This tutorial walks you through installing and configuring an Ubuntu server and the usual services on it: Apache (with SSL), a Postfix mail server with SMTP-AUTH and TLS, a BIND DNS server, a ProFTPD FTP server, a MySQL database, Courier POP3/IMAP mail services, disk quotas, a firewall and so on. Although the tutorial was written on 32-bit Ubuntu 8.04, it should also apply to the 64-bit version. The software versions involved are:
* Web server: Apache 2.2, PHP 5.2.4, Ruby
* Database server: MySQL 5.0
* Mail server: Postfix
* DNS server: BIND9
* FTP server: proftpd
* POP3/IMAP: I will use the Maildir format and therefore install Courier-POP3/Courier-IMAP.
* Webalizer for web site access statistics
When the installation is finished you will have a stable server system.
1 Requirements
To follow this installation you need:
* The Ubuntu 8.04 LTS server CD, which you can download from ftp://releases.ubuntu.com/releases/
* A reasonably fast Internet connection
2 Preliminary note
In this tutorial the server is called server1.example.com, with the IP address 192.168.0.100 and the gateway 192.168.0.1. Your settings will probably differ; substitute the values you need.
3 The base system
Insert your Ubuntu install CD, boot from it and select the installation language:
Select "Install Ubuntu Server":
Choose the language again:
Choose your region:
Choose your keyboard; the standard 101-key layout is usually fine, or pick the one that matches your keyboard.
The installer then checks the CD and the hardware and configures the network automatically.
Enter the hostname. In this tutorial my host is called server1.example.com, so I enter server1.
Next comes partitioning. To keep things simple I use the whole disk; you can also partition manually, use LVM volumes and so on.
Select the disk to partition.
When asked whether to write the changes to disk, answer Yes.
Your new partitions are then created and formatted, and the installation starts.
Create a user, for example administrator; do not use a user name that Ubuntu reserves.
Next the package manager is configured; leave the proxy field empty unless you actually use a proxy.
We need DNS, mail and LAMP servers, but I never select them here, because I like to have full control over my system and install only what I need; we will install them manually later. The only thing I select is the OpenSSH server, because I want to log in over SSH as soon as the installation is done, using a client such as PuTTY.
The installation continues.
Install GRUB.
The base system is now installed. Remove the CD and reboot the system.
On to the next step.
4 Enable the root account
After the reboot you can log in with the user you just created, e.g. administrator. Because we will run the following steps as root, we now need to enable the root account. Run:
sudo passwd root
Enter a password for root. From now on we work as root:
su
5 Install the SSH server (optional)
If you did not install it during the base installation, you can do so now:
apt-get install ssh openssh-server
From now on you can use an SSH client such as PuTTY on your workstation to connect to the server and carry out the remaining steps.
6 Install vim-full (optional)
The text editor I use in this tutorial is vi. The default vi on Ubuntu behaves a bit oddly; to fix that we install vim-full:
apt-get install vim-full
(You do not have to use vi; you can use joe or nano as well.)
7 Configure the network
The installer used the default settings and obtained the IP address via DHCP. A server should have a static IP address, so edit /etc/network/interfaces and adjust it to your needs. In this tutorial I use 192.168.0.100:
vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
Restart the network:
/etc/init.d/networking restart
Then edit /etc/hosts:
vi /etc/hosts
127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Now run
echo server1.example.com > /etc/hostname
/etc/init.d/hostname.sh start
Afterwards run
hostname
hostname -f
Both should now display server1.example.com.
8 Edit /etc/apt/sources.list and update the system
Edit /etc/apt/sources.list. Comment out or remove the installation CD and add some Internet repositories. Mirrors inside China, such as cn99, are faster; the file below is only an example, so add whichever Internet repositories suit your needs:
vi /etc/apt/sources.list
##deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ Release i386 (20080423.2)]/ hardy main restricted
#deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_-Release i386 (20080423.2)]/ hardy main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.

deb http://de.archive.ubuntu.com/ubuntu/ hardy main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://de.archive.ubuntu.com/ubuntu/ hardy universe
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy universe
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ hardy multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy multiverse
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiverse

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository. This software is not part of Ubuntu, but is
## offered by Canonical and the respective vendors as a service to Ubuntu
## users.
# deb http://archive.canonical.com/ubuntu hardy partner
# deb-src http://archive.canonical.com/ubuntu hardy partner

deb http://security.ubuntu.com/ubuntu hardy-security main restricted
deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted
deb http://security.ubuntu.com/ubuntu hardy-security universe
deb-src http://security.ubuntu.com/ubuntu hardy-security universe
deb http://security.ubuntu.com/ubuntu hardy-security multiverse
deb-src http://security.ubuntu.com/ubuntu hardy-security multiverse
Then update the package database:
apt-get update
and install the latest updates:
apt-get upgrade
9 Change the default shell
/bin/sh is a symlink to /bin/dash, but what we normally want is /bin/bash, not /bin/dash, so we do this:
ln -sf /bin/bash /bin/sh
Many scripts are written for bash, so I recommend making bash the default shell.
10 Disable AppArmor
AppArmor is a security extension similar to Red Hat's SELinux. In my opinion you do not need it to set up a very secure system, and it frequently causes odd problems of one sort or another, so I disable it.
Disable it like this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
11 Install some useful packages
Some packages are needed so often that I recommend installing them right away. Run:
apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.3-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential
These commands need an Internet connection; without one the installation may fail.
12 Disk quotas
If you use a single partition you should definitely enable disk quotas, so that no single user can eat up the entire system's space.
To install quota, run
apt-get install quota
Edit /etc/fstab. It should look at least like this (I added usrquota,grpquota to the / partition):
vi /etc/fstab
# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# /dev/sda1
UUID=6af53069-0d51-49be-b275-aeaea8d780c5 /               ext3    relatime,errors=remount-ro,usrquota,grpquota 0       1
# /dev/sda5
UUID=d8e1f66c-1442-423e-b442-8ae66eded9d7 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec,utf8 0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0
To activate quota, run these commands:
touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
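An added check for the quota step (this script is not part of the tutorial): it reads an fstab and reports every ext2/ext3/ext4 entry that is missing usrquota or grpquota, so you can confirm the edit before running quotacheck. The fstab it demonstrates on is a constructed sample in the layout shown above; the UUIDs in it are placeholders.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Checks an fstab for ext* entries
# that lack the usrquota/grpquota options. Sample fstab below is constructed.

# Print one line per ext* file system that is missing a quota option.
# Usage: missing_quota_mounts /path/to/fstab
# Returns 0 when every ext* entry has both usrquota and grpquota, 1 otherwise.
missing_quota_mounts() {
    fstab="$1"
    found=0
    while read -r fs mnt fstype opts dump pass; do
        # skip blank lines and comments
        case "$fs" in ''|"#"*) continue ;; esac
        # quotas matter on the ext* file systems the tutorial uses
        case "$fstype" in ext2|ext3|ext4) ;; *) continue ;; esac
        missing=""
        case ",$opts," in *,usrquota,*) ;; *) missing="$missing usrquota" ;; esac
        case ",$opts," in *,grpquota,*) ;; *) missing="$missing grpquota" ;; esac
        if [ -n "$missing" ]; then
            echo "$mnt ($fs): missing$missing in '$opts'"
            found=1
        fi
    done < "$fstab"
    return "$found"
}

# Write a constructed fstab in the tutorial's layout to "$1". With "$2" set to
# "yes" the root file system carries usrquota,grpquota; with "no" it does not.
write_sample_fstab() {
    out="$1"; with_quota="$2"
    rootopts="relatime,errors=remount-ro"
    if [ "$with_quota" = "yes" ]; then
        rootopts="$rootopts,usrquota,grpquota"
    fi
    cat > "$out" <<EOF
# /etc/fstab: static file system information (constructed sample).
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
UUID=00000000-0000-0000-0000-000000000001 / ext3 $rootopts 0 1
UUID=00000000-0000-0000-0000-000000000002 none swap sw 0 0
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0
EOF
}

# Demo against the constructed samples.
tmp=${TMPDIR:-/tmp}/fstab_sample.$$
write_sample_fstab "$tmp" no
if ! missing_quota_mounts "$tmp"; then
    echo "-> quotas are not enabled on the root file system"
fi
write_sample_fstab "$tmp" yes
if missing_quota_mounts "$tmp"; then
    echo "-> every ext file system has usrquota and grpquota"
fi
rm -f "$tmp"
```

Run it against the real file with `missing_quota_mounts /etc/fstab` once the function is sourced; a non-zero exit means `quotacheck -avugm` will not find anything to account for on the listed mounts.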
13 DNS server
Run
apt-get install bind9
Because of some installation issues we want to run BIND chrooted (in effect BIND gets its own small Linux file tree to live in). Carry out the following steps:
/etc/init.d/bind9 stop
Edit /etc/default/bind9 so that the daemon runs as the unprivileged user bind, chrooted to /var/lib/named. Change the line OPTIONS="-u bind" to OPTIONS="-u bind -t /var/lib/named":
vi /etc/default/bind9
OPTIONS="-u bind -t /var/lib/named"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Move the configuration directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink from the old location to the new configuration directory, to avoid problems when BIND is upgraded:
ln -s /var/lib/named/etc/bind /etc/bind
Create the device nodes that do not exist yet and fix the directory permissions:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to modify /etc/default/syslogd so that we still get important log messages in the system log. Change the line SYSLOGD="" to SYSLOGD="-a /var/lib/named/dev/log":
vi /etc/default/syslogd
#
# Top configuration file for syslogd
#
#
# Full documentation of possible arguments are found in the manpage
# syslogd(8).
#
#
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"
Restart the logging daemon:
/etc/init.d/sysklogd restart
Start BIND and check /var/log/syslog for errors:
/etc/init.d/bind9 start
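The chroot steps above are easy to get half right (a directory forgotten, the /etc/bind symlink pointing somewhere else, a config file left writable by everyone). The following script, added here and not part of the tutorial, verifies that layout. The demo builds a throwaway fixture under a temporary directory so it can run without root; in the fixture the device nodes are symlinks to /dev/null, which `test -c` accepts, whereas a real chroot needs the mknod nodes shown above.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Verifies the chrooted BIND layout
# the steps above create. The fixture built by build_fixture is constructed.

# Usage: check_bind_chroot /var/lib/named /etc/bind
# Prints one line per problem and returns 1 if any was found, 0 otherwise.
check_bind_chroot() {
    root="$1"; link="${2:-/etc/bind}"
    rc=0
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"; rc=1
        fi
    done
    # named needs /dev/null and /dev/random inside the chroot
    # (test -c follows symlinks, so it also accepts the unprivileged fixture)
    for dev in null random; do
        if [ ! -c "$root/dev/$dev" ]; then
            echo "missing character device: $root/dev/$dev"; rc=1
        fi
    done
    # /etc/bind must point into the chroot, or a package upgrade edits a
    # config tree that the running daemon never sees
    if [ ! -L "$link" ]; then
        echo "$link is not a symlink"; rc=1
    elif [ "$(readlink "$link")" != "$root/etc/bind" ]; then
        echo "$link points to $(readlink "$link"), expected $root/etc/bind"; rc=1
    fi
    # no config file inside the chroot should be writable by other users
    if [ -d "$root/etc/bind" ]; then
        for f in $(find "$root/etc/bind" -type f -perm -002); do
            echo "world-writable config file: $f"; rc=1
        done
    fi
    return "$rc"
}

# Build a constructed fixture resembling the tutorial's layout under "$1":
# "$1/named" plays /var/lib/named and "$1/etc_bind" plays /etc/bind.
build_fixture() {
    base="$1"
    mkdir -p "$base/named/etc/bind" "$base/named/dev" \
             "$base/named/var/cache/bind" "$base/named/var/run/bind/run"
    ln -sf /dev/null "$base/named/dev/null"
    ln -sf /dev/null "$base/named/dev/random"
    printf 'options { directory "/var/cache/bind"; };\n' \
        > "$base/named/etc/bind/named.conf"
    chmod 644 "$base/named/etc/bind/named.conf"
    ln -sfn "$base/named/etc/bind" "$base/etc_bind"
}

# Demo on the constructed fixture.
fx=${TMPDIR:-/tmp}/bindchroot_demo.$$
build_fixture "$fx"
if check_bind_chroot "$fx/named" "$fx/etc_bind"; then
    echo "chroot layout looks complete"
fi
rm -rf "$fx"
```

On the real server, `check_bind_chroot /var/lib/named /etc/bind` after the chown commands should print nothing and exit 0; anything it prints is something `/etc/init.d/bind9 start` will also complain about in /var/log/syslog.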
14 MySQL database
To install MySQL we run
apt-get install mysql-server mysql-client libmysqlclient15-dev
During the installation you are asked to set a password for the MySQL root user. Afterwards the password for root@localhost and root@server1.example.com is the one you just set, so we do not need to set the MySQL root password again:
New password for the MySQL "root" user: <-- the password you want to set
Repeat password for the MySQL "root" user: <-- enter the same password again
We want MySQL to listen on all interfaces, not only on 127.0.0.1, so we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:
vi /etc/mysql/my.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]
Restart MySQL:
/etc/init.d/mysql restart
Check that the service port is now open on the network. Run
netstat -tap | grep mysql
The output should look like this:
root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      5869/mysqld
root@server1:~#
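Commenting out bind-address exposes MySQL on every interface, so it is worth knowing exactly which services are reachable from the network as opposed to loopback only; those are the ports the firewall mentioned in the introduction has to cover. The script below, an added example rather than part of the tutorial, parses saved `netstat -tap` output and lists listening TCP sockets by the address class they are bound to. The sample output is constructed to mirror this server; the PIDs in it are made up.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Classifies listening TCP sockets in
# saved `netstat -tap` output. The sample below is constructed.

# Usage: listeners netstat-output-file all|loopback
# "all" prints sockets bound to every interface (*, 0.0.0.0 or ::),
# "loopback" prints those bound only to 127.0.0.1 or ::1.
# Output: "<local address> <pid/program>" per socket.
listeners() {
    awk -v want="$2" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        sub(/:[^:]*$/, "", addr)       # strip the trailing :port or :service
        wild = (addr == "*" || addr == "0.0.0.0" || addr == "::")
        loop = (addr == "127.0.0.1" || addr == "::1")
        if ((want == "all" && wild) || (want == "loopback" && loop))
            print $4, $NF
    }' "$1"
}

# Constructed sample in the column layout of `netstat -tap`.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:mysql                 *:*                     LISTEN      5869/mysqld
tcp        0      0 127.0.0.1:domain        *:*                     LISTEN      4870/named
tcp        0      0 *:ssh                   *:*                     LISTEN      4512/sshd
tcp        0      0 127.0.0.1:smtp          *:*                     LISTEN      6021/master
tcp6       0      0 :::ssh                  :::*                    LISTEN      4512/sshd
tcp        0    148 192.168.0.100:ssh       192.168.0.20:51222      ESTABLISHED 6102/0
EOF
}

# Demo on the constructed sample.
f=${TMPDIR:-/tmp}/netstat_demo.$$
sample_netstat > "$f"
echo "reachable on all interfaces:"
listeners "$f" all
echo "loopback only:"
listeners "$f" loopback
rm -f "$f"
```

On the live server, `netstat -tap > /tmp/ns.txt; listeners /tmp/ns.txt all` gives the list to compare against the firewall rules; anything that only needs local clients should appear under `loopback` instead.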
15 Install the Postfix mail server with SMTP-AUTH and TLS
Install Postfix with the SMTP-AUTH and TLS modules as follows:
apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail
Answer the two questions as follows:
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
Run
dpkg-reconfigure postfix
The following questions are asked:
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
Root and postmaster mail recipient: <-- [blank]
Other destinations to accept mail for (blank for none): <-- server1.example.com, localhost.example.com, localhost.localdomain, localhost
Force synchronous updates on mail queue? <-- No
Local networks: <-- 127.0.0.0/8
Use procmail for local delivery? <-- Yes
Mailbox size limit (bytes): <-- 0
Local address extension character: <-- +
Internet protocols to use: <-- all
Then run the following commands:
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
Then we create the TLS certificate:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Now configure TLS (make sure you use your own, correct hostname for myhostname):
postconf -e 'myhostname = server1.example.com'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
Afterwards /etc/postfix/main.cf should look like this:
cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
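The settings that decide whether this server relays mail for strangers are smtpd_recipient_restrictions (it must end in reject_unauth_destination), mynetworks (which clients are trusted without authentication) and smtpd_sasl_security_options (noanonymous). The script below is an added example, not the tutorial's own code: it reads values out of a main.cf the way postconf resolves them (last assignment wins, indented continuation lines are joined) and audits those three settings. It also reports, as information only, that smtpd_tls_auth_only = no means AUTH is advertised before STARTTLS, which is exactly what the EHLO output later in this section shows. The main.cf it runs on is a constructed excerpt of the file above.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Reads Postfix main.cf values and
# audits the relay policy. The main.cf excerpts written below are constructed.

# Usage: mcf_get main.cf parameter  -> prints the effective value (may be empty)
mcf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                               # comment line
        /^[ \t]/   { if (inkey) val = val " " $0; next }  # continuation line
                   { inkey = 0 }
        $0 ~ ("^" key "[ \t]*=") {
            inkey = 1                                     # last assignment wins
            sub("^" key "[ \t]*=[ \t]*", "")
            val = $0
        }
        END {
            gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            print val
        }' "$1"
}

# Usage: audit_relay main.cf
# Prints one line per finding; returns 1 if the server could relay for anyone.
audit_relay() {
    cf="$1"; rc=0
    rr=$(mcf_get "$cf" smtpd_recipient_restrictions | tr -d ' ')
    case ",$rr," in
        *,reject_unauth_destination,*|*,defer_unauth_destination,*) ;;
        *) echo "smtpd_recipient_restrictions has no reject_unauth_destination: open relay"; rc=1 ;;
    esac
    nets=$(mcf_get "$cf" mynetworks | tr ',' ' ')
    case " $nets " in
        *" 0.0.0.0/0 "*) echo "mynetworks covers the whole Internet: open relay"; rc=1 ;;
    esac
    so=$(mcf_get "$cf" smtpd_sasl_security_options | tr -d ' ')
    case ",$so," in
        *,noanonymous,*) ;;
        *) echo "smtpd_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    if [ "$(mcf_get "$cf" smtpd_tls_auth_only)" != "yes" ]; then
        echo "note: smtpd_tls_auth_only is not yes, so AUTH is offered before STARTTLS as well"
    fi
    return "$rc"
}

# Constructed main.cf excerpt written to "$1". "$2" is "good" for the
# tutorial's values or "open" for a deliberately broken relay policy.
write_sample_main_cf() {
    out="$1"; variant="$2"
    {
        echo "# constructed excerpt of /etc/postfix/main.cf"
        echo "myhostname = server1.example.com"
        echo "mydestination = server1.example.com, localhost.example.com,"
        echo "    localhost.localdomain, localhost"
        echo "smtpd_sasl_auth_enable = yes"
        echo "smtpd_sasl_security_options = noanonymous"
        echo "smtpd_tls_auth_only = no"
        if [ "$variant" = "good" ]; then
            echo "mynetworks = 127.0.0.0/8"
            echo "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"
        else
            echo "mynetworks = 127.0.0.0/8, 0.0.0.0/0"
            echo "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks"
        fi
    } > "$out"
}

# Demo on the constructed excerpt.
f=${TMPDIR:-/tmp}/maincf_demo.$$
write_sample_main_cf "$f" good
echo "mynetworks = $(mcf_get "$f" mynetworks)"
if audit_relay "$f"; then
    echo "relay policy OK"
fi
rm -f "$f"
```

On the server itself, `audit_relay /etc/postfix/main.cf` should print only the smtpd_tls_auth_only note for the configuration built in this section and exit 0.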
Authentication is handled by saslauthd. Because Postfix runs chrooted in /var/spool/postfix, we need to make a few changes for this to work:
mkdir -p /var/spool/postfix/var/run/saslauthd
Edit /etc/default/saslauthd to activate saslauthd: set START to yes and change OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":
vi /etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page for general information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
Next add the postfix user to the sasl group; this gives Postfix permission to use saslauthd:
adduser postfix sasl
Restart Postfix and start saslauthd:
/etc/init.d/postfix restart
/etc/init.d/saslauthd start
Now let's see whether SMTP-AUTH and TLS work:
telnet localhost 25
After the greeting, type:
ehlo localhost
If you see the line
250-STARTTLS
and the line
250-AUTH LOGIN PLAIN
then everything is fine.
On my machine it looks like this:
root@server1:/etc/postfix/ssl# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (Ubuntu)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@server1:/etc/postfix/ssl#
Type
quit
to return to the system shell.
16 Install Courier-IMAP/Courier-POP3
Run the following command to install Courier-IMAP/Courier-IMAP-SSL (IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (POP3s on port 995). Plain POP3 and IMAP transmit passwords in clear text; the SSL packages exist to address that security problem:
apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0
Answer the two questions as follows:
Create directories for web-based administration? <-- No
SSL certificate required <-- Ok
17 Install Apache/PHP5/Ruby
Next we install Apache:
apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert
Then we install PHP5 and Ruby (both as Apache modules):
apt-get install libapache2-mod-php5 libapache2-mod-ruby php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Edit /etc/apache2/mods-available/dir.conf:
vi /etc/apache2/mods-available/dir.conf
and change the DirectoryIndex line:
<IfModule mod_dir.c>
          #DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
          DirectoryIndex index.html index.htm index.shtml index.cgi index.php
</IfModule>
Now we can enable some Apache modules (SSL, rewrite, suexec and include):
a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include
Reload the configuration:
/etc/init.d/apache2 force-reload
18 ProFTPD
To install ProFTPD, run
apt-get install proftpd ucf
You are asked this question:
Run proftpd: <-- standalone
To make ProFTPD a bit more secure you can make the following changes (see the user guide at http://proftpd.org/localsite/Userguide/linked/userguide.html for more information):
vi /etc/proftpd/proftpd.conf
[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
[...]
19 Web site statistics
To install Webalizer, simply run
apt-get install webalizer
20 Synchronise the system clock
It is a good idea to synchronise the system clock with a time server on the Internet. Simply run
apt-get install ntp ntpdate
and your system time will stay in sync automatically.