完美的服务器-Ubuntu 17.10(Artful Aardvark),带Apache、PHP、MySQL、PureFTPD、BIND、Postfix、Dovecot和ISPConfig 3.1

本教程展示了如何使用Apache2、Postfix、Dovecot、Bind和PureFTPD安装Ubuntu 17.10(Artful Aardvark)网络托管服务器,为ISPConfig 3.1的安装做好准备。由此产生的系统将提供Web、邮件、邮件列表、DNS和FTP服务器。

ISPConfig 3是一个web托管控制面板,允许您通过web浏览器配置以下服务:Apache或nginx web服务器、Postfix邮件服务器、Courier或Dovecot IMAP/POP3服务器、MySQL、BIND或MyDNS名称服务器、PureFTPd、SpamAssassin、ClamAV等等。此设置涵盖了Apache(而不是Nginx)、BIND(而不是MyDNS)和Dovecot(而不是Courier)的安装。

本教程是关于Ubuntu 17.10的,这是一个非LTS(长期支持)版本。大多数用户更喜欢LTS版本作为服务器,它可以在更长的时间内获得更新和安全补丁。最新的LTS版本是Ubuntu 16.04,本教程也存在于Ubuntu 16.04版本中。如果您需要最新的软件包(并且支持期短没有问题),请仔细考虑,然后继续本教程。如果您需要长期支持,请使用Ubuntu 16.04完美服务器教程。

1.初步说明
在本教程中,我使用主机名server1.example.com,IP地址为192.168.0.100,网关为192.168.0.1。这些设置可能因您而异,因此您必须在适当的情况下进行替换。在继续之前,您需要按照教程中的说明,对Ubuntu 17.10进行基本的最低安装。

2.编辑/etc/apt/sources.list并更新您的Linux安装
编辑/etc/apt/sources.list。注释掉或从文件中删除安装CD,并确保启用了宇宙和多元宇宙存储库。之后应该是这样的:

nano /etc/apt/sources.list

#

# deb cdrom:[Ubuntu-Server 17.10 _Artful Aardvark_ - Release amd64 (20171017.1)]/ artful main restricted

#deb cdrom:[Ubuntu-Server 17.10 _Artful Aardvark_ - Release amd64 (20171017.1)]/ artful main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ artful main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ artful main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ artful-updates main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ artful-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ artful universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ artful universe
deb http://de.archive.ubuntu.com/ubuntu/ artful-updates universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ artful-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ artful multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ artful multiverse
deb http://de.archive.ubuntu.com/ubuntu/ artful-updates multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ artful-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ artful-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ artful-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu artful partner
# deb-src http://archive.canonical.com/ubuntu artful partner

deb http://security.ubuntu.com/ubuntu artful-security main restricted
# deb-src http://security.ubuntu.com/ubuntu artful-security main restricted
deb http://security.ubuntu.com/ubuntu artful-security universe
# deb-src http://security.ubuntu.com/ubuntu artful-security universe
deb http://security.ubuntu.com/ubuntu artful-security multiverse
# deb-src http://security.ubuntu.com/ubuntu artful-security multiverse

然后运行

apt-get update

更新apt包数据库

apt-get upgrade

安装最新更新(如果有的话)。如果你看到一个新的内核作为更新的一部分被安装,你应该在之后重新启动系统:

reboot

3.更改默认外壳
/bin/sh是/bin/dash的符号链接,但是我们需要/bin/bash,而不是/bin/dash。因此,我们这样做:

dpkg-reconfigure dash

使用破折号作为默认系统shell(/bin/sh)?<-没有

如果不这样做,ISPConfig安装将失败。

4.禁用AppArmor
AppArmor是一个安全扩展(类似于SELinux),应该提供扩展的安全性。在我看来,你不需要它来配置一个安全的系统,而且它通常会带来更多的问题而不是优势(想想看,在你做了一周的故障排除后,因为一些服务没有按预期工作,然后你发现一切正常,只有AppArmor造成了问题)。因此,我禁用了它(如果您以后想安装ISPConfig,这是必须的)。

我们可以这样禁用它:

service apparmor stop
update-rc.d -f apparmor remove 
apt-get remove apparmor apparmor-utils

5.同步系统时钟
当您运行物理服务器时,最好通过互联网将系统时钟与NTP(网络时间协议)服务器同步。如果您运行虚拟服务器,则应跳过此步骤。跑

apt-get -y install ntp

您的系统时间将始终保持同步。

6.安装Postfix、Dovecot、MariaDB、rkhunter和binutils
为了安装postfix,我们需要确保sendmail没有安装和运行。要停止并删除sendmail,请运行以下命令:

service sendmail stop; update-rc.d -f sendmail remove

错误消息:

Failed to stop sendmail.service: Unit sendmail.service not loaded.

