Tutoriel N° 2bb
Migration Ovh Release 3 / Ubuntu 14.04 IspConfig3
Suite à l'envoi récent d'un mail d'ovh qui indique arrêter la Release3, j'ai décidé de migrer mon système sur une distribution Ubuntu 14.04 avec le panel IspConfig 3!
Votre serveur continuera de tourner, mais vous ne pourrez plus le réinstaller avec Ovh Release3 si besoin après le 30 Novembre 2018 !
Mes objectifs:
1/ Apache2, PHP, Mysql, Postfix
2/ Php 5.3.29 avec choix multiples versions
3/ Ispconfig3 comme Panel à la place de webmin/virtualmin
4/ Ajouter un domaine, les dns, un compte ftp
Je me suis inspiré de ces sources:
Installation php multiple avec php 5.3.29
http://www.casper-development.be/ajouter-autre-version-de-php-ispconfig-debian-8-php-5-3/
Installation Apache2, PHP, Mysql, Postfix, Ispconfig3
https://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3
Convention et codes couleurs:
Rouge: modification à effectuer dans le fichier à éditer
Vert: Commande shell dans un terminal en ssh sur votre vps
A/ On reinstall son VPS avec Ubuntu 14.04 dans le manager OVH
B/ Installation de base
passwd root ==> on change le mot de passe root
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install nano -y
sudo apt-get install curl -y
updatedb
nano /etc/ssh/sshd_config
on ajoute à la fin: MaxAuthTries 3
nano /etc/apt/sources.list
on diese tout et on remplace:
# deb cdrom:[Ubuntu-Server 14.04 LTS _Trusty Tahr_ - Release amd64 (20140416.2)]/ trusty main restricted
#deb cdrom:[Ubuntu-Server 14.04 LTS _Trusty Tahr_ - Release amd64 (20130423.2)]/ trusty main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ trusty main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ trusty universe
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty universe
deb http://de.archive.ubuntu.com/ubuntu/ trusty-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ trusty multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty multiverse
deb http://de.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
deb-src http://security.ubuntu.com/ubuntu trusty-security main restricted
deb http://security.ubuntu.com/ubuntu trusty-security universe
deb-src http://security.ubuntu.com/ubuntu trusty-security universe
deb http://security.ubuntu.com/ubuntu trusty-security multiverse
deb-src http://security.ubuntu.com/ubuntu trusty-security multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu trusty partner
# deb-src http://archive.canonical.com/ubuntu trusty partner
## Uncomment the following two lines to add software from Ubuntu's
## 'extras' repository.
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
# deb http://extras.ubuntu.com/ubuntu trusty main
# deb-src http://extras.ubuntu.com/ubuntu trusty main
#deb cdrom:[Ubuntu-Server 14.04 LTS _Trusty Tahr_ - Release amd64 (20130423.2)]/ trusty main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ trusty main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ trusty universe
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty universe
deb http://de.archive.ubuntu.com/ubuntu/ trusty-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ trusty multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty multiverse
deb http://de.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
deb-src http://security.ubuntu.com/ubuntu trusty-security main restricted
deb http://security.ubuntu.com/ubuntu trusty-security universe
deb-src http://security.ubuntu.com/ubuntu trusty-security universe
deb http://security.ubuntu.com/ubuntu trusty-security multiverse
deb-src http://security.ubuntu.com/ubuntu trusty-security multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu trusty partner
