Apache2 Web Server Installation

1.0 --- Server Preparation

Change the default shell. If you don't do this, the ISPConfig installation will fail: /bin/sh is a symlink to /bin/dash, but we need /bin/bash, not /bin/dash. Therefore, we do this:

sudo dpkg-reconfigure dash
Use dash as the default system shell (/bin/sh)?    <--- No

AppArmor is a security extension (similar to SELinux) that is meant to provide extended security. You don't need it to configure a secure system, and it usually causes more problems than advantages. Therefore, I disable it like this:

sudo service apparmor stop
sudo update-rc.d -f apparmor remove 
sudo apt-get remove apparmor apparmor-utils

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Just run:

sudo apt-get install ntp

1.1 --- Postfix, Dovecot, MariaDB, RKHunter, and binutils

Before installing Postfix, we need to ensure that sendmail is not installed or running. To stop and remove sendmail, run these commands:

sudo service sendmail stop
sudo update-rc.d -f sendmail remove

The error message:

Failed to stop sendmail.service: Unit sendmail.service not loaded.

is fine; it just means that sendmail was not installed, so there was nothing to remove.

Now we can install Postfix, Dovecot, MariaDB (as MySQL replacement), rkhunter, and binutils with a single command:

sudo apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo

You will be asked the following questions:

General type of mail configuration:    <--- Internet Site
System mail name:    <--- server1.example.com

Next, open the TLS/SSL and submission ports in Postfix:

sudo nano /etc/postfix/master.cf

Uncomment the submission and smtps sections as shown below, add the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject to both sections, and leave everything after it commented out:

[...]
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

Restart Postfix afterward:

sudo service postfix restart
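As an added check, written for this page and not part of the guide or ISPConfig, the following Python script parses master.cf text in the format edited above and reports any submission or smtps service that lacks TLS, SASL, or the permit_sasl_authenticated,reject restriction, which is the line that stops unauthenticated clients from relaying through those ports. The fragment it checks is constructed; the function and variable names are my own, and you can feed parse_master_cf the contents of /etc/postfix/master.cf to check a real file.

```python
import re

# Constructed master.cf sample mirroring the guide's edit; smtps restriction left commented out.
SAMPLE_MASTER_CF = """\
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Each submission service must enforce TLS, enable SASL, and reject every
# client that has not authenticated; without the last one it relays openly.
GUARD = "permit_sasl_authenticated,reject"
REQUIRED = {
    "submission": {"smtpd_tls_security_level": "encrypt",
                   "smtpd_sasl_auth_enable": "yes", "smtpd_client_restrictions": GUARD},
    "smtps": {"smtpd_tls_wrappermode": "yes",
              "smtpd_sasl_auth_enable": "yes", "smtpd_client_restrictions": GUARD},
}

def parse_master_cf(text):
    """Map each active inet service name to its '-o key=value' overrides."""
    # A service line has 8 whitespace-separated fields; indented lines continue
    # the service above; '#' lines are skipped, so commented options don't count.
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if m and current:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        current = fields[0] if len(fields) >= 8 and fields[1] == "inet" else None
        if current:
            services.setdefault(current, {})
    return services

def check_submission_services(text):
    """Return 'service: option' for each required setting that is missing or wrong."""
    services, problems = parse_master_cf(text), []
    for name, wanted in REQUIRED.items():
        opts = services.get(name, {})  # absent service: every option is reported
        problems += [f"{name}: {k}" for k, v in wanted.items() if opts.get(k) != v]
    return problems
```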

We want MySQL to listen on all interfaces, not just localhost. Therefore, we edit /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the line bind-address = 127.0.0.1:

sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1    <--- # Comment out
[...]

Now we set a root password in MariaDB. Run:

mysql_secure_installation

You will be asked these questions:

Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

Set the password authentication method in MariaDB to native so that we can later use phpMyAdmin to connect as the root user:

sudo su -
echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root
exit

Edit the file /etc/mysql/debian.cnf and enter the MySQL / MariaDB root password in both rows that start with password:

sudo nano /etc/mysql/debian.cnf

The two password lines are where the MariaDB root password must be entered; in this example the password is “MariaDB password”:

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = MariaDB password
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = MariaDB password
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

Then we restart MariaDB:

sudo service mysql restart

Now check that networking is enabled. Run:

sudo netstat -tap | grep mysql

The output should look like this:

tcp6 0 0 [::]:mysql [::]:* LISTEN 30591/mysqld

1.2 --- amavisd-new, SpamAssassin, and ClamAV

To install amavisd-new, SpamAssassin, and ClamAV, we run:

sudo apt-get install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey

If amavisd-new fails to install or run, set the hostname in its configuration:

sudo nano /etc/amavis/conf.d/05-node_id
[...]
$myhostname = "server1.example.com";    <--- Uncomment and change
[...]

Now we reconfigure the installation:

sudo dpkg --configure -a

The ISPConfig 3 setup uses amavisd, which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

sudo service spamassassin stop
sudo update-rc.d -f spamassassin remove

To start ClamAV use:

freshclam
sudo service clamav-daemon start

The following error can be ignored on the first run of freshclam:

ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

The amavisd-new program currently has a bug in Ubuntu 18.04 that prevents emails from being signed with DKIM correctly. Run the following commands to patch amavisd-new:

cd /tmp
wget https://git.ispconfig.org/ispconfig/ispconfig3/raw/stable-3.1/helper_scripts/ubuntu-amavisd-new-2.11.patch
cd /usr/sbin
sudo cp -pf amavisd-new amavisd-new_bak
sudo patch < /tmp/ubuntu-amavisd-new-2.11.patch

If you get an error from the last 'patch' command, Ubuntu has probably fixed the issue in the meantime, so it should be safe to ignore that error.

2.0 --- Install Apache, PHP, phpMyAdmin, FCGI, SuExec, Pear, and mcrypt

Apache 2.4, PHP 7.2, phpMyAdmin, FCGI, suExec, and Pear can be installed as follows:

sudo apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php7.2 php7.2 php7.2-common php7.2-gd php7.2-mysql php7.2-imap phpmyadmin php7.2-cli php7.2-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear mcrypt imagemagick libruby libapache2-mod-python php7.2-curl php7.2-intl php7.2-pspell php7.2-recode php7.2-sqlite3 php7.2-tidy php7.2-xmlrpc php7.2-xsl memcached php-memcache php-imagick php7.2-zip php7.2-mbstring php7.2-soap php7.2-bz2 php7.2-mysql php7.2-intl php7.2-opcache php-apcu certbot

You will see the following question:

Web server to reconfigure automatically:    <--- apache2 
Configure database for phpmyadmin with dbconfig-common?    <--- Yes
MySQL application password for phpmyadmin:    <--- Press enter

Enabling PHP7.2-FPM:

sudo a2enmod proxy proxy_fcgi setenvif
sudo a2enconf php7.2-fpm

Switching from Prefork to Event MPM:

sudo a2dismod php7.2
sudo a2dismod mpm_prefork
sudo a2enmod mpm_event

Then run the following command to enable the Apache modules:

sudo a2enmod suexec rewrite ssl actions alias include cgid http2

To ensure that the server cannot be attacked through the HTTPoxy vulnerability, I will unset the Proxy request header (the source of HTTP_PROXY in the CGI environment) in Apache globally. Create a new httpoxy.conf file with nano:

sudo nano /etc/apache2/conf-available/httpoxy.conf

Paste this content into the file:

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

Enable the config file by running:

sudo a2enconf httpoxy
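To show why that header is dropped, here is an added Python example (written for this page, not from the guide or Apache) that models how a CGI/FastCGI environment turns a request's Proxy header into HTTP_PROXY, what a client library that trusts that variable would do, and the two defences: the Apache rule above modelled as unset_proxy_header(), and the check in Python's own urllib that ignores HTTP_PROXY when running under CGI. The request headers, proxy address and function names are constructed for the example.

```python
import os
from urllib.request import getproxies_environment

# Constructed request, as a CGI/FastCGI front end would see it.  "Proxy" is not
# a standard request header, which is exactly why HTTPoxy works: the CGI rule
# below turns it into HTTP_PROXY, a name HTTP client libraries treat as config.
SAMPLE_HEADERS = {
    "Host": "server1.example.com",
    "Proxy": "http://203.0.113.10:8080",  # RFC 5737 documentation address
}


def cgi_env(headers):
    """Build the HTTP_* variables the CGI spec derives from request headers
    (Content-Type/Content-Length are the spec's exceptions; not needed here)."""
    env = {"REQUEST_METHOD": "GET"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_client_proxy(env):
    """What an unpatched client library does: trust HTTP_PROXY from the env."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def unset_proxy_header(headers):
    """Model of the guide's 'RequestHeader unset Proxy early': Apache drops
    the header (case-insensitively) before the backend builds its environment."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def python_client_proxy(env):
    """What Python's urllib does: under CGI (REQUEST_METHOD set) it ignores
    HTTP_PROXY; run getproxies_environment() with env as the only environment."""
    saved = dict(os.environ)
    os.environ.clear()
    os.environ.update(env)
    try:
        return getproxies_environment().get("http")
    finally:
        os.environ.clear()
        os.environ.update(saved)


def compare():
    """Proxy each client would use, with and without the Apache mitigation."""
    raw, fixed = cgi_env(SAMPLE_HEADERS), cgi_env(unset_proxy_header(SAMPLE_HEADERS))
    return {"naive_client": naive_client_proxy(raw), "python_urllib": python_client_proxy(raw),
            "naive_client_after_fix": naive_client_proxy(fixed)}
```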

apache2_web_server.txt · Last modified: 2019/01/22 15:07 by pi