Beta 42

Research and Development

LAMP Howto - Debian 5

This is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you.

Please read the LAMP Howto article first.

Requirements

To install such a system you will need the following:

The Base System

Insert your Debian Lenny network installation CD into your system and boot from it. Select Install (this will start the text installer - if you prefer a graphical installer, select Graphical install).

Choose your language, your location, your keyboard layout. The installer checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network. Enter the hostname. In this example, the system is called server1.example.com, so the hostname is server1 and the domain name is example.com.

Now you have to partition your hard disk. Please consider the partitioning guidelines from my previous article. Afterwards, your new partitions are created and formatted.

After base system installation, give the root user a password (and confirm it). Create a normal user account.

Next you must configure apt. Because you are using the Debian Lenny Netinstall CD which contains only a minimal set of packages, you must use a network mirror. Select the country where the network mirror that you want to use is located (usually this is the country where your Debian Lenny system is located). Then select the mirror you want to use. Set the HTTP proxy if you are using one. apt then updates its package database.

You need a web server, DNS server, mail server, and a MySQL database, but nevertheless do not select any of them now because you will want to have full control over what gets installed on the system. Install the needed packages manually later on. Therefore just select Standard system and hit Continue. The required packages are downloaded and installed on the system.

When asked Install the GRUB boot loader to the master boot record, select Yes.

The base system installation is now finished. Remove the Debian Lenny Netinstall CD and hit Continue to reboot the system.

The SSH Server

Debian Lenny does not install OpenSSH by default, therefore we do it now. Run

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian Lenny server and follow the remaining steps from this tutorial.

Configure the Network

Because the Debian Lenny installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.100.250). Please note that I replace allow-hotplug eth0 with auto eth0; otherwise restarting the network doesn't work and we'd have to reboot the whole system.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
        address   192.168.100.250
        netmask   255.255.255.0
        network   192.168.100.0
        broadcast 192.168.100.255
        gateway   192.168.100.253

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts and make it look like this:

127.0.0.1       localhost.localdomain   localhost
192.168.100.250 server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run

echo server1.example.com > /etc/hostname
/etc/init.d/hostname.sh start

Afterwards run

hostname
hostname -f

It is important that both show server1.example.com now.

Update Your Debian Installation

Run apt-get update to update the apt package database and apt-get upgrade to install the latest updates (if any).

Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (Network Time Protocol) server over the Internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.

Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin, rkhunter, binutils

Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon \
  courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 \
  libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl courier-maildrop getmail4 \
  rkhunter binutils

You will be asked the following questions:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
Create directories for web-based administration? <-- No
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
SSL certificate required <-- Ok

You want MySQL to listen on all interfaces, not just localhost, therefore edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

server1:~# netstat -tap | grep mysql
tcp     0    0 *:mysql        *:*          LISTEN      6612/mysqld
server1:~#
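
Commenting out bind-address puts mysqld on every interface, so it is worth listing exactly which services listen on a wildcard address after each install step. The filter below is an added example, not part of the original howto; the function name wildcard_listeners and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners bound to every interface.
# Reads `netstat -tap` or `netstat -tanp` output on stdin and prints
# "<program> <local address>" for each LISTEN socket on a wildcard address.
wildcard_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            host = $4
            sub(/:[^:]*$/, "", host)          # strip the trailing :port
            if (host == "*" || host == "0.0.0.0" || host == "::" || host == "[::]") {
                prog = $7
                sub(/^[0-9]+\//, "", prog)    # drop the PID, keep the program name
                print prog, $4
            }
        }'
}

# Constructed sample in the format shown above (not captured from a real host).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:mysql                 *:*                     LISTEN      6612/mysqld
tcp        0      0 localhost:smtp          *:*                     LISTEN      2301/master
tcp        0      0 192.168.100.250:domain  *:*                     LISTEN      2210/mydns
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      1987/sshd
tcp        0      0 server1.example.com:ssh 192.168.100.10:51234    ESTABLISHED 3001/sshd: root'

# Only mysqld and sshd are reported; the loopback and single-address
# listeners and the established connection are ignored.
printf '%s\n' "$SAMPLE" | wildcard_listeners
```

On the server, run netstat -tanp | wildcard_listeners as root; any service on the list that only local clients need should get a bind address or a packet filter rule.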

During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (server1.example.com in this tutorial), delete the certificates

cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem

and modify the following two files. Replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary):

Edit /etc/courier/imapd.cnf:

[...]
CN=server1.example.com
[...]

Edit /etc/courier/pop3d.cnf:

[...]
CN=server1.example.com
[...]

Then recreate the certificates:

mkimapdcert
mkpop3dcert

and restart Courier-IMAP-SSL and Courier-POP3-SSL:

/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart

Install Amavisd-new, SpamAssassin, And Clamav

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges \
  libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip \
  libnet-dns-perl

Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert \
  libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid \
  apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp

You will see the following question:

Web server to reconfigure automatically: 

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include:

a2enmod suexec rewrite ssl actions include

Install PureFTPd And Quota

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common and change the start mode from inetd to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Edit the file /etc/inetd.conf to prevent inetd from trying to start ftp (comment out the line beginning with ftp stream tcp):

[...]
#:STANDARD: These are standard services.
#ftp   stream  tcp  nowait  root /usr/sbin/tcpd /usr/sbin/pure-ftpd-wrapper
[...]

Restart inetd afterwards:

/etc/init.d/openbsd-inetd restart

Then start PureFTPd:

/etc/init.d/pure-ftpd-mysql start

Edit /etc/fstab. Mine looks like this (I added ,usrquota,grpquota to the root partition):

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults          0       0
/dev/sda1       /               ext3    errors=remount-ro,usrquota,grpquota 0       1
/dev/sda5       none            swap    sw                0       0
/dev/hda        /media/cdrom0   udf,iso9660 user,noauto   0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto    0       0

To enable quota, run these commands:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /

quotacheck -avugm
quotaon -avug

Install MyDNS

Before MyDNS, install a few prerequisites:

apt-get install g++ libc6 gcc gawk make texinfo libmysqlclient15-dev

MyDNS is not available in the Debian Lenny repositories, therefore build it yourself as follows:

cd /tmp
wget http://heanet.dl.sourceforge.net/sourceforge/mydns-ng/mydns-1.2.8.25.tar.gz
tar xvfz mydns-1.2.8.25.tar.gz
cd mydns-1.2.8
./configure
make
make install

Next, create the start/stop script for MyDNS (/etc/init.d/mydns):

#! /bin/sh
#
# mydns         Start the MyDNS server
#
# Author:       Philipp Kern .
#               Based upon skeleton 1.9.4 by Miquel van Smoorenburg
#                and Ian Murdock .
#
set -e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/mydns
NAME=mydns
DESC="DNS server"
SCRIPTNAME=/etc/init.d/$NAME
# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0
case "$1" in
  start)
        echo -n "Starting $DESC: $NAME"
        start-stop-daemon --start --quiet \
                --exec $DAEMON -- -b
        echo "."
        ;;
  stop)
        echo -n "Stopping $DESC: $NAME"
        start-stop-daemon --stop --oknodo --quiet \
                --exec $DAEMON
        echo "."
        ;;
  reload|force-reload)
        echo -n "Reloading $DESC configuration..."
        start-stop-daemon --stop --signal HUP --quiet \
                --exec $DAEMON
        echo "done."
        ;;
  restart)
        echo -n "Restarting $DESC: $NAME"
        start-stop-daemon --stop --quiet --oknodo \
                --exec $DAEMON
        sleep 1
        start-stop-daemon --start --quiet \
                --exec $DAEMON -- -b
        echo "."
        ;;
  *)
        echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
        exit 1
        ;;
esac
exit 0

Then make the script executable and create the system startup links for it:

chmod +x /etc/init.d/mydns
update-rc.d mydns defaults

Install Vlogger And Webalizer

Vlogger and webalizer can be installed as follows:

apt-get install vlogger webalizer

Open /etc/webalizer/webalizer.conf and change the following line from

#Incremental no

to

Incremental yes

Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows:

apt-get install build-essential autoconf automake1.9 libtool flex bison

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.5.tar.gz
tar xvfz jailkit-2.5.tar.gz
cd jailkit-2.5
./configure
make
make install
cd ..
rm -rf jailkit-2.5*
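
The MyDNS and Jailkit tarballs above are fetched over plain HTTP and then built and installed as root, so a digest check belongs between wget and tar. The following is an added example, not part of the original howto: verify_sha256 and build_if_verified are illustrative names, and the expected digest has to come from a source you trust, because this page does not list one.

```shell
#!/bin/sh
# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its SHA-256 digest equals EXPECTED_HEX.
# Returns 1 on a mismatch, 2 on a missing file or a malformed digest.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Reject anything that is not 64 hex digits, e.g. an unfilled placeholder.
    case $expected in
        *[!0-9a-f]*|'') echo "bad digest for $file" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "bad digest length for $file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $file: got $actual" >&2
        return 1
    fi
    return 0
}

# build_if_verified TARBALL EXPECTED_HEX: unpack only after the digest matches.
# Intended use (placeholder digest, to be replaced with a trusted value):
#   build_if_verified mydns-1.2.8.25.tar.gz <SHA256-FROM-TRUSTED-SOURCE>
build_if_verified() {
    verify_sha256 "$1" "$2" || return $?
    tar xzf "$1"
}

# Constructed demo: a stand-in file plays the role of a downloaded tarball.
# Its digest is computed locally here only to keep the demo self-contained.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a source tarball\n' > "$demo_dir/src.tar.gz"
good=$(sha256sum "$demo_dir/src.tar.gz" | awk '{print $1}')
if verify_sha256 "$demo_dir/src.tar.gz" "$good"; then echo "verified, safe to build"; fi
printf 'x' >> "$demo_dir/src.tar.gz"    # simulate modification after download
if ! verify_sha256 "$demo_dir/src.tar.gz" "$good" 2>/dev/null; then echo "refusing to build"; fi
rm -rf "$demo_dir"
```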

Install fail2ban

This is optional but recommended:

apt-get install fail2ban

Install SquirrelMail

To install the SquirrelMail webmail client, run

apt-get install squirrelmail

Then create the following symlink:

ln -s /usr/share/squirrelmail/ /var/www/webmail

and configure SquirrelMail:

squirrelmail-configure

Tell SquirrelMail that you are using Courier-IMAP/-POP3:

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> 
SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
    bincimap    = Binc IMAP server
    courier     = Courier IMAP server
    cyrus       = Cyrus IMAP server
    dovecot     = Dovecot Secure IMAP server
    exchange    = Microsoft Exchange IMAP server
    hmailserver = hMailServer
    macosx      = Mac OS X Mailserver
    mercury32   = Mercury/32
    uw          = University of Washington's IMAP server

    quit        = Do not change anything
Command >> 

Set the following parameters:

              imap_server_type = courier
         default_folder_prefix = INBOX.
                  trash_folder = Trash
                   sent_folder = Sent
                  draft_folder = Drafts
            show_prefix_option = false
          default_sub_of_inbox = false
show_contain_subfolders_option = false
            optional_delimiter = .
                 delete_folder = true

Press any key to continue... 

And complete the config:

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> 

Afterwards you can access your SquirrelMail in a browser under http://server1.example.com/webmail or http://192.168.100.250/webmail.

The system is now ready for use. Enjoy.