# deb-src http://archive.canonical.com/ubuntu trusty partner
## Uncomment the following two lines to add software from Ubuntu's
## 'extras' repository.
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
# deb http://extras.ubuntu.com/ubuntu trusty main
# deb-src http://extras.ubuntu.com/ubuntu trusty main
apt-get update
apt-get upgrade
reboot
C/ Installation PHP 5.3.29 [Optionnel si vous avez besoin d'une version anterieure]
mkdir /opt/php-5.3.29
mkdir /usr/local/src/php5-build
cd /usr/local/src/php5-build
wget http://fr2.php.net/get/php-5.3.29.tar.bz2/from/this/mirror -O php-5.3.29.tar.bz2
tar jxf php-5.3.29.tar.bz2
cd php-5.3.29/
apt-get install build-essential -y
apt-get build-dep php5 -y
==> mot de passe root mysql à définir
apt-get install libfcgi-dev libfcgi0ldbl libjpeg62-dbg libmcrypt-dev libssl-dev libc-client2007e libc-client2007e-dev -y
ln -s /usr/lib/libc-client.a /usr/lib/x86_64-linux-gnu/libc-client.a
mkdir /usr/include/freetype2
mkdir /usr/include/freetype2/freetype
ln -s /usr/include/freetype2/freetype.h /usr/include/freetype2/freetype/freetype.h
cd /usr/local/src/php5-build/php-5.3.29/
sudo apt-get install -y autoconf g++ make openssl libssl-dev libcurl4-openssl-dev
sudo apt-get install -y libcurl4-openssl-dev pkg-config
sudo apt-get install -y libsasl2-dev
sudo apt-get install libxml2-dev
sudo apt-get install libbz2-dev
sudo apt-get install libjpeg-turbo8-dev
sudo apt-get install libpng-dev
sudo apt-get install libmysqlclient-dev
apt-get install libssl-dev libsslcommon2-dev
apt-cache search mysql | grep dev
sudo apt-get install tasksel -y
find / -type f -name libXpm* ==> pour connaître le chemin exact ci dessous
ln -s /usr/lib/x86_64-linux-gnu/libXpm.so.4.11.0 /usr/lib/
ln -s /usr/lib/x86_64-linux-gnu/libXpm.a /usr/lib/
./configure
--prefix=/opt/php-5.3.29-cgi
--with-zlib-dir
--with-xpm-dir=/usr
--enable-mbstring
--with-libxml-dir=/usr
--enable-soap
--enable-calendar
--with-curl
--with-mcrypt
--with-zlib
--with-gd
--disable-rpath
--enable-inline-optimization
--with-bz2
--with-zlib
--enable-sockets
--enable-sysvsem
--enable-sysvshm
--enable-pcntl
--enable-mbregex
--enable-exif
--enable-bcmath
--with-mhash
--enable-zip
--with-pcre-regex
--with-mysql
--with-pdo-mysql
--with-mysqli
--with-jpeg-dir=/usr
--with-png-dir=/usr
--enable-gd-native-ttf
--with-openssl
--with-fpm-user=www-data
--with-fpm-group=www-data
--enable-ftp
--with-imap=/usr
--with-imap-ssl
--with-kerberos
--with-gettext
--with-xmlrpc
--with-xsl
--enable-cgi
make && make install
cp /usr/local/src/php5-build/php-5.3.29/php.ini-production /opt/php-5.3.29-cgi/lib/php.ini
D/ Installation suite avec POSTFIX
apt-get install ntp ntpdate
service sendmail stop; update-rc.d -f sendmail remove
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
=> Create a self signed SSL ... ==> Y OK OK OK
nano /etc/postfix/master.cf
on ajoute au dessus de #submission sans toucher au reste
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
service spamassassin stop
update-rc.d -f spamassassin remove
E/ Installation suite avec APACHE2 et PHP
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp -y
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
php5enmod mcrypt
a2enmod userdir suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest
nano /etc/apache2/mods-available/suphp.conf
<IfModule mod_suphp.c>
#<FilesMatch ".ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
suPHP_AddHandler application/x-httpd-suphp
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
#<FilesMatch ".ph(p3?|tml)$">
# SetHandler application/x-httpd-suphp
#</FilesMatch>
suPHP_AddHandler application/x-httpd-suphp
AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
nano /etc/mime.types
[...]
#application/x-ruby rb
[...]
#application/x-ruby rb
[...]
apt-get install php5-xcache
apt-get install libapache2-mod-fastcgi php5-fpm
a2enmod actions fastcgi alias
service apache2 restart
service postfix restart
F/ Installation suite BIND, FTP, ...
