This tutorial shows how to install ISPConfig 3.2 on a CentOS 8 (64-bit) server. ISPConfig is a web hosting control panel that lets you configure the following services through a web browser: Apache web server, PHP, Postfix mail server, MySQL, BIND name server, PureFTPd, SpamAssassin, ClamAV, Mailman and many more.
To install such a system, you will need the following:
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings may differ for you, so adjust them where appropriate.
If the keyboard layout of the server does not match your keyboard, you can switch to the correct one with the localectl command (in my case "de" for a German keyboard layout):
localectl set-keymap de
To get a list of all available keymaps, run:
localectl list-keymaps
I want to install ISPConfig at the end of this tutorial. ISPConfig ships with the Bastille firewall script, which I will use as the firewall, so I disable the default CentOS firewall now. Of course, you are free to leave the CentOS firewall on and configure it to your needs (but then you should not use any other firewall later, as it would most likely interfere with the CentOS firewall).
dnf -y install net-tools wget rsyslog curl
systemctl stop firewalld.service
systemctl disable firewalld.service
Stop and disable the CentOS firewall. An error here is fine; it only means that no firewall is installed.
Then you should check that the firewall is really disabled. To do so, run:
iptables -L
The output should look like this:
[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Or use the firewall-cmd command:
firewall-cmd --state
[root@server1 ~]# firewall-cmd --state
not running
[root@server1 ~]#
Now I install the network configuration editor and the shell-based editor nano, which I will use in the next steps to edit the config files:
dnf -y install nano wget NetworkManager-tui yum-utils
If you did not configure your network card during the installation, you can do that now.
nmtui
Select your network interface:
Then fill in your network details: disable DHCP and fill in a static IP address, the netmask, your gateway, and one or two name servers, then hit Ok:
Next select OK to confirm the changes you made in the network settings
and Quit to close the nmtui network configuration tool.
Now check whether the installer picked up your IP address correctly:
ifconfig
[root@server1 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.100  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::20c:29ff:feee:b665  prefixlen 64  scopeid 0x20<link>
        inet6 2003:e1:bf22:1b00:20c:29ff:feee:b665  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:ee:b6:65  txqueuelen 1000  (Ethernet)
        RX packets 2874  bytes 1369892 (1.3 MiB)
        RX errors 0  dropped 546  overruns 0  frame 0
        TX packets 968  bytes 160901 (157.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
If your network card does not show up there, it is not enabled at boot time. In that case, open the file /etc/sysconfig/network-scripts/ifcfg-ens33 (replace ens33 with the name of your interface)
nano /etc/sysconfig/network-scripts/ifcfg-ens33
and set ONBOOT to yes:
[...]
ONBOOT=yes
[...]
and reboot the server.
Check that your /etc/resolv.conf lists all the name servers you configured before:
cat /etc/resolv.conf
If name servers are missing, run
nmtui
and add the missing name servers again.
Now, on to the configuration…
Adjust /etc/hosts and /etc/hostname
Next, we edit /etc/hosts. Make it look like this:
nano /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.0.100   server1.example.com server1
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
Set the hostname in the /etc/hostname file. The file must contain the fully qualified domain name (e.g. server1.example.com in my case) and not just the short name like "server1". Open the file with the nano editor:
nano /etc/hostname
and set the hostname in the file.
server1.example.com
Save the file and exit nano.
Set SELinux to permissive
SELinux is a security extension of CentOS that is meant to provide additional protection. ISPConfig does not ship with a SELinux rule set, so I set it to permissive (this is a must if you want to install ISPConfig later). In permissive mode SELinux still logs the actions it would have denied, so the audit log stays useful for troubleshooting.
Edit /etc/selinux/config and set SELINUX=permissive:
nano /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Afterwards we must reboot the system:
reboot
First, we import the GPG keys for the software packages:
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
Then we enable the EPEL repository on our CentOS system, because many of the packages we are going to install in this tutorial are not available in the official CentOS 8 repositories:
dnf -y install epel-release
Enable the PowerTools repository:
dnf config-manager --set-enabled powertools
Then we update the existing packages on the system:
dnf -y update
Now we install some software packages that are needed later on:
dnf -y groupinstall 'Development Tools'
(If you chose a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)
To install quota, we run this command:
dnf -y install quota
Now we check whether quota is already enabled for the file system where the websites (/var/www) and the Maildir data (/var/vmail) are stored. In this example setup I have one big root partition, so I search for ' / ':
mount | grep ' / '
[root@server1 ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,noquota)
[root@server1 ~]#
If you have a separate /var partition, then use:
mount | grep ' /var '
instead. If the line contains the word "noquota", proceed with the following steps to enable quota.
Normally you enable quota in the /etc/fstab file, but if the file system is the root file system "/", quota has to be enabled by a boot parameter of the Linux kernel.
Edit the grub configuration file:
nano /etc/default/grub
Search for the line that starts with GRUB_CMDLINE_LINUX and add rootflags=uquota,gquota to the command line parameters so that the resulting line looks like this:
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/cl-swap rd.lvm.lv=cl/root rd.lvm.lv=cl/swap rootflags=uquota,gquota"
and apply the changes by running the following commands (on a UEFI system the generated file is /boot/efi/EFI/centos/grub.cfg instead of /boot/grub2/grub.cfg):
cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg_bak
grub2-mkconfig -o /boot/grub2/grub.cfg
and reboot the server.
reboot
Now check whether quota is enabled:
mount | grep ' / '
[root@server1 ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,usrquota,grpquota)
[root@server1 ~]#
When quota is active, we can see "usrquota,grpquota" in the mount option list.
If you have a separate /var partition, edit /etc/fstab instead and add ,uquota,gquota to the /var partition (/dev/mapper/centos-var):
nano /etc/fstab
#
# /etc/fstab
# Created by anaconda on Sun Sep 21 16:33:45 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        1 1
/dev/mapper/centos-var  /var                    xfs     defaults,uquota,gquota        1 2
UUID=9ac06939-7e43-4efd-957a-486775edd7b4 /boot                   xfs     defaults        1 3
/dev/mapper/centos-swap swap                    swap    defaults        0 0
Then run
mount -o remount /var
quotacheck -avugm
quotaon -avug
to enable quota. If you get an error that there is no partition with quota enabled, reboot the server before you continue.
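The quota procedure above involves two things that are easy to get wrong by hand: reading the mount options correctly and editing GRUB_CMDLINE_LINUX so that a second run does not append the flags twice. The following shell functions are an added example (not part of the original tutorial or of ISPConfig): `quota_state` classifies a line of `mount` output, `add_rootflags` adds `rootflags=uquota,gquota` to a GRUB_CMDLINE_LINUX line only when it is not already there, and `apply_rootflags_to_file` rewrites a file such as /etc/default/grub in place while keeping a `.bak` copy. The sample lines embedded in the script are constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example for the quota section: classify `mount` output and patch
# GRUB_CMDLINE_LINUX idempotently. Not part of the original tutorial.

# quota_state LINE: print enabled|partial|disabled|unknown for one `mount` line.
quota_state() {
  case "$1" in
    *usrquota*grpquota*|*grpquota*usrquota*) echo enabled ;;
    *usrquota*|*grpquota*)                   echo partial ;;   # only one of the two flags
    *noquota*)                               echo disabled ;;
    *)                                       echo unknown ;;
  esac
}

# add_rootflags LINE: print LINE with rootflags=uquota,gquota present exactly once.
# Assumes the value is enclosed in double quotes, as in the stock /etc/default/grub.
add_rootflags() {
  case "$1" in
    *rootflags=*uquota*gquota*|*rootflags=*gquota*uquota*)
      printf '%s\n' "$1" ;;                                   # already present, unchanged
    *rootflags=*)                                             # extend an existing rootflags= list
      printf '%s\n' "$1" | sed 's/rootflags=\([^" ]*\)/rootflags=\1,uquota,gquota/' ;;
    *)                                                        # no rootflags yet: append before the closing quote
      printf '%s\n' "$1" | sed 's/"$/ rootflags=uquota,gquota"/' ;;
  esac
}

# apply_rootflags_to_file FILE: rewrite FILE in place; the original is kept as FILE.bak.
apply_rootflags_to_file() {
  cp -p "$1" "$1.bak"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      GRUB_CMDLINE_LINUX=*) add_rootflags "$line" ;;
      *)                    printf '%s\n' "$line" ;;
    esac
  done < "$1.bak" > "$1"
}

# Constructed samples, copied from the output shown on this page.
BEFORE='/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,noquota)'
AFTER='/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,usrquota,grpquota)'
GRUB_LINE='GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/cl-swap rd.lvm.lv=cl/root rd.lvm.lv=cl/swap"'

echo "before reboot: $(quota_state "$BEFORE")"
echo "after reboot:  $(quota_state "$AFTER")"
add_rootflags "$GRUB_LINE"
add_rootflags "$(add_rootflags "$GRUB_LINE")"   # a second pass leaves the line unchanged
```

On the real server the sequence is `apply_rootflags_to_file /etc/default/grub`, then `grub2-mkconfig -o /boot/grub2/grub.cfg` and a reboot; afterwards `quota_state "$(mount | grep ' / ')"` should print `enabled`. `quota_state` deliberately reports `partial` when only one of usrquota/grpquota is set, because ISPConfig needs both.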
Enable the Remi repository to get a newer PHP version (currently PHP 7.4):
dnf install http://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf -y install yum-utils
dnf -y module reset php
dnf -y module install php:remi-7.4
dnf update
We can install the required packages with one command:
dnf -y install httpd mod_ssl mariadb-server php php-mysqlnd php-mbstring
To protect the server against the HTTPOXY vulnerability, we strip the Proxy request header in Apache globally. HTTPOXY works because a client-supplied "Proxy:" header is handed to CGI/FastCGI scripts as the HTTP_PROXY environment variable, which some HTTP client libraries honour as their outbound proxy setting; unsetting the header before it reaches the application closes that path.
Add the Apache header rule at the end of the httpd.conf file:
echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf
and restart httpd to apply the configuration change.
service httpd restart
Install phpMyAdmin:
cd /tmp
wget https://files.phpmyadmin.net/phpMyAdmin/5.0.2/phpMyAdmin-5.0.2-all-languages.tar.gz
tar xzvf phpMyAdmin-5.0.2-all-languages.tar.gz
mkdir /usr/share/phpmyadmin
mv phpMyAdmin-5.0.2-all-languages/* /usr/share/phpmyadmin/
mkdir /usr/share/phpmyadmin/tmp
chown -R apache:apache /usr/share/phpmyadmin
chmod 777 /usr/share/phpmyadmin/tmp
Note that the tmp directory is already owned by the apache user, so the world-writable 777 mode is wider than phpMyAdmin needs; a mode that only grants access to the owner is sufficient for the web server to use it.
CentOS 8 uses the Apache MPM event module by default. On the one hand that is good, because it lets you use the HTTP/2 protocol. On the other hand it does not allow you to use the Apache mod_php module. In general, PHP-FPM should be the default today, and ISPConfig supports it. If you need the old mod_php mode for compatibility reasons, you can switch the Apache MPM like this:
nano /etc/httpd/conf.modules.d/00-mpm.conf
Add a # in front of the MPM event line so it looks like this:
# LoadModule mpm_event_module modules/mod_mpm_event.so
Then remove the # from the MPM prefork line, like this:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
Then restart httpd to apply the configuration change.
service httpd restart
Dovecot can be installed as follows:
dnf -y install dovecot dovecot-mysql dovecot-pigeonhole
Create an empty dovecot-sql.conf file and the symlinks:
touch /etc/dovecot/dovecot-sql.conf
ln -s /etc/dovecot/dovecot-sql.conf /etc/dovecot-sql.conf
ln -s /etc/dovecot/dovecot.conf /etc/dovecot.conf
Now create the system startup links and start Dovecot:
systemctl enable dovecot
systemctl start dovecot
Postfix can be installed as follows:
dnf -y install postfix postfix-mysql
Next, open the TLS/SSL and submission ports in Postfix:
nano /etc/postfix/master.cf
Uncomment the submission and smtps sections as follows and add lines where necessary, so that this section of the master.cf file looks exactly like the one below. Important: remove the # in front of the lines that start with smtps and submission as well, not only from the -o lines after them! A service line that stays commented out while its -o lines are uncommented makes Postfix apply those options to the previous (smtp) service instead.
[...]
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]
Then turn off Sendmail and start Postfix and MariaDB (MySQL):
systemctl enable mariadb.service
systemctl start mariadb.service
systemctl enable postfix.service
systemctl restart postfix.service
Disabling sendmail ensures that it does not start in case it happens to be installed on your server, so the error message "Failed to issue method call: Unit sendmail.service not loaded." can be ignored.
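Whether the submission and smtps services really ended up uncommented with TLS and SASL enforced is worth checking mechanically, because the mistake the text warns about (uncommenting only the -o lines) leaves port 587 and 465 closed while silently changing the plain smtp service. The script below is an added example and not part of the original tutorial, ISPConfig or Postfix: `check_mastercf` reads a master.cf on standard input, attributes each `-o key=value` continuation line to the service definition above it, and fails unless submission requires STARTTLS (`smtpd_tls_security_level=encrypt`) and smtps runs in TLS wrapper mode (`smtpd_tls_wrappermode=yes`), both with SASL authentication on. The three embedded configurations are constructed samples.

```shell
#!/bin/sh
# Added example: verify that master.cf defines the submission (587) and smtps (465)
# services with mandatory TLS and SASL authentication. Not part of the original
# tutorial. It only reads its input; it does not change anything.

# check_mastercf < master.cf  -> exit 0 when OK, 1 otherwise (reasons on stdout)
check_mastercf() {
  awk '
    /^[[:space:]]*#/ { next }                    # commented out, including "#submission ..."
    /^[[:space:]]*$/ { next }                    # blank line
    /^[^[:space:]]/  { svc = $1; next }          # service definition: name type private ... command
    $1 == "-o"       { opt[svc, $2] = 1 }        # "-o key=value" belongs to the current service
    END {
      ok = 1
      ok = need("submission", "smtpd_tls_security_level=encrypt", "STARTTLS not required") && ok
      ok = need("submission", "smtpd_sasl_auth_enable=yes",       "SASL auth disabled")    && ok
      ok = need("smtps",      "smtpd_tls_wrappermode=yes",        "TLS wrapper mode off")  && ok
      ok = need("smtps",      "smtpd_sasl_auth_enable=yes",       "SASL auth disabled")    && ok
      if (ok) exit 0
      exit 1
    }
    function need(s, o, why) {
      if ((s, o) in opt) return 1
      printf "%s: %s (missing -o %s)\n", s, why, o
      return 0
    }'
}

# verdict LABEL CONFIG-TEXT: print a one-line summary for a configuration.
verdict() {
  if printf '%s\n' "$2" | check_mastercf; then echo "$1: ok"; else echo "$1: FAIL"; fi
}

# Constructed sample 1: the stock file, both services still commented out.
STOCK='smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes'

# Constructed sample 2: the mistake this page warns about. Only the -o lines were
# uncommented, so Postfix would attach them to the smtp service above.
HALF='smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes'

# Constructed sample 3: the configuration this page asks for.
GOOD='smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject'

verdict stock "$STOCK"
verdict half-fixed "$HALF"
verdict good "$GOOD"
```

On the server, run `check_mastercf < /etc/postfix/master.cf` before restarting Postfix. The check only looks at the four options named above; it does not judge the client or relay restrictions.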
Getmail can be installed as follows:
dnf install python2
cd /tmp
wget http://pyropus.ca/software/getmail/old-versions/getmail-5.14.tar.gz
tar xvfz getmail-5.14.tar.gz
cd getmail-5.14
python2 setup.py build
python2 setup.py install
Set a password for the MySQL root account:
mysql_secure_installation
[root@server1 tmp]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] <-- ENTER
New password: <-- yourrootsqlpassword
Re-enter new password: <-- yourrootsqlpassword
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] <-- ENTER
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] <-- ENTER
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] <-- ENTER
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] <-- ENTER
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@server1 tmp]#
Now we configure phpMyAdmin. Create this phpMyAdmin configuration file:
nano /etc/httpd/conf.d/phpmyadmin.conf
Add the following content to the file (the Require ip lines are commented out, so this file itself imposes no client-address restriction; uncomment them if phpMyAdmin should only be reachable from the server itself):
#
#  phpMyAdmin - Web based MySQL browser written in php
#
#  Allows only localhost by default
#
#  But allowing phpMyAdmin to anyone other than localhost should be considered
#  dangerous unless properly secured by SSL

Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin/>
   <IfModule mod_authz_core.c>
     # Apache 2.4
#     <RequireAny>
#       Require ip 127.0.0.1
#       Require ip ::1
#     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
</Directory>
Next, we change the authentication in phpMyAdmin from cookie to http:
cp -pf /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php
nano /usr/share/phpmyadmin/config.inc.php
[...]
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';
[...]
Then we create the system startup links for Apache and start it:
systemctl enable httpd
systemctl restart httpd
Now you can direct your browser to http://server1.example.com/phpmyadmin/ or http://192.168.0.100/phpmyadmin/ and log in with the user name root and your new MySQL root password. Keep in mind that HTTP (Basic) authentication sends those credentials base64-encoded, not encrypted, with every request, so use phpMyAdmin over HTTPS only once the SSL vhost exists.
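Because the configuration above leaves the Require ip lines commented out and the MySQL root password travels in a Basic-auth header, a practitioner usually wants the opposite defaults: an explicit allow-list of admin addresses and a refusal to serve the directory over plain HTTP. The function below is an added example, not part of the original tutorial or of phpMyAdmin; it prints an Apache 2.4 phpmyadmin.conf for the addresses you pass in (the 192.168.0.0/24 network used in the demo call is an assumption, not something the page specifies). The SSLRequireSSL directive belongs to mod_ssl, which this page installs together with httpd.

```shell
#!/bin/sh
# Added example: generate an Apache 2.4 phpmyadmin.conf that only admits an
# allow-list of client addresses and refuses plain-HTTP requests.
# Not part of the original tutorial.

# phpmyadmin_conf ADDR [ADDR...]: print the configuration to stdout.
# Each ADDR is an IPv4/IPv6 address or CIDR prefix accepted by "Require ip".
phpmyadmin_conf() {
  [ $# -gt 0 ] || { echo "phpmyadmin_conf: need at least one address" >&2; return 1; }
  printf '# phpMyAdmin - restricted to administrative addresses\n'
  printf 'Alias /phpMyAdmin /usr/share/phpmyadmin\n'
  printf 'Alias /phpmyadmin /usr/share/phpmyadmin\n\n'
  printf '<Directory /usr/share/phpmyadmin/>\n'
  printf '    <IfModule mod_ssl.c>\n'
  printf '        SSLRequireSSL\n'          # 403 for plain HTTP: Basic-auth credentials never go in clear
  printf '    </IfModule>\n'
  printf '    <RequireAny>\n'
  for a in "$@"; do
    printf '        Require ip %s\n' "$a"   # allow-list entry; everything else is denied
  done
  printf '    </RequireAny>\n'
  printf '</Directory>\n'
}

# Demo with constructed values: loopback plus one (assumed) admin network.
phpmyadmin_conf 127.0.0.1 ::1 192.168.0.0/24
```

Write the output to /etc/httpd/conf.d/phpmyadmin.conf instead of the file shown above, then run `apachectl configtest` before `systemctl restart httpd`.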
To install amavisd-new, SpamAssassin and ClamAV, run the following command:
dnf -y install amavisd-new spamassassin clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd unzip bzip2 perl-DBD-mysql postgrey re2c
Then we start freshclam, amavisd and clamd.amavisd:
sa-update
freshclam
systemctl enable amavisd.service
systemctl start amavisd.service
systemctl start clamd@amavisd.service
systemctl enable postgrey.service
systemctl start postgrey.service
In the next step we configure postgrey. Open the file /etc/sysconfig/postgrey in an editor:
nano /etc/sysconfig/postgrey
and change the line:
POSTGREY_TYPE="--unix=/var/spool/postfix/postgrey/socket"
to
POSTGREY_TYPE="--inet=10023"
Save the file and restart postgrey:
service postgrey restart
To configure amavisd, edit the file /etc/clamd.d/amavisd.conf:
nano /etc/clamd.d/amavisd.conf
and change the line:
LocalSocket /run/clamd.amavisd/clamd.sock
to
LocalSocket /var/spool/amavisd/clamd.sock
Save the changed configuration file and restart ClamAV:
systemctl restart clamd@amavisd.service
Now we have to create a systemd unit for the freshclam service. Create a new file /usr/lib/systemd/system/freshclam.service:
nano /usr/lib/systemd/system/freshclam.service
and enter the following content into that file:
[Unit]
Description = ClamAV Scanner
After = network.target

[Service]
Type = forking
# if you want to scan more than one in a day change the number 1 with your desired number in below line.
ExecStart = /usr/bin/freshclam -d -c 1
Restart = on-failure
PrivateTmp =true

[Install]
WantedBy=multi-user.target
Save the file, then enable and start the service.
systemctl enable freshclam.service
systemctl start freshclam.service
systemctl status freshclam.service
ISPConfig 3 lets you use mod_php, mod_fcgi/PHP, cgi/PHP and PHP-FPM on a per-website basis.
We can install Apache2 with mod_php, mod_fcgid and PHP as follows:
dnf -y install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-pecl-apc php-mbstring php-mcrypt php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel php-fpm php-intl php-imagick php-pspell wget
Next, we open /etc/php.ini …
nano /etc/php.ini
… and change the error reporting (so that notices are not shown any longer), set the timezone and uncomment cgi.fix_pathinfo=1:
[...]
;error_reporting = E_ALL & ~E_DEPRECATED
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
[...]
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://www.php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo
cgi.fix_pathinfo=1
[...]
date.timezone = 'Europe/Berlin'
[...]
Enable httpd and PHP-FPM to start at boot time and start the PHP-FPM service.
systemctl start php-fpm.service
systemctl enable php-fpm.service
systemctl enable httpd.service
Finally, we restart Apache:
systemctl restart httpd.service
Now we add support for Let's Encrypt. ISPConfig now uses acme.sh as the Let's Encrypt client. Install acme.sh with the following command. Note that it pipes a downloaded script straight into a shell; if that is not acceptable in your environment, download the script first, inspect it, and run it afterwards:
curl https://get.acme.sh | sh -s
The Apache module mod_python is not available as an RPM package, so we compile it from source. The first step is to install the Python development files and download the current mod_python version as a .tar.gz file:
dnf -y install python3-devel
cd /usr/local/src/
wget http://dist.modpython.org/dist/mod_python-3.5.0.tgz
tar xfz mod_python-3.5.0.tgz
cd mod_python-3.5.0
Then configure and compile the module.
./configure --with-python=/usr/bin/python3
make
There is a bug in the module's build system that makes the installation fail with the error "version = fatal: Not a git repository (or any of the parent directories): .git". To fix it, run this sed command (the command is one line!):
sed -e 's/(git describe --always)/(git describe --always 2>\/dev\/null)/g' -e 's/`git describe --always`/`git describe --always 2>\/dev\/null`/g' -i $( find . -type f -name Makefile\* -o -name version.sh )
Then install the module with this command.
make install
and enable the module in Apache:
echo 'LoadModule python_module modules/mod_python.so' > /etc/httpd/conf.modules.d/10-python.conf
systemctl restart httpd.service
PureFTPd can be installed with the following command:
dnf -y install pure-ftpd
Then create the system startup links and start PureFTPd:
systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service
Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS the whole communication can be encrypted, which makes FTP considerably safer.
TLS needs OpenSSL; to install OpenSSL, we simply run:
dnf install openssl
Open /etc/pure-ftpd/pure-ftpd.conf …
nano /etc/pure-ftpd/pure-ftpd.conf
If you want to allow FTP and TLS sessions, set TLS to 1 by removing the # in front of the TLS line. Enabling TLS is strongly recommended; a value of 2 would refuse unencrypted sessions altogether, as the comment block in the file explains.
[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      1
[...]
To use TLS, we have to create an SSL certificate. I create it in /etc/ssl/private/, so I create that directory first:
mkdir -p /etc/ssl/private/
Afterwards we can generate the SSL certificate as follows:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [XX]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) []: <-- Enter your State or Province Name.
Locality Name (eg, city) [Default City]: <-- Enter your City.
Organization Name (eg, company) [Default Company Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, your name or your server's hostname) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.
Change the permissions of the SSL certificate (the file also contains the private key):
chmod 600 /etc/ssl/private/pure-ftpd.pem
Create a DHParam file:
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
Finally, restart PureFTPd:
systemctl restart pure-ftpd.service
That's it. You can now try to connect with your FTP client; you should, however, configure your FTP client to use TLS.
We can install BIND as follows:
dnf -y install bind bind-utils haveged
Back up the existing /etc/named.conf file and create a new one as follows:
cp /etc/named.conf /etc/named.conf_bak
cat /dev/null > /etc/named.conf
nano /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-recursion {"none";};
        recursion no;
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.conf.local";
Create the file /etc/named.conf.local that is included at the end of /etc/named.conf (/etc/named.conf.local will later be populated by ISPConfig when you create DNS zones in ISPConfig):
touch /etc/named.conf.local
Then we create the startup links and start BIND:
systemctl enable named.service
systemctl start named.service
systemctl enable haveged.service
systemctl start haveged.service
AWStats can be installed as follows:
dnf -y install awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder
CentOS 8 no longer provides the alternative web statistics application "webalizer", so AWStats is the only option.
Jailkit is used to chroot SSH users and cronjobs. It can be installed as follows:
ln -s /usr/bin/python2 /usr/bin/python
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.21.tar.gz
tar xvfz jailkit-2.21.tar.gz
cd jailkit-2.21
./configure
make
make install
cd ..
rm -rf jailkit-2.21*
This is optional but recommended, because the ISPConfig monitor tries to show the fail2ban log.
dnf -y install iptables-services fail2ban fail2ban-systemd
systemctl stop firewalld.service
systemctl mask firewalld.service
systemctl disable firewalld.service
Next we create the /etc/fail2ban/jail.local file and enable monitoring for the ssh, email and ftp services.
nano /etc/fail2ban/jail.local
Add the following content to the jail.local file:
[sshd]
enabled = true
action = iptables[name=sshd, port=ssh, protocol=tcp]

[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 3

[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5

[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 3
Then create the system startup links for fail2ban and start it:
systemctl enable fail2ban.service
systemctl start fail2ban.service
rkhunter can be installed as follows:
dnf -y install rkhunter
If you like to manage mailing lists with Mailman on your server, install mailman now. Mailman is supported by ISPConfig, so you will be able to create new mailing lists through ISPConfig later.
dnf -y install mailman
Before we can start Mailman, a first mailing list called mailman must be created:
touch /var/lib/mailman/data/aliases
postmap /var/lib/mailman/data/aliases
/usr/lib/mailman/bin/newlist mailman
ln -s /usr/lib/mailman/mail/mailman /usr/bin/mailman
[root@server1 tmp]# /usr/lib/mailman/bin/newlist mailman
Enter the email of the person running the list: <-- admin email address, e.g. listadmin@example.com
Initial mailman password: <-- admin password for the mailman list
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman:              "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/usr/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner... <-- ENTER

[root@server1 tmp]#
Afterwards open /etc/aliases …
nano /etc/aliases
… and add the following lines:
[...]
mailman:              "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/usr/lib/mailman/mail/mailman unsubscribe mailman"
Run:
newaliases
afterwards and restart Postfix:
systemctl restart postfix.service
Now open the Mailman Apache configuration file /etc/httpd/conf.d/mailman.conf …
nano /etc/httpd/conf.d/mailman.conf
… and add the line ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/. Comment out Alias /pipermail/ /var/lib/mailman/archives/public/ and add the line Alias /pipermail /var/lib/mailman/archives/public/:
#
#  httpd configuration settings for use with mailman.
#

ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/
<Directory /usr/lib/mailman/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

#Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /pipermail /var/lib/mailman/archives/public/
<Directory /var/lib/mailman/archives/public>
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AddDefaultCharset Off
</Directory>

# Uncomment the following line, to redirect queries to /mailman to the
# listinfo page (recommended).

# RedirectMatch ^/mailman[/]*$ /mailman/listinfo
Restart Apache:
systemctl restart httpd.service
Create the system startup links for Mailman and start it:
systemctl enable mailman.service
systemctl start mailman.service
After you have installed ISPConfig 3, you can access Mailman as follows:
You can use the alias /cgi-bin/mailman for all Apache vhosts (please note that suExec and CGI must be disabled for all vhosts from which you want to access Mailman!), which means you can reach the Mailman admin interface for a list at http://<vhost>/cgi-bin/mailman/admin/<listname>, and the web page for users of a mailing list at http://<vhost>/cgi-bin/mailman/listinfo/<listname>. Under http://<vhost>/pipermail/<listname> you find the mailing list archives.
To install the RoundCube webmail client, download the latest version with wget to the /tmp folder:
cd /tmp
wget https://github.com/roundcube/roundcubemail/releases/download/1.4.3/roundcubemail-1.4.3-complete.tar.gz
Unpack the tar.gz archive and move the RoundCube source to /usr/share/roundcubemail
tar xfz roundcubemail-1.4.3-complete.tar.gz
mkdir /usr/share/roundcubemail
mv /tmp/roundcubemail-1.4.3/* /usr/share/roundcubemail/
chown -R root:root /usr/share/roundcubemail
chown apache /usr/share/roundcubemail/temp
chown apache /usr/share/roundcubemail/logs
Create a roundcubemail.conf configuration file with the nano editor:
nano /etc/httpd/conf.d/roundcubemail.conf
and add the following content to that file:
#
# Round Cube Webmail is a browser-based multilingual IMAP client
#

Alias /roundcubemail /usr/share/roundcubemail
Alias /webmail /usr/share/roundcubemail

# Define who can access the Webmail
# You can enlarge permissions once configured

<Directory /usr/share/roundcubemail/>
        Options none
        AllowOverride Limit
        Require all granted
</Directory>

# Define who can access the installer
# keep this secured once configured

<Directory /usr/share/roundcubemail/installer>
        Options none
        AllowOverride Limit
        Require all granted
</Directory>

# Those directories should not be viewed by Web clients.
<Directory /usr/share/roundcubemail/bin/>
    Order Allow,Deny
    Deny from all
</Directory>
<Directory /usr/share/roundcubemail/plugins/enigma/home/>
    Order Allow,Deny
    Deny from all
</Directory>
Restart Apache:
systemctl restart httpd.service
Now we need a RoundCube mail database, which we initialise as follows:
mysql -u root -p
At the MariaDB prompt use:
CREATE DATABASE roundcubedb;
CREATE USER roundcubeuser@localhost IDENTIFIED BY 'roundcubepassword';
GRANT ALL PRIVILEGES ON roundcubedb.* TO roundcubeuser@localhost;
FLUSH PRIVILEGES;
exit
I used the RoundCube database details above as an example; for security reasons, replace the values with your own.
Now we install RoundCube in the browser at http://192.168.0.100/roundcubemail/installer
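Two values in this section must not be copied from a tutorial: the database password and the des_key in config.inc.php, which Roundcube uses to encrypt the IMAP password stored in the session and which has to be exactly 24 characters long. The script below is an added example, not part of the original tutorial or of Roundcube: `gen_secret` draws alphanumeric secrets from /dev/urandom, `roundcube_sql` prints the statements for the MariaDB prompt with the generated password filled in, and `roundcube_config` prints the two config.inc.php lines that carry secrets. Alphanumeric secrets are used on purpose so that they need no quoting in SQL and no URL-encoding in the DSN. The database and user names are the ones used on this page.

```shell
#!/bin/sh
# Added example: generate a unique database password and Roundcube des_key instead
# of reusing the literal values printed on this page. Not part of the original tutorial.

# gen_secret N: print N random characters from [A-Za-z0-9] (kernel CSPRNG).
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# des_key_ok KEY: Roundcube requires des_key to be exactly 24 characters.
des_key_ok() {
  [ "${#1}" -eq 24 ]
}

# roundcube_sql DB USER PASS: statements to paste into `mysql -u root -p`.
# PASS must be alphanumeric; it is embedded inside single quotes unescaped.
roundcube_sql() {
  cat <<EOF
CREATE DATABASE $1;
CREATE USER $2@localhost IDENTIFIED BY '$3';
GRANT ALL PRIVILEGES ON $1.* TO $2@localhost;
FLUSH PRIVILEGES;
EOF
}

# roundcube_config DB USER PASS DESKEY: the config.inc.php lines that hold secrets.
roundcube_config() {
  cat <<EOF
\$config['db_dsnw'] = 'mysql://$2:$3@localhost/$1';
\$config['des_key'] = '$4';
EOF
}

DB_PASS=$(gen_secret 32)
DES_KEY=$(gen_secret 24)

echo "-- paste into the MariaDB prompt:"
roundcube_sql roundcubedb roundcubeuser "$DB_PASS"
echo "-- put into /usr/share/roundcubemail/config/config.inc.php:"
roundcube_config roundcubedb roundcubeuser "$DB_PASS" "$DES_KEY"
```

Run it once, paste the SQL into the MariaDB prompt and the two PHP lines into config.inc.php, and do not reuse the output on a second server. `des_key_ok` is also handy to verify an existing config: a key of any other length makes Roundcube log a warning and weakens the session protection.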
Now create the config.inc.php file:
nano /usr/share/roundcubemail/config/config.inc.php
<?php

/* Local configuration for Roundcube Webmail */

// ----------------------------------
// SQL DATABASE
// ----------------------------------
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path (Linux): 'sqlite:full/path/to/sqlite.db?mode=0646'
//       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = 'mysql://roundcubeuser:roundcubepassword@localhost/roundcubedb';

// ----------------------------------
// IMAP
// ----------------------------------
// The IMAP host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
//          required to match old user data records with the new host.
$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';

// This key is used for encrypting purposes, like storing of imap password
// in the session. For historical reasons it's called DES_key, but it's used
// with any configured cipher_method (see below).
$config['des_key'] = 'pb0UucO0eqjgvhrqYlFTBVjE';

// ----------------------------------
// PLUGINS
// ----------------------------------
// List of active plugins (in plugins/ directory)
$config['plugins'] = array();

// Set the spell checking engine. Possible values:
// - 'googie'  - the default (also used for connecting to Nox Spell Server, see 'spellcheck_uri' setting)
// - 'pspell'  - requires the PHP Pspell module and aspell installed
// - 'enchant' - requires the PHP Enchant module
// - 'atd'     - install your own After the Deadline server or check with the people at http://www.afterthedeadline.com before using their API
// Since Google shut down their public spell checking service, the default settings
// connect to http://spell.roundcube.net which is a hosted service provided by Roundcube.
// You can connect to any other googie-compliant service by setting 'spellcheck_uri' accordingly.
$config['spellcheck_engine'] = 'pspell';
$config['enable_installer'] = true;
Then press "Continue" in the web installer. On the next page, press the "Initialize database" button.
Finally, disable the Roundcube installer. Change the RoundCube config.inc.php configuration file
nano /usr/share/roundcubemail/config/config.inc.php
and change the line:
$config['enable_installer'] = true;
to:
$config['enable_installer'] = false;
Roundcube is now available under the aliases /webmail and /roundcubemail on your server:
http://192.168.0.100/webmail
The RoundCube login is the email address and password of an email account that you create later in ISPConfig.
The ISPConfig installer configures all services like Postfix, Dovecot, etc. for you.
You can also let the installer create an SSL vhost for the ISPConfig control panel, so that ISPConfig can be accessed over https:// instead of http://. To do so, just press ENTER when you see this question: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:
To download and install ISPConfig 3.2 (stable release), do the following:
cd /tmp
wget -O ispconfig.tar.gz https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ispconfig.tar.gz
cd ispconfig3*/install/
The next step is to run:
php -q install.php
This starts the ISPConfig 3 installer. The installer configures all services like Postfix, Dovecot, etc. for you.
[root@server1 install]# php install.php
(ISPConfig ASCII-art banner)
>> Initial configuration
Operating System: CentOS 8.2
Following will be a few questions for primary configuration so be careful. Default values are in [brackets] and can be accepted with <ENTER>. Tap in "quit" (without the quotes) to stop the installer.
Select language (en,de) [en]: <-- Hit Enter
Installation mode (standard,expert) [standard]: <-- Hit Enter
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- Hit Enter
MySQL server hostname [localhost]: <-- Hit Enter
MySQL server port [3306]: <-- Hit Enter
MySQL root username [root]: <-- Hit Enter
MySQL root password []: <-- Enter the MySQL root password here
MySQL database to create [dbispconfig]: <-- Hit Enter
MySQL charset [utf8]: <-- Hit Enter
Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
................................++
...++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: <-- Enter 2 Letter country code, e.g. US
State or Province Name (full name) []: <-- Enter name of State or Province
Locality Name (eg, city) [Default City]: <-- Name of city
Organization Name (eg, company) [Default Company Ltd]: <-- Company name
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (eg, your name or your server's hostname) []: <-- Enter server hostname here, in my case: server1.example.com
Email Address []: <-- Enter Email address
Configuring mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Jailkit
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring vlogger
[INFO] service OpenVZ not detected
Configuring Bastille Firewall
[INFO] service Metronome XMPP Server not detected
Configuring Fail2ban
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]: <-- Hit Enter
Admin password [fad579a6]: <-- Enter new password for ISPConfig admin user
Re-enter admin password []: <-- Repeat the password
Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- Hit Enter
Generating RSA private key, 4096 bit long modulus
.................................................................................++
.....++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: <-- Enter 2 Letter country code, e.g. US
State or Province Name (full name) []: <-- Enter name of State or Province
Locality Name (eg, city) [Default City]: <-- Name of city
Organization Name (eg, company) [Default Company Ltd]: <-- Company name
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (eg, your name or your server's hostname) []: <-- Enter server hostname here, in my case: server1.example.com
Email Address []: <-- Enter Email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Hit Enter
An optional company name []: <-- Hit Enter
writing RSA key

Configuring DBServer
Installing ISPConfig crontab
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.
The installer configures all underlying services automatically, so no manual configuration is needed.
Afterwards you can access ISPConfig 3 under http(s)://server1.example.com:8080/ or http(s)://192.168.0.100:8080/ (http or https depends on what you chose during installation).
Log in with the user name admin and the admin password you entered during the installation.
To learn how to use ISPConfig 3, I strongly recommend downloading the ISPConfig 3 manual.
https://www.howtoforge.com/download-the-ispconfig-3-manual
On more than 300 pages, it covers the concepts behind ISPConfig (admin, resellers, clients), explains how to install and update ISPConfig 3, includes a reference for all forms and form fields in ISPConfig together with examples of valid inputs, and provides tutorials for the most common tasks in ISPConfig 3. It also lines out how to make your server more secure and comes with a troubleshooting section at the end.
This setup is available as a virtual machine download in ova/ovf format (compatible with VMware and VirtualBox) for howtoforge subscribers.
Please change both passwords at the first login.