
Weblog entry #2 for satchmo

Server Howto
Posted by satchmo on Fri 28 Oct 2005 at 11:57
Tags: none.
Debian Server Install


Network Information
Static ip : 192.168.0.1
Mask: 255.255.255.0
Gateway: 192.168.0.50

Services
Apache2
MySQL
IMAP Mailserver
Samba Fileserver
DNS

Applications
FTP Server
IMAP Mail Server + fetchmail & webmail access
Phpmyadmin (MySQL Administration)
Phpsysinfo
Gkrellmd
Mrtg
Ddclient
webalizer


Aim

To build a secure stable server used for the above roles.

Base System Install

I downloaded the ‘Netinst’ iso image from the debian mirror. This provides a basic small system perfect for building a nice secure, scalable server.

1. Start the install with ‘linux26’ to enable a 2.6 kernel.

2. Choose your language and keymap settings.

By default the network card will get its information via DHCP. If you want to assign a static IP address you can go ‘back’ at this stage and choose to configure the network manually (or start the install with ‘linux26 disable-dhcp’).

3. Choose a hostname for the system – this is simply a name or label, e.g. server1

4. Choose a domain name

The installer will now partition the disks. I would recommend choosing the ‘Multiuser Workstation’

The system will now install the base system.


5. Install the GRUB boot loader to the master boot record

Installation of the base system is now complete, remove any boot media and reboot.

Configuring the system

1. Select your timezone
2. Choose a Root password (Keep this secure!!)
3. Create a ‘normal’ standard user account (perhaps yourself?!?)

Use your normal account for logging into the box and always ‘su’ if you need root privileges.





Apt Configuration

1. As we’re connected to the internet we can safely choose ‘http’ as our APT access method. This will fetch all software from a debian mirror.


Debian Software Selection

Do not choose any packages to install here, we require a more finely tuned application listing.

The system will now download essential software from the APT repository, sit back and wait!

Configuring Exim4

This machine is going to handle incoming and outgoing email, so choose the first option: ‘internet site; mail is sent and received directly using SMTP’

Choose a postmaster recipient, possibly yourself or ‘root’ or both!


The basic system is now complete!!

1. Login as yourself (standard user account)
2. ‘su’ to root
3. rm /etc/motd - delete the crappy /etc/motd file (Message of The Day)
4. run ‘apt-get update’ to make sure your apt-cache is recent.
5. run ‘apt-get install rcconf’
6. run ‘apt-get install gkrellmd’
7. run ‘apt-get install webalizer’
8. run ‘apt-get install links’


Installing and configuring the Apache2 Web server

1. run ‘apt-get install apache2’
2. add php4 support to apache2 by running: ‘apt-get install libapache2-mod-php4’
3. Also install SSL support by running ‘apt-get install apache-ssl’

Installing phpsysinfo

1. run ‘apt-get install phpsysinfo’




Installing MySQL Database Server

1. run ‘apt-get install mysql-server’
2. run ‘apt-get install phpmyadmin’

Installing IMAP Mail server (Dovecot)

1. run ‘apt-get install dovecot’
2. edit the config file: run ‘nano /etc/dovecot.conf’
3. choose the protocols to use, in our case just ‘imap’ & ‘imapd’, then save and close
4. run ‘dovecot’

Installing Webmail

1. run ‘apt-get install ilohamail’
2. run ‘cd /var/www’ & ‘ln -s /usr/share/Ilohamail webmail’

Fetchmail

Fetchmail is a program that grabs all email from a POP or IMAP server and re-distributes them to local system mailboxes. It’s a very versatile program and well worth using. Simply create a .fetchmailrc file similar to the following:

set postmaster "your-username"
set no bouncemail

# You need a set of lines like this for each account you want to download
# email from. So this is a first account
poll your.mailserver.net with proto POP3
user 'remote-user' there is 'your-username' here
pass "your-password"
smtphost mail.lancs.ac.uk
fetchall
# options keep # makes it not download your mail, use for testing

Place this file in your home dir and test it by running fetchmail -v

If it works OK you can now automate fetchmail so it is running all the time and also starts if the machine is restarted.

Add a crontab entry (crontab -e) with the following line:

*/3 * * * * fetchmail -s # Run Fetchmail every 3 minutes.
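
The .fetchmailrc above stores the mailbox password in cleartext and polls over POP3, so it is worth checking the file's mode and each poll entry before cron runs it unattended. The shell function below is an added example, not part of the original entry; audit_fetchmailrc is a made-up name, and it assumes GNU stat (as on Debian) and fetchmail's ssl option.

```sh
#!/bin/sh
# Added example: audit a fetchmail run control file before cron starts using it.
# Assumes GNU stat (standard on Debian); audit_fetchmailrc is a made-up name.
audit_fetchmailrc() {
    rc=$1
    # The file holds a cleartext password: group and others need no access.
    mode=$(stat -c %a "$rc") || return 2
    case $mode in
        *00|0) ;;
        *) echo "MODE $mode: run chmod 600 $rc" ;;
    esac
    # Walk the poll stanzas; report each one that sets a password without ssl.
    awk '
        function report() {
            if (server != "" && haspass && !hasssl)
                print "NOTLS " server ": password set but ssl option missing"
        }
        { sub(/#.*/, "") }    # drop comments
        $1 == "poll" || $1 == "server" {
            report(); server = $2; haspass = 0; hasssl = 0
        }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "pass" || $i == "password") haspass = 1
                if ($i == "ssl") hasssl = 1
            }
        }
        END { report() }
    ' "$rc"
}

# Constructed sample in the shape of the file above, written world-readable.
demo_rc=$(mktemp)
cat > "$demo_rc" <<'EOF'
poll your.mailserver.net with proto POP3
user 'remote-user' there is 'your-username' here
pass "your-password"
fetchall
EOF
chmod 644 "$demo_rc"
audit_fetchmailrc "$demo_rc"
rm -f "$demo_rc"
```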


Samba File Server

Adding samba services can be useful if you have some windows boxes that are going to use the server.

1. Run ‘apt-get install samba smbfs’
2. Choose a workgroup name for the server to exist in.
3. Edit /etc/samba/smb.conf to add shares, e.g.:

# Sample Share
[Resource]
comment = Resource Area
writable = no
locking = no
path = /hd2/resource
public = yes

** Edit line 76 to be the following: security = share **

4. Restart the Samba daemon by running: ‘/etc/init.d/samba restart’


DDClient (DynDNS.org Updater)

Run ‘apt-get install ddclient’

DNSMasq

Run ‘apt-get install dnsmasq’

DNSMasq uses the hosts file (/etc/hosts); simply add machines to the hosts file to enable DNS services.

Eg. 192.168.0.1 server1 server1.example.com webmail.fit.com

FTP Server

Run ‘apt-get install proftpd’



 

Comments on this Entry

Posted by Anonymous (62.85.xx.xx) on Fri 28 Oct 2005 at 20:34
And where we can see answer for "To build a secure stable server used for the above roles. " ??? everyone can write in da mighty shell cmd like apt-get install blahblah. sux

Posted by simonw (84.45.xx.xx) on Sat 29 Oct 2005 at 03:56
Hey it is his blog, if he wants to keep install scripts here he can, and I hope constructive criticism is welcomed.

I'm more concerned that he has 'imapd' as a protocol, and not 'imaps'.

Ilohamail is okay, but Squirrelmail is far more complete, and worth the effort for most sites, unless you prefer one of the "suite" of programs that includes webmail, which are even more work typically.

"Secure" is a movable feast, I mean heck he chose Exim as an MTA, so obviously he is the scum of the universe as far as security goes, and probably only as secure as most of the Debian boxes out there. I mean it is Postfix or nothing for us purists (Who mentioned qmail?), and it still grates that it is written in C, I mean Wietse and the IBM security team are good, but they ain't perfect (AFAIK).

But somewhere in the process there should be a "netstat -anr" and a clear out of unneeded listening processes at the very least. portmapper really isn't THAT "core" ;)

I always stick in 'apticron' and 'cron-apt', and so get emailed when updates are around, and they are ready for me to type "apt-get -s upgrade", "apt-get upgrade", so I waste minimal time but still get to make a sanity check.

What no "ntp-simple" package? Sort that clock out once and for all, ntp-simple may not be what people who need accurate time want, but for most of us it is install and forget. We currently customise /etc/ntp.conf to use only servers allowed by the firewall, but doing it again I'd probably just allow outgoing NTP queries to anywhere now the firewall is properly stateful. Hey if you can't trust people on the NTP project to give you the right time....

I usually use expert26 (where it will work), but that might be my release candidate Debian installation CD, since it lets me choose stable/testing/unstable, and a few other niceties. There really aren't that many scary extra questions in "expert" mode.

I make "source.list" use the name of the distro over the current release name ("sarge", not "stable") just in case the next admin is even more clueless than me.

But hey, I'm no Debian guru, and I'm still improving my "things to do to every install" script. I'm here to share and learn, not denigrate.

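The listening-process check suggested in the comment above can be scripted against the service list at the top of the entry. This is an added example, not part of the original entry or of any comment; it reads `netstat -tln` output, the port numbers are the usual defaults (an assumption), and treating MySQL as loopback-only is also an assumption.

```sh
#!/bin/sh
# Added example: compare listening TCP sockets with the services this howto installs.
# Ports are the usual defaults (an assumption): ftp smtp dns http smb imap https smb mysql gkrellmd
ALLOWED="21 25 53 80 139 143 443 445 3306 19150"
LOCAL_ONLY="3306"   # assumption: only phpMyAdmin on this host talks to MySQL

# Reads `netstat -tln` output on stdin and prints one finding per line.
audit_listeners() {
    awk -v allowed="$ALLOWED" -v localonly="$LOCAL_ONLY" '
        BEGIN {
            n = split(allowed, a, " ");   for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split(localonly, l, " "); for (i = 1; i <= n; i++) lo[l[i]] = 1
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)    # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            loop = (host ~ /^127\./ || host == "::1")
            if (!(port in ok))
                print "UNEXPECTED " port " on " host
            else if ((port in lo) && !loop)
                print "EXPOSED " port " on " host
        }
    '
}

# Constructed sample in the layout net-tools netstat prints.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
EOF
}

sample_netstat | audit_listeners
# On a live system: netstat -tln | audit_listeners
```

Anything reported as UNEXPECTED is a candidate for removal or for disabling with rcconf; EXPOSED means the service is wanted but bound more widely than this setup needs.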

Posted by satchmo (212.41.xx.xx) on Mon 31 Oct 2005 at 11:27
Thanks for your comment 'Anonymous', but Simonw is right. It's basically for my own use to remind me on a nice quick and easy server install. It's not an 'article' and definitely not meant to be a 'concise' document. I am more than welcome to accept some constructive criticism, but saying that it 'sux' is really not helpful. :)

Posted by Anonymous (67.167.xx.xx) on Thu 1 Dec 2005 at 15:58
Hi satchmo,

I found your blog to be helpful. I was able to at least get my Samba server up and running quickly. Now that it works, I can go through and fine tune stuff.

Thank you!
Chris
chrisz [at] smartautomation [d0t] com

Posted by satchmo (212.41.xx.xx) on Thu 1 Dec 2005 at 16:52
Thanks!!

Satchmo
