
IT training: The Perfect Server, CentOS 5


Document information: 32 pages, 1.38 MB


Contents


Prepared By: Jim “King” Reforma [virushacker23@yahoo.com]

http://www.linuxman.2ya.com/

The Perfect Server - CentOS 5.2

This tutorial shows how to set up a CentOS 5.x server that offers all services needed by ISPs and web hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Dovecot POP3/IMAP, Quota, Firewall, etc. This tutorial is written for the 32-bit version of CentOS 5.2, but should apply to the 64-bit version with very little modification as well.

I will use the following software:

• Web Server: Apache 2.2 with PHP 5.1.6

• Database Server: MySQL 5.0

• Mail Server: Postfix

• DNS Server: BIND9 (chrooted)

• FTP Server: Proftpd

• POP3/IMAP server: Dovecot

• Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal, but this is the way I take. I do not issue any guarantee that this will work for you!

1 Requirements

To install such a system you will need the following:

• Download the CentOS 5.2 DVD or the six CentOS 5.2 CDs from a mirror near you (the list of mirrors can be found here: http://isoredirect.centos.org/centos/5/isos/i386/)

• a fast internet connection

2 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

3 Install The Base System

Boot from your first CentOS 5.2 CD (CD 1) or the CentOS 5.2 DVD. Press <ENTER> at the boot prompt:


Choose your language next:


Now we must select a partitioning scheme for our installation. For simplicity's sake I select Remove linux partitions on selected drives and create default layout. This will result in a small /boot and a large / partition as well as a swap partition. Of course, you're free to partition your hard drive however you like. Then I hit Next:


Answer the following question (Are you sure you want to do this?) with Yes:


On to the network settings. The default setting here is to configure the network interfaces with DHCP, but we are installing a server, so static IP addresses are not a bad idea. Click on the Edit button at the top right.


Set the hostname manually, e.g. server1.example.com, and enter a gateway (e.g. 192.168.0.1) and up to two DNS servers (e.g. 213.191.92.86 and 145.253.2.75):


Choose your time zone:


Give root a password:

Now we select the software we want to install. Select nothing but Server (uncheck everything else). Also don't check Packages from CentOS Extras. Then check Customize now, and click on Next:


Now we must select the package groups we want to install. Select Editors, Text-based Internet, Development Libraries, Development Tools, DNS Name Server, FTP Server, Mail Server, MySQL Database, Server Configuration Tools, Web Server, Administration Tools, Base, and System Tools (unselect all other package groups) and click on Next:


The installer checks the dependencies of the selected packages:


The installation begins This will take a few minutes:


I want to install ISPConfig at the end of this tutorial, which comes with its own firewall. That's why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on, as it will most probably interfere with the CentOS firewall).

SELinux is the mandatory access control system built into the CentOS kernel; it confines services beyond what ordinary file permissions do. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of troubleshooting because some service wasn't working as expected, and then you find out that everything was fine and only SELinux was causing the problem). Therefore I disable it, too (this is a must if you want to install ISPConfig later on). If you would rather keep the option open, choose Permissive instead of Disabled: denials are then only written to the audit log and nothing is blocked, and because the filesystem keeps its labels you avoid the full relabel that is needed when going from Disabled back to Enforcing. Hit OK afterwards:


Then leave the Setup Agent by selecting Exit:


5 Configure Additional IP Addresses

(This section is totally optional. It just shows how to add additional IP addresses to your network interface eth0 if you need more than one IP address. If you're fine with one IP address, you can skip this section.)


Let's assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which contains the settings for eth0. We can use this as a sample for our new virtual network interface eth0:0:

cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0:0

Now we want to use the IP address 192.168.0.101 on the virtual interface eth0:0. Therefore we open the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 and modify it so that it describes eth0:0 with the address 192.168.0.101 (we can leave out the HWADDR line as it is the same physical network card). Once the alias is up, ifconfig shows both addresses:

eth0 Link encap:Ethernet HWaddr 00:0C:29:B1:97:E1

inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0

inet6 addr: fe80::20c:29ff:feb1:97e1/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:310 errors:0 dropped:0 overruns:0 frame:0

TX packets:337 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:28475 (27.8 KiB) TX bytes:72116 (70.4 KiB)

Interrupt:177 Base address:0x1400

eth0:0 Link encap:Ethernet HWaddr 00:0C:29:B1:97:E1

inet addr:192.168.0.101 Bcast:192.168.0.255 Mask:255.255.255.0


UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Interrupt:177 Base address:0x1400

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:8 errors:0 dropped:0 overruns:0 frame:0

TX packets:8 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

[root@server1 ~]#
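As an added example (not part of the original tutorial), the following POSIX shell helper derives the eth0:0 alias file from the existing ifcfg-eth0 instead of editing it by hand. It assumes the CentOS 5 ifcfg KEY=VALUE format with DEVICE, IPADDR and HWADDR keys; the ifcfg-eth0 it operates on is constructed in a temporary directory here rather than read from /etc/sysconfig/network-scripts/.

```shell
#!/bin/sh
# Added example (not from the original tutorial): build an alias
# interface config (eth0:0) from an existing ifcfg-eth0.
# Assumption: RHEL/CentOS 5 ifcfg KEY=VALUE format. The sample
# ifcfg-eth0 below is constructed for demonstration only.

# make_alias_cfg SRC DST ALIASDEV IP
#   Copies SRC to DST while rewriting DEVICE= and IPADDR= and dropping
#   the HWADDR= line (same physical card, so no MAC on the alias).
make_alias_cfg() {
    src=$1; dst=$2; dev=$3; ip=$4
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    sed -e "s/^DEVICE=.*/DEVICE=$dev/" \
        -e "s/^IPADDR=.*/IPADDR=$ip/" \
        -e '/^HWADDR=/d' "$src" > "$dst"
}

# cfg_value FILE KEY -> prints the value of KEY in FILE (empty if absent)
cfg_value() {
    sed -n "s/^$2=//p" "$1"
}

# Demo: a constructed ifcfg-eth0 in a temp dir (the real path on the
# server is /etc/sysconfig/network-scripts/).
demo_dir=$(mktemp -d)
cat > "$demo_dir/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
HWADDR=00:0C:29:B1:97:E1
IPADDR=192.168.0.100
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
EOF

make_alias_cfg "$demo_dir/ifcfg-eth0" "$demo_dir/ifcfg-eth0:0" eth0:0 192.168.0.101
echo "== generated ifcfg-eth0:0"
cat "$demo_dir/ifcfg-eth0:0"
```

On the real server, run it against the files under /etc/sysconfig/network-scripts/ and then restart the network service; the ifconfig output above is what you should see afterwards.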

6 Disable The Firewall And SELinux

(You can skip this chapter if you have already disabled the firewall and SELinux at the end of the basic system installation (in the Setup Agent).)

The reasoning is the same as at the end of the base installation: ISPConfig ships its own firewall, and ISPConfig requires SELinux to be disabled.

Run

system-config-securitylevel

Set both Security Level and SELinux to Disabled and hit OK:


Afterwards we must reboot the system:

reboot

7 Install Some Software

First we import the GPG keys for software packages, so that yum can verify package signatures:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Then we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++


8 Quota

yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):

vi /etc/fstab

/dev/VolGroup00/LogVol00 /         ext3    defaults,usrquota,grpquota 1 1
LABEL=/boot              /boot     ext3    defaults                   1 2
tmpfs                    /dev/shm  tmpfs   defaults                   0 0

9 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot


BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

10 MySQL (5.0)

To install MySQL, we do this:

yum install mysql mysql-devel mysql-server

Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:

chkconfig --levels 235 mysqld on

/etc/init.d/mysqld start

Now check that networking is enabled Run

netstat -tap | grep mysql

It should show a line like this:

[root@server1 ~]# netstat -tap | grep mysql

tcp 0 0 *:mysql *:* LISTEN 2584/mysqld


Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!). The second command does the same for the root account that is tied to the server's hostname, which is why the hostname is passed with -h. Note from the netstat output above that mysqld listens on all interfaces (*:mysql); if only applications on this machine need the database, add bind-address = 127.0.0.1 to the [mysqld] section of /etc/my.cnf and restart mysqld, so that it is not reachable from the network at all.

11 Postfix With SMTP-AUTH And TLS

Now we install Postfix and Dovecot (Dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Next we configure SMTP-AUTH and TLS:

postconf -e 'smtpd_sasl_local_domain ='

postconf -e 'smtpd_sasl_auth_enable = yes'

postconf -e 'smtpd_sasl_security_options = noanonymous'

postconf -e 'broken_sasl_auth_clients = yes'

postconf -e 'smtpd_sasl_authenticated_header = yes'

postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

postconf -e 'inet_interfaces = all'

postconf -e 'mynetworks = 127.0.0.0/8'

We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins. On a 64-bit CentOS 5.2 you must edit the file /usr/lib64/sasl2/smtpd.conf instead. It should look like this:

vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd

mech_list: plain login

Afterwards we create the certificates for TLS. Two caveats about the commands below: a 1024-bit RSA key is below today's accepted minimum of 2048 bits, so use 2048 when you generate a new key; and -des3 encrypts the private key with a passphrase, which Postfix cannot supply when it starts, so the key must be stored unencrypted (strip the passphrase with openssl rsa before pointing Postfix at it, and keep the file mode at 600):

mkdir /etc/postfix/ssl

cd /etc/postfix/ssl/

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key

openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt


postconf -e 'smtpd_tls_auth_only = no'

(With smtpd_tls_auth_only = no, Postfix also offers AUTH on sessions that never negotiated STARTTLS, so a client can send its PLAIN or LOGIN credentials in cleartext. Once TLS works and your clients support it, set this to yes so that AUTH is only offered inside an encrypted session.)

postconf -e 'smtp_use_tls = yes'

postconf -e 'smtpd_use_tls = yes'

postconf -e 'smtp_tls_note_starttls_offer = yes'

postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'

postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'

postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'

postconf -e 'smtpd_tls_loglevel = 1'

postconf -e 'smtpd_tls_received_header = yes'

postconf -e 'smtpd_tls_session_cache_timeout = 3600s'

postconf -e 'tls_random_source = dev:/dev/urandom'
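As an added example (not part of the original tutorial, and not an ISPConfig or Postfix tool), the following POSIX shell script audits the Postfix settings this section produces. It reads a main.cf-style file (one "key = value" per line, as postconf -e writes them) and flags the points a reviewer would raise: AUTH offered on plaintext sessions, plaintext SASL mechanisms permitted, a missing reject_unauth_destination, and a mynetworks that trusts everyone. The three sample files are constructed inline; on a real server you would point it at /etc/postfix/main.cf or at the output of postconf -n.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the Postfix
# settings set by the postconf -e commands above. Assumes one
# "key = value" per line (the format postconf -e writes). The three
# sample files below are constructed for demonstration.

# cf_get FILE KEY -> last value set for KEY, empty if unset
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_main_cf FILE -> one finding per line on stdout
audit_main_cf() {
    f=$1
    # AUTH before STARTTLS lets PLAIN/LOGIN credentials cross the wire in clear
    [ "$(cf_get "$f" smtpd_tls_auth_only)" = "yes" ] ||
        echo "smtpd_tls_auth_only is not yes: AUTH offered on plaintext sessions"
    # noplaintext refuses plaintext mechanisms on unencrypted sessions;
    # smtpd_sasl_tls_security_options can relax this once TLS is up
    case "$(cf_get "$f" smtpd_sasl_security_options)" in
        *noplaintext*) ;;
        *) echo "smtpd_sasl_security_options lacks noplaintext" ;;
    esac
    # without reject_unauth_destination the server relays for anyone
    case "$(cf_get "$f" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)" ;;
    esac
    # permit_mynetworks trusts every address in mynetworks; /0 is the whole Internet
    case "$(cf_get "$f" mynetworks)" in
        *0.0.0.0/0*) echo "mynetworks contains 0.0.0.0/0 (everyone is trusted)" ;;
    esac
}

# count_findings FILE -> number of findings
count_findings() {
    audit_main_cf "$1" | wc -l | tr -d ' '
}

tmp=$(mktemp -d)

# Constructed: the settings exactly as this section sets them
cat > "$tmp/weak.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtpd_use_tls = yes
EOF

# Constructed: the same server with AUTH restricted to TLS sessions
cat > "$tmp/hardened.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = yes
smtpd_use_tls = yes
EOF

# Constructed: an accidental open relay
cat > "$tmp/relay.cf" <<'EOF'
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks
mynetworks = 0.0.0.0/0
smtpd_tls_auth_only = yes
EOF

for cf in weak hardened relay; do
    echo "== $cf.cf: $(count_findings "$tmp/$cf.cf") finding(s)"
    audit_main_cf "$tmp/$cf.cf"
done
```

The hardened sample shows the usual Postfix pattern: smtpd_tls_auth_only = yes and noplaintext in smtpd_sasl_security_options keep credentials off unencrypted sessions, while smtpd_sasl_tls_security_options = noanonymous lets PLAIN and LOGIN through once STARTTLS has been negotiated, which is what most mail clients need.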

Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your own hostname):

postconf -e 'myhostname = server1.example.com'

After these configuration steps your /etc/postfix/main.cf should contain the settings above; with the comments removed it also shows the CentOS-specific paths, e.g.:

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix


By default, CentOS' Dovecot daemon provides only IMAP and IMAPS services. Because we also want POP3 and POP3S we must configure Dovecot to do so. We edit /etc/dovecot.conf and enable the line protocols = imap imaps pop3 pop3s:

vi /etc/dovecot.conf

[...]
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Protocols we want to be serving: imap imaps pop3 pop3s
# If you only want to use dovecot-auth, you can set this to "none".
protocols = imap imaps pop3 pop3s

# IP or host address where to listen in for connections. It's not currently
# possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
[...]


Now enable Postfix, saslauthd, and Dovecot at boot (and disable Sendmail, which CentOS installs by default):

chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on


ISPConfig will then do the necessary configuration

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir (you can also do this if you use ISPConfig - it doesn't hurt ;-)):

postconf -e 'home_mailbox = Maildir/'

postconf -e 'mailbox_command ='

/etc/init.d/postfix restart

12 Apache2 With PHP & Ruby

Now we install Apache with PHP (this is PHP 5.1.6):

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel

Then edit /etc/httpd/conf/httpd.conf:

vi /etc/httpd/conf/httpd.conf

and change DirectoryIndex to

[...]
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl

[ ]

Now configure your system to start Apache at boot time:


(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally, because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddHandler and AddType lines:

vi /etc/httpd/conf.d/php.conf

#

# PHP is an HTML-embedded scripting language which attempts to make it

# easy for developers to write dynamically generated webpages.

# Uncomment the following line to allow PHP to pretty-print phps

# files as PHP source code:

#

#AddType application/x-httpd-php-source phps

Afterwards we restart Apache:

/etc/init.d/httpd restart

Posted: 05/11/2019, 13:21