VPN – the pptpd way

VPN

Now we're about to set up a VPN. We use apt-get to install pptpd and then edit /etc/ppp/pptpd-options (in this example the pptpd server name is pptpd-loeken; remember it, because it goes into the server field of your chap-secrets file).

# apt-get install pptpd
# nano /etc/ppp/pptpd-options
########################################################################
name pptpd-loeken
ms-dns 172.16.0.1
ms-dns 213.251.135.71
########################################################################

Now we have to go on editing the /etc/pptpd.conf file. Use "ifconfig" to determine the name of your network interface (mine is eth0), then look for bcrelay and make sure your interface name is there. You should also set the IP range for the clients (you do that with remoteip).

# nano /etc/pptpd.conf
########################################################################
bcrelay eth0
remoteip 172.16.0.3-15
########################################################################

Next we set the user accounts for those who may connect to our VPN. To configure them we edit the /etc/ppp/chap-secrets file. Here I add an account for the user loeken1 with the password letmein; it always gets the IP 172.16.0.5 within the VPN (you can also use * so it gets an IP assigned from the remoteip pool).

# nano /etc/ppp/chap-secrets
########################################################################
# Secrets for authentication using CHAP
# client server secret IP addresses
loeken1 pptpd letmein 172.16.0.5
########################################################################
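The two files above depend on each other: a static address in chap-secrets is only useful if it lies inside the remoteip pool, and chap-secrets holds the passwords in clear text. The following script is an added example (not from the original post) that checks both points. File names are parameters; the sample pptpd.conf and chap-secrets it writes are constructed, and only the single "a.b.c.d-e" remoteip form used above is parsed.

```sh
#!/bin/sh
# Added example (not from the original post): check that every static IP
# in a pptpd chap-secrets file falls inside the remoteip pool declared in
# pptpd.conf, and that the secrets file is not group/world readable.
# File names are parameters; the sample files below are constructed.

# Parse "remoteip 172.16.0.3-15" into "prefix first last" (172.16.0 3 15).
# Only the single-range "a.b.c.d-e" form used in the post is handled.
pool_bounds() {
    pool=$(awk '$1 == "remoteip" { print $2 }' "$1")
    base=${pool%-*}          # 172.16.0.3
    last=${pool#*-}          # 15
    prefix=${base%.*}        # 172.16.0
    first=${base##*.}        # 3
    echo "$prefix $first $last"
}

# Print one line per account: "<user> <ip> in-pool|outside-pool|dynamic".
# Exit status 1 if any static address lies outside the pool.
chap_check() {
    secrets=$1
    conf=$2
    set -- $(pool_bounds "$conf")
    prefix=$1; first=$2; last=$3
    rc=0
    # Skip comments and blank lines; fields are: client server secret IP
    while read -r user server secret ip; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ "$ip" = '*' ]; then
            echo "$user $ip dynamic"
            continue
        fi
        oct=${ip##*.}
        if [ "${ip%.*}" = "$prefix" ] && [ "$oct" -ge "$first" ] && [ "$oct" -le "$last" ]; then
            echo "$user $ip in-pool"
        else
            echo "$user $ip outside-pool"
            rc=1
        fi
    done < "$secrets"
    return $rc
}

# chap-secrets holds plaintext passwords: succeed only if mode is 0600.
secrets_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# --- constructed sample files for a stand-alone run ---
demo=$(mktemp -d)
cat > "$demo/pptpd.conf" <<'EOF'
bcrelay eth0
remoteip 172.16.0.3-15
EOF
cat > "$demo/chap-secrets" <<'EOF'
# client server secret IP addresses
loeken1 pptpd letmein 172.16.0.5
guest   pptpd letmein *
oldbox  pptpd letmein 172.16.0.20
EOF
chmod 644 "$demo/chap-secrets"

chap_check "$demo/chap-secrets" "$demo/pptpd.conf" || echo "static IP outside remoteip pool"
secrets_mode_ok "$demo/chap-secrets" || echo "chap-secrets should be mode 0600"
```

Run it against the real files with `chap_check /etc/ppp/chap-secrets /etc/pptpd.conf`; the constructed "oldbox" entry shows the pool check firing, and the 0644 mode shows the permission check firing.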

Now we set the routes & forwarding. If you don't want the clients to be able to communicate with each other, leave out the first line.

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -P OUTPUT ACCEPT

Okay, now everything is set; let's quickly restart the pptpd service:

# /etc/init.d/pptpd restart

debian 6 the perfect setup – 8

Introduction

rTorrent is a popular command-line BitTorrent client. It provides very powerful features yet is very light on the system, contrary to other BitTorrent clients like Vuze. There are a couple of web interfaces for it, but they are not truly needed: SSH access combined with the "screen" program provides all the tools you need.

In addition to the previous rTorrent compilation guides, this one also features ruTorrent behind a forced Apache SSL connection with password protection.

This howto works for Ubuntu 10.10 Maverick Meerkat and for Debian 6 Squeeze. The only difference is that on Debian the commands shown with sudo must be executed as root.

In this howto I assume you download and compile the sources from your ~/svn/rtorrent folder.

 

1. Remove current rtorrent installation

sudo apt-get remove rtorrent libtorrent*

 

2. Install necessary packages

sudo apt-get install build-essential autoconf apache2 automake libtool libncurses5-dev libncursesw5-dev libcurl4-openssl-dev screen openssl php5 php5-cli libapache2-mod-php5 curl libcppunit-dev libsigc++-2.0-dev subversion php5-cgi libapache2-mod-scgi

 

3. Create svn folder

mkdir ~/svn

 

4. Go into the svn folder

cd ~/svn

Current location: /home/USER/svn

 

5. Get the xmlrpc sources by svn

svn co https://xmlrpc-c.svn.sourceforge.net/svnroot/xmlrpc-c/advanced/ xmlrpc-c

Current xmlrpc-c revision is 2090.

 

6. Go into xmlrpc-c folder

cd xmlrpc-c

Current location: /home/USER/svn/xmlrpc-c

 

7. Configure xmlrpc-c

./configure --disable-cplusplus

 

8. Compile xmlrpc-c

make

 

9. Install xmlrpc-c

sudo make install

 

10. Create rtorrent folder

mkdir ~/svn/rtorrent

 

11. Go into rtorrent folder

cd ~/svn/rtorrent

Current location: /home/USER/svn/rtorrent

 

12. Get the rtorrent sources by svn

svn co svn://rakshasa.no/libtorrent/trunk

Current rtorrent revision is 1191.

 

13. Go into the trunk folder

cd trunk

Current location: /home/USER/svn/rtorrent/trunk

 

14. Download the patches

Colour support for rtorrent:

wget http://www.simplylinux.ch/rtorrent/canvas-color_1191.patch

This patch lets you colorize the rtorrent CLI interface. It differentiates between completed/uncompleted torrents and active/inactive ones. I first had to get used to it, but meanwhile I think it's really a good enhancement. The patch was originally supplied here: http://libtorrent.rakshasa.no/ticket/1382. However, that patch does not work with the current revision anymore, so I fixed it and also supply it from my server.

Torrent Tracker Stats:

wget http://www.simplylinux.ch/rtorrent/trackerinfo.patch

This patch shows the number of seeders/leechers/completed as reported by the tracker in the tracker view. Often it's not accurate, but it's useful for me to check whether a tracker lists any peers at all for a given torrent.

 

15. Apply the patches

Colour support for rtorrent:

patch -p0 < canvas-color_1191.patch

Torrent Tracker Stats:

patch -p0 < trackerinfo.patch

 

16. Get into the libtorrent folder

cd libtorrent

Current location: /home/USER/svn/rtorrent/trunk/libtorrent

 

17. Run the autogen.sh script

./autogen.sh

 

18. Configure libtorrent

./configure

 

19. Compile libtorrent

make

 

20. Install libtorrent

sudo make install

 

21. Extend /etc/ld.so.conf

echo "include /usr/local/lib" | sudo tee -a /etc/ld.so.conf

 

22. Update the ld.so cache

sudo ldconfig

 

23. Go into the rtorrent folder

cd ../rtorrent

Current location: /home/USER/svn/rtorrent/trunk/rtorrent

 

24. Run the autogen.sh script

./autogen.sh

 

25. Configure rtorrent

./configure --with-xmlrpc-c

 

26. Compile rtorrent

make

 

27. Install rtorrent

sudo make install

 

28. Copy and extend rtorrent configuration

If you have no .rtorrent.rc file yet in your homefolder, copy the default one first:

cp ~/svn/rtorrent/trunk/rtorrent/doc/rtorrent.rc ~/.rtorrent.rc

In order to make ruTorrent and the colours work, you have to add a few options to the .rtorrent.rc file. Add them at the end of the file:

http_capath=/etc/ssl/certs
scgi_port = 127.0.0.1:5000
encoding_list = UTF-8
# Color / Canvas patch
done_fg_color = 2
#done_bg_color = 2
active_fg_color = 1
#active_bg_color = 4

In addition I would also add the following items:

schedule = filter_active,10,10,"view_filter = active,\"or={d.get_up_rate=,d.get_down_rate=}\""
view_sort_new = seeding,less=d.get_message=
schedule = filter_seeding,30,30,"view_filter = seeding,d.get_message=; view_sort = seeding"

The first schedule command alters view 9 in such a way that only active torrents are being shown. The view_sort and the second schedule command alter view 8 in such a way, that “unusual” tracker replies are being displayed there. This makes it easier to find misbehaving torrents in rtorrent.

It is important to create the download and session directories. Set them in the .rtorrent.rc config and create the directories.

More info on rTorrent can be found on the Common Tasks page. Especially the sections about watch dirs and move-on-completion are interesting.
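Before starting rtorrent it pays to check the .rtorrent.rc for the two things this step depends on: the download and session directories must be set and exist, and the SCGI listener must stay on loopback (anyone who can connect to it gets full control of rtorrent, which is why ruTorrent is put behind Apache authentication). The script below is an added example, not from the original post; the rc file path is a parameter, the helper names are my own, and the sample rc it writes is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check an .rtorrent.rc
# before starting rtorrent. It verifies that the download and session
# directories are set and exist, and that the SCGI listener is bound to
# loopback only. The file path is a parameter; the sample is constructed.

# rc_get <file> <key>: value of "key = value" (last occurrence wins).
rc_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# rc_check <file>: print findings, one per line; exit 1 if any check fails.
rc_check() {
    rc=$1
    status=0
    for key in directory session; do
        dir=$(rc_get "$rc" "$key")
        if [ -z "$dir" ]; then
            echo "$key: not set"; status=1
        elif [ ! -d "$dir" ]; then
            echo "$key: $dir does not exist"; status=1
        else
            echo "$key: ok"
        fi
    done
    scgi=$(rc_get "$rc" scgi_port)
    case "$scgi" in
        '')                      echo "scgi_port: not set (ruTorrent needs it)"; status=1 ;;
        127.0.0.1:*|localhost:*) echo "scgi_port: ok (loopback)" ;;
        *)                       echo "scgi_port: $scgi is reachable from other hosts"; status=1 ;;
    esac
    return $status
}

# --- constructed sample for a stand-alone run ---
demo=$(mktemp -d)
mkdir "$demo/downloads"           # session dir deliberately left missing
cat > "$demo/rtorrent.rc" <<EOF
directory = $demo/downloads
session = $demo/session
scgi_port = 127.0.0.1:5000
encoding_list = UTF-8
schedule = filter_active,10,10,"view_filter = active,\"or={d.get_up_rate=,d.get_down_rate=}\""
EOF
rc_check "$demo/rtorrent.rc" || echo "fix .rtorrent.rc before running rtorrent"
```

Run `rc_check ~/.rtorrent.rc` on the real file; the constructed sample shows the missing session directory being reported while the loopback SCGI port passes.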

 

29. Run rtorrent

Now that rtorrent is ready, run it in a screen session:

screen rtorrent

 

30. Create SSL Certificate

sudo openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

 

31. Go to the webfolder

cd /var/www

Current location: /var/www

 

32. Download ruTorrent

wget http://rutorrent.googlecode.com/files/rutorrent-3.2.tar.gz

 

33. Unpack ruTorrent

tar xvzf rutorrent-3.2.tar.gz

 

34. Go into ruTorrent folder

cd rutorrent

Current location: /var/www/rutorrent

 

35. Create .htaccess file

touch .htaccess

 

36. Chmod .htaccess file

chmod 0755 .htaccess

 

36. Edit .htaccess file

Add the following content to the .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

34. Go into ruTorrent config folder

cd conf

Current location: /var/www/rutorrent/conf

 

35. Edit config.php

Replace

$XMLRPCMountPoint = "/RPC2";

with

$XMLRPCMountPoint = "/rutorrent/RPC2";

 

36. Chown ruTorrent to Apache

sudo chown -R www-data:www-data /var/www/rutorrent

 

37. Enable Apache Modules

sudo a2enmod ssl auth_digest scgi rewrite

 

38. Extend apache2.conf

echo "SCGIMount /rutorrent/RPC2 127.0.0.1:5000" | sudo tee -a /etc/apache2/apache2.conf

echo "servername localhost" | sudo tee -a /etc/apache2/apache2.conf

 

39. Go into the Apache sites enabled folder

cd /etc/apache2/sites-enabled

Current location: /etc/apache2/sites-enabled

 

40. Edit 000-default

Insert after

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

this:

        <Directory /var/www/rutorrent/>
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

This makes sure that the .htaccess in the rutorrent folder is evaluated, so the redirect to https takes place.

 

41. Edit 000-default

Still editing the 000-default file, add at the end this:

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        SSLEngine on
        SSLCertificateFile /etc/apache2/apache.pem
        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
        ErrorLog /var/log/apache2/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog /var/log/apache2/access.log combined
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
    <Location /rutorrent>
        AuthType Digest
        AuthName "rtorrent"
        AuthDigestDomain /var/www/rutorrent/ http://SERVER_IP/rutorrent
        AuthDigestProvider file
        AuthUserFile /etc/apache2/passwords
        Require valid-user
        SetEnv R_ENV "/var/www/rutorrent"
     </Location>
</VirtualHost>

Replace SERVER_IP with the IP of your server.

 

42. Add yourself to authdigest

sudo htdigest -c /etc/apache2/passwords rtorrent USER

Replace USER with your desired username and after that you will be prompted to enter the password and verify it.
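What htdigest writes into /etc/apache2/passwords is one line per user of the form user:realm:HA1, where HA1 is MD5("user:realm:password") and the realm is the AuthName ("rtorrent") from the vhost. The script below is an added example, not from the original post or from Apache: it reproduces that line format, adds or replaces a user the way the htdigest command above does, and verifies a password against the file. The function names and the sample credentials are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): what htdigest writes, and how
# Apache's digest file is checked. Each line is user:realm:HA1 where
# HA1 = MD5("user:realm:password"), so the realm ("rtorrent", from AuthName)
# is bound into the stored value. File paths are parameters; the sample
# credentials are constructed.

md5hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# digest_line <user> <realm> <password>: the line htdigest would append.
digest_line() { printf '%s:%s:%s\n' "$1" "$2" "$(md5hex "$1:$2:$3")"; }

# digest_add <file> <user> <realm> <password>: add or replace a user
# (the post's "htdigest /etc/apache2/passwords rtorrent USER").
digest_add() {
    file=$1; user=$2; realm=$3; pass=$4
    tmp=$(mktemp)
    if [ -f "$file" ]; then grep -v "^$user:$realm:" "$file" > "$tmp" || :; fi
    digest_line "$user" "$realm" "$pass" >> "$tmp"
    mv "$tmp" "$file"
    chmod 640 "$file"     # readable by root and the web server group only
}

# digest_verify <file> <user> <realm> <password>: exit 1 on unknown user,
# wrong password or wrong realm.
digest_verify() {
    file=$1; user=$2; realm=$3; pass=$4
    grep -qx "$(digest_line "$user" "$realm" "$pass")" "$file"
}

# --- constructed demo ---
demo=$(mktemp -d)
digest_add "$demo/passwords" alice rtorrent 'correct horse'
digest_add "$demo/passwords" bob rtorrent 'battery staple'
digest_verify "$demo/passwords" alice rtorrent 'correct horse' && echo "alice: password ok"
digest_verify "$demo/passwords" alice rtorrent 'wrong' || echo "alice: rejected wrong password"
digest_verify "$demo/passwords" alice other 'correct horse' || echo "alice: realm mismatch rejected"
```

The realm check matters in practice: a digest file copied from a vhost with a different AuthName will reject every login, which is the first thing to look at when "see step 42" credentials stop working.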

 

43. Restart Apache

sudo service apache2 restart

Debian users have to issue:

/etc/init.d/apache2 restart

 

44. Try it

rTorrent should already be running; if not, start it. Then enter the server and rutorrent folder in your browser:

http://SERVER_IP/rutorrent

You will be auto-redirected to the HTTPS site and you'll get a warning about the SSL certificate. Since you created it yourself you can ignore this warning and proceed (or add it to your browser for next time). After that you are asked to enter username and password (see step 42). If you enter them correctly, you'll get to the ruTorrent web interface.

 

Enjoy

coding guide list

This list will help you find the best locations on the internet to find the resources you need for your scripting/programming language.

If you think that we have missed an important language or an important website then please post it below and it will be reviewed.

Php & Mysql

CSS

C++

Javascript

JAVA

Visual Basic Programming

Perl

Python

Flash

C#

RegEx

  • RegExr
  • preg_match Tester + Some other functions

Web Development Tutorials

Other

Thanks to Gitwalker for informing me about one of the flash sites being outdated

1. Scrollorama

The jQuery plugin for doing cool scrolly things. Basically, it lets you animate elements on the page based on the browser window’s scroll position.

2. Arctext.js

While CSS3 allows us to rotate letters, it is quite complicated to arrange each letter along a curved path. Arctext.js is a jQuery plugin that lets you do exactly that. Based on Lettering.js, it calculates the right rotation of each letter and distributes the letters equally across the imaginary arc of the given radius.

3. TextExt

A super awesome, customizable text input supporting tags, autocomplete, ajax and other goodness in a crazy cool à la carte way.

4. jmpress.js

A jQuery port of impress.js based on the power of CSS3 transforms and transitions in modern browsers and inspired by the idea behind prezi.com.
Only the latest Chrome, Safari and Firefox 10 support this engine, but it should support all browsers in the future.

5. Promptumenu

A jQuery plugin that allows you to display list items in a similar way to an iPhone home screen. If the item count exceeds the items displayed on one screen, users can swipe through screens.

6. Stellar.js

Stellar.js is a jQuery plugin that provides parallax scrolling effects to any scrolling element.

7. Scrolldeck.js

A jQuery plugin for making scrolling presentation decks. It uses Scrollorama and keyboard listening to manage the slide transitions.

8. slabText

The script splits headlines into rows before resizing each row to fill the available horizontal space. The ideal number of characters to set on each row is calculated by dividing the available width by the CSS font-size; the script then uses this ideal character count to split the headline into word combinations that are displayed as separate rows of text.

 

source: http://www.moretechtips.net/2012/02/8-most-popular-jquery-plugins-of.html
http://9lessons.info/

debian 6 the perfect setup – 7

20 Install OpenVPN

Install OpenVPN:

apt-get install openvpn

 

Install dnsmasq:

To forward DNS traffic through the VPN you will need to install the dnsmasq package:

apt-get install dnsmasq

 

21 easy-rsa

The OpenVPN package provides a set of encryption-related tools called “easy-rsa”. These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. However, in order to function properly, these scripts should be located in the /etc/openvpn directory.

cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

 

Configure Public Key Infrastructure Variables

Before we can generate the public key infrastructure for OpenVPN we must configure a few variables that the easy-rsa scripts use when generating the certificates. These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file. Here is an example of the relevant values:

nano /etc/openvpn/easy-rsa/2.0/vars

 

[...]
export KEY_COUNTRY="DE"
export KEY_PROVINCE="Berlin"
export KEY_CITY="Berlin"
export KEY_ORG="internetz.me"
export KEY_EMAIL="loeken@internetz.me"

 

Initialize the Public Key Infrastructure (PKI)

Issue the following commands in sequence to initialize the certificate authority and the public key infrastructure:

cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *
source ./vars
./clean-all
./pkitool --initca

 

Generate Certificates

With the certificate authority generated you can generate the private key for the server. This script will also prompt you for additional information. By default, the Common Name for this key will be “server”. You can change these values in cases where it makes sense to use alternate values. To accomplish this, issue the following command:

./pkitool --server server

 

Generate Diffie Hellman Parameters

The “Diffie Hellman Parameters” govern the method of key exchange and authentication used by the OpenVPN server. Issue the following command to generate these parameters:

./build-dh

 

Relocate Secure Keys

The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:

  • ca.crt
  • ca.key
  • dh1024.pem
  • server.crt
  • server.key

cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/

 

These files don’t need to leave your server. Maintaining integrity and control over these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they’re encrypted and secured.

22 edit server.conf

nano /etc/openvpn/server.conf

 

# Port
port 1194
proto udp
mode server
tls-server
dev tun

server 10.0.0.0 255.255.255.0
tun-mtu 1500
mssfix

# Paths to the certs
ca easy-rsa/2.0/keys/ca.crt
cert easy-rsa/2.0/keys/server.crt
key easy-rsa/2.0/keys/server.key

# Diffie-Hellman parameters
dh easy-rsa/2.0/keys/dh1024.pem

# Same IP in the next session
ifconfig-pool-persist ipp.txt

# Tests the connection with a ping-like packet (wait=120sec)
keepalive 10 120

# Authentication
auth SHA1

# Our encryption algorithm
#cipher aes-256-ecb
#openvpn --show-ciphers for testing

# Compression
comp-lzo

# Drop privileges after the connection
user nobody
group nogroup

# We need this because of user nobody/group nogroup.
persist-key
persist-tun

# Logging 0, (testing:5)
verb 5

# Routes
# OpenVPN's route syntax is "route network netmask [gateway]"; the
# "route add ... mask ..." form is Windows route.exe syntax and is rejected.
push "route 10.0.0.0 255.255.255.0"
push "redirect-gateway def1"

 

23 add user to openvpn

cd /etc/openvpn/easy-rsa/2.0

./pkitool MyUserName

Generating a 1024 bit RSA private key
........................................++++++
..............++++++
writing new private key to 'MyUserName.key'
-----
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Berlin'
localityName          :PRINTABLE:'Berlin'
organizationName      :PRINTABLE:'internetz.me'
commonName            :PRINTABLE:'MyUserName'
emailAddress          :IA5STRING:'loeken@internetz.me'
Certificate is to be certified until Jan 31 18:13:19 2022 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Now that we have created all needed files, we create a temp dir and collect everything the client needs:

cd /etc/openvpn
mkdir ~/certs_MyUserName
cp ca.crt easy-rsa/2.0/keys/MyUserName.crt easy-rsa/2.0/keys/MyUserName.key ~/certs_MyUserName
nano ~/certs_MyUserName/MyUserName.ovpn

 

and insert this; make sure you replace the 192.168.122.221 IP (it appears twice) with your actual server IP, and that the cert/key file names match the files copied into the directory:

client
float
dev tun
tun-mtu 1500
mssfix
proto udp
remote 192.168.122.221 1194
tls-remote server
ca ca.crt
cert MyUserName.crt
key MyUserName.key
auth SHA1
nobind
comp-lzo
persist-key
persist-tun
route 192.168.122.221 255.255.255.255 net_gateway
route 0.0.0.0 0.0.0.0
verb 5

tar cf ~/certs_MyUserName.tar ~/certs_MyUserName
cd

 

Now all that is left is to send the user that file. The user then has to extract it to c:\Program Files\openvpn\config.
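The two things that go wrong with hand-edited client bundles are a server IP that was replaced in only one of its two places and cert/key names in the .ovpn that do not match the files in the directory. The script below is an added example, not from the original post: it generates the client config from the template above with the IP substituted in both places and checks that every file the ca/cert/key lines name is present before the bundle is tarred. Function names are my own; the demo bundle uses empty placeholder files instead of real certificates.

```sh
#!/bin/sh
# Added example (not from the original post): generate the client .ovpn from
# the post's template with the server IP substituted in both places, and
# check that the ca/cert/key files the config names are actually present
# in the bundle directory before it is tarred up. Names are parameters;
# the demo bundle below is constructed (empty files, not real keys).

# make_ovpn <bundle-dir> <user> <server-ip>
make_ovpn() {
    dir=$1; user=$2; ip=$3
    cat > "$dir/$user.ovpn" <<EOF
client
float
dev tun
tun-mtu 1500
mssfix
proto udp
remote $ip 1194
tls-remote server
ca ca.crt
cert $user.crt
key $user.key
auth SHA1
nobind
comp-lzo
persist-key
persist-tun
route $ip 255.255.255.255 net_gateway
route 0.0.0.0 0.0.0.0
verb 5
EOF
}

# check_bundle <bundle-dir> <user>: print each missing file named by the
# ca/cert/key lines; exit 1 if any is missing.
check_bundle() {
    dir=$1; user=$2; missing=0
    for f in $(awk '$1 == "ca" || $1 == "cert" || $1 == "key" { print $2 }' "$dir/$user.ovpn"); do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $f"; missing=1
        fi
    done
    return $missing
}

# --- constructed demo (placeholder files instead of real certificates) ---
demo=$(mktemp -d)
mkdir "$demo/certs_MyUserName"
: > "$demo/certs_MyUserName/ca.crt"
: > "$demo/certs_MyUserName/MyUserName.crt"
# MyUserName.key deliberately omitted to show the check catching it
make_ovpn "$demo/certs_MyUserName" MyUserName 192.168.122.221
check_bundle "$demo/certs_MyUserName" MyUserName || echo "bundle incomplete, do not ship it"
```

In the real flow, run make_ovpn and check_bundle on ~/certs_MyUserName right before the `tar cf` step; a non-zero exit means the user would receive a config that cannot connect.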

debian 6 the perfect setup – 6

19 Install ISPConfig 3

To install ISPConfig 3 from the latest released version, do this:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

 

The next step is to run

php -q install.php

 

This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you. A manual setup as required for ISPConfig 2 (perfect setup guides) is not necessary.

root@server1:/tmp/ispconfig3_install/install# php -q install.php

--------------------------------------------------------------------------------
_____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
| | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
| |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
_| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
\___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
__/ |
|___/
--------------------------------------------------------------------------------

>> Initial configuration

Operating System: Debian 6.0 (Squeeze/Sid) or compatible

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <– ENTER

Installation mode (standard,expert) [standard]: <– ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server1.example.com]: <– ENTER

MySQL server hostname [localhost]: <– ENTER

MySQL root username [root]: <– ENTER

MySQL root password []: <– yourrootsqlpassword

MySQL database to create [dbispconfig]: <– ENTER

MySQL charset [utf8]: <– ENTER

Generating a 2048 bit RSA private key
.......+++
........................................................................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <– ENTER
State or Province Name (full name) [Some-State]: <– ENTER
Locality Name (eg, city) []: <– ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– ENTER
Organizational Unit Name (eg, section) []: <– ENTER
Common Name (eg, YOUR name) []: <– ENTER
Email Address []: <– ENTER
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Courier
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Firewall
Installing ISPConfig
ISPConfig Port [8080]: <– ENTER

Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services …
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
Stopping SASL Authentication Daemon: saslauthd.
Starting SASL Authentication Daemon: saslauthd.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd .
Stopping Courier authentication services: authdaemond.
Starting Courier authentication services: authdaemond.
Stopping Courier IMAP server: imapd.
Starting Courier IMAP server: imapd.
Stopping Courier IMAP-SSL server: imapd-ssl.
Starting Courier IMAP-SSL server: imapd-ssl.
Stopping Courier POP3 server: pop3d.
Starting Courier POP3 server: pop3d.
Stopping Courier POP3-SSL server: pop3d-ssl.
Starting Courier POP3-SSL server: pop3d-ssl.
Restarting web server: apache2 … waiting ..
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -H -b -A -O clf:/var/log/pure-ftpd/transfer.log -8 UTF-8 -Y 1 -D -u 1000 -E -B
Stopping domain name service…: bind9 waiting for pid 22267 to die.
Starting domain name service…: bind9.
Installation completed.
root@server1:/tmp/ispconfig3_install/install#

The installer automatically configures all underlying services, so no manual configuration is needed.

Afterwards you can access ISPConfig 3 under http://server1.example.com:8080/ or http://192.168.0.100:8080/. Log in with the username admin and the password admin (you should change the default password after your first login):

The system is now ready to be used.

debian 6 the perfect setup – 5

17 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban

 

To make fail2ban monitor PureFTPd, SASL, and Courier, create the file /etc/fail2ban/jail.local:

nano /etc/fail2ban/jail.local

 

[pureftpd]

enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[sasl]

enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 5

[courierpop3]

enabled  = true
port     = pop3
filter   = courierpop3
logpath  = /var/log/mail.log
maxretry = 5

[courierpop3s]

enabled  = true
port     = pop3s
filter   = courierpop3s
logpath  = /var/log/mail.log
maxretry = 5

[courierimap]

enabled  = true
port     = imap2
filter   = courierimap
logpath  = /var/log/mail.log
maxretry = 5

[courierimaps]

enabled  = true
port     = imaps
filter   = courierimaps
logpath  = /var/log/mail.log
maxretry = 5

Then create the following five filter files:

nano /etc/fail2ban/filter.d/pureftpd.conf

 

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

nano /etc/fail2ban/filter.d/courierpop3.conf

 

# Fail2Ban configuration file
#
# $Revision: 100 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

nano /etc/fail2ban/filter.d/courierpop3s.conf

 

# Fail2Ban configuration file
#
# $Revision: 100 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = pop3d-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

nano /etc/fail2ban/filter.d/courierimap.conf

 

# Fail2Ban configuration file
#
# $Revision: 100 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

nano /etc/fail2ban/filter.d/courierimaps.conf

 

# Fail2Ban configuration file
#
# $Revision: 100 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = imapd-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Restart fail2ban afterwards:

/etc/init.d/fail2ban restart

 

 

18 Install SquirrelMail

To install the SquirrelMail webmail client, run

apt-get install squirrelmail

 

Then create the following symlink…

ln -s /usr/share/squirrelmail/ /var/www/webmail

 

… and configure SquirrelMail:

squirrelmail-configure

 

We must tell SquirrelMail that we are using Courier-IMAP/-POP3:

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu –
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> <– D

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don’t work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
bincimap    = Binc IMAP server
courier     = Courier IMAP server
cyrus       = Cyrus IMAP server
dovecot     = Dovecot Secure IMAP server
exchange    = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx      = Mac OS X Mailserver
mercury32   = Mercury/32
uw          = University of Washington’s IMAP server
gmail       = IMAP access to Google mail (Gmail) accounts

quit        = Do not change anything
Command >> <– courier

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don’t work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
bincimap    = Binc IMAP server
courier     = Courier IMAP server
cyrus       = Cyrus IMAP server
dovecot     = Dovecot Secure IMAP server
exchange    = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx      = Mac OS X Mailserver
mercury32   = Mercury/32
uw          = University of Washington’s IMAP server
gmail       = IMAP access to Google mail (Gmail) accounts

quit        = Do not change anything
Command >> courier

imap_server_type = courier
default_folder_prefix = INBOX.
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = .
delete_folder = true

Press any key to continue… <– press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu –
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> <– S

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu –
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> <– Q

Afterwards you can access SquirrelMail under http://server1.example.com/webmail or http://192.168.0.100/webmail:

debian 6 the perfect setup – 4

10 Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin, rkhunter, binutils

We can install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl courier-maildrop getmail4 rkhunter binutils sudo

 

You will be asked the following questions:

General type of mail configuration: <– Internet Site
System mail name: <– server1.example.com
New password for the MySQL “root” user: <– yourrootsqlpassword
Repeat password for the MySQL “root” user: <– yourrootsqlpassword
Create directories for web-based administration? <– No
SSL certificate required <– Ok

We want MySQL to listen on all interfaces, not just localhost. This is only necessary if other hosts have to reach the database (for example additional servers in an ISPConfig multiserver setup); on a single server you can leave the line as it is and skip the rest of this step. To open MySQL up, edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1. If you do this, restrict port 3306 with a firewall to the hosts that actually need it, because afterwards only the MySQL account passwords stand between the network and the database:

nano /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this (*:mysql means that mysqld now accepts connections on every IPv4 address of the server):

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      10457/mysqld
root@server1:~#

During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. Mail clients that check the certificate name against the server they connect to will reject such a certificate, so we change it to the correct hostname (server1.example.com in this tutorial). First delete the certificates…

cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem

… and modify the following two files; replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary):

nano /etc/courier/imapd.cnf

[...]
CN=server1.example.com
[...]

nano /etc/courier/pop3d.cnf

[...]
CN=server1.example.com
[...]

Then recreate the certificates (mkimapdcert and mkpop3dcert generate self-signed certificates, so clients will still have to accept or pin them; what this step fixes is the name they are issued for)…

mkimapdcert
mkpop3dcert

… and restart Courier-IMAP-SSL and Courier-POP3-SSL:

/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart

11 Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop
update-rc.d -f spamassassin remove

12 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby

You will see the following questions:

Web server to reconfigure automatically: <– apache2
Configure database for phpmyadmin with dbconfig-common? <– No

Then run the following commands to enable the Apache modules suexec, rewrite, ssl, actions, and include; the second command enables dav, dav_fs, and auth_digest and is needed only if you want to use WebDAV:

a2enmod suexec rewrite ssl actions include
a2enmod dav_fs dav auth_digest

Restart Apache afterwards:

/etc/init.d/apache2 restart

13 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common…

nano /etc/default/pure-ftpd-common

… and make sure the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Edit the file /etc/inetd.conf to prevent inetd from trying to start ftp:

nano /etc/inetd.conf

If there is a line beginning with ftp stream tcp, comment it out (if there is no such file, that is fine, and you don't have to modify /etc/inetd.conf):

[...]
#:STANDARD: These are standard services.
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/pure-ftpd-wrapper
[...]

If you had to modify /etc/inetd.conf, restart inetd now:

/etc/init.d/openbsd-inetd restart

Now we configure PureFTPd to allow FTP and TLS sessions. Plain FTP is a very insecure protocol because all passwords and all data are transferred in clear text. With TLS the control connection (login and commands) is encrypted, and clients that ask for a protected data channel get their transfers encrypted as well, which makes FTP much more secure.

The number written to /etc/pure-ftpd/conf/TLS selects the mode: 1 accepts both cleartext and TLS sessions, 2 refuses clients that do not switch to TLS. If you want to allow both FTP and TLS sessions, as this tutorial does, run

echo 1 > /etc/pure-ftpd/conf/TLS

Keep in mind that with 1 a client that is not configured for TLS still logs in, and sends its password, in clear text; once all your users have TLS-capable clients, write 2 to the file instead so that such logins are refused.

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows. -nodes leaves the private key unencrypted so that PureFTPd can start without anyone typing a passphrase, and because -keyout and -out name the same file, pure-ftpd.pem ends up holding both the key and the self-signed certificate (valid for 7300 days, i.e. twenty years, so choose a shorter period if you prefer to rotate it). That unencrypted key is why the file's permissions are tightened below:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <– Enter your Country Name (e.g., “DE”).
State or Province Name (full name) [Some-State]: <– Enter your State or Province Name.
Locality Name (eg, city) []: <– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <– Enter your Organizational Unit Name (e.g. “IT Department”).
Common Name (eg, YOUR name) []: <– Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
Email Address []: <– Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart
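
As an added check for the certificate steps above (the Courier certificates regenerated in section 10 and the PureFTPd certificate and TLS switch set up in this section), the following script is not part of the original tutorial. It assumes the file locations the tutorial uses and, unless FQDN is set in the environment, that the certificates must be issued for server1.example.com; it prints one verdict per check and exits non-zero if a certificate still carries the wrong name, if a file holding a private key is readable by other users, or if PureFTPd still accepts cleartext logins.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the TLS material
# set up in sections 10 and 13. Assumptions: the paths below are the ones the
# tutorial uses, and the expected subject CN is server1.example.com unless
# FQDN is set in the environment.

FQDN="${FQDN:-server1.example.com}"

# cert_cn FILE: print the subject CN of the first certificate in FILE.
# Works on files that also carry the private key and DH parameters (as
# imapd.pem, pop3d.pem and pure-ftpd.pem do): openssl x509 skips those blocks.
# The sed handles both "CN=host" (older openssl) and "CN = host" (newer).
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# check_cert FILE EXPECTED_CN: 0 if the CN matches, 1 otherwise.
check_cert() {
    cn="$(cert_cn "$1")"
    if [ -n "$cn" ] && [ "$cn" = "$2" ]; then
        echo "ok   $1: CN=$cn"
        return 0
    fi
    echo "FAIL $1: CN='$cn', expected '$2' (clients that verify the hostname will reject it)"
    return 1
}

# check_key_perms FILE: 0 if the file (certificate plus unencrypted key) is
# readable by its owner only, 1 otherwise. GNU stat first, BSD stat as fallback.
check_key_perms() {
    mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)"
    case "$mode" in
        600|400) echo "ok   $1: mode $mode"; return 0 ;;
        "")      echo "FAIL $1: file not found"; return 1 ;;
        *)       echo "FAIL $1: mode $mode, private key readable by other users (chmod 600)"; return 1 ;;
    esac
}

# check_ftp_tls FILE: read PureFTPd's TLS switch (/etc/pure-ftpd/conf/TLS).
# 0 only when cleartext logins are refused; 1 means TLS is merely optional or off.
check_ftp_tls() {
    val="$(tr -d '[:space:]' 2>/dev/null < "$1")"
    case "$val" in
        2) echo "ok   TLS=2: clients that do not switch to TLS are refused"; return 0 ;;
        3) echo "ok   TLS=3: TLS required on control and data channel (newer PureFTPd)"; return 0 ;;
        1) echo "WARN TLS=1: TLS is offered, but cleartext logins are still accepted"; return 1 ;;
        *) echo "FAIL TLS='$val': TLS disabled or file missing"; return 1 ;;
    esac
}

# Run the full audit with:  sh tls-audit.sh audit
if [ "${1:-}" = "audit" ]; then
    rc=0
    for f in /etc/courier/imapd.pem /etc/courier/pop3d.pem /etc/ssl/private/pure-ftpd.pem; do
        check_cert "$f" "$FQDN" || rc=1
        check_key_perms "$f" || rc=1
    done
    check_ftp_tls /etc/pure-ftpd/conf/TLS || rc=1
    exit "$rc"
fi
```

Run it as sh tls-audit.sh audit after the restarts above. For an end-to-end check from another machine, openssl s_client -connect server1.example.com:993 </dev/null shows the certificate Courier actually serves, and openssl s_client -starttls ftp -connect server1.example.com:21 </dev/null does the same for PureFTPd.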

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):

nano /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 /               ext3    errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0       1
# swap was on /dev/sda5 during installation
UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug

14 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils

15 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database

Open /etc/cron.d/awstats afterwards…

nano /etc/cron.d/awstats

… and comment out both cron jobs in that file:

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

16 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig; it cannot be installed afterwards!). Note that the tarball is fetched over plain HTTP, so check its integrity before building it, for instance against a checksum you have obtained from the project through a trusted channel:

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.13.tar.gz
tar xvfz jailkit-2.13.tar.gz
cd jailkit-2.13
./debian/rules binary
cd ..
dpkg -i jailkit_2.13-1_*.deb
rm -rf jailkit-2.13*
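
As an added, supply-chain-minded version of the download step above (not part of the original tutorial), the script below fetches the same tarball but refuses to unpack it unless its SHA-256 matches a value you obtained from the Jailkit project through a trusted channel. The tutorial gives no hash, so EXPECTED_SHA256 is a placeholder that you have to supply yourself; the URL and file name are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: download a source tarball
# and refuse to unpack it unless its SHA-256 matches a value obtained out of
# band (the project's release page, an announcement, or a signed checksum
# file). The tutorial gives no hash for jailkit-2.13.tar.gz, so EXPECTED_SHA256
# is a placeholder you must fill in; the URL is the one from the tutorial.

# sha256_of FILE: print the hex digest (coreutils sha256sum, shasum as fallback).
sha256_of() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1" 2>/dev/null; } | cut -d' ' -f1
}

# verify_sha256 FILE EXPECTED: 0 if the digest matches, 1 otherwise.
# Lower-cases the expected value so a pasted upper-case hash still matches.
verify_sha256() {
    want="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    got="$(sha256_of "$1")"
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo "ok   $1: sha256 matches"
        return 0
    fi
    echo "FAIL $1: sha256 '$got', expected '$want'; not unpacking" >&2
    return 1
}

# fetch_and_verify URL EXPECTED: download into the current directory, then verify.
# A tampered or truncated download is left on disk for inspection but never unpacked.
fetch_and_verify() {
    out="${1##*/}"
    wget -q -O "$out" "$1" || { echo "FAIL $1: download failed" >&2; return 1; }
    verify_sha256 "$out" "$2"
}

# Usage, replacing the tutorial's bare wget/tar step:
#   EXPECTED_SHA256=<hash from the project> sh fetch-jailkit.sh fetch
if [ "${1:-}" = "fetch" ]; then
    : "${EXPECTED_SHA256:?set EXPECTED_SHA256 to the hash published by the project}"
    cd /tmp || exit 1
    fetch_and_verify http://olivier.sessink.nl/jailkit/jailkit-2.13.tar.gz "$EXPECTED_SHA256" || exit 1
    tar xvfz jailkit-2.13.tar.gz
fi
```

With the hash in hand, EXPECTED_SHA256=... sh fetch-jailkit.sh fetch replaces the wget and tar lines above; the ./debian/rules binary and dpkg -i steps stay as they are.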

debian 6 the perfect setup – 3

4 Install The SSH Server

If you didn’t install an SSH server during the basic system installation, you can do it now:

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian Squeeze server and follow the remaining steps from this tutorial.

5 Install nano

apt-get install nano

6 Configure The Network

The Debian Squeeze installer configured the system to obtain its network settings via DHCP; a server should have a static IP address, so we change that now. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100). Note that I replace allow-hotplug eth0 with auto eth0; otherwise restarting the network doesn't work, and we'd have to reboot the whole system:

nano /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

nano /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now run

echo server1.example.com > /etc/hostname
/etc/init.d/hostname.sh start

Afterwards, run

hostname
hostname -f

It is important that both show server1.example.com now!

7 Update Your Debian Installation

First make sure that your /etc/apt/sources.list contains the squeeze-updates repository (this makes sure you always get the newest updates for the ClamAV virus scanner; the project publishes releases very often, and sometimes old versions stop working). Keep the security.debian.org squeeze/updates line that the installer added as well, since that is where the security fixes for everything installed in this tutorial come from.

nano /etc/apt/sources.list

[...]
deb http://ftp.de.debian.org/debian/ squeeze-updates main
[...]

Run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any).

8 Change The Default Shell

/bin/sh is a symlink to /bin/dash; however, we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <– No

9 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.