Running a CentOS server with Lighttpd, PHP, MySQL, Exim with virtual users, Dovecot, and Squirrelmail
This is a tutorial on how to set up a server for mail and web. It is based on the following components:

OS: Linux CentOS 5.2
HTTP Server: Lighttpd 1.4.19, PHP 5.1.6
Database: MySQL 5.045
Mailserver: Exim 4.63 with Vexim 2.2.1, Spamassassin 3.2.4, Clamav 0.94
IMAP/Pop3 Server: Dovecot 1.0.7

This tutorial has been written during the setup of a new virtual server. In the beginning some basic tasks and some security settings will be configured before installing and configuring the main applications on the server.

After the initial setup of a minimal server, log in as root with the provided password and change it immediately:
Code:
    passwd

Check the current date and time:
Code:
    date
    date --utc

Set the timezone (here Europe/Berlin) and, if necessary, the time:
Code:
    rm /etc/localtime
    ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime
    date
    date -s 101421422009
(sets time+date to 21:42:00 Oct 14 2009)

Disable the periodic filesystem checks based on interval and mount count:
Code:
    tune2fs -i 0 -c 0 /dev/hda1

Update all installed packages:
Code:
    yum update

Install vim:
Code:
    yum install vim-minimal

Install sudo, create an unprivileged user (here dracula) and set its password:
Code:
    yum install sudo
    adduser -m dracula
    passwd dracula

Edit the sudoers file:
Code:
    visudo
Add this statement at the end of the file:
Code:
    dracula ALL=(ALL) ALL

To keep the sudo authentication cached for longer, also add:
Code:
    Defaults timestamp_timeout = 15
(the default is 5 minutes, this will increase the timeout to 15 minutes)

Log in as dracula and test sudo:
Code:
    sudo date

Now let's continue to harden ssh against unwelcome guests.
Code:
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    vi /etc/ssh/sshd_config
Set:
Code:
    PermitRootLogin no
and restart the daemon:
Code:
    service sshd restart

If you now try to connect as root via SSH, your login will be refused. To make login more secure, login with an authorized key is recommended. Log in as user dracula and create the directory .ssh and the file .ssh/authorized_keys (paste your public key into it):
Code:
    mkdir .ssh
    vi .ssh/authorized_keys

Access to the file and the directory needs to be restricted to the owning user:
Code:
    chmod 600 .ssh/authorized_keys
    chmod 700 .ssh

Then, in /etc/ssh/sshd_config, enable key authentication and disable password login:
Code:
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    UsePAM no

Restrict SSH logins to the new user:
Code:
    AllowUsers dracula

Code:
    service sshd restart

Next step is to set up priorities for yum repositories and an additional repository from rpmforge.
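An added check (example script, not from the original post) that reads an sshd_config the way sshd does, first active occurrence of each keyword wins, and reports which of the settings from this section are not yet in place. The sample configuration it writes is constructed; the file name and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings applied in this section. sshd uses the FIRST active occurrence of
# each keyword, so only that line counts; commented lines are ignored.
# Assumes the flat "Keyword value" syntax without Match blocks.

# sshd_value <file> <keyword>: print the effective value, or "default"
# when the keyword never appears uncommented (keywords are case-insensitive).
sshd_value() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "default" }' "$1"
}

# audit_sshd_config <file>: print every deviation from the hardened
# settings; return 0 when all are in place, 1 otherwise.
audit_sshd_config() {
    cfg="$1"; rc=0
    for want in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes UsePAM=no; do
        key=${want%%=*}; expected=${want#*=}
        got=$(sshd_value "$cfg" "$key")
        if [ "$got" != "$expected" ]; then
            echo "WEAK: $key is '$got', expected '$expected'"; rc=1
        fi
    done
    # Any explicit AllowUsers list is fine; unset means everybody may log in.
    if [ "$(sshd_value "$cfg" AllowUsers)" = default ]; then
        echo "WEAK: AllowUsers is not set"; rc=1
    fi
    return $rc
}

# Constructed sample: a stock config where root login is only commented out,
# so the compiled-in default (yes) still applies.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF
audit_sshd_config "$sample" || echo "sample needs hardening"
rm -f "$sample"
```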
Code:
    yum install yum-priorities

In the CentOS repository definitions under /etc/yum.repos.d/ add to each section:
Code:
    priority=1

Then install the rpmforge release package, verifying its signature first:
Code:
    wget http://apt.sw.be/redhat/el5/en/x86_64/dag/RPMS/rpmforge-release-0.3.6-1....
    rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
    rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm
    rpm -i rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

In the rpmforge repository definition add a lower priority:
Code:
    priority=10

Now we can install some additional tools that are not available in the official CentOS repository. As there are still many script kiddies and bots out there trying to log in via ssh, you will still see many login attempts in /var/log/secure. To block them, fail2ban needs to be installed and configured:
Code:
    yum install fail2ban
    vi /etc/fail2ban/jail.conf
Set:
Code:
    [ssh-iptables]
    enabled = true
    logpath = /var/log/secure
    maxretry = 1
Code:
    service fail2ban start
    chkconfig --level 2345 fail2ban on

If you are the only user and no password login is allowed, this shouldn't do any harm. In case you still log in using a password, you should increase maxretry.

After focusing on security and some basic stuff, let's now continue with installing and setting up lighttpd with fastcgi and php.
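As an added illustration (not part of the original post) of what the ssh-iptables jail does with /var/log/secure, this counts failed password attempts per source address and lists those at or above maxretry, so the effect of the value chosen above is visible. The log lines are constructed samples in the CentOS 5 sshd format with addresses from documentation ranges; the function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: the counting fail2ban's
# ssh-iptables jail performs on /var/log/secure, done by hand with awk so the
# effect of maxretry is visible. The log lines below are constructed samples.

# failed_logins <logfile> <maxretry>: print "ip count" for every source
# address with at least <maxretry> failed password attempts, sorted by ip.
failed_logins() {
    awk -v maxretry="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Both "Failed password for invalid user X from IP port N" and
            # "Failed password for X from IP port N": the address follows "from".
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= maxretry) print ip, fails[ip]
        }' "$1" | sort
}

# Constructed sample of /var/log/secure (documentation-range addresses).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Oct 14 21:42:01 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Oct 14 21:42:03 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Oct 14 21:42:05 host sshd[2203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Oct 14 21:42:09 host sshd[2210]: Failed password for dracula from 203.0.113.5 port 51002 ssh2
Oct 14 21:42:20 host sshd[2215]: Accepted publickey for dracula from 203.0.113.5 port 51010 ssh2
EOF

echo "maxretry = 1 (the tutorial's setting): one typo already bans"
failed_logins "$sample" 1
echo "maxretry = 3: only the repeated guesser is listed"
failed_logins "$sample" 3
rm -f "$sample"
```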
Code:
    yum install php php-mbstring php-mcrypt php-pear-DB lighttpd lighttpd-fastcgi

In /etc/php.ini set:
Code:
    cgi.fix_pathinfo = 1

In the file /etc/php.ini also check that expose_php is disabled, to prevent PHP from providing too much information to the outside world:
Code:
    expose_php = Off

In /etc/lighttpd/lighttpd.conf enable the required modules:
Code:
    server.modules = (
        "mod_rewrite",
        "mod_redirect",
        "mod_alias",
        "mod_auth",
        "mod_fastcgi",
        "mod_simple_vhost"
    )

Hide the version in the Server response header:
Code:
    server.tag = "lighttpd"

Configure the FastCGI backend for PHP:
Code:
    fastcgi.server = ( ".php" =>
        ( "localhost" =>
            ( "socket" => "/var/run/lighttpd/php-fastcgi.socket",
              "bin-path" => "/usr/bin/php-cgi"
            )
        )
    )

Deny requests for any host name other than your own domains:
Code:
    $HTTP["host"] !~ "(^|\.)domain1$|(^|\.)domain2$" {
        url.access-deny = ( "" )
    }

Create the socket directory for the FastCGI processes:
Code:
    mkdir /var/run/lighttpd
    chown lighttpd:lighttpd /var/run/lighttpd

Some packages install files owned by the apache user. Find them:
Code:
    find / -user apache
    find / -group apache
and give lighttpd access to the PHP session directory:
Code:
    chown root:lighttpd /var/lib/php/session

Create a test file phpinfo.php in the document root /srv/www/lighttpd:
Code:
    <?php phpinfo(); ?>

Code:
    service lighttpd start

Check the output in the browser:
Code:
    http://serverip/phpinfo.php

Remove the default page afterwards:
Code:
    rm /srv/www/lighttpd/index.php
Remove phpinfo.php as well once you have checked it; it reveals configuration details to anyone who requests it.

Create a self-signed certificate for HTTPS (valid for 3650 days):
Code:
    mkdir /etc/lighttpd/ssl/serverip -p
    cd /etc/lighttpd/ssl/serverip
    openssl req -new -x509 -keyout server.pem -out server.pem -days 3650 -nodes
    chown lighttpd:lighttpd /etc/lighttpd/ssl -R
    chmod 0600 /etc/lighttpd/ssl/serverip

Add the HTTPS host to /etc/lighttpd/lighttpd.conf:
Code:
    $SERVER["socket"] == "serverip:443" {
        server.document-root = "/srv/www/serverip"
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/ssl/serverip/server.pem"
    }

Create its document root:
Code:
    mkdir /srv/www/serverip

Test the configuration:
Code:
    lighttpd -t -f /etc/lighttpd/lighttpd.conf

Code:
    service lighttpd restart

Check that lighttpd listens on port 443:
Code:
    netstat -tulpn | grep :443

Now install MySQL and phpMyAdmin:
Code:
    yum install mysql mysql-server phpmyadmin

Code:
    service mysqld start

Set the MySQL root password (password is a placeholder):
Code:
    mysqladmin -u root password password

Make phpMyAdmin available in the HTTPS document root:
Code:
    ln -s /usr/share/phpmyadmin /srv/www/serverip/phpmyadmin

Check the ownership of the phpMyAdmin configuration and restrict it to root and the lighttpd group:
Code:
    ls -l /usr/share/phpmyadmin/config.inc.php
    chown root:lighttpd /usr/share/phpmyadmin/config.inc.php

In config.inc.php set a secret for the cookie authentication:
Code:
    $cfg['blowfish_secret']= 'secret'

Then log in at:
Code:
    https://serverip/phpmyadmin
Code:
    yum install exim mailman clamd clamav spamassassin php-pear

First we create the vexim user:
Code:
    useradd vexim -u 90 -d /usr/local/mail -s /sbin/nologin -m

Download and unpack vexim:
Code:
    cd /usr/share
    wget http://silverwraith.com/vexim/vexim2.2.1.tar.gz
    tar zxvf vexim2.2.1.tar.gz
    chown -R root:root vexim2/

Replace the exim configuration with the one shipped by vexim:
Code:
    mv /etc/exim/exim.conf /etc/exim/exim.conf.bak
    cp /usr/share/vexim2/docs/configure /etc/exim/exim.conf
    cp /usr/share/vexim2/docs/vexim-* /etc/exim/

Users and groups must be set to exim:
Code:
    MAILMAN_USER=exim
    MAILMAN_GROUP=exim
    exim_user = exim
    exim_group = exim
Code:
    user = exim
    group = exim

Set the server's IP address:
Code:
    MY_IP = serverip

Further settings in /etc/exim/exim.conf:
Code:
    domainlist local_domains = @ : ${lookup mysql{VIRTUAL_DOMAINS}} : ${lookup mysql{ALIAS_DOMAINS}}
    primary_hostname = mail.domain.tld
    hostlist relay_from_hosts = localhost : MY_IP
    trusted_users = vexim:lighttpd
    hide mysql_servers = localhost::(/var/lib/mysql/mysql.sock)/vexim/vexim/password
    log_selector = +subject +tls_cipher +tls_peerdn
    av_scanner = clamd:/var/run/clamav/clamd.sock
    .include /etc/exim/vexim-acl-check-spf.conf
    .include /etc/exim/vexim-acl-check-helo.conf
    .include /etc/exim/vexim-acl-check-rcpt.conf
    .include /etc/exim/vexim-acl-check-content.conf
    .include /etc/exim/vexim-group-router.conf

Enable TLS and the submission ports:
Code:
    # If Exim is compiled with support for TLS, you may want to enable the
    # following options so that Exim allows clients to make encrypted
    # connections. In the authenticators section below, there are template
    # configurations for plaintext username/password authentication. This kind
    # of authentication is only safe when used within a TLS connection, so the
    # authenticators will only work if the following TLS settings are turned on
    # as well.

    # Allow any client to use TLS.
    tls_advertise_hosts = *

    # Specify the location of the Exim server's TLS certificate and private key.
    # The private key must not be encrypted (password protected). You can put
    # the certificate and private key in the same file, in which case you only
    # need the first setting, or in separate files, in which case you need both
    # options.
    tls_certificate = /etc/pki/tls/certs/exim.pem
    tls_privatekey = /etc/pki/tls/private/exim.pem

    # In order to support roaming users who wish to send email from anywhere,
    # you may want to make Exim listen on other ports as well as port 25, in
    # case these users need to send email from a network that blocks port 25.
    # The standard port for this purpose is port 587, the "message submission"
    # port. See RFC 4409 for details. Microsoft MUAs cannot be configured to
    # talk the message submission protocol correctly, so if you need to support
    # them you should also allow TLS-on-connect on the traditional but
    # non-standard port 465.
    daemon_smtp_ports = 25 : 465 : 587
    tls_on_connect_ports = 465

The following statement should be added to /etc/exim/vexim-acl-check-rcpt.conf right after the comments, to avoid spam checking for authenticated logins:
Code:
    accept authenticated = *

Set the DNS blacklist to the Spamhaus zen list:
Code:
    dnslists = zen.spamhaus.org

The spam checks run as the vexim user; change both occurrences:
Code:
    spam = vexim:true
    spam = vexim:true

Before importing the vexim database schema, set the uid and gid defaults to 90 (the vexim user) and the database password in /usr/share/vexim2/setup/mysql.sql:
Code:
    uid smallint(5) unsigned NOT NULL default '90',
    gid smallint(5) unsigned NOT NULL default '90',
    GRANT SELECT,INSERT,DELETE,UPDATE ON `vexim`.* to "vexim"@"localhost" IDENTIFIED BY 'password';

Then import it:
Code:
    mysql -u root -p < /usr/share/vexim2/setup/mysql.sql

In the vexim configuration set the database password and the mailman URL:
Code:
    $sqlpass = "password";
Code:
    $mailmanroot = "http://www.domain.tld/mailman";

Make the vexim web interface available in the HTTPS document root:
Code:
    ln -s /usr/share/vexim2/vexim/ /srv/www/serverip/vexim

Clamav needs to read the messages in /var/spool/exim/scan for checking. This directory is only accessible by user and group exim:
Code:
    # ls -ld /var/spool/exim/scan
    drwxr-x--- 2 exim exim 4096 Mar 5 18:54 /var/spool/exim/scan

Therefore the clamav user is added to the exim group:
Code:
    usermod -aG exim clamav

and clamd must be allowed to use supplementary groups in its configuration:
Code:
    # Initialize supplementary group access (clamd must be started by root).
    # Default: no
    AllowSupplementaryGroups yes

The exim setup is finished - just check the config:
Code:
    exim -bV

Enable the services at boot:
Code:
    chkconfig --level 2345 spamassassin on
    chkconfig --level 2345 clamd on
    chkconfig --level 2345 mysqld on
    chkconfig --level 2345 lighttpd on
    chkconfig --level 2345 exim on

and start them:
Code:
    service spamassassin start
    service clamd start
    service exim start

The vexim web interface is now available at:
Code:
    https://serverip/vexim
Code:
    yum install dovecot

In /etc/dovecot.conf set the protocols (SSL/TLS only):
Code:
    protocols = imaps pop3s

Code:
    listen = *

Code:
    ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
    ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
    mail_location = /usr/local/mail/%d/%u

All virtual users run under the uid of the vexim user:
Code:
    mail_privileged_group = vexim
    first_valid_uid = 90
    last_valid_uid = 90

Comment out the PAM password database:
Code:
    #passdb pam {
    #  ...
    #}

and enable the SQL password database:
Code:
    # SQL database
    passdb sql {
      # Path for SQL configuration file, see doc/dovecot-sql-example.conf
      args = /etc/dovecot-sql.conf
    }

Do the same for the user database:
Code:
    # SQL database
    userdb sql {
      # Path for SQL configuration file, see doc/dovecot-sql-example.conf
      args = /etc/dovecot-sql.conf
    }

Code:
    #userdb passwd {
    #  ...
    #}

Copy the example SQL configuration:
Code:
    cp /usr/share/doc/dovecot-1.0.7/examples/dovecot-sql-example.conf /etc/dovecot-sql.conf

In /etc/dovecot-sql.conf set the connection and the password scheme used by vexim:
Code:
    driver = mysql
    connect = host=localhost dbname=vexim user=vexim password=password
    default_pass_scheme = CRYPT

and the queries against the vexim users table:
Code:
    password_query = SELECT username AS user, crypt AS password FROM users WHERE username = '%u'
    user_query = SELECT smtp AS mail, uid, gid FROM users WHERE username = '%u'

To replace the default certificate, adjust the settings in the OpenSSL configuration and use the script shipped with dovecot:
Code:
    /etc/pki/dovecot/dovecot-openssl.cnf
    /usr/share/doc/dovecot-1.0.7/examples/mkcert.sh

Code:
    mv /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem.bak
    mv /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/private/dovecot.pem.bak
    /usr/share/doc/dovecot-1.0.7/examples/mkcert.sh

Code:
    chkconfig --level 2345 dovecot on
    service dovecot start

The same script can be used to create the certificate for exim:
Code:
    cp /usr/share/doc/dovecot-1.0.7/examples/mkcert.sh /usr/share/doc/exim-4.63/doc/mkcert.sh
    cp /etc/pki/dovecot/dovecot-openssl.cnf /etc/pki/tls/exim-openssl.cnf

In the copied script adjust the paths and the owner:
Code:
    SSLDIR=${SSLDIR-/etc/pki/tls}
    OPENSSLCONFIG=${OPENSSLCONFIG-/etc/pki/tls/exim-openssl.cnf}
    CERTFILE=$CERTDIR/exim.pem
    KEYFILE=$KEYDIR/exim.pem
    chown exim:exim $CERTFILE $KEYFILE

and run it:
Code:
    /usr/share/doc/exim-4.63/doc/mkcert.sh

Finally install squirrelmail:
Code:
    yum install squirrelmail

Again check for files owned by apache:
Code:
    find / -user apache
    find / -group apache

Code:
    chown root:lighttpd /etc/squirrelmail/*
    chown lighttpd:lighttpd /var/lib/squirrelmail/prefs
    chown lighttpd:lighttpd /var/cache/mod_proxy /var/lib/dav /var/spool/squirrelmail/attach

Run the squirrelmail configuration script:
Code:
    /usr/share/squirrelmail/config/conf.pl

and point the IMAP connection to the local dovecot over TLS:
Code:
    2. Server Settings
    A. Update IMAP Settings : localhost:993 (uw)
    5. IMAP Port : 993
    7. Secure IMAP (TLS) : true

Code:
    ln -s /usr/share/squirrelmail /srv/www/serverip/squirrelmail

The server is now ready to provide mail services with virtual users for several domains, which can be defined via vexim. In case the server should also provide web services besides administrating MySQL, vexim and squirrelmail, virtual hosts must be added to /etc/lighttpd/lighttpd.conf.

Feel free to use the given setup. If you run into trouble during configuration, if you have any hints on how to improve the setup or if you find any errors, please let me know. Have fun!