Ispcp installation on Ubuntu 8.04

Start Installation

1. Untar or unzip the distribution files to a secure directory:

# cd /root
# wget http://sourceforge.net/projects/ispcp/files/ispCP%20Omega/ispCP%20Omega%201.0.4/ispcp-omega-1.0.4.tar.gz/download
# tar xvzf ispcp-omega-1.0.4.tar.gz

2. Change to the newly created directory:

# cd ./ispcp-omega-1.0.4

3. Install the required modules
First update your system:

For Ubuntu 8.10 and lower :

# apt-get update && apt-get upgrade

For Ubuntu 9.04 and higher :

# aptitude update && aptitude safe-upgrade

Then install all needed packages:

# aptitude install $(cat ./docs/Ubuntu/ubuntu-packages-`lsb_release -cs`)

During the Install process you might encounter some config screens,
here’s what you should fill in there (some screens described here might
not show up anymore in newer versions of the services to be
configured):

On the courier screen select 'no' to web directories.

When you get to the postfix screen select 'internet site' and, if asked, type in 'root'
for mail. If you set your system up correctly at install time, your domain should already be
on screen in the next step; otherwise fill in the host domain name of your server.
If asked, select 'no' to force sync updates.

Proftpd should be configured as standalone (i.e. not inetd)

If you get to the rootkithunter screen, select two times 'yes'

4. (optional) Check the ispcp.conf and adapt it to your requirements.

 You can find an overview of the variables in the FAQ on
http://isp-control.net

5. Build the System by using :

# make -f Makefile.ubuntu install

6. Copy all the directories into your system (you may make backups)

# cp -Rv /tmp/ispcp/* /

7. Now it’s time to set up the frontend. Change into the engine directory:

# cd /var/www/ispcp/engine/setup

7a. Set the MySQL password, if not set:

# mysqladmin -u root password YOUR_PASSWORD

8. Start the engine setup:

# perl ispcp-setup

9. Install ispCP ω step-by-step

If you get no error, all went well; if you get one, look at
http://isp-control.net to solve the problem.

10. There is an error in some Courier versions: Courier won't stop if you use
/etc/init.d/courier-authdaemon stop, so change the init script:

# nano /etc/init.d/courier-authdaemon
replace: ${libexecdir}/authlib/authdaemon stop
with: killall authdaemond.plain

11. Clean the temporary folders:

# rm -fR /tmp/ispcp

This is how I would enable spamassassin, along with amavis
and clamav. Unlike the amavis configuration with maia or the one that
partially comes with ispcp, this method uses amavis as pre-queue
filter. That makes it possible to reject spam mails instead of only
tagging them…

Code:
apt-get install amavisd-new clamav spamassassin clamav-daemon lzop rpm pax unrar zoo arj p7zip-full lha arc cabextract ripole

add the following lines to /etc/postfix/master.cf after:

Code:
smtp      inet  n       -       -       -       -       smtpd

Code:
    -o smtpd_proxy_filter=localhost:10024
    -o content_filter=
localhost:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks

remove the following from /etc/postfix/master.cf:

Code:
amavis    unix  -       -       n       -       2       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes

localhost:10025 inet  n -       n       -      -        smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_override_options=no_address_mappings
   -o mynetworks=127.0.0.0/8
   -o strict_rfc821_envelopes=yes

/etc/master.cf will look like:

Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
    -o smtpd_proxy_filter=localhost:10024
    -o content_filter=
localhost:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# For AOL-Accounts
587       inet  n       -       -       -       -       smtpd
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
    -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache      unix    -    -    -    -    1    scache
# ====================================================================
# ispCP ω (OMEGA) a Virtual Hosting Control System
#
# @copyright    2001-2006 by moleSoftware GmbH
# @copyright    2006-2008 by ispCP | http://isp-control.net
# @version        SVN: $Id$
# @link            http://isp-control.net
# @author        ispCP Team
# ====================================================================
# AMaViS => Antivir / Antispam

# ispCP autoresponder
ispcp-arpl unix  -      n       n       -       -       pipe
  flags=O user=vmail argv=/var/www/ispcp/engine/messager/ispcp-arpl-msgr

# TLS - Activate, if TLS is avaiable/used
smtps     inet  n       -       -       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix    -    n    n    -    2    pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

change /etc/amavis/conf.d/01-debian:
uncomment

Code:
#$lha    = 'lha'; #disabled (non-free, no security support)
#$unrar  = ['rar', 'unrar']; #disabled (non-free, no security support)

comment

Code:
$lha    = undef;
$unrar  = undef;

change /etc/amavis/conf.d/20-debian_defaults:

Code:
$sa_tag2_level_deflt = 5.8;
$sa_kill_level_deflt = 6.41;
$final_virus_destiny      = D_REJECT;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_REJECT;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_REJECT;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

change /etc/amavis/conf.d/15-content_filter_mode:
uncomment

Code:
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

change /etc/amavis/conf.d/50-user:

Code:
$max_servers = 5;

change in /etc/group:
amavis:x:112:
to
amavis:x:112:clamav

(the uid may be different)

/etc/init.d/clamav-daemon restart
/etc/init.d/amavis restart
/etc/init.d/postfix restart

Consider using a ramdisk for the amavis temporary directory…
this will boost performance… and let you use a higher $max_servers
count…

Hello …
I did exactly as you told us to do …
But then SMTP didn't work (I couldn't send mails … but I could
receive) and in the ispCP panel, at Server Status, SMTP was down…
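
A way to check the before-queue wiring in master.cf described above without reading the file by eye. This is an added example, not code from the original posts or from ispCP or Postfix; the function names, the short `KNOWN_PARAMS` allow-list and the sample file (with a deliberately misspelled override) are constructed for the illustration.

```python
import re

# Constructed sample modelled on the before-queue layout above. The last
# override is deliberately misspelled to show what the audit reports.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
    -o smtpd_proxy_filter=localhost:10024
    -o content_filter=
localhost:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o recieve_override_options=no_unknown_recipient_checks
"""

# Assumption: a tiny allow-list for the demo. On a real host, build it from
# the parameter names that `postconf` prints.
KNOWN_PARAMS = {"smtpd_proxy_filter", "content_filter", "mynetworks",
                "smtpd_recipient_restrictions", "receive_override_options"}
OVERRIDE_RE = re.compile(r"-o\s+([^\s=]+)=(\S*)")

def parse_master_cf(text):
    """Return {(service, type): {override_name: value}} for each entry."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or comment
        if raw[0].isspace():                  # continuation of previous entry
            args = raw
        else:                                 # new service entry (8 columns)
            fields = raw.split()
            current = services.setdefault((fields[0], fields[1]), {})
            args = " ".join(fields[7:])
        if current is not None:
            current.update(OVERRIDE_RE.findall(args))
    return services

def audit_prequeue(text, reinject="localhost:10025", known=KNOWN_PARAMS):
    """Return a list of findings; an empty list means the wiring looks right."""
    services = parse_master_cf(text)
    findings = []
    if not services.get(("smtp", "inet"), {}).get("smtpd_proxy_filter"):
        findings.append("smtp/inet: smtpd_proxy_filter is not set")
    back = services.get((reinject, "inet"))
    if back is None:
        findings.append(f"{reinject}/inet: re-injection listener is missing")
    else:
        # The listener that takes mail back from amavis must not filter again.
        for name in ("smtpd_proxy_filter", "content_filter"):
            if back.get(name) != "":
                findings.append(f"{reinject}/inet: {name} is not overridden to empty")
        if back.get("mynetworks") != "127.0.0.0/8":
            findings.append(f"{reinject}/inet: mynetworks is not loopback-only")
    for (name, kind), overrides in services.items():
        findings += [f"{name}/{kind}: unknown override '{o}'"
                     for o in overrides if o not in known]
    return findings

if __name__ == "__main__":
    for finding in audit_prequeue(SAMPLE_MASTER_CF):
        print(finding)
```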

Make ispCP more Secure

Here you can find some stuff to make your Server more Secure.
Absolutely no warranty, use it at your own risk.

1.) Disable the Apache ServerSignature like this one
Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_perl/2.0.2 Perl/v5.8.8
Put only these lines in your httpd.conf (Under Debian Etch you have to put this in your apache2.conf)

# Disable ServerInfo
ServerSignature Off
ServerTokens Prod

2.) Disable Debugging functions
An attacker may use this flaw to trick your legitimate web users into
giving him their credentials. Add the following lines for each virtual
host in your configuration file (/etc/apache2/ispcp/…) or directly in
the template file (/etc/ispcp/apache/parts/custom.conf.tpl) to disable
the debugging methods:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>

Reload the Apache configuration and check if your configuration is active:

# /etc/init.d/apache2 reload
# telnet yourdomain.com 80
Trying xxx.yyy.zzz.rrr...
Connected to yourdomain.com.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
A: b

HTTP/1.1 301 Moved Permanently
Date: …
Server: Apache
Location: http://www.yourdomain.com/
Content-Length: …
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.yourdomain.com/">here</a>.</p>
</body></html>
Connection closed by foreign host.

3.) Secure Proftpd a little more
You can add a little more security to ProFTPD by editing its configuration file and adding:

DefaultRoot ~
IdentLookups off

You can also disable the FTP banner. By default it is displayed when someone connects to your server, like this:

Verbindung mit 62.75.xx.xx wurde hergestellt.
220 ProFTPD 1.3.0 Server (vsxxxxxx) [62.75.xx.xx]
Benutzer (62.75.xx.xx:(none)):

Here you can see the ProFTPD version (1.3.0). To disable the banner, add the following line to the proftpd.conf:

ServerIdent off

You can find more information about it here: http://proftpd.org/localsite/Userguide/linked/userguide.html

4.) Enable SSL in ProFTPD
For secure file transfer you can add SSL to your ProFTPD.

Create an SSL certificate:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl.crt -keyout /etc/proftpd/ssl.key

Open your proftpd.conf to enable SSL:

# vi /etc/proftpd/proftpd.conf

Enable the last lines like this and set TLSEngine 'on':

#
# SSL via TLS
#
<IfModule mod_tls.c>
TLSEngine on                                    # on for use of TLS
TLSLog /var/log/proftpd/ftp_ssl.log             # where to log to
TLSProtocol SSLv23                              # SSLv23 or TLSv1
TLSOptions NoCertRequest                        # either to request the certificate or not
TLSRSACertificateFile /etc/proftpd/ssl.crt      # SSL certfile
TLSRSACertificateKeyFile /etc/proftpd/ssl.key   # SSL keyfile
TLSVerifyClient off                             # client verification
</IfModule>

Restart proftpd for the change to take effect:

# /etc/init.d/proftpd restart

5.) Change the SMTP-Banner
If you want to change this Postfix SMTP-Banner:

Connected to your-domain.tld.
Escape character is '^]'.
220 your-domain.tld. ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA

Open your "/etc/postfix/main.cf" and change the SMTP-Banner there to what you want:

smtpd_banner = $myhostname ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA

6.) Install & Configure fail2ban
Fail2Ban automatically blocks an IP address after some failed logins.
It works with Apache, SSH, FTP and mail.

Install fail2ban with apt-get:

# apt-get install fail2ban

After the installation you can configure fail2ban with these two config files under /etc/fail2ban/:

/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf

Open your jail.conf to enable the blocks for some services:

# vi /etc/fail2ban/jail.conf

Now you can enable or disable the services you want to protect. By default SSH is enabled.

If you want to enable Apache,
change:

#
# HTTP servers
#
[apache]
enabled = false
port = http
filter = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6

to

#
# HTTP servers
#
[apache]
enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache2/users/*access.log
maxretry = 6

For FTP (proftpd)

[proftpd]
enabled = false
port = ftp
filter = proftpd
logpath = /var/proftpd/proftp.log
maxretry = 6

change it to

[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
maxretry = 3

You can change the maximum number of retries before a ban with

maxretry = X

If you want to change the ban time (the value is set in seconds):

bantime = 600

Warning: fail2ban uses firewall rules to block the IP.
By default a ban is active for 10 minutes. After this time the IP is unblocked automatically.

The fail2ban log is under

/var/log/fail2ban.log
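
A simplified model of how `maxretry = 3` and `bantime = 600` from the `[proftpd]` jail above play out over a log. This is an added example, not fail2ban's own code: the log lines are constructed, the regex is a simplified stand-in for the shipped proftpd filter, and the `findtime` window is a fail2ban option not shown on this page whose value is assumed here.

```python
import re
from datetime import datetime, timedelta

MAXRETRY, BANTIME = 3, 600  # values from the [proftpd] jail above
FINDTIME = 600              # assumption: window (seconds) in which failures count

# Constructed auth.log lines (documentation address ranges, made-up users).
SAMPLE_LOG = """\
Jan 10 12:00:01 srv proftpd[2101]: srv (203.0.113.5[203.0.113.5]) - USER bob (Login failed): Incorrect password.
Jan 10 12:00:03 srv proftpd[2102]: srv (198.51.100.7[198.51.100.7]) - USER web1 (Login failed): Incorrect password.
Jan 10 12:00:04 srv proftpd[2101]: srv (203.0.113.5[203.0.113.5]) - USER admin: no such user found from 203.0.113.5 [203.0.113.5] to 192.0.2.1:21
Jan 10 12:00:09 srv proftpd[2101]: srv (203.0.113.5[203.0.113.5]) - USER root (Login failed): Incorrect password.
Jan 10 12:05:00 srv proftpd[2150]: srv (198.51.100.7[198.51.100.7]) - USER web1: Login successful.
Jan 10 12:11:00 srv proftpd[2190]: srv (203.0.113.5[203.0.113.5]) - USER bob (Login failed): Incorrect password.
"""

# Simplified stand-in for a proftpd failregex, not the filter fail2ban ships.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ proftpd\[\d+\]: \S+ \(\S+\[(?P<ip>[\d.]+)\]\)"
    r" - USER \S+?(?: \(Login failed\)|: no such user found)"
)


def simulate(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay a log and return [(HH:MM:SS, 'ban' or 'unban', ip), ...]."""
    failures, banned_until, events = {}, {}, []
    window = timedelta(seconds=findtime)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                      # successful logins and noise
        # syslog timestamps carry no year; any fixed year works for deltas
        now = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        for addr, until in list(banned_until.items()):
            if until <= now:              # ban has run out
                events.append((until.strftime("%H:%M:%S"), "unban", addr))
                del banned_until[addr]
        if ip in banned_until:
            continue                      # already blocked by the firewall rule
        recent = [t for t in failures.get(ip, []) if now - t < window] + [now]
        if len(recent) >= maxretry:
            banned_until[ip] = now + timedelta(seconds=bantime)
            events.append((now.strftime("%H:%M:%S"), "ban", ip))
            recent = []
        failures[ip] = recent
    return events


if __name__ == "__main__":
    for when, action, ip in simulate(SAMPLE_LOG):
        print(when, action, ip)
```
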
7.) SSL for Mailservice (Courier)
First we need to install the courier-ssl packages.

# apt-get install courier-imap-ssl courier-pop-ssl
A default certificate is created during the installation, so we need to replace it.

Open the /etc/courier/imapd.cnf

# vi /etc/courier/imapd.cnf
and change the attributes to your needs.
And then the same with /etc/courier/pop3d.cnf

# vi /etc/courier/pop3d.cnf
After these changes, first back up the old certificates before we generate new ones.

# cd /etc/courier/ && mv pop3d.pem pop3d.pem.orig && mv imapd.pem imapd.pem.orig
Now we can generate the new one:

# dpkg-reconfigure courier-pop-ssl && dpkg-reconfigure courier-imap-ssl
Done – your Mailservice is now ready for SSL.
Change your Client to use POP3-SSL on port 995 and IMAP-SSL on port 993

8.) Make SSH safer
Every script kiddie checks your server for an open port 22 and tries to log in with the root account.
We will improve on this by using another port and disabling root login via SSH.

First we need a user on the system for a later login. If there is already one, jump over to the next step. If not, create it:

# adduser new_username
Open your sshd_config to change the settings:

# vi /etc/ssh/sshd_config
Change the Port from

Port 22
to

Port 222
Change this line:

PermitRootLogin yes
to

PermitRootLogin no
Restart the SSH-Server

# /etc/init.d/ssh restart
Close your connection and connect again to your Server on Port 222 with your new Username.
To become root, just run:

# su
9.) Prevent DOS-Attacks
To prevent simple Denial-of-Service attacks you can use the mod_evasive
module. Download the current version from
http://www.zdziarski.com/projects/mod_evasive/ and unpack it. Make
sure that apache2-prefork-dev is installed.

# apt-get install apache2-prefork-dev
# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
# tar -xzf mod_evasive_1.10.1.tar.gz
# cd mod_evasive

Install it with the Apache Extension tool (apxs):

# apxs2 -i -a -c mod_evasive20.c

The module will be built and installed into your httpd.conf.

Optionally you can change some specific directives in your
/etc/apache2/apache2.conf file. Just add the following lines and change
them to your needs.

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>

ATTENTION: This config may produce "403 Forbidden" errors on regular sites (for example: typo3, gallery, …)

You can also add the following directives:

DOSEmailNotify you@yourdomain.com
DOSSystemCommand "su - someuser -c '/sbin/… %s …'"
DOSLogDir "/var/lock/mod_evasive"

After all that, just restart your Apache to load the module.

# sudo /etc/init.d/apache2 restart

10.) Securing Open DNS server (BIND 9)
After a clean install of a Debian server, dnsstuff.com reports the
server as an open DNS server (anyone can query the server about any
domain ⇒ high load and high transfer). Two steps fix this problem:

a. First edit /etc/bind/named.conf.options (or /etc/named/named.conf for other distros, options paragraph) and add:

recursion no;
transfer-format many-answers; // this speeds up the transfer to a secondary DNS

b. We need to modify the template used by ispCP to generate the zone
files; on Debian this is /etc/ispcp/bind/parts/cfg_entry.tpl. The file
after modification should look like:

zone "{DMN_NAME}" {
        type master;
        file "{DB_DIR}/{DMN_NAME}.db";
        notify YES;
        allow-query { any; };
};

Restart BIND:

/etc/init.d/bind9 restart

Authentication will be done by saslauthd. We have to change a few
things to make it work properly. Because Postfix runs chrooted in
/var/spool/postfix we have to do the following:
=================
mkdir -p /var/spool/postfix/var/run/saslauthd
============
Now we have to edit /etc/default/saslauthd in order to activate
saslauthd. Set START to yes and change the line OPTIONS="-c -m
/var/run/saslauthd" to OPTIONS="-c -m
/var/spool/postfix/var/run/saslauthd -r":

vi /etc/default/saslauthd

Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):

adduser postfix sasl
==================
Now restart Postfix and start saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd start
=====================
To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH PLAIN LOGIN

everything is fine.

The output on my system looks like this:

root@server:/etc/postfix/ssl# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server.example.com ESMTP Postfix (Ubuntu)
ehlo localhost
250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@server:/etc/postfix/ssl#

Type

quit
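
The manual telnet check above can be turned into a repeatable test by parsing the EHLO reply. This is an added example, not part of the original guide; the function names are made up for the illustration and the reply text is a constructed capture modelled on the session shown above.

```python
import re

# Constructed capture modelled on the EHLO exchange shown above.
SAMPLE_REPLY = """\
250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-8BITMIME
250 DSN
"""


def parse_ehlo(reply):
    """Turn a multi-line EHLO reply into {KEYWORD: [parameters]}."""
    lines = [l.rstrip("\r") for l in reply.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty reply")
    extensions = {}
    for index, line in enumerate(lines):
        m = re.fullmatch(r"250([ -])(.*)", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        # "250-" marks a continuation line, "250 " the final line
        if (m.group(1) == " ") != (index == len(lines) - 1):
            raise ValueError(f"bad continuation marker: {line!r}")
        if index == 0:
            continue                      # first line is the server's name
        # some servers repeat AUTH in the legacy "AUTH=" spelling
        words = re.sub(r"^AUTH=", "AUTH ", m.group(2), flags=re.I).split()
        if not words:
            continue
        params = extensions.setdefault(words[0].upper(), [])
        params += [w.upper() for w in words[1:] if w.upper() not in params]
    return extensions


def smtp_auth_problems(reply, mechanisms=("PLAIN", "LOGIN")):
    """Return what is missing for SMTP-AUTH over TLS; empty list means fine."""
    ext = parse_ehlo(reply)
    problems = []
    if "STARTTLS" not in ext:
        problems.append("STARTTLS not offered")
    if "AUTH" not in ext:
        problems.append("AUTH not offered")
    else:
        problems += [f"AUTH mechanism {m} missing"
                     for m in mechanisms if m not in ext["AUTH"]]
    return problems


if __name__ == "__main__":
    print(smtp_auth_problems(SAMPLE_REPLY) or "STARTTLS and AUTH PLAIN LOGIN offered")
```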

========
reboot
==========
Sent to any email I tried to hotmail and gmail and proved that I received the email and sent to all Besatp is pleased

references:
http://www.isp-control.net/documentation/doku.php?id=start:installation:ubuntu
http://isp-control.net/forum/thread-5789-page-5.html
http://www.xpv.cn/home/makeispcpmoresecure.html
http://isp-control.net/forum/printthread.php?tid=9283

.htaccess rule to prevent iframe attack

RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]

reference:
http://abhionlinux.blogspot.com/2009/08/htaccess-rule-to-prevent-iframe-attack.html