Getmail can be installed as follows:

dnf install python2
cd /tmp
wget http://pyropus.ca/software/getmail/old-versions/getmail-5.14.tar.gz
tar xvfz getmail-5.14.tar.gz
cd getmail-5.14
python2 setup.py build
python2 setup.py install

10 Set the MySQL password and configure phpMyAdmin

Set a password for the MySQL root account:

mysql_secure_installation

[root@server1 tmp]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] <-- ENTER
New password: <-- yourrootsqlpassword
Re-enter new password: <-- yourrootsqlpassword
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] <-- ENTER
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] <-- ENTER
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] <-- ENTER
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] <-- ENTER
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@server1 tmp]#


Now we configure phpMyAdmin. Create this phpMyAdmin configuration file:

nano /etc/httpd/conf.d/phpmyadmin.conf

Add this content to the file:

# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL

Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin/>
   <IfModule mod_authz_core.c>
     # Apache 2.4
     # <RequireAny>
     # Require ip 127.0.0.1
     # Require ip ::1
     # </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
</Directory>

Next, we change the authentication in phpMyAdmin from cookie to http:

cp -pf /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php
nano /usr/share/phpmyadmin/config.inc.php

[...]
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';
[...]

Then we create the system startup links for Apache and start it:

systemctl enable httpd
systemctl restart httpd

Now you can direct your browser to http://server1.example.com/phpmyadmin/ or http://192.168.0.100/phpmyadmin/ and log in with the user name root and your new MySQL root password.

11 Install Amavisd-new, SpamAssassin, ClamAV and Postgrey

To install amavisd-new, SpamAssassin and ClamAV, run the following command:

dnf -y install amavisd-new spamassassin clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd unzip bzip2 perl-DBD-mysql postgrey re2c

Then we start freshclam, amavisd and clamd.amavisd:

sa-update
freshclam
systemctl enable amavisd.service
systemctl start amavisd.service
systemctl start clamd@amavisd.service
systemctl enable postgrey.service
systemctl start postgrey.service

In the next step we configure postgrey. Open the file /etc/sysconfig/postgrey in an editor:

nano /etc/sysconfig/postgrey

and change the line:

POSTGREY_TYPE="--unix=/var/spool/postfix/postgrey/socket"

to:

POSTGREY_TYPE="--inet=10023"

Save the file and restart postgrey:

service postgrey restart

To configure amavisd, edit the file /etc/clamd.d/amavisd.conf:

nano /etc/clamd.d/amavisd.conf

and change the line:

LocalSocket /run/clamd.amavisd/clamd.sock

to:

LocalSocket /var/spool/amavisd/clamd.sock

Save the changed configuration file and restart ClamAV:

systemctl restart clamd@amavisd.service

Now we have to create a systemd unit for the freshclam service. Create a new file /usr/lib/systemd/system/freshclam.service:

nano /usr/lib/systemd/system/freshclam.service

and enter the following content into that file:

[Unit]
Description = ClamAV Scanner
After = network.target

[Service]
Type = forking
# if you want to scan more than one in a day change the number 1 with your desired number in below line.
ExecStart = /usr/bin/freshclam -d -c 1
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target

Save the file, then enable and start the service.

systemctl enable freshclam.service
systemctl start freshclam.service
systemctl status freshclam.service

12 Install Apache with mod_php, mod_fcgi/PHP and PHP-FPM

ISPConfig 3 allows you to use mod_php, mod_fcgi/PHP, cgi/PHP and PHP-FPM on a per-website basis.

We can install Apache2 with mod_php, mod_fcgid and PHP as follows:

dnf -y install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-pecl-apc php-mbstring php-mcrypt php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel php-fpm php-intl php-imagick php-pspell wget

Next we open /etc/php.ini ...

nano /etc/php.ini

... and change the error reporting (so that notices are not shown any longer), set the timezone and uncomment cgi.fix_pathinfo=1:

[...]
;error_reporting = E_ALL & ~E_DEPRECATED
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
[...]
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://www.php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo
cgi.fix_pathinfo=1
[...]
date.timezone = 'Europe/Berlin'
[...]

Enable httpd and PHP-FPM to start at boot time and start the PHP-FPM service.

systemctl start php-fpm.service
systemctl enable php-fpm.service
systemctl enable httpd.service

Finally, we restart Apache:

systemctl restart httpd.service

Now we add support for Let's Encrypt. ISPConfig now uses acme.sh as the Let's Encrypt client. Install acme.sh with the following command:

curl https://get.acme.sh | sh -s

13 Installation of mod_python

The Apache module mod_python is not available as an RPM package, therefore we compile it from source. The first step is to install the Python development files and download the current mod_python version as a .tar.gz file

dnf -y install python3-devel

cd /usr/local/src/
wget http://dist.modpython.org/dist/mod_python-3.5.0.tgz
tar xfz mod_python-3.5.0.tgz
cd mod_python-3.5.0

Then configure and compile the module.

./configure --with-python=/usr/bin/python3
make

There is a bug in the module's build system that makes the installation fail with the error "version = "fatal: Not a git repository (or any of the parent directories): .git"". To fix the issue, run this sed command (the command is one single line!).

sed -e 's/(git describe --always)/(git describe --always 2>\/dev\/null)/g' -e 's/`git describe --always`/`git describe --always 2>\/dev\/null`/g' -i $( find . -type f -name Makefile\* -o -name version.sh )

Then install the module with this command.

make install

and enable the module in Apache:

echo 'LoadModule python_module modules/mod_python.so' > /etc/httpd/conf.modules.d/10-python.conf
systemctl restart httpd.service

14 Install PureFTPd

PureFTPd can be installed with the following command:

dnf -y install pure-ftpd

Then create the system startup links and start PureFTPd:

systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

TLS needs OpenSSL; to install OpenSSL, we simply run:

dnf install openssl

Open /etc/pure-ftpd/pure-ftpd.conf ...

nano /etc/pure-ftpd/pure-ftpd.conf

If you want to allow FTP and TLS sessions, set TLS to 1 by removing the # in front of the TLS line. It is strongly recommended to enable TLS.

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      1
[...]

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [XX]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) []: <-- Enter your State or Province Name.
Locality Name (eg, city) [Default City]: <-- Enter your City.
Organization Name (eg, company) [Default Company Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, your name or your server's hostname) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Create a DHParam file:

openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

Finally, restart PureFTPd:

systemctl restart pure-ftpd.service

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS.

15 Install BIND

We can install BIND as follows:

dnf -y install bind bind-utils haveged

Back up the existing /etc/named.conf file and create a new one as follows:

cp /etc/named.conf /etc/named.conf_bak
cat /dev/null > /etc/named.conf
nano /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-recursion {"none";};
        recursion no;
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.conf.local";

Create the file /etc/named.conf.local that is included at the end of /etc/named.conf (/etc/named.conf.local will be filled by ISPConfig later if you create DNS zones in ISPConfig):

touch /etc/named.conf.local

Then we create the startup links and start BIND:

systemctl enable named.service
systemctl start named.service
systemctl enable haveged.service
systemctl start haveged.service

16 Install AWStats

AWStats can be installed as follows:

dnf -y install awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder

CentOS 8 no longer provides the alternative web statistics application "webalizer", so you will be limited to AWStats.

17 Install Jailkit

Jailkit is used to chroot SSH users and cronjobs. It can be installed as follows:

ln -s /usr/bin/python2 /usr/bin/python
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.21.tar.gz
tar xvfz jailkit-2.21.tar.gz
cd jailkit-2.21
./configure
make
make install
cd ..
rm -rf jailkit-2.21*

18 Install Fail2Ban

This is optional but recommended, because the ISPConfig monitor tries to show the log.

dnf -y install iptables-services fail2ban fail2ban-systemd
systemctl stop firewalld.service
systemctl mask firewalld.service
systemctl disable firewalld.service

Next we create the /etc/fail2ban/jail.local file and enable monitoring for the ssh, email and ftp services.

nano /etc/fail2ban/jail.local

Add the following content to the jail.local file:

[sshd]
enabled = true
action = iptables[name=sshd, port=ssh, protocol=tcp]

[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 3

[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5

[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 3
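As an added example (not from the tutorial), the following shell snippet reproduces the counting rule behind the jails above: a source is banned once it produces maxretry matching failures within the findtime window. It runs over constructed sshd and Postfix SASL log lines whose first field is an epoch timestamp (a simplification; real syslog lines carry a textual date that fail2ban parses), so you can see which sources the sshd and postfix-sasl thresholds would catch.

```shell
#!/bin/sh
# Added example (not part of the tutorial): the sliding-window rule fail2ban
# applies, written out for the sshd and postfix-sasl jails. A source is
# reported (banned) the first time it reaches MAXRETRY matching failures
# within FINDTIME seconds.

# offenders LOG MAXRETRY FINDTIME -> prints each source IP that reached
# MAXRETRY matching failures within a FINDTIME-second sliding window.
# Matching lines: sshd "Failed password ... from IP" and Postfix
# "SASL ... authentication failed" lines carrying "[IP]". The first field of
# each line is an epoch timestamp (constructed format, not real syslog).
offenders() {
    awk -v max="$2" -v win="$3" '
        # pull the source address out of the two failure message formats
        /sshd\[.*Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        }
        /postfix\/smtpd\[.*SASL (LOGIN|PLAIN) authentication failed/ {
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/))
                ip = substr($0, RSTART + 1, RLENGTH - 2)
        }
        ip != "" {
            n[ip]++; t[ip, n[ip]] = $1                 # append this failure time
            # discard failures older than the window, as fail2ban does
            while (first[ip] < n[ip] && t[ip, first[ip] + 1] < $1 - win) first[ip]++
            if (n[ip] - first[ip] >= max && !(ip in banned)) { banned[ip] = 1; print ip }
            ip = ""
        }
    ' "$1"
}

# Constructed sample log (documentation addresses only, not a real capture).
log=$(mktemp)
cat > "$log" <<'EOF'
1000 server1 sshd[2310]: Failed password for root from 203.0.113.5 port 40001 ssh2
1002 server1 sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
1004 server1 sshd[2312]: Failed password for root from 203.0.113.5 port 40003 ssh2
1006 server1 sshd[2313]: Failed password for root from 203.0.113.5 port 40004 ssh2
1008 server1 sshd[2314]: Failed password for root from 203.0.113.5 port 40005 ssh2
1010 server1 sshd[2315]: Accepted publickey for deploy from 198.51.100.7 port 50001 ssh2
1020 server1 sshd[2316]: Failed password for root from 198.51.100.7 port 50002 ssh2
1100 server1 postfix/smtpd[2400]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
1101 server1 postfix/smtpd[2400]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
1102 server1 postfix/smtpd[2400]: warning: unknown[192.0.2.9]: SASL PLAIN authentication failed: authentication failure
1900 server1 sshd[2317]: Failed password for root from 198.51.100.7 port 50003 ssh2
2800 server1 sshd[2318]: Failed password for root from 198.51.100.7 port 50004 ssh2
3700 server1 sshd[2319]: Failed password for root from 198.51.100.7 port 50005 ssh2
4600 server1 sshd[2320]: Failed password for root from 198.51.100.7 port 50006 ssh2
EOF
```

With maxretry 5 and a 600-second window (fail2ban's defaults for the sshd jail above) only 203.0.113.5 is reported; the slow source 198.51.100.7 never has five failures inside one window, and the three SASL failures from 192.0.2.9 only trip the postfix-sasl jail's maxretry of 3.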


Then create the system startup links for fail2ban and start it:

systemctl enable fail2ban.service
systemctl start fail2ban.service

19 Install rkhunter

rkhunter can be installed as follows:

dnf -y install rkhunter

20 Install Mailman

If you like to manage mailing lists with Mailman on your server, install mailman now. Mailman is supported by ISPConfig, so you will be able to create new mailing lists through ISPConfig later.

dnf -y install mailman

Before we can start Mailman, a mailing list called mailman must be created:

touch /var/lib/mailman/data/aliases
postmap /var/lib/mailman/data/aliases
/usr/lib/mailman/bin/newlist mailman
ln -s /usr/lib/mailman/mail/mailman /usr/bin/mailman

[root@server1 tmp]# /usr/lib/mailman/bin/newlist mailman
Enter the email of the person running the list: <-- admin email address, e.g. listadmin@example.com
Initial mailman password: <-- admin password for the mailman list
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman:              "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/usr/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner... <-- ENTER

[root@server1 tmp]#

Open /etc/aliases afterwards...

nano /etc/aliases

... and add the following lines:

[...]
mailman:              "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/usr/lib/mailman/mail/mailman unsubscribe mailman"

Run:

newaliases

afterwards and restart Postfix:

systemctl restart postfix.service

Now open the Mailman Apache configuration file /etc/httpd/conf.d/mailman.conf ...

nano /etc/httpd/conf.d/mailman.conf

... and add the line ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/. Comment out Alias /pipermail/ /var/lib/mailman/archives/public/ and add the line Alias /pipermail /var/lib/mailman/archives/public/:

#
#  httpd configuration settings for use with mailman.
#

ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/
<Directory /usr/lib/mailman/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

#Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /pipermail /var/lib/mailman/archives/public/
<Directory /var/lib/mailman/archives/public>
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AddDefaultCharset Off
</Directory>

# Uncomment the following line, to redirect queries to /mailman to the
# listinfo page (recommended).

# RedirectMatch ^/mailman[/]*$ /mailman/listinfo

Restart Apache:

systemctl restart httpd.service

Create the system startup links for Mailman and start it:

systemctl enable mailman.service
systemctl start mailman.service

After you have installed ISPConfig 3, you can access Mailman as follows:

You can use the alias /cgi-bin/mailman for all Apache vhosts (please note that suExec and CGI must be disabled for all vhosts from which you want to access Mailman!), which means you can access the Mailman admin interface for a list at http://<vhost>/cgi-bin/mailman/admin/<listname>, and the web page for users of a mailing list can be found at http://<vhost>/cgi-bin/mailman/listinfo/<listname>.

Under http://<vhost>/pipermail/<listname> you can find the mailing list archives.

21 Install Roundcube webmail

To install the RoundCube webmail client, download the latest version with wget to the /tmp folder:

cd /tmp
wget https://github.com/roundcube/roundcubemail/releases/download/1.4.3/roundcubemail-1.4.3-complete.tar.gz

Unpack the tar.gz archive and move the RoundCube sources to /usr/share/roundcubemail

tar xfz roundcubemail-1.4.3-complete.tar.gz
mkdir /usr/share/roundcubemail
mv /tmp/roundcubemail-1.4.3/* /usr/share/roundcubemail/
chown -R root:root /usr/share/roundcubemail
chown apache /usr/share/roundcubemail/temp
chown apache /usr/share/roundcubemail/logs

Create a roundcubemail.conf configuration file with the nano editor:

nano /etc/httpd/conf.d/roundcubemail.conf

And add the following content to that file:

#
# Round Cube Webmail is a browser-based multilingual IMAP client
#

Alias /roundcubemail /usr/share/roundcubemail
Alias /webmail /usr/share/roundcubemail

# Define who can access the Webmail
# You can enlarge permissions once configured

<Directory /usr/share/roundcubemail/>
    Options none
    AllowOverride Limit
    Require all granted
</Directory>

# Define who can access the installer
# keep this secured once configured

<Directory /usr/share/roundcubemail/installer>
    Options none
    AllowOverride Limit
    Require all granted
</Directory>

# Those directories should not be viewed by Web clients.
<Directory /usr/share/roundcubemail/bin/>
    Order Allow,Deny
    Deny from all
</Directory>
<Directory /usr/share/roundcubemail/plugins/enigma/home/>
    Order Allow,Deny
    Deny from all
</Directory>

Restart Apache:

systemctl restart httpd.service

Now we need a database for RoundCube mail, which we initialize as follows:

mysql -u root -p

At the MariaDB prompt use:

CREATE DATABASE roundcubedb;
CREATE USER roundcubeuser@localhost IDENTIFIED BY 'roundcubepassword';
GRANT ALL PRIVILEGES ON roundcubedb.* TO roundcubeuser@localhost;
FLUSH PRIVILEGES;
exit

I used the RoundCube database details as an example; for security reasons, replace the values with ones of your own choice.

Now we install RoundCube in the browser at http://192.168.0.100/roundcubemail/installer

Now create the config.inc.php file:

nano /usr/share/roundcubemail/config/config.inc.php

<?php

/* Local configuration for Roundcube Webmail */

// ----------------------------------
// SQL DATABASE
// ----------------------------------
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
// or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = 'mysql://roundcubeuser:roundcubepassword@localhost/roundcubedb';

// ----------------------------------
// IMAP
// ----------------------------------
// The IMAP host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
// required to match old user data records with the new host.
$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';

// This key is used for encrypting purposes, like storing of imap password
// in the session. For historical reasons it's called DES_key, but it's used
// with any configured cipher_method (see below).
$config['des_key'] = 'pb0UucO0eqjgvhrqYlFTBVjE';

// ----------------------------------
// PLUGINS
// ----------------------------------
// List of active plugins (in plugins/ directory)
$config['plugins'] = array();

// Set the spell checking engine. Possible values:
// - 'googie' - the default (also used for connecting to Nox Spell Server, see 'spellcheck_uri' setting)
// - 'pspell' - requires the PHP Pspell module and aspell installed
// - 'enchant' - requires the PHP Enchant module
// - 'atd' - install your own After the Deadline server or check with the people at http://www.afterthedeadline.com before using their API
// Since Google shut down their public spell checking service, the default settings
// connect to http://spell.roundcube.net which is a hosted service provided by Roundcube.
// You can connect to any other googie-compliant service by setting 'spellcheck_uri' accordingly.
$config['spellcheck_engine'] = 'pspell';
$config['enable_installer'] = true;
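The des_key in the configuration above is the value printed on this page, so every installation that copies the file verbatim shares the same key for encrypting IMAP passwords in the session. As an added example (not from the tutorial), the following shell helpers generate a fresh key of the same length (24 characters, like the sample), detect a config.inc.php that still carries the sample value, and replace the line. The config file they operate on is a constructed stand-in containing only the relevant lines.

```shell
#!/bin/sh
# Added example (not part of the tutorial): replace the published sample
# des_key in config.inc.php with a key of your own. Roundcube uses this key
# to encrypt the IMAP password it keeps in the session, so it must not be
# a value that everyone who read the same tutorial knows.

SAMPLE_DES_KEY='pb0UucO0eqjgvhrqYlFTBVjE'

# new_des_key -> prints a random 24-character key: 18 random bytes, base64
# encoded, which yields exactly 24 characters with no padding.
new_des_key() {
    head -c 18 /dev/urandom | base64 | tr -d '\n'
}

# des_key_in FILE -> prints the des_key value configured in FILE ("" if none).
des_key_in() {
    sed -n "s/^[$]config\['des_key'\] = '\([^']*\)';.*/\1/p" "$1"
}

# des_key_ok FILE -> 0 when FILE has a 24-character des_key that is not the
# sample value from the tutorial, 1 otherwise.
des_key_ok() {
    key=$(des_key_in "$1")
    [ "${#key}" -eq 24 ] && [ "$key" != "$SAMPLE_DES_KEY" ]
}

# set_des_key FILE KEY -> rewrites the des_key line in FILE with KEY
# (via a temporary file, so it works with both GNU and BSD sed).
set_des_key() {
    sed "s|^[$]config\['des_key'\] = '[^']*';|\$config['des_key'] = '$2';|" "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Constructed stand-in for config.inc.php (only the relevant lines).
rc_conf=$(mktemp)
printf "<?php\n\$config['des_key'] = '%s';\n\$config['plugins'] = array();\n" "$SAMPLE_DES_KEY" > "$rc_conf"
```

On the server, run set_des_key against /usr/share/roundcubemail/config/config.inc.php before the first login; changing the key later invalidates passwords stored in existing sessions, which only forces users to log in again.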


Then press "Continue" in the web installer. On the next page, press the "Initialize database" button.

Finally, disable the Roundcubemail installer. Edit the RoundCube config.inc.php configuration file

nano /usr/share/roundcubemail/config/config.inc.php

and change the line:

$config['enable_installer'] = true;

to:

$config['enable_installer'] = false;

Roundcube is now available under the aliases /webmail and /roundcubemail on your server:

http://192.168.0.100/webmail

The RoundCube login is the email address and password of an email account that you create later in ISPConfig.

22 安装 ISPConfig 3.2

ISPConfig 安装程序将为您配置所有服务,如 Postfix、Dovecot 等。


您现在还可以让安装程序为 ISPConfig 控制面板创建 SSL 虚拟主机,以便可以使用 https://而不是 http://访问 ISPConfig 。要实现此目的,只需在看到以下问题时按 ENTER 键:Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:


要安装 ISPConfig 3.2 nightly build,请执行以下操作:


cd /tmpwget -O ispconfig.tar.gz https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz tar xfz ispconfig.tar.gz cd ispconfig3*/install/
复制代码


下一步是运行:


php -q install.php


This starts the ISPConfig 3 installer, which configures all services (Postfix, Dovecot, etc.) for you.


[root@server1 install]# php install.php


--------------------------------------------------------------------------------
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _   _/  /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` | |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                             |___/
--------------------------------------------------------------------------------


>> Initial configuration

Operating System: CentOS 8.2

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <ENTER>.
    Tap in "quit" (without the quotes) to stop the installer.


Select language (en,de) [en]: <-- Hit Enter

Installation mode (standard,expert) [standard]: <-- Hit Enter

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- Hit Enter

MySQL server hostname [localhost]: <-- Hit Enter

MySQL server port [3306]: <-- Hit Enter

MySQL root username [root]: <-- Hit Enter

MySQL root password []: <-- Enter the MySQL root password here

MySQL database to create [dbispconfig]: <-- Hit Enter

MySQL charset [utf8]: <-- Hit Enter

Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
................................++
.....................................................................................................................................................................................................................................................................................................................................................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: <-- Enter 2 Letter country code, e.g. US
State or Province Name (full name) []: <-- Enter name of State or Province
Locality Name (eg, city) [Default City]: <-- Name of city
Organization Name (eg, company) [Default Company Ltd]: <-- Company name
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (eg, your name or your server's hostname) []: <-- Enter server hostname here, in my case: server1.example.com
Email Address []: <-- Enter Email address
Configuring mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Jailkit
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring vlogger
[INFO] service OpenVZ not detected
Configuring Bastille Firewall
[INFO] service Metronome XMPP Server not detected
Configuring Fail2ban
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]: <-- Hit Enter

Admin password [fad579a6]: <-- Enter new password for ISPConfig admin user

Re-enter admin password []: <-- Repeat the password

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- Hit Enter

Generating RSA private key, 4096 bit long modulus
.................................................................................++
.....++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: <-- Enter 2 Letter country code, e.g. US
State or Province Name (full name) []: <-- Enter name of State or Province
Locality Name (eg, city) [Default City]: <-- Name of city
Organization Name (eg, company) [Default Company Ltd]: <-- Company name
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (eg, your name or your server's hostname) []: <-- Enter server hostname here, in my case: server1.example.com
Email Address []: <-- Enter Email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Hit Enter
An optional company name []: <-- Hit Enter
writing RSA key

Configuring DBServer
Installing ISPConfig crontab
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.


The installer configures all underlying services automatically, so no manual configuration is needed.

23 First ISPConfig login

Afterwards you can access ISPConfig 3 at http(s)://server1.example.com:8080/ or http(s)://192.168.0.100:8080/ (http or https depending on what you chose during installation).


Log in with the username admin and the password admin (or the password you entered at the installer's "Admin password" prompt); the default password should be changed after the first login:


23.1 ISPConfig 3 manual

To learn how to use ISPConfig 3, I strongly recommend downloading the ISPConfig 3 manual.


Download URL:


https://www.howtoforge.com/download-the-ispconfig-3-manual


On more than 300 pages it covers the concepts behind ISPConfig (admin, resellers, clients), explains how to install and update ISPConfig 3, includes a reference for all forms and form fields in ISPConfig together with examples of valid inputs, and provides tutorials for the most common tasks in ISPConfig 3. It also describes how to make your server more secure and ends with a troubleshooting section.

24 Download as a virtual machine

This setup is available as a virtual machine download in ova/ovf format (compatible with VMWare and Virtualbox) for howtoforge subscribers.


Login details for the VM


  • The root password is: howtoforge

  • The password of the ISPConfig "admin" user is: howtoforge

  • There is another shell user named "howtoforge" with the password: howtoforge


Please change both passwords at first login.


  • The IP address of the VM is 192.168.0.100