好的,这只是意味着没有安装sendmail,所以没有什么需要删除的。

现在我们可以用一个命令安装Postfix、Dovecot、MariaDB(作为MySQL的替代品)、rkhunter和binutils:

apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo

您将被问到以下问题:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

重要的是,您应将子域用作“系统邮件名称”,如server1.example.com或server1.yourdomain.com,而不是稍后用作电子邮件域的域(例如yourdomain.tld)。

接下来,在Postfix中打开TLS/SSL和提交端口:

nano /etc/postfix/master.cf

按如下方式取消对提交和smtps部分的注释-添加行-o smtpd_client_restrictions=permit_sasl_authenticated,拒绝这两个部分,并对此后的所有内容进行注释:

[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

注意:“-o……”行前的空格很重要!

之后重新启动Postfix:

service postfix restart

我们希望MySQL监听所有接口,而不仅仅是本地主机。因此,我们编辑/etc/mysql/mariadb.conf.d/50-server.cnf,注释掉行绑定地址=127.0.0.1,并添加行sql mode=“NO_ENGINE_SUBSTITUTION”:

nano /etc/mysql/mariadb.conf.d/50-server.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1

sql-mode="NO_ENGINE_SUBSTITUTION"

[...]

现在我们在MariaDB中设置根密码。运行:

mysql_secure_installation

您将被问到以下问题:

Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

将MariaDB中的密码身份验证方法设置为native,以便我们以后可以使用PHPMyAdmin以root用户身份连接:

echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root

编辑/etc/mysql/debian.cnf文件,并在以密码开头的行中两次设置mysql/MariaDB根密码。

nano /etc/mysql/debian.cnf

需要添加的MySQL根密码显示为read,在本例中,密码为“howtoforge”。

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = howtoforge
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = howtoforge
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

然后我们重新启动MariaDB:

service mysql restart

现在检查网络是否已启用。跑

netstat -tap | grep mysql

输出应该如下所示:

root@server1:~# netstat -tap | grep mysql
tcp6 0 0 [::]:mysql [::]:* LISTEN 30591/mysqld
root@server1:~#

7.安装Amavisd new、SpamAssassin和Clamav
要安装amavisd-new、SpamAssassin和ClamAV,我们运行

apt-get -y install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey

ISPConfig 3设置使用amavisd,它在内部加载SpamAssassin过滤器库,因此我们可以停止SpamAssassin以释放一些RAM:

service spamassassin stop
update-rc.d -f spamassassin remove

要启动ClamAV,请使用:

freshclam
service clamav-daemon start

首次运行freshclam时可以忽略以下错误。

ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

7.1安装Metronome XMPP服务器(可选)
Metronome XMPP服务器提供XMPP聊天服务器。此步骤是可选的,如果您不需要聊天服务器,则可以跳过此步骤。没有其他ISPConfig功能依赖于此软件。

使用apt安装以下软件包。

apt-get -y install git lua5.1 liblua5.1-0-dev lua-filesystem libidn11-dev libssl-dev lua-zlib lua-expat lua-event lua-bitop lua-socket lua-sec luarocks luarocks
luarocks install lpc

为Metronome添加一个shell用户。

adduser --no-create-home --disabled-login --gecos 'Metronome' metronome

将Metronome下载到/opt目录并编译。

cd /opt; git clone https://github.com/maranda/metronome.git metronome
cd ./metronome; ./configure --ostype=debian --prefix=/usr
make
make install

Metronome现已安装到/opt/Metronome。

© 版权声明
THE END
喜欢就支持一下吧
点赞6 分享
评论 抢沙发
头像
欢迎您留下宝贵的见解!
提交
头像

昵称

取消
昵称表情代码图片

    暂无评论内容