Author Topic: Installing syscp 1.4 onto CentOS 5.5  (Read 9963 times)

doramon

  • Guest
Installing syscp 1.4 onto CentOS 5.5
« on: August 09, 2010, 15:51:58 PM »
I am working on the following documentation - it's not complete yet, so please bear with me. But I thought I'd go ahead and get it out into the open. Especially since the CentOS documentation I found was incomplete and old.

[Edit: Since no one has responded yet, I'm updating this thread to include my most recent documentation. Still working on it though]

References:
Start Here --> http://wiki.syscp.org/docs/generalinstallguide
(Outdated, but useful) http://wiki.syscp.org/contrib/installation/centos
(old... don’t do this) http://wiki.syscp.org/contrib/awstats (for setting up awstats)
http://wiki.centos.org/HowTos/postfix
http://wiki.dovecot.org/RunningDovecot
http://wiki.centos.org/HowTos/Https

Initial Configuration (First Time Boot)
1. Set a fully qualified hostname by following all of these steps:
a) Run: # hostname example.domain.com
b) Edit /etc/sysconfig/network so that it contains (at least) the following:
NETWORKING=yes
GATEWAY=<Your Gateway IP Address>
HOSTNAME=<Your Hostname> (same as step A)

2. Set up a static IP address. Edit /etc/sysconfig/network-scripts/ifcfg-eth0 so that it contains the following. Your IP Address, Netmask, and Gateway should be provided to you by your hosting provider:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
NETMASK=<Netmask Address>
IPADDR=<Your IP address>
GATEWAY=<Your Gateway IP address>

3. Restart Networking:
# /etc/init.d/network restart

4. Edit /etc/resolv.conf (the IP addresses of the nameservers will be provided by your host)
nameserver <nameserver1 IP address>
nameserver <nameserver2 IP address>

5. Restart Networking (again):
# /etc/init.d/network restart

6. Upgrade your system:
# yum upgrade

Secure Your Server:
There are two ways that one can log in to a server (with the proper configurations):
a) SSH Key Authentication
b) With a username & password
While SSH key authentication is (usually) the most secure method of connecting to a server, sometimes you will want to allow users to log in with a password. In this case, it is a security vulnerability to allow the root user to log in directly to your server. I have chosen to allow users to log in with a password on my server. So I want to lock the root account. Before I do so, I need to make sure that at least 1 user has sudo privileges. In the example below, I create a user, add the user to the sudoers file, lock the root user account, log out (of root), and SSH into the server as my new user.
# useradd <username>
# passwd <username>
   (Sets a password)
# visudo
   Find the line that looks like this:
   root               ALL=(ALL)       ALL
   
   Right beneath it, add a new line for your new username, so that it looks like this:
   root                  ALL=(ALL)       ALL
   <username>   ALL=(ALL)   ALL

In a new shell, test to make sure you can log in as the new user, and that you can sudo. Upon successful sudo, close the connection. In your original connection, lock the root account, and then close the connection.
# passwd -l root
# exit

Now, log in as <username>, sudo, and continue your work....

Set up / configure the needed Repositories:
1. CentOS Base (edit it so that the centosplus section is enabled, and includes the postfix package):
   #additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
includepkgs=postfix

2. RPMForge
# cd /usr/local/src
# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
# rpm -ivh rpmforge-release-0.5.1-1.el5.rf.i386.rpm

3. EPEL
# wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
# rpm -ivh epel-release-5-3.noarch.rpm

4. IUS (http://iuscommunity.org/)
# wget http://dl.iuscommunity.org/pub/ius/stable/Redhat/5.5/i386/ius-release-1-4.ius.el5.noarch.rpm
# rpm -ivh ius-release-1-4.ius.el5.noarch.rpm

Software:
1. First install all the packages we can with Yum. (Remember that we ran “yum upgrade” earlier, but we have also added more repositories. Run the upgrade again).
# yum upgrade
# yum install openssl
# yum install httpd (provided by base CentOS)
# yum install php52 (provided by IUS)
# yum install mysql51-server (provided by IUS)
# yum install php52-mysql
# yum install mod_auth_mysql (a library that doesn’t come by default - needed for syscp to work with awstats & httpd properly)
# yum install postfix (provided by CentOS Plus - need to edit CentOS Base to use the “plus” repo to download this package - note: MUST have MySQL support)
# yum install proftpd-mysql spamassassin clamd amavisd-new p7zip postgrey razor-agents awstats bind-chroot bind-utils
# yum install dovecot

Let’s take a look at each of these packages:
openssl: Many server distributions will already have this package installed. If you already have it, you’ll just get a message that says “package openssl.foo is already installed and latest version.”
httpd: This is your main webserver, Apache. By default, CentOS 5.5 includes Apache 2.2.x. Documentation on Apache 2.2.x can be found at http://httpd.apache.org/docs/2.2/. I believe that it's easier to “dive in” and learn on the go, but please understand that there are several security features related to running a webserver that you MUST understand before putting a production website onto it. The documentation listed above is a good starting point, although it can be confusing for some people.
   Your main configuration file is located in /etc/httpd/conf/httpd.conf. Use a program like vim to read and edit the file. Take your time, and understand it thoroughly. Go through the whole thing by hand. Yes, I know it takes time. But how would you like for your server to crash, run slowly, or even worse - be hacked? TAKE YOUR TIME! And read the documentation at http://httpd.apache.org/docs/2.2/. (This would be a good section of the 2.2.x documentation in which to start: http://httpd.apache.org/docs/2.2/configuring.html).

php52: This is the version of PHP 5.2 that is provided by the IUS repository. “Why ‘php52’?”, you ask. According to the website (http://iuscommunity.org/), IUS names its packages slightly off from stock package names.  For example, mysql becomes mysql50 or mysql51… php becomes php52 or php53, etc.  The reason is outlined in FAQ #1098.
   You want to install php 5.2 (and not php 5.1, which is provided by the CentOS base repositories), because php 5.2 is newer, has more features,  and is more secure. I wouldn’t recommend installing php 5.3 yet.

2. Setup and Secure the MySQL Installation (see http://dev.mysql.com/doc/refman/5.0/en/unix-post-installation.html for more details):
From the CLI, you need to su into the mysql user, then setup the initial mysql configuration:
# su mysql
# mysql_install_db         
# exit (to leave the mysql user and return to root)
# chkconfig --level 3 mysqld on
   This will configure mysql to start at boot.
# /etc/init.d/mysqld start
# mysql_secure_installation

3. Edit /etc/postfix/main.cf, and put the following code at the bottom of the file:
# some UCE rules
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service inet:127.0.0.1:60000,
    permit

smtpd_data_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    permit

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    permit
 
virtual_mailbox_base = /var/syscp/mail/
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_alias_domains =
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
 
# Use dovecot LDA
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
 
# SMTP-AUTH with dovecot-sasl
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
#smtpd_sasl_local_domain = $myhostname
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
 
# TLS Mode for SMTP-service
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/certs/postfix.key
smtpd_tls_cert_file = /etc/postfix/certs/postfix.crt
smtpd_tls_CAFile = /etc/postfix/certs/postfix.crt
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
 
# Amavis integration for spam and virus check
content_filter = smtp-amavis:[127.0.0.1]:10024

4. Install SysCP files:
# cd /var/www/html
# wget http://files.syscp.org/releases/tgz/syscp-<latest-release>.tar.gz
   You can find the latest release (and its URL) at http://syscp.org/download.html. Make sure to download the “Source.”
# tar -xzf syscp-<latest-release>.tar.gz
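
An added example, not part of the original post: Postfix reads a main.cf line that begins with whitespace as a continuation of the previous line, so the multi-line restriction lists in the main.cf step depend on their items being indented. The Python sketch below (function names and sample text are assumptions constructed for this example) parses main.cf by that rule and reports stray lines, plus a reject_unauth_destination that is missing or sits behind an earlier permit.

```python
# Added example, not from the original post: lint Postfix restriction lists.
# Constructed sample: the post's recipient restrictions, indented as continuations.
GOOD = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service inet:127.0.0.1:60000,
    permit
"""
# Constructed failure case: the same text with the indentation lost.
FLAT = GOOD.replace("    ", "")
GUARD = "reject_unauth_destination"


def parse_main_cf(text):
    """Return (params, stray): logical 'name = value' settings and unparsable lines."""
    params, stray, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                              # blank and comment lines are skipped
        if raw[0] in " \t" and current:
            params[current] += " " + line         # leading whitespace continues a setting
        elif raw[0] not in " \t" and "=" in raw:
            current, _, value = (p.strip() for p in raw.partition("="))
            params[current] = value               # start of a new logical line
        else:
            stray.append(line)                    # neither a setting nor a continuation
            current = None
    return params, stray


def relay_findings(text):
    """List problems with smtpd_recipient_restrictions in the given main.cf text."""
    params, stray = parse_main_cf(text)
    findings = ["not a setting or continuation: " + s for s in stray]
    value = params.get("smtpd_recipient_restrictions", "")
    # Comma splitting matches the post's style; Postfix also accepts whitespace.
    items = [i.strip() for i in value.split(",") if i.strip()]
    if GUARD not in items:
        findings.append(GUARD + " missing from smtpd_recipient_restrictions")
    elif any(i == "permit" or i.startswith("check_") for i in items[:items.index(GUARD)]):
        findings.append("a permit or check_* lookup is evaluated before " + GUARD)
    return findings
```

Run relay_findings() on the contents of /etc/postfix/main.cf after pasting the block; an empty list means the recipient restrictions parsed as one setting with the relay guard ahead of the final permit.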

doramon

  • Guest
Re: Installing syscp 1.4 onto CentOS 5.5
« Reply #1 on: August 09, 2010, 15:52:32 PM »