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool -y
nano /etc/default/pure-ftpd-common
VIRTUALCHROOT=true
echo 1 > /etc/pure-ftpd/conf/TLS
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]:<-- Enter your State or Province Name.
Locality Name (eg, city) []:<-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []:<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []:<-- Enter your Email Address.
chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart
apt-get install bind9 dnsutils -y
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl -y
on commente tout
nano /etc/cron.d/awstats
apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold -y
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
tar xvfz jailkit-2.17.tar.gz
cd jailkit-2.17
./debian/rules binary
cd ..
dpkg -i jailkit_2.17-1_*.deb
rm -rf jailkit-2.17*
apt-get install fail2ban -y
nano /etc/fail2ban/jail.local
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5
[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5
[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
nano /etc/fail2ban/filter.d/pureftpd.conf
[Definition]
failregex = .*pure-ftpd: (.*@<HOST>) [WARNING] Authentication failed for user.*
ignoreregex =
failregex = .*pure-ftpd: (.*@<HOST>) [WARNING] Authentication failed for user.*
ignoreregex =
nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login (auth failed|Aborted login (tried to use disabled|Disconnected (auth failed|Aborted login (d+ authentication attempts).*rip=(?P<host>S*),.*
ignoreregex =
ignoreregex =
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
service fail2ban restart
apt-get install squirrelmail -y
squirrelmail-configure
Command >> <-- D
dovecot
[Enter]
S
[Enter]
Q
cd /etc/apache2/conf-available/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
nano /etc/apache2/conf-available/squirrelmail.conf
<Directory /usr/share/squirrelmail>
Options FollowSymLinks
<IfModule mod_php5.c>
====> on ajoute apres ca
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
Options FollowSymLinks
<IfModule mod_php5.c>
====> on ajoute apres ca
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
mkdir /var/lib/squirrelmail/tmp
chown www-data /var/lib/squirrelmail/tmp
a2enconf squirrelmail
service apache2 reload
http://your-ip/squirrelmail
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
php -q install.php
ISPConfig Port [8080]: 5050
do you want secure ssl ==> No
http://your_ip:5050
admin
password que vous avez choisi en root
system > system > Additionnal PHP versions
php name: php5.3.29
Puis dans l’onglet FastCGI Settings :
Path to the PHP FastCGI binary : /opt/php-5.3.29-cgi/bin/php-cgi
Path to the php.ini directory : /opt/php-5.3.29-cgi/lib
/etc/init.d/pure-ftpd-mysql start
http://your_ip/phpmyadmin
root
pawword_root
cree un compte sftp
sites > Shell-user > add new shell user
cree un compte ftp
==> il cree le user defaultuser
defaultuser
mot_de_passe_ftp
Ma config php.ini pour php 5.3.29
nano /opt/php-5.3.29-cgi/lib/php.ini
short_open_tag = On
date.timezone = 'Europe/Paris'
max_execution_time = 3000
max_input_time = 120
;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;
allow_url_include = 1
allow_url_include = On
register_globals = On
display_errors = Off
log_errors = Off
; Add X-PHP-Originaiting-Script: that will include uid of the script followed by the filename
mail.add_x_header = Off
date.timezone = 'Europe/Paris'
max_execution_time = 3000
max_input_time = 120
;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;
allow_url_include = 1
allow_url_include = On
register_globals = On
display_errors = Off
log_errors = Off
; Add X-PHP-Originaiting-Script: that will include uid of the script followed by the filename
mail.add_x_header = Off
service apache2 restart
C fini !
Je complèterai ce tutoriel avec l'ajout de https avec Letsencrypt ainsi que la signature DKIM pour les emails !
==> Gestion certificat avec letenscrypt:
https://www.shareannonce.com/david/tutorial/2c1
Je ne traite pas de la prise en main d'IspConfig mais c'est tres intuitif ! eventuellement vous trouverez de la doc sur google !
