
seeds4c.org server 2014-2 (Ubuntu 14.04)



1.1. Introduction

Virtual server with Ubuntu 14.04 and ISPConfig 3, to replace the older seeds4c.org server (Ubuntu 12.04), which has had some issues with sending emails since May 2014.

1.2. Domain 

http://seeds4c.org
Temporarily: semillaspec.org

user: root
pass: (ask Xavi)

OS: Ubuntu 14.04 server 64-bit (from an initial 64-bit desktop version)
2 GB RAM (approx.), 512 MB swap, 2 CPUs, 50 GB hard drive.

1.2.1. Initial Configuration 

1.2.1.1. Locale Configuration 

You get these messages when installing any package:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "ca_ES.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").


You need to add the locale for your language:

Command to run in a terminal
sudo apt-get install language-pack-ca-base


In Ubuntu 14.04 there seems to be no need to change locales manually; the previous step already changes them automatically.

1.2.1.2. Convert Ubuntu desktop into Ubuntu server 

I followed these steps:
http://www.darrinhodges.com/converting-ubuntu-12-04-lts-desktop-to-server/

The required steps are:

sudo apt-get install tasksel
sudo tasksel remove ubuntu-desktop (Note: this may take a few minutes to complete)
sudo tasksel install server
apt-get install linux-server linux-image-server
apt-get --purge remove lightdm


I got an error message about the processing of linux-server package:

dpkg: problemes de dependències impedeixen la configuració de linux-server:
 linux-server depèn de linux-generic (= 3.13.0.29.35); tot i així:
  El paquet linux-generic encara no està configurat.

dpkg: error processing package linux-server (--configure):
 problemes de dependències - es deixa sense configurar
S'han trobat errors en processar:
 linux-image-3.13.0-29-generic
 linux-image-extra-3.13.0-29-generic
 linux-image-generic
 linux-generic
 linux-image-server
 linux-server


To fix it, run these commands:

sudo chmod -x /usr/share/initramfs-tools/hooks/fixrtc
sudo apt-get -f install
sudo apt-get install linux-server linux-image-server


Providing all that went well, you can edit your /etc/default/grub configuration file to update the following settings:

GRUB_TIMEOUT=5
( Comment out ‘GRUB_HIDDEN_TIMEOUT’ )
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_TERMINAL=console ( only for PC )
sudo update-grub


However, I got this error message:

root@seeds4c:~# update-grub
/usr/sbin/grub-probe: error: no s'ha pogut aconseguir el camí canònic de «/var/lib/vz/private/131».


Then we can reboot the server

sudo reboot now

1.2.2. Installing ISP-Config 3 

ISPConfig 3 manual.
Bought:
Image 130518 Recibo Del Pago PayPal Manual ISPConfig3

20 MB. Version reduced to 150 dpi (4.7 MB):
Image ISPConfig 3 Manual 150dpi

A version is also available online here:

ISPConfig 3 Manual - Compuland - 25/10/2011 (20Mb)
http://www.compuland.com.br/helio/ispconfig_3_manual.pdf


3rd part, from step 9:
http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p3

root@r:~# apt-get install ssh openssh-server


Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.2.251 and the DNS servers 192.168.1.200, 192.168.1.225 and 8.8.8.8 - starting with Ubuntu 12.04, you cannot edit /etc/resolv.conf directly anymore, but have to specify your nameservers in your network configuration - see man resolvconf for more details):

root@seeds4c:~# cat /etc/network/interfaces
# This configuration file is auto-generated.
#
# WARNING: Do not edit this file, your changes will be lost.
# Please create/edit /etc/network/interfaces.head and
# /etc/network/interfaces.tail instead, their contents will be
# inserted at the beginning and at the end of this file, respectively.
#
# NOTE: it is NOT guaranteed that the contents of /etc/network/interfaces.tail
# will be at the very end of this file.
#

# Auto generated lo interface
auto lo
iface lo inet loopback

# Auto generated venet0 interface
auto venet0
iface venet0 inet manual
	up ifconfig venet0 up
	up ifconfig venet0 127.0.0.2
	up route add default dev venet0
	down route del default dev venet0
	down ifconfig venet0 down


iface venet0 inet6 manual
	up route -A inet6 add default dev venet0
	down route -A inet6 del default dev venet0

auto venet0:0
iface venet0:0 inet static
	address 37.247.124.71
	netmask 255.255.255.255

root@seeds4c:~# cat /etc/hosts
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

127.0.0.1 localhost.localdomain localhost
# Auto-generated hostname. Please do not remove this comment.
37.247.124.71 seeds4c.org  seeds4c
::1		localhost ip6-localhost ip6-loopback




Now run

echo seeds4c.org > /etc/hostname 
service hostname restart


Afterwards, run

hostname 
hostname -f


Both should show seeds4c.org now.

apt-get install nano
nano /etc/apt/sources.list


Update the list of sources to this one:

Contents of /etc/apt/sources.list after editing
deb http://archive.ubuntu.com/ubuntu trusty main restricted universe
deb-src http://archive.ubuntu.com/ubuntu trusty main restricted universe
deb http://archive.ubuntu.com/ubuntu trusty-updates main restricted universe
deb-src http://archive.ubuntu.com/ubuntu trusty-updates main restricted universe
deb http://security.ubuntu.com/ubuntu trusty-security main restricted universe multiverse
deb-src http://security.ubuntu.com/ubuntu trusty-security main restricted universe multiverse
#deb http://archive.canonical.com/ubuntu trusty partner


Install launchpad-getkeys to fetch the authentication keys for the repositories. Download just the launchpad-getkeys package (info taken from http://www.ubuntuupdates.org/package/webupd8/trusty/main/base/launchpad-getkeys ) rather than adding the whole webupd8 repository to the server:

run as root
wget http://ppa.launchpad.net/nilarimogard/webupd8/ubuntu/pool/main/l/launchpad-getkeys/launchpad-getkeys_0.3.2-1~webupd8~oneiric_all.deb
dpkg -i launchpad-getkeys_0.3.2-1~webupd8~oneiric_all.deb
rm launchpad-getkeys_0.3.2-1~webupd8~oneiric_all.deb

whole output in the command line
root@seeds4c:~# wget http://ppa.launchpad.net/nilarimogard/webupd8/ubuntu/pool/main/l/launchpad-getkeys/launchpad-getkeys_0.3.2-1~webupd8~oneiric_all.deb
--2014-06-11 03:17:02--  http://ppa.launchpad.net/nilarimogard/webupd8/ubuntu/pool/main/l/launchpad-getkeys/launchpad-getkeys_0.3.2-1~webupd8~oneiric_all.deb
Resolent ppa.launchpad.net (ppa.launchpad.net)... 91.189.95.83
S'està connectant a ppa.launchpad.net (ppa.launchpad.net)|91.189.95.83|:80… conectat.
HTTP: Petició enviada, esperant resposta... 200 OK
Longitud: 2810 (2,7K) [application/x-debian-package]
S'està desant a: «launchpad-getkeys_0.3.2-1~webupd8~oneiric_all.deb»

100%[============================================================================>] 2.810       --.-K/s   en 0s      

2014-06-11 03:17:02 (289 MB/s) - s'ha desat «launchpad-getkeys_0.3.2-1~webupd8~oneiric_all.deb» [2810/2810]

root@seeds4c:~# dpkg -i launchpad-getkeys_0.3.2-1~webupd8~oneiric_all.deb 
S'està seleccionant el paquet launchpad-getkeys prèviament no seleccionat.
(S'està llegint la base de dades… hi ha 26327 fitxers i directoris instaŀlats actualment.)
Preparing to unpack launchpad-getkeys_0.3.2-1~webupd8~oneiric_all.deb ...
Unpacking launchpad-getkeys (0.3.2-1~webupd8~oneiric) ...
S'està configurant launchpad-getkeys (0.3.2-1~webupd8~oneiric)…
root@seeds4c:~# launchpad-getkeys

Please wait... launchpad-getkeys is running an update so 
it can detect the missing GPG keys

Trying to import all the missing keys
gpg: s'ha creat l'anell «/etc/apt/secring.gpg»
gpg: requesting key 437D05B5 from hkp server keyserver.ubuntu.com
gpg: /etc/apt/trustdb.gpg: s'ha creat la base de dades de confiança
gpg: key 437D05B5: public key "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>" imported
gpg: no s'han trobat claus amb confiança absoluta
gpg: Nombre total processat: 1
gpg:               importades: 1
gpg: requesting key 437D05B5 from hkp server keyserver.ubuntu.com
gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>" not changed
gpg: Nombre total processat: 1
gpg:              no modificades: 1
gpg: requesting key 437D05B5 from hkp server keyserver.ubuntu.com
gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>" not changed
gpg: Nombre total processat: 1
gpg:              no modificades: 1

launchpad-getkeys has finished importing all missing GPG keys. 
Try running sudo apt-get update - you shouldn't see any key 
errors anymore




9 Change The Default Shell 


/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash


Use dash as the default system shell (/bin/sh)? <-- No

If you don't do this, the ISPConfig installation will fail.

10 Disable AppArmor 

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

service apparmor stop 
update-rc.d -f apparmor remove 
apt-get remove apparmor apparmor-utils



However it seems that apparmor is not installed by default so far. So nothing to do.

root@seeds4c:~# service apparmor stop 
apparmor: unrecognized service
root@seeds4c:~# update-rc.d -f apparmor remove 
 Removing any system startup links for /etc/init.d/apparmor ...
root@seeds4c:~# apt-get remove apparmor apparmor-utils
S'està llegint la llista de paquets… Fet 
S'està construint l'arbre de dependències       
S'està llegint la informació de l'estat… Fet
Package 'apparmor' is not installed, so not removed
Package 'apparmor-utils' is not installed, so not removed
0 actualitzats, 0 nous a instaŀlar, 0 a suprimir i 0 no actualitzats.

11 Synchronize the System Clock 


It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp ntpdate


and your system time will always be in sync.

Change time zone to match your local time zone 

root@seeds4c:~# date
dc jun 11 03:25:25 EDT 2014
root@seeds4c:~# sudo dpkg-reconfigure tzdata

Current default time zone: 'Europe/Madrid'
Local time is now:      dc jun 11 09:25:53 CEST 2014.
Universal Time is now:  Wed Jun 11 07:25:53 UTC 2014.


root@seeds4c:~# date
ds mai 18 12:25:52 CEST 2013
root@seeds4c:~#

Continue with section 4 

http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p4

For installing postfix we need to stop and remove sendmail

service sendmail stop; update-rc.d -f sendmail remove


Now we can install Postfix, Dovecot, MySQL, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo


You will be asked the following questions:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

[ Rootkit Hunter version 1.4.0 ]
File updated: searched for 169 files, found 136

Next open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/master.cf


Uncomment the submission and smtps sections as follows - add the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject to both sections and leave everything thereafter commented:

[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]


Restart Postfix afterwards:

service postfix restart
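
A check for the master.cf edit above, as an added example that is not part of the original tutorial or of Postfix: a small Python parser that reads master.cf syntax (comment lines, whitespace-led continuation lines) and reports any setting from this step that is missing on the submission or smtps service. The sample text is constructed from the excerpt with one restriction left commented out, and the function names are hypothetical.

```python
import re

# Constructed sample: active lines of the master.cf excerpt above, with the
# smtps client restriction left commented out so the check has a finding.
SAMPLE_MASTER_CF = """\
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Settings this tutorial step puts on each service.
EXPECTED = {
    "submission": {
        "smtpd_tls_security_level": "encrypt",
        "smtpd_sasl_auth_enable": "yes",
        "smtpd_client_restrictions": "permit_sasl_authenticated,reject",
    },
    "smtps": {
        "smtpd_tls_wrappermode": "yes",
        "smtpd_sasl_auth_enable": "yes",
        "smtpd_client_restrictions": "permit_sasl_authenticated,reject",
    },
}

# Matches "-o name=value" overrides (values without embedded spaces).
OPTION = re.compile(r"-o\s+([A-Za-z0-9_]+)=(\S+)")


def logical_lines(text):
    """Join continuation lines; drop blank lines and '#' comment lines."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()   # continues the previous entry
        else:
            out.append(line.strip())        # new service entry
    return out


def parse_services(text):
    """Return {service_name: {option: value}} for every active entry."""
    services = {}
    for line in logical_lines(text):
        name = line.split()[0]
        services[name] = dict(OPTION.findall(line))
    return services


def audit(text):
    """List every expected setting that is absent or has another value."""
    findings = []
    services = parse_services(text)
    for name, expected in EXPECTED.items():
        if name not in services:
            findings.append(f"{name}: service entry is missing or commented out")
            continue
        for option, wanted in expected.items():
            actual = services[name].get(option)
            if actual != wanted:
                findings.append(f"{name}: {option}={actual!r}, expected {wanted!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MASTER_CF):
        print(finding)
```

To check the real file, pass the contents of /etc/postfix/master.cf to audit() instead of the sample.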


We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

nano /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]


Then we restart MySQL:

service mysql restart


Now check that networking is enabled. Run

netstat -tap | grep mysql


The output should look like this:

root@seeds4c:/etc/init.d# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      21298/mysqld
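
With bind-address commented out, mysqld is reachable on every interface of the server. The following added example (not from the original tutorial) parses numeric `netstat -tlnp` output and lists the listeners that are reachable from the network but are not on a list of ports meant to be public. The sample output, its addresses and the port list are constructed assumptions.

```python
import ipaddress

# Constructed sample of `netstat -tlnp` output (numeric addresses, listening
# TCP sockets, owning process). Addresses are documentation/test values.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      21298/mysqld
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      1822/amavisd-new
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2011/master
tcp        0      0 192.0.2.10:53           0.0.0.0:*               LISTEN      1701/named
tcp6       0      0 :::80                   :::*                    LISTEN      1544/apache2
tcp6       0      0 ::1:953                 :::*                    LISTEN      1701/named
"""

# Assumption for this example: ports that are meant to be public on a
# web/mail/FTP/DNS host like the one built in this tutorial.
INTENDED_PUBLIC_PORTS = {21, 25, 53, 80, 443, 465, 587}


def parse_listeners(text):
    """Yield (program, address, port) for every LISTEN line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue  # header lines and non-listening sockets
        # Split on the last colon so IPv6 addresses such as "::" survive.
        addr, _, port = fields[3].rpartition(":")
        program = fields[6].split("/", 1)[-1]
        yield program, ipaddress.ip_address(addr), int(port)


def reachable_from_network(text):
    """Listeners bound to a wildcard or other non-loopback address."""
    return sorted(
        (port, program, str(addr))
        for program, addr, port in parse_listeners(text)
        if not addr.is_loopback
    )


def needs_review(text, intended_public_ports=INTENDED_PUBLIC_PORTS):
    """Network-reachable listeners whose port is not meant to be public."""
    return [
        entry for entry in reachable_from_network(text)
        if entry[0] not in intended_public_ports
    ]


if __name__ == "__main__":
    for port, program, addr in needs_review(SAMPLE_NETSTAT):
        print(f"{program} listens on {addr}:{port}; check the firewall rule for it")
```

The `-n` flag matters here: without it netstat prints `*:mysql`, which this parser does not handle.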


13 Install Amavisd-new, SpamAssassin, And Clamav 

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl


The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop
update-rc.d -f spamassassin remove


14 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt 

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp


The PHP5 mcrypt module has to be enabled manually:

php5enmod mcrypt


You will see the following question:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest


Next open /etc/apache2/mods-available/suphp.conf...

nano /etc/apache2/mods-available/suphp.conf


... and comment out the <FilesMatch "\.ph(p3?|tml)$"> section and add the line AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml - otherwise all PHP files will be run by SuPHP:

<IfModule mod_suphp.c>
    #<FilesMatch "\.ph(p3?|tml)$">
    #    SetHandler application/x-httpd-suphp
    #</FilesMatch>
        AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
        suPHP_AddHandler application/x-httpd-suphp

    <Directory />
        suPHP_Engine on
    </Directory>

    # By default, disable suPHP for debian packaged web applications as files
    # are owned by root and cannot be executed by suPHP because of min_uid.
    <Directory /usr/share>
        suPHP_Engine off
    </Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
#       suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
#       suPHP_RemoveHandler <mime-type>
</IfModule>


Restart Apache afterwards:

service apache2 restart


If you want to host Ruby files with the extension .rb on your web sites created through ISPConfig, you must comment out the line application/x-ruby rb in /etc/mime.types:

nano /etc/mime.types

[...]
#application/x-ruby                             rb
[...]


(This is needed only for .rb files; Ruby files with the extension .rbx work out of the box.)

Restart Apache afterwards:

service apache2 restart


14.1 Xcache 

Xcache is a free and open PHP opcode cacher for caching and optimizing PHP intermediate code. It's similar to other PHP opcode cachers, such as eAccelerator and APC. It is strongly recommended to have one of these installed to speed up your PHP page.

Xcache can be installed as follows:

apt-get install php5-xcache


Now restart Apache:

service apache2 restart

14.2 PHP-FPM 

Starting with the upcoming ISPConfig 3.0.5, there will be an additional PHP mode that you can select for usage with Apache: PHP-FPM. If you plan to use this PHP mode, it makes sense to configure your system for it now so that later on when you upgrade to ISPConfig 3.0.5, your system is prepared (the latest ISPConfig version at the time of this writing is ISPConfig 3.0.4.4).

To use PHP-FPM with Apache, we need the mod_fastcgi Apache module (please don't mix this up with mod_fcgid - they are very similar, but you cannot use PHP-FPM with mod_fcgid). We can install PHP-FPM and mod_fastcgi as follows:

apt-get install libapache2-mod-fastcgi php5-fpm


But it seems that it's not available for me:

root@seeds4c:/home# apt-get install libapache2-mod-fastcgi php5-fpm
S'està llegint la llista de paquets… Fet 0%
S'està construint l'arbre de dependències       
S'està llegint la informació de l'estat… Fet%
El paquet libapache2-mod-fastcgi no té versió disponible, però un altre paquet
en fa referència. Això normalment vol dir que el paquet falta,
s'ha tornat obsolet o només és disponible des d'una altra font.

E: El paquet «libapache2-mod-fastcgi» no té candidat d'instaŀlació
root@seeds4c:/home#


If you have it, then make sure you enable the module and restart Apache:

a2enmod actions fastcgi alias
/etc/init.d/apache2 restart

15 Install Mailman Skipped 


Continue with section 5 

http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p5
PureFTPd and quota can be installed, but I skip quota this time (2014, to avoid issues with the dimensis monitoring and backup software). Then I use the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql

(quota quotatool skipped)

Edit the file /etc/default/pure-ftpd-common...

nano /etc/default/pure-ftpd-common


... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:

Contents of /etc/default/pure-ftpd-common
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]


Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS


In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/


Afterwards, we can generate the SSL certificate as follows:

root@r:~# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Generating a 2048 bit RSA private key
.+++
..............+++
writing new private key to '/etc/ssl/private/pure-ftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Catalonia
Locality Name (eg, city) []:Barcelona
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Seeds for change (Seeds4c)        
Organizational Unit Name (eg, section) []:Seed Bank
Common Name (e.g. server FQDN or YOUR name) []:seeds4c.org
Email Address []:xavier.depedro@vhir.org
root@r:~#


Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem


Then restart PureFTPd:

service pure-ftpd-mysql restart


I skip the following part of editing fstab since I will not be using quota, to avoid issues in the dimensis backup system.

Edit /etc/fstab. The one from the guy from the tutorial looked like this (He added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):

nano /etc/fstab

contents of the file of the guy that wrote the tutorial, but not in r.dimensis.com
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/server1-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
# /boot was on /dev/sda1 during installation
UUID=4b58d345-1c55-4ac5-940e-7245938656a6 /boot           ext2    defaults        0       2
/dev/mapper/server1-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0


On seeds4c.org, however, our fstab looks like this:

proc  /proc       proc    defaults    0    0
none  /dev/pts    devpts  rw,gid=5,mode=620    0    0
none  /run/shm    tmpfs   defaults    0    0


So there is no root partition...

To enable quota, if I had changed the root partition line in fstab, I would have run these commands:

mount -o remount /
quotacheck -avugm
quotaon -avug


So I skip this part on seeds4c.org.

17 Install BIND DNS Server 

BIND can be installed as follows:

apt-get install bind9 dnsutils


18 Install Vlogger, Webalizer, And AWstats 

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl


Open /etc/cron.d/awstats afterwards...

nano /etc/cron.d/awstats


... and comment out everything in that file:

#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh


19 Install Jailkit 

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
tar xvfz jailkit-2.17.tar.gz
cd jailkit-2.17
./debian/rules binary


You can now install the Jailkit .deb package as follows:

cd ..
dpkg -i jailkit_2.17-1_*.deb 
rm -rf jailkit-2.17*



20 Install fail2ban 

This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban


To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local:

nano /etc/fail2ban/jail.local

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled  = true
port     = smtp
filter   = postfix-sasl
logpath  = /var/log/mail.log
maxretry = 3


Then create the following two filter files:

nano /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =


Add the missing ignoreregex line in the postfix-sasl file:

echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf


Restart fail2ban afterwards:

service fail2ban restart
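
The pureftpd and dovecot-pop3imap filters above can be tried on log lines before relying on them. This is an added example, not part of the original tutorial or of fail2ban: it runs the two failregex patterns over constructed log lines and reports which hosts reach each jail's maxretry. The `<HOST>` replacement is a simplified IPv4-only stand-in, the time window (findtime) is ignored, and both logs are read as one text.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag: a dotted IPv4 address only.
# (Assumption for this example; fail2ban's own expansion is broader.)
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex and maxretry copied from the jail.local and filter files above.
JAILS = {
    "pureftpd": {
        "failregex": r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] "
                     r"Authentication failed for user.*",
        "maxretry": 3,
    },
    "dovecot-pop3imap": {
        "failregex": (
            r"(?: pop3-login|imap-login): .*(?:Authentication failure"
            r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
            r"|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts)"
            r".*rip=(?P<host>\S*),.*"
        ),
        "maxretry": 5,
    },
}

# Constructed log lines (syslog and mail.log mixed); all addresses are
# documentation ranges, all user names are made up.
SAMPLE_LOG = """\
Jun 11 10:02:11 seeds4c pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [webmaster]
Jun 11 10:02:14 seeds4c pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Jun 11 10:02:19 seeds4c pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Jun 11 10:03:40 seeds4c pure-ftpd: (?@203.0.113.99) [WARNING] Authentication failed for user [xavi]
Jun 11 10:03:52 seeds4c pure-ftpd: (xavi@203.0.113.99) [NOTICE] Logout.
Jun 11 10:05:42 seeds4c dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<info@example.org>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
Jun 11 10:06:01 seeds4c dovecot: imap-login: Login: user=<info@example.org>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, mpid=2201
Jun 11 10:06:30 seeds4c dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
"""


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def count_failures(log_text):
    """Return {jail: Counter({host: number_of_matching_lines})}."""
    compiled = {name: compile_failregex(j["failregex"]) for name, j in JAILS.items()}
    counts = {name: Counter() for name in JAILS}
    for line in log_text.splitlines():
        for name, regex in compiled.items():
            match = regex.search(line)
            if match:
                counts[name][match.group("host")] += 1
    return counts


def hosts_over_maxretry(log_text):
    """Hosts whose failure count reaches the jail's maxretry."""
    counts = count_failures(log_text)
    return {
        name: sorted(h for h, n in counts[name].items() if n >= JAILS[name]["maxretry"])
        for name in JAILS
    }


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(hosts_over_maxretry(SAMPLE_LOG))
```

On the server itself, `fail2ban-regex <logfile> <filter file>` runs the installed filter against the real log.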

Continue with section 6 

http://www.howtoforge.com/perfect-server-ubuntu-14.04-apache2-php-mysql-pureftpd-bind-dovecot-ispconfig-3-p6

21 Webmail with Squirrelmail 

22. Optional: Script to cross-check the installations. 

I have included a script here that verifies whether you have made any typos. It checks that all the installations required by the tutorial have been completed. The script is as follows:

#!/bin/bash
###################################################################################################################################################
###################################################################################################################################################
#### #####
#### This script is created by Srijan Kishore to cross-check the complete installation of tutorial #####
#### #####
###################################################################################################################################################
###################################################################################################################################################

cd /tmp

###################################################################################################################################################
#### Installations done in Tutorial #####
###################################################################################################################################################

echo "amavisd-new
apache2
apache2-doc
apache2-suexec
apache2-utils
apt-listchanges
arj
autoconf
automake1.9
awstats
bind9
binutils
bison
build-essential
bzip2
cabextract
clamav
clamav-daemon
clamav-docs
daemon
debhelper
dnsutils
dovecot-imapd
dovecot-mysql
dovecot-pop3d
dovecot-sieve
fail2ban
flex
geoip-database
getmail4
imagemagick
jailkit
libapache2-mod-fastcgi
libapache2-mod-fcgid
libapache2-mod-php5
libapache2-mod-python
libapache2-mod-suphp
libauthen-sasl-perl
libclass-dbi-mysql-perl
libio-socket-ssl-perl
libio-string-perl
libnet-dns-perl
libnet-ident-perl
libnet-ldap-perl
libruby
libtool
lzop
mailman
mcrypt
memcached
mysql-client
mysql-server
nomarch
ntp
ntpdate
openssl
php5
php5-cgi
php5-cli
php5-common
php5-curl
php5-fpm
php5-gd
php5-imagick
php5-imap
php5-intl
php5-mcrypt
php5-memcache
php5-memcached
php5-ming
php5-mysql
php5-ps
php5-pspell
php5-recode
php5-snmp
php5-sqlite
php5-tidy
php5-xcache
php5-xmlrpc
php5-xsl
php-auth
phpmyadmin
php-pear
postfix
postfix-doc
postfix-mysql
rkhunter
spamassassin
squirrelmail
sudo
unzip
vlogger
webalizer
zip
zoo" > tutorial_install


##################################################################################################################################################
#### List of all packages installed by you on your server #####
##################################################################################################################################################

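# Installed packages only ("ii" at the start of the line), name column,
# with any architecture suffix such as ":amd64" removed
dpkg -l | grep '^ii' | awk '{print $2}' | cut -d: -f1 > server_installed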

##################################################################################################################################################
#### Difference between the tutorial & your server's installation #####
##################################################################################################################################################

# Lines of tutorial_install that have no exact match in server_installed
grep -Fxv -f server_installed tutorial_install > missing_packages

# -s is true only when missing_packages exists and is not empty
if [ -s missing_packages ]
then
echo "You missed to install these packages 
$(cat missing_packages) "

echo "You need to install these packages. To install these packages you need to run the command apt-get install package_name"

echo " You can cross check the particular installation as follows:
dpkg -l | grep package_name | cut -d ' ' -f3

If it is showing the package_name then you can ignore the package."

else

echo "Congratulations you have installed all the packages successfully"

fi

rm -rf missing_packages server_installed tutorial_install


chmod +x ubuntu_package_check.sh

./ubuntu_package_check.sh

23. Install ISPConfig 3 

To install ISPConfig 3 from the latest released version, do this:

cd /tmp 
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz 
tar xfz ISPConfig-3-stable.tar.gz 
cd ispconfig3_install/install/

The next step is to run

php -q install.php


This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you. A manual setup as required for ISPConfig 2 (perfect setup guides) is not necessary.

Submitted by falko on Thu, 2014-04-24 18:03.


21 Install SquirrelMail
 
To install the SquirrelMail webmail client, run

apt-get install squirrelmail

Then configure SquirrelMail:

squirrelmail-configure

We must tell SquirrelMail that we are using Dovecot-IMAP/-POP3:

SquirrelMail Configuration : Read: config.php (1.4.0) 
--------------------------------------------------------- 
Main Menu -- 
1.  Organization Preferences 
2.  Server Settings 
3.  Folder Defaults 
4.  General Options 
5.  Themes 
6.  Address Books 
7.  Message of the Day (MOTD) 
8.  Plugins 
9.  Database 
10. Languages 

D.  Set pre-defined settings for specific IMAP servers 

C   Turn color on 
S   Save data 
Q   Quit 

Command >> <-- D 


SquirrelMail Configuration : Read: config.php 
--------------------------------------------------------- 
While we have been building SquirrelMail, we have discovered some 
preferences that work better with some servers that don't work so 
well with others.  If you select your IMAP server, this option will 
set some pre-defined settings for that server. 

Please note that you will still need to go through and make sure 
everything is correct.  This does not change everything.  There are 
only a few settings that this will change. 

Please select your IMAP server: 
    bincimap    = Binc IMAP server 
    courier     = Courier IMAP server 
    cyrus       = Cyrus IMAP server 
    dovecot     = Dovecot Secure IMAP server 
    exchange    = Microsoft Exchange IMAP server 
    hmailserver = hMailServer 
    macosx      = Mac OS X Mailserver 
    mercury32   = Mercury/32 
    uw          = University of Washington's IMAP server 
    gmail       = IMAP access to Google mail (Gmail) accounts 

    quit        = Do not change anything 
Command >> <-- dovecot 


SquirrelMail Configuration : Read: config.php 
--------------------------------------------------------- 
While we have been building SquirrelMail, we have discovered some 
preferences that work better with some servers that don't work so 
well with others.  If you select your IMAP server, this option will 
set some pre-defined settings for that server. 

Please note that you will still need to go through and make sure 
everything is correct.  This does not change everything.  There are 
only a few settings that this will change. 

Please select your IMAP server: 
    bincimap    = Binc IMAP server 
    courier     = Courier IMAP server 
    cyrus       = Cyrus IMAP server 
    dovecot     = Dovecot Secure IMAP server 
    exchange    = Microsoft Exchange IMAP server 
    hmailserver = hMailServer 
    macosx      = Mac OS X Mailserver 
    mercury32   = Mercury/32 
    uw          = University of Washington's IMAP server 
    gmail       = IMAP access to Google mail (Gmail) accounts 

    quit        = Do not change anything 
Command >> dovecot 

              imap_server_type = dovecot 
         default_folder_prefix = <none> 
                  trash_folder = Trash 
                   sent_folder = Sent 
                  draft_folder = Drafts 
            show_prefix_option = false 
          default_sub_of_inbox = false 
show_contain_subfolders_option = false 
            optional_delimiter = detect 
                 delete_folder = false 

Press any key to continue... <-- press a key 


SquirrelMail Configuration : Read: config.php (1.4.0) 
--------------------------------------------------------- 
Main Menu -- 
1.  Organization Preferences 
2.  Server Settings 
3.  Folder Defaults 
4.  General Options 
5.  Themes 
6.  Address Books 
7.  Message of the Day (MOTD) 
8.  Plugins 
9.  Database 
10. Languages 

D.  Set pre-defined settings for specific IMAP servers 

C   Turn color on 
S   Save data 
Q   Quit 

Command >> <-- S 


SquirrelMail Configuration : Read: config.php (1.4.0) 
--------------------------------------------------------- 
Main Menu -- 
1.  Organization Preferences 
2.  Server Settings 
3.  Folder Defaults 
4.  General Options 
5.  Themes 
6.  Address Books 
7.  Message of the Day (MOTD) 
8.  Plugins 
9.  Database 
10. Languages 

D.  Set pre-defined settings for specific IMAP servers 

C   Turn color on 
S   Save data 
Q   Quit 

Command >> <-- Q

Now we will configure SquirrelMail so that you can use it from within your web sites (created through ISPConfig) by using the /squirrelmail or /webmail aliases. So if your website is www.example.com, you will be able to access SquirrelMail using www.example.com/squirrelmail or www.example.com/webmail.

SquirrelMail's Apache configuration is in the file /etc/squirrelmail/apache.conf, but this file isn't loaded by Apache because it is not in the /etc/apache2/conf-available/ directory. Therefore we create a symlink called squirrelmail.conf in the /etc/apache2/conf-available/ directory that points to /etc/squirrelmail/apache.conf and reload Apache afterwards:

cd /etc/apache2/conf-available/ 
ln -s ../../squirrelmail/apache.conf squirrelmail.conf 
service apache2 reload

Now open /etc/apache2/conf-available/squirrelmail.conf...

 vi /etc/apache2/conf-available/squirrelmail.conf

... and add the following lines to the <Directory /usr/share/squirrelmail></Directory> container that make sure that mod_php is used for accessing SquirrelMail, regardless of what PHP mode you select for your website in ISPConfig:

[...]
<Directory /usr/share/squirrelmail>
  Options FollowSymLinks
  <IfModule mod_php5.c>
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
    php_admin_flag allow_url_fopen Off
    php_value include_path .
    php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
    php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
    php_flag register_globals off
  </IfModule>
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>

  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>
[...]

Create the directory /var/lib/squirrelmail/tmp...

mkdir /var/lib/squirrelmail/tmp

... and make it owned by the user www-data:

chown www-data /var/lib/squirrelmail/tmp

Next, enable the SquirrelMail configuration in Apache:

a2enconf squirrelmail



Reload Apache again:

service apache2 reload

That's it already - /etc/apache2/conf-available/squirrelmail.conf defines an alias called /squirrelmail that points to SquirrelMail's installation directory /usr/share/squirrelmail.

You can now access SquirrelMail from your web site as follows:

http://192.168.2.251/squirrelmail 
http://www.example.com/squirrelmail

You can also access it from the ISPConfig control panel vhost (after you have installed ISPConfig, see the next chapter) as follows (this doesn't need any configuration in ISPConfig):

http://server1.example.com:8080/squirrelmail

If you'd like to use the alias /webmail instead of /squirrelmail, simply open /etc/apache2/conf-available/squirrelmail.conf...

vi /etc/apache2/conf-available/squirrelmail.conf

... and add the line Alias /webmail /usr/share/squirrelmail:

Alias /squirrelmail /usr/share/squirrelmail
Alias /webmail /usr/share/squirrelmail
[...]

Then reload Apache:

service apache2 reload

Now you can access Squirrelmail as follows:

http://192.168.2.251/webmail
http://www.example.com/webmail 
http://server1.example.com:8080/webmail (after you have installed ISPConfig, see the next chapter)





If you'd like to define a vhost like webmail.example.com where your users can access SquirrelMail, you'd have to add the following vhost configuration to /etc/apache2/conf-available/squirrelmail.conf:

vi /etc/apache2/conf-available/squirrelmail.conf

[...]
<VirtualHost 1.2.3.4:80>
  DocumentRoot /usr/share/squirrelmail
  ServerName webmail.example.com
</VirtualHost>

Make sure you replace 1.2.3.4 with the correct IP address of your server. Of course, there must be a DNS record for webmail.example.com that points to the IP address that you use in the vhost configuration. Also make sure that the vhost webmail.example.com does not exist in ISPConfig (otherwise both vhosts will interfere with each other!).

Now reload Apache...

service apache2 reload

... and you can access SquirrelMail under http://webmail.example.com!

22. Optional: Script to cross-check the installations.
I have included a script here that verifies whether you have made any typos. It checks that all the packages installed in this tutorial are present on your server. The script is as follows:

#!/bin/bash
###################################################################################################################################################
###################################################################################################################################################
#### #####
#### This script is created by Srijan Kishore to cross-check the complete installation of tutorial #####
#### #####
###################################################################################################################################################
###################################################################################################################################################

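# Work in a private temporary directory instead of /tmp itself, so that the
# fixed file names used below cannot collide with files created by other local users
cd "$(mktemp -d)" || exit 1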

###################################################################################################################################################
#### Installations done in Tutorial #####
###################################################################################################################################################

echo "amavisd-new
apache2
apache2-doc
apache2-suexec
apache2-utils
apt-listchanges
arj
autoconf
automake1.9
awstats
bind9
binutils
bison
build-essential
bzip2
cabextract
clamav
clamav-daemon
clamav-docs
daemon
debhelper
dnsutils
dovecot-imapd
dovecot-mysql
dovecot-pop3d
dovecot-sieve
fail2ban
flex
geoip-database
getmail4
imagemagick
jailkit
libapache2-mod-fastcgi
libapache2-mod-fcgid
libapache2-mod-php5
libapache2-mod-python
libapache2-mod-suphp
libauthen-sasl-perl
libclass-dbi-mysql-perl
libio-socket-ssl-perl
libio-string-perl
libnet-dns-perl
libnet-ident-perl
libnet-ldap-perl
libruby
libtool
lzop
mailman
mcrypt
memcached
mysql-client
mysql-server
nomarch
ntp
ntpdate
openssl
php5
php5-cgi
php5-cli
php5-common
php5-curl
php5-fpm
php5-gd
php5-imagick
php5-imap
php5-intl
php5-mcrypt
php5-memcache
php5-memcached
php5-ming
php5-mysql
php5-ps
php5-pspell
php5-recode
php5-snmp
php5-sqlite
php5-tidy
php5-xcache
php5-xmlrpc
php5-xsl
php-auth
phpmyadmin
php-pear
postfix
postfix-doc
postfix-mysql
rkhunter
spamassassin
squirrelmail
sudo
unzip
vlogger
webalizer
zip
zoo" > tutorial_install


##################################################################################################################################################
#### List of all packages installed by you on your server #####
##################################################################################################################################################

# Compare in the C locale so that sort and comm agree on the ordering
export LC_ALL=C

# Names of all fully installed packages (state "ii"), without the ":arch" suffix
dpkg -l | awk '/^ii/ { sub(/:.*/, "", $2); print $2 }' | sort -u > server_installed

##################################################################################################################################################
#### Difference between the tutorial & your server's installation #####
##################################################################################################################################################

# Packages listed in the tutorial that are not installed on this server
sort -u tutorial_install | comm -13 server_installed - > missing_packages

# -s is true only if the file exists and is not empty
if [ -s missing_packages ]
then

echo "These packages from the tutorial are not installed:
`cat missing_packages`"

echo "You need to install these packages. To install these packages you need to run the command apt-get install package_name"

echo " You can cross check the particular installation as follows:
dpkg -l | grep package_name | cut -d ' ' -f3

If it is showing the package_name then you can ignore the package."

else

echo "Congratulations you have installed all the packages successfully"

fi

rm -f missing_packages server_installed tutorial_install

Save the script as ubuntu_package_check.sh, make it executable and run it:

chmod +x ubuntu_package_check.sh

./ubuntu_package_check.sh



23. Install ISPConfig 3
To install ISPConfig 3 from the latest released version, do this:

cd /tmp 
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz 
tar xfz ISPConfig-3-stable.tar.gz 
cd ispconfig3_install/install/

The next step is to run

php -q install.php

This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you. A manual setup as required for ISPConfig 2 (perfect setup guides) is not necessary.

root@server1:/tmp/ispconfig3_install/install# php -q install.php 


-------------------------------------------------------------------------------- 
 _____ ___________   _____              __ _         ____ 
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \ 
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ / 
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ | 
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \ 
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/ 
                                              __/ | 
                                             |___/ 
-------------------------------------------------------------------------------- 


>> Initial configuration 

Operating System: 14.04 UNKNOWN 

    Following will be a few questions for primary configuration so be careful. 
    Default values are in [brackets] and can be accepted with <ENTER>. 
    Tap in "quit" (without the quotes) to stop the installer. 


Select language (en,de) [en]: <-- ENTER 

Installation mode (standard,expert) [standard]: <-- ENTER 

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server1.example.com]: <-- ENTER 

MySQL server hostname [localhost]: <-- ENTER 

MySQL root username [root]: <-- ENTER 

MySQL root password []: <-- yourrootsqlpassword 

MySQL database to create [dbispconfig]: <-- ENTER 

MySQL charset [utf8]: <-- ENTER 

Generating a 4096 bit RSA private key 
............................................................................++ 
.....................++ 
writing new private key to 'smtpd.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]: <-- ENTER 
State or Province Name (full name) [Some-State]: <-- ENTER 
Locality Name (eg, city) []: <-- ENTER 
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER 
Organizational Unit Name (eg, section) []: <-- ENTER 
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER 
Email Address []: <-- ENTER 
Configuring Jailkit 
Configuring Dovecot 
Configuring Spamassassin 
Configuring Amavisd 
Configuring Getmail 
Configuring Pureftpd 
Configuring BIND 
Configuring Apache 
Configuring Vlogger 
Configuring Apps vhost 
Configuring Bastille Firewall 
Configuring Fail2ban 
Installing ISPConfig 
ISPConfig Port [8080]: <-- ENTER 

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- ENTER 

Generating RSA private key, 4096 bit long modulus 
..........++ 
......++ 
e is 65537 (0x10001) 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]: <-- ENTER 
State or Province Name (full name) [Some-State]: <-- ENTER 
Locality Name (eg, city) []: <-- ENTER 
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER 
Organizational Unit Name (eg, section) []: <-- ENTER 
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER 
Email Address []: <-- ENTER 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: <-- ENTER 
An optional company name []: <-- ENTER 
writing RSA key 
Configuring DBServer 
Installing ISPConfig crontab 
no crontab for root 
no crontab for getmail 
Restarting services ... 
Rather than invoking init scripts through /etc/init.d, use the service(8) 
utility, e.g. service mysql restart 

Since the script you are attempting to invoke has been converted to an 
Upstart job, you may also use the stop(8) and then start(8) utilities, 
e.g. stop mysql ; start mysql. The restart(8) utility is also available. 
mysql stop/waiting 
mysql start/running, process 2817 
 * Stopping Postfix Mail Transport Agent postfix 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
   ...done. 
 * Starting Postfix Mail Transport Agent postfix 
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
/usr/sbin/postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps 
   ...done. 
Stopping amavisd: amavisd-new. 
Starting amavisd: amavisd-new. 
 * Stopping ClamAV daemon clamd 
   ...done. 
 * Starting ClamAV daemon clamd 
   ...done. 
Rather than invoking init scripts through /etc/init.d, use the service(8) 
utility, e.g. service dovecot restart 

Since the script you are attempting to invoke has been converted to an 
Upstart job, you may also use the stop(8) and then start(8) utilities, 
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available. 
dovecot stop/waiting 
dovecot start/running, process 3962 
 * Restarting web server apache2 
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:443 has no VirtualHosts 
[Fri Apr 26 00:55:00 2013] [warn] NameVirtualHost *:80 has no VirtualHosts 
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:443 has no VirtualHosts 
[Fri Apr 26 00:55:01 2013] [warn] NameVirtualHost *:80 has no VirtualHosts 
 ... waiting    ...done. 
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -b -u 1000 -D -H -Y 1 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B 
Installation completed. 
root@server1:/tmp/ispconfig3_install/install#




The installer automatically configures all underlying services, so no manual configuration is needed.

You now also have the possibility to let the installer create an SSL vhost for the ISPConfig control panel, so that ISPConfig can be accessed using https:// instead of http://. To achieve this, just press ENTER when you see this question: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:

Afterwards you can access ISPConfig 3 under http(s)://server1.example.com:8080/ or http(s)://192.168.2.251:8080/ ( http or https depends on what you chose during installation). Log in with the username admin and the password admin (you should change the default password after your first login):

Once finished, you can access your control panel at:
https://seeds4c.org:8080/

24. Fix Squirrelmail to allow attaching files under ISPConfig 

There was a problem when trying to attach files through squirrelmail and getting this message:

Squirrelmail "Could not move/copy file. File not attached" when trying to attach a file

Solution from
https://www.howtoforge.com/community/threads/squirrelmail-could-not-move-copy-file-file-not-attached-when-trying-to-attach-a-fi.55043/#post-267993

Do as root:

  • 1) create directory in /usr/share/squirrelmail/ for example attach -
    /usr/share/squirrelmail/attach
  • 2) chmod 733 -R /usr/share/squirrelmail/attach
  • 3) run squirrelmail-configure
  • 4) choose 4 (General Options) and press Enter
  • 5) choose 2 (Attachment Directory) and paste /usr/share/squirrelmail/attach



1.3. Manage ISPConfig3 

See details at:
https://doc.tiki.org/ISPConfig

Example of key section of the control panel:



For this:
http://ueb.vhir.org/blogpost9-PluginR-v0-80-released-2-new-trainings-in-July-2013

1.3.1. Add svn to jailkit ssh sessions 

Sure and please, do not hesitate if you have other questions!

What version of Jailkit have you installed? There is a bug in the 2.16 release:

http://lists.gnu.org/archive/html/jailkit-users/2013-04/msg00003.html

From what I understand, normally you should only need to add '/usr/bin/svn' to 'System > Server Config > [Server] > Jailkit > Jailkit chrooted applications'. Because of this bug in the latest release which breaks '-j' usage, you need to manually run the following command for all your sites:

jk_cp /var/www/clients/[client#]/[web#] /usr/bin/svn

i.e.:

jk_cp /var/www/clients/client3/web3 /usr/bin/svn

Then Subversion will be usable at the next SSH logon. Please, also add '/usr/bin/svn' to the 'Jailkit chrooted applications' setting in ISPConfig:

- Go to 'System > Server Config > [Server] > Jailkit > Jailkit chrooted applications';
- Add '/usr/bin/svn' to the list of applications;
- Click on the 'Save' button.

If you add SVN to the default setting, the line should now read '/usr/bin/groups /usr/bin/id /usr/bin/dircolors /bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/svn'.

I hope this helps! Have a great weekend!

-- 
Eric Beaurivage (eric@avantech.net | eric.beaurivage@oriaks.com)

1.3.2. Chrooted user homes 

New sites are associated with clients, and ssh users can be created that are associated with that client and site.
ssh users have their chrooted environments in this absolute path on the server:

/var/www/clients/clientN/webM/


For instance, for the test case of the rol site (http://rol.r.dimensis.com) for Ferran (UEB): client uat is #3 (N in the path above), the ssh user is uatferran, and the website is #8 (M in the path above). Therefore, his website will be here:

/var/www/clients/client3/web8/


And when he logs in through ssh, he will be at this path, as it appears to him:

/home/uatferran/


His website http://rol.r.dimenis.com will initially serve the contents of this file (chrooted, so an apparently absolute path for him):

/web/index.html


In fact, the real paths on the server for his home directory and website are:

/var/www/clients/client3/web8/home/uatferran/
/var/www/clients/client3/web8/web/index.html

1.3.3.1. Re-set admin password 

If you need to re-set the admin password, run this SQL through phpMyAdmin on the ISPConfig database:

UPDATE sys_user SET passwort = md5('YourNewPassword') WHERE username = 'admin';

1.3.3.2. Increase php.ini-like settings for websites 

You can add custom php.ini settings for each website controlled by ISPConfig here:
ISPConfig > Sites > seeds4c.org (click on the Domain name of your chosen site to edit) > Web Domain > Options > Custom php.ini settings:


Example of params added at the Options > Custom php.ini settings box:

max_execution_time=120
max_input_time=120
post_max_size=105M
upload_max_filesize=100M
memory_limit=256M

Other tweaks by hand when needed 

In case it is needed, see these instructions copied from the HowtoForge forums:
(from http://www.howtoforge.com/forums/showthread.php?t=4373&page=2 & page 3)

How to do this:

1) Install a SSH daemon that supports chrooting.
2) Enable chrooting in ISPConfig in the file /home/admispconfig/ispconfig/config.inc.php
3) Every newly created or updated user is chrooted by ISPConfig. ISPConfig runs the script /root/ispconfig/scripts/shell/create_chroot_env.sh automatically to copy the needed binaries and dependencies to the chroot environment.


And:

Got it!

The file ld-linux.so.2 isn't being copied into the chrooted lib/ when new users are created. Without it, bash fails.

I'll investigate why this is and try to fix it. I assume I can add it to the create_chroot_env.sh script...

Edit:

There are actually two libraries that bash requires which are not copied over for some reason. They ARE listed in ldd so I don't know why they don't copy.

As a temporary kludgy hack, I have added the following two lines to /root/ispconfig/scripts/shell/create_chroot_env.sh

Code:
cp /lib/ld-linux.so.2 ./lib/
cp /lib/tls/libdl.so.2 ./lib/tls/

1.3.4. PHP modes (for ISPConfig3 apps such as Tiki) 

PHP-FCGI is the default PHP mode used in ISPConfig3 admin panels. But you can change it to other PHP modes if desired.



The other PHP modes are:

  • FastCGI
  • CGI
  • Mod-PHP
  • SuPHP
  • PHP-FPM


We'll show how to fix some usual errors with some of them.

1.3.4.1. Using PHP mode PHP-FCGI 

1.3.4.1.1. Error 500 in PHP mode PHP-FCGI: Allow uploading bigger files than 1Mb 

If you hit error 500 when attempting to upload files bigger than 1 Mb, and error.log shows something like:

mod_fcgid: HTTP request length 131665 (so far) exceeds MaxRequestLen


then you need to increase this directive in your vhost, to something like 2MB (1Mb by default)

FcgidMaxRequestLen 2000000


More in:
http://www.howtoforge.com/apache2-mod_fcgid-http-request-length-exceeds-maxrequestlen

1.3.4.2. Using PHP mode PHP-FPM 

You might want to use another PHP mode for your website. For instance, PHP-FPM (FastCGI Process Manager), which is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites.

This is the mode I did set for the sustainability site.

According to the ISPConfig3 pdf manual, you need to install these packages:

Commands in a terminal
sudo apt-get install php5-fpm
sudo /etc/init.d/php5-fpm restart
sudo apt-get install fcgiwrap


1.3.4.2.1. Error 500 in PHP mode PHP-FPM: File is not in document root of Vhost 

You may choose another PHP mode for your site. For instance, suPHP, or PHP-FPM. In such case, some features like replacing a file in a file gallery might produce this type of error 500:

root@example:/# tail /var/log/ispconfig/httpd/mysite.example.com/error.log
(...)
SoftException in Application.cpp:221: File "/var/www/c1tiki12farm/tiki-list_file_gallery.php" is not in document root of Vhost "/var/www/clients/client1/web6/web", referer: http://example.com/tiki-list_file_gallery.php


As indicated here, the solution to this is to pop open the suphp config file (/etc/suphp/suphp.conf) and tell it to stop checking that scripts are under the document root like this:

File edited: /etc/suphp/suphp.conf
check_vhost_docroot=false


And restart Apache.

sudo service apache2 restart


You will get then this other error when visiting any url of the tiki site:

root@example:/# tail /var/log/ispconfig/httpd/mysite.example.com/error.log
(...)
SoftException in Application.cpp:350: UID of script "/var/www/clients/client1/web6/web/tiki-list_file_gallery.php" is smaller than min_uid
Premature end of script headers: tiki-list_file_gallery.php


As indicated here, Suphp, by default, won't allow any scripts to run with a user or group ID under 100. Since Tiki has all its files installed owned by the user www-data (UID 33) when it's installed, this poses quite a problem. One solution is to set the min_uid and min_gid values in the suphp config file to 33 which allows the scripts to run as www-data.

File edited: /etc/suphp/suphp.conf
; Minimum UID
;min_uid=100
min_uid=33

; Minimum GID
;min_gid=100
min_gid=33


Restart Apache, and you'll be able to replace files in file galleries again.
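
The two suphp.conf changes above relax checks that suPHP applies by default, so it helps to be able to spot them later. The following shell function is an added example, not part of the original page or of suPHP: it reads the [global] section of a suphp.conf and lists a disabled check_vhost_docroot and any min_uid or min_gid below 100. sample_suphp_conf prints a constructed sample file.

```shell
#!/bin/sh
# Added example, not part of the original page or of suPHP.

# List settings in the [global] section of a suphp.conf that are weaker than
# the defaults described above (check_vhost_docroot enabled, min_uid and
# min_gid of 100). Prints one "key=value" line per weak setting.
# Returns 0 if nothing was found, 1 if at least one weak setting was printed.
#   $1 = path to suphp.conf
#   $2 = lowest acceptable min_uid/min_gid (optional, default 100)
audit_suphp_conf() {
    awk -F= -v floor="${2:-100}" '
        /^[ \t]*;/ { next }                    # comment line
        /^[ \t\r]*$/ { next }                  # blank line
        /^[ \t]*\[/ {                          # section header, e.g. [global]
            section = $0
            gsub(/[ \t\r]/, "", section)
            next
        }
        section != "[global]" { next }         # ignore [handlers] and others
        {
            key = $1
            val = $2
            gsub(/[ \t]/, "", key)
            gsub(/[ \t\r"]/, "", val)
            if (key == "check_vhost_docroot" && tolower(val) == "false") {
                print key "=" val
                weak++
            } else if ((key == "min_uid" || key == "min_gid") &&
                       val ~ /^[0-9]+$/ && val + 0 < floor + 0) {
                print key "=" val
                weak++
            }
        }
        END { exit (weak > 0) }
    ' "$1"
}

# Constructed sample: a suphp.conf edited the way this section describes.
sample_suphp_conf() {
    cat <<'EOF'
[global]
logfile=/var/log/suphp/suphp.log
webserver_user=www-data
check_vhost_docroot=false
; Minimum UID
;min_uid=100
min_uid=33
; Minimum GID
;min_gid=100
min_gid=33

[handlers]
application/x-httpd-suphp="php:/usr/bin/php-cgi"
EOF
}

# Typical call on the server:
#   audit_suphp_conf /etc/suphp/suphp.conf || echo "suPHP checks are relaxed"
```

Section 1.3.7 runs Tiki's setup.sh with the site's own user and group (web2 and client1 there), which gives the scripts an owner other than www-data.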

1.3.5. Basic LAMP & R Installation 

basic programs installed as root
apt-get install mc htop
apt-get install mysql-server mysql-client apache2 php5 php5-tidy php-pear memcached php5-xcache php5-gd php5-xmlrpc php-xml-parser phpmyadmin postfix
apt-get install  imagemagick php5-imagick php5-gd graphviz
apt-get install r-recommended
apt-get install subversion


Update R to 3.0.x (by default, Ubuntu 12.04 comes with 2.14.x, it seems)

sudo apt-get install python-software-properties
sudo add-apt-repository ppa:marutter/rrutter 
sudo apt-get update
sudo apt-get upgrade


Change perms on site-library from R to allow users to install packages there system wide.

sudo chmod 777 /usr/local/lib/R/site-library/
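
The R site-library here (mode 777) and the SquirrelMail attachment directory in section 24 (mode 733) are both left writable by every local account. As an added example, not part of the original page, these shell functions list world-writable entries under a path and give write access to a single group instead. The group names www-data and staff in the comments are assumptions about which accounts need to write.

```shell
#!/bin/sh
# Added example, not part of the original page.

# Print every file or directory under $1 that "other" is allowed to write to.
# Symlinks are skipped because their own mode bits are not meaningful.
world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# Replace world access on one directory with access for a single group.
#   $1 = directory
#   $2 = group (name or numeric gid) whose members need to write there
#   $3 = octal mode to apply; modes that keep the world-write bit are refused
restrict_to_group() {
    dir=$1
    group=$2
    mode=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    case $mode in
        ''|*[!0-7]*) echo "mode must be octal: $mode" >&2; return 1 ;;
    esac
    # The last octal digit holds the permissions for "other"
    last=${mode#"${mode%?}"}
    case $last in
        2|3|6|7) echo "refusing world-writable mode: $mode" >&2; return 1 ;;
    esac
    chgrp "$group" "$dir" && chmod "$mode" "$dir"
}

# Typical calls on the server, run as root (group names are assumptions):
#   world_writable /usr/share/squirrelmail
#   restrict_to_group /usr/share/squirrelmail/attach www-data 730
#   world_writable /usr/local/lib/R
#   restrict_to_group /usr/local/lib/R/site-library staff 2775
```

With mode 2775 the setgid bit makes packages installed later inherit the directory's group, so only members of that group can add or replace libraries.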


Some system Debian packages for R were missing (like Rcurl, etc.). I added all the ones needed for ueb, as indicated there in our knowledge base, and everything worked like a charm after that! :-):

sudo apt-get install r-cran-rgl r-cran-misc3d libx11-dev libxt-dev libcurl4-gnutls-dev libxml2-dev r-cran-xml libgraphviz-dev libcairo2-dev r-cran-cairodevice freeglut3 freeglut3-dev r-cran-rglpk libgtk2.0-dev

1.3.6. Initial /etc backup

Done before touching any configuration or installing any "control panel", etc.
/home/xavi/backups/131210_etc_inicial.tgz

1.3.7. Adding Tiki to Client Websites 

For instance, to copy the svn installation of tiki12 under my home folder over the website of a client (let's say client1 (xavi), web2 (seeds4c.org), i.e. http://seeds4c.org), you can do that with:

xavi@seeds4c:~# sudo su
root@seeds4c:~# mkdir /var/www/tiki12
root@seeds4c:~# cd /var/www/tiki12
#root@seeds4c:/var/www/tiki12# svn export --force . /var/www/clients/client1/web2/web/
#Export complete.
root@seeds4c:/var/www/tiki12# cd /var/www/clients/client1/web2/web/
root@seeds4c:/var/www/clients/client1/web2/web/# rm * -R
root@seeds4c:/var/www/clients/client1/web2/web/# svn checkout https://svn.code.sf.net/p/tikiwiki/code/branches/12.x .
root@seeds4c:/var/www/clients/client1/web2/web/# sh setup.sh
User [www-data]: web2
> Group [www-data]: client1
> Multi []: 
Checking dirs : 
  db ...  ok.
  dump ...  ok.
  img/wiki ...  ok.
  img/wiki_up ...  ok.
  img/trackers ...  ok.
  modules/cache ...  ok.
  temp ...  ok.
  temp/cache ...  ok.
  temp/public ...  ok.
  templates_c ...  ok.
  templates ...  ok.
  styles ...  ok.
  maps ...  ok.
  whelp ...  ok.
  mods ...  Creating directory ok.
  files ...  ok.
  tiki_tests/tests ...  ok.
  temp/unified-index ...  Creating directory ok.
Fix global perms ...
Change user to web8 and group to client3... done.
Fix normal dirs ... done.
Fix special dirs ... done.


The force option is needed since the destination folder already exists.

And the svn export is preferred (if no svn is needed) because of the space savings reducing it down to aprox. 40% of the initial size on disk (453 Mb for the svn-enabled version of tiki09svn, 181 Mb for the non-svn-enabled version).

1.3.8. Fix apache2.4 default settings to run Tiki 


Edit /etc/apache2/sites-enabled/000-default

and change docroot from /var/www to /var/www/tiki or your custom path and AllowOverride from None to All, and ensure that access (needed for the .htaccess overrides) is granted with the Apache 2.4 syntax ("Require all granted") and not with the former Apache 2.2 syntax ("Order allow,deny" and "Allow from all").

The file should end up like this:

root@r:~# cat /etc/apache2/sites-enabled/000-default
<VirtualHost *:80>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/seeds4c.org
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/seeds4c.org/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
     	#Order allow,deny
        #Allow from all
        Require all granted
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>



1.3.9. Set server homepage to tiki12 


Fetch a copy of tiki12svn to /var/www/tiki12svn
Set a symlink between /var/www/tiki12svn and /var/www/tiki
Install Tiki as usual

1.3.10. Fix immutable bit (root cannot delete web folders) 

For some reason I can't understand yet, after some months of activity with ISPConfig3, some web folders become immutable.
This time I know I haven't updated the system's Ubuntu packages for a loooong while (many months), and a few days ago I created new websites (through the ISPConfig web interface). Today I've realized that they were the first webs that came created again with the immutable bit set for the "./web" folder:

root@seeds4c:~# cd /var/www/clients/client1
root@seeds4c:/var/www/clients/client1# lsattr
---------------- ./web7
---------------- ./web28
(...)
----i----------- ./web39
----i----------- ./web40
----i----------- ./web41
(...)
root@seeds4c:/var/www/clients/client1#


How does it affect the multitiki installations in an ISPConfig-powered server?

If you want to remove the web folder inside any of those web dir trees, in order to create a new symlink to the common path to the multitiki farm for that client, you will get a permission denied message when you attempt the removal, even if you are the root user!:

root@seeds4c:/var/www/clients/client1# cd web39
root@seeds4c:/var/www/clients/client1/web39# rmdir web
rmdir: no s’ha pogut eliminar «web»: S’ha denegat el permís


If you look at that folder, there are apparently no issues with the setup: usual permissions, usual attributes (no immutable bit):

root@seeds4c:/var/www/clients/client1/web39# ls -l
total 28
drwxr-xr-x 2 web39 client1 4096 feb  3 20:16 cgi-bin
drwxr-xr-x 2 root  root    4096 feb  8 13:26 log
drwx--x--- 2 web39 client1 4096 feb  3 20:16 private
drwxr-xr-x 2 root  root    4096 feb  3 20:16 ssl
drwxrwx--- 2 web39 client1 4096 feb  3 20:16 tmp
drwx--x--x 2 web39 client1 4096 feb  8 13:29 web
drwx--x--- 2 web39 client1 4096 feb  3 20:16 webdav
root@seeds4c:/var/www/clients/client1/web39# lsattr
---------------- ./tmp
---------------- ./webdav
---------------- ./cgi-bin
---------------- ./web
---------------- ./private
---------------- ./ssl
---------------- ./log
root@seeds4c:/var/www/clients/client1/web39#


But as we saw in an earlier step, the parent web39 folder has the immutable bit set. So we need to temporarily remove that immutable bit. Then we can proceed to create the symlink, and then we can set the immutable bit again:

root@seeds4c:/var/www/clients/client1/web39# cd ..
root@seeds4c:/var/www/clients/client1# chattr -i web39
root@seeds4c:/var/www/clients/client1# rmdir web39/web
root@seeds4c:/var/www/clients/client1# ln -s /var/www/c1tiki12farm /var/www/clients/client1/web39/web
root@seeds4c:/var/www/clients/client1# chattr +i web39


More info about the issue with the immutable bit for the root user in debian-based installs:
http://www.aboutlinux.info/2005/11/make-your-files-immutable-which-even.html
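The unlock, relink, relock sequence above as a reusable shell function, added here as an example (it is not from the original page). The names immutable_paths and relink_web and the CHATTR/LSATTR override variables are hypothetical; the function puts the immutable bit back even when the swap fails, and it uses rmdir so a non-empty docroot is never deleted.

```shell
#!/bin/sh
# Added example, not part of the original page.
# CHATTR and LSATTR are overridable (an assumption of this example) so the
# logic can be dry-run with stand-ins on a filesystem without attributes.
CHATTR="${CHATTR:-chattr}"
LSATTR="${LSATTR:-lsattr}"

# Filter lsattr-style lines ("<flags> <path>") read from stdin and print
# only the paths whose flag field contains "i" (immutable).
# Audit use:  lsattr /var/www/clients/client1 | immutable_paths
immutable_paths() {
    awk '$1 ~ /i/ { sub(/^[^ ]+ +/, ""); print }'
}

# relink_web <site_dir> <target>
# Replace <site_dir>/web with a symlink to <target>. If <site_dir> is
# immutable, the bit is lifted only for the swap and set again afterwards,
# whether or not the swap succeeded.
relink_web() {
    _site="$1"; _target="$2"; _locked=0; _rc=0
    if [ -L "$_site/web" ]; then
        echo "already a symlink: $_site/web" >&2; return 2
    fi
    [ -d "$_site/web" ] || { echo "missing: $_site/web" >&2; return 2; }
    [ -d "$_target" ]   || { echo "missing target: $_target" >&2; return 2; }

    # Remember whether the parent was immutable before touching it.
    if "$LSATTR" -d "$_site" 2>/dev/null | immutable_paths | grep -q .; then
        _locked=1
        "$CHATTR" -i "$_site" || return 1
    fi

    # rmdir refuses a non-empty directory, so site content is never removed here.
    rmdir "$_site/web" && ln -s "$_target" "$_site/web" || _rc=1

    if [ "$_locked" -eq 1 ]; then
        "$CHATTR" +i "$_site" || _rc=1
    fi
    return "$_rc"
}
```

Run as root, the call for the case above would be `relink_web /var/www/clients/client1/web39 /var/www/c1tiki12farm`.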

1.4. Fixing the email sending error 

After everything was installed, I tried sending emails from the command line.

sudo apt-get install mailutils
echo testing | mail -s Bla xavier.depedro@vhir.org



And no email was received: I was getting this error message:

postdrop: warning: unable to look up public/pickup: No such file or directory


After googling a bit, I found that it was due to sendmail not being killed properly after postfix was installed. To solve it, I did:

sudo mkfifo /var/spool/postfix/public/pickup
ps aux | grep sendmail
# Look at the ps number (e.g. NNN) corresponding to sendmail 
sudo kill NNN
sudo /etc/init.d/postfix restart


Test again, and it works:

echo testing | mail -s Bla xavier.depedro@vhir.org


1.5. Tiki installation 

In general I followed these steps (and updated the documentation page there):
https://doc.tiki.org/Ubuntu+Install

I don't use tasksel but apt-get install of packages by hand.

And I download Tiki through subversion (see https://dev.tiki.org/Get+code ), to:
/var/www/tiki12/

I install PluginR and apply the profiles r_test and R_Heatmaps without much trouble. After applying R_Heatmaps, displaying the home page with short URLs seems to fail. I make the usual tweaks to the .htaccess in the Tiki root.

Not Found
The requested URL /tiki9/HeatMaps was not found on this server.


I enable mod_rewrite:

sudo a2enmod rewrite
sudo service apache2 restart


I change the Apache line that allows using .htaccess in subdirectories, in: /etc/apache2/sites-enabled/000-default
The AllowOverride for "/var/www/" has to be changed from AllowOverride None to AllowOverride All, so that it ends up as:

<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>


I change Tiki's /var/www/tiki9/.htaccess so that it allows using the rewrite rules in subdirectories:

RewriteBase /tiki12/

And while I'm at it, I make a few more changes to this .htaccess to improve how Tiki works.

1.5.1. Later upgrade of Tiki 

To upgrade to the latest svn version, go there as root and run these commands, each one after the previous one has finished:

svn up
sh setup.sh
# If no multitiki
php console.php d:u
# If multitiki installation, add the --site=yoursite.com
php console.php d:u --site=seeds4c.org


db: tiki12
u: tikiuser
p: (ask xavi, if needed)
mysql details for the tiki db are usually at

/var/www/tiki12/db/local.php

1.5.2. PluginR 

As usual, check the documentation, profiles, links to videos, screencasts & tutorials, etc, at:


Development blog:


Support forum:

1.6. Website backups (mysql, tikifiles and /etc) 

1.6.1. Backintime Disabled on June 6th 2014 

Backups with Backintime have been disabled due to issues with the symlinks or hardlinks and the backup system for the virtual machine at the hosting level. Disabled on June 6th 2014


Backintime has to be set through the GUI. For each user (including root), those settings are stored in:

~/.config/backintime/config


You need to use a recent version of backintime for these instructions to work (probably something higher than 1.0.x). Ubuntu Lucid (10.04) repos come with backintime v0.9.6, which doesn't use the type of settings indicated below. You can use the backintime repos, which as of January 2013 come with backintime 1.0.20 (as of Feb 2014: backintime 1.0.34):

Command on a console
sudo add-apt-repository ppa:bit-team/stable
sudo apt-get update
sudo apt-get install backintime-common


Config file:

Contents of /root/.config/backintime/config in seeds4c 

profile1.snapshots.automatic_backup_day=1
profile1.snapshots.automatic_backup_mode=20
profile1.snapshots.automatic_backup_time=100
profile1.snapshots.automatic_backup_weekday=7
profile1.snapshots.backup_on_restore.enabled=true
profile1.snapshots.check_for_changes=true
profile1.snapshots.continue_on_errors=true
profile1.snapshots.copy_links=false
profile1.snapshots.copy_unsafe_links=false
profile1.snapshots.cron.ionice=true
profile1.snapshots.cron.nice=true
profile1.snapshots.dont_remove_named_snapshots=true
profile1.snapshots.exclude.1.value=.gvfs
profile1.snapshots.exclude.10.value=/proc
profile1.snapshots.exclude.11.value=/sys
profile1.snapshots.exclude.12.value=/dev
profile1.snapshots.exclude.2.value=.cache*
profile1.snapshots.exclude.3.value=[Cc]ache*
profile1.snapshots.exclude.4.value=.thumbnails*
profile1.snapshots.exclude.5.value=[Tt]rash*
profile1.snapshots.exclude.6.value=*.backup*
profile1.snapshots.exclude.7.value=*~
profile1.snapshots.exclude.8.value=/home/xavi/Ubuntu One
profile1.snapshots.exclude.9.value=.dropbox*
profile1.snapshots.exclude.size=12
profile1.snapshots.include.1.type=0
profile1.snapshots.include.1.value=/var/lib/mysql
profile1.snapshots.include.2.type=0
profile1.snapshots.include.2.value=/var/www
profile1.snapshots.include.3.type=0
profile1.snapshots.include.3.value=/etc
profile1.snapshots.include.4.type=0
profile1.snapshots.include.4.value=/root
profile1.snapshots.include.5.type=0
profile1.snapshots.include.5.value=/usr/local/ispconfig
profile1.snapshots.include.6.type=0
profile1.snapshots.include.6.value=/var/log/ispconfig
profile1.snapshots.include.7.type=0
profile1.snapshots.include.7.value=/var/lib/roundcube
profile1.snapshots.include.size=7
profile1.snapshots.log_level=3
profile1.snapshots.min_free_space.enabled=true
profile1.snapshots.min_free_space.unit=20
profile1.snapshots.min_free_space.value=1
profile1.snapshots.no_on_battery=false
profile1.snapshots.notify.enabled=true
profile1.snapshots.path=/home/xavi/backups
profile1.snapshots.path.auto=false
profile1.snapshots.path.host=seeds4c_org
profile1.snapshots.path.profile=1
profile1.snapshots.path.user=xavi
profile1.snapshots.preserve_acl=false
profile1.snapshots.preserve_xattr=false
profile1.snapshots.remove_old_snapshots.enabled=true
profile1.snapshots.remove_old_snapshots.unit=80
profile1.snapshots.remove_old_snapshots.value=10
profile1.snapshots.smart_remove=true
profile1.snapshots.smart_remove.keep_all=2
profile1.snapshots.smart_remove.keep_one_per_day=4
profile1.snapshots.smart_remove.keep_one_per_month=24
profile1.snapshots.smart_remove.keep_one_per_week=4
profile1.snapshots.use_checksum=false
profile1.snapshots.user_backup.ionice=false
profiles.version=1



You have to tweak at least a few paths:

  • where to store the backups to:
    • profile1.snapshots.path=/home/xavi/backups
  • which single files to include: type=1, value=/yourpath/yourfile
    • profile1.snapshots.include.1.type=1
      profile1.snapshots.include.1.value=/home/xavi/favicon_seeds4c.ico
  • which complete folders to include: type=0, value=/yourpath/yourfolder
    (everything inside will be included recursively; also hidden folders: e.g. .foo)
    • profile1.snapshots.include.2.type=0
      profile1.snapshots.include.2.value=/home/xavi/scripts
  • last, the size of items set in the include settings (files or base folders count as one each)
    • profile1.snapshots.include.size=2



You'll need to create the base folder for snapshots by hand

create base folder for snapshots by hand
xavi@seeds4c:~$ sudo mkdir -p /home/xavi/backups/backintime/seeds4c_org/xavi/1


The first time you can test this manually:

test of backintime run by hand
xavi@seeds4c:~$ sudo /usr/bin/backintime  --backup-job
[sudo] password for xavi: 

Back In Time
Version: 1.0.34

Back In Time comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions; type `backintime --license' for details.

INFO: Lock
INFO: on process begins
INFO: Profile_id: 1
INFO: Call rsync to take the snapshot
INFO: Command "rsync -rtDH --links --no-p --no-g --no-o  --delete --delete-excluded  -v  --chmod=Du+wx  --exclude="/home/xavi/backups" --exclude="/home/xavi/.local/share/backintime" --exclude="/tmp/backintime" --include="/var/lib/mysql/" --include="/var/lib/" --include="/var/" --include="/var/www/" --include="/etc/" --include="/root/" --include="/usr/local/ispconfig/" --include="/usr/local/" --include="/usr/" --include="/var/log/ispconfig/" --include="/var/log/" --include="/var/lib/roundcube/" --exclude=".gvfs" --exclude=".cache*" --exclude="[Cc]ache*" --exclude=".thumbnails*" --exclude="[Tt]rash*" --exclude="*.backup*" --exclude="*~" --exclude="/home/xavi/Ubuntu One" --exclude=".dropbox*" --exclude="/proc" --exclude="/sys" --exclude="/dev" --include="/var/lib/mysql/**" --include="/var/www/**" --include="/etc/**" --include="/root/**" --include="/usr/local/ispconfig/**" --include="/var/log/ispconfig/**" --include="/var/lib/roundcube/**" --exclude="*" / "/home/xavi/backups/backintime/seeds4c_org/xavi/1/new_snapshot/backup/" 2>&1" returns 0
INFO: Save config file
INFO: Command "cp /home/xavi/.config/backintime/config /home/xavi/backups/backintime/seeds4c_org/xavi/1/new_snapshot/backup/.." returns 0
INFO: Save permissions
INFO: Create info file
INFO: Command "chmod -R a-w "/home/xavi/backups/backintime/seeds4c_org/xavi/1/20140220-153630-699"" returns 0
INFO: Remove backups older than: 20040201-000000
INFO: [smart remove] considered: ['20140220-153630-699']
INFO: [smart remove] There is only one snapshots, so keep it
INFO: Keep min free disk space: 1024 Mb
INFO: Keep min 2% free inodes
INFO: Unlock


First backup took 7Gb on disk. Not that bad. :-)

For this to be run periodically, you can add it to a cronjob:

Command on a console
sudo crontab -e


Contents to add:

Content of cronjob related to backintime
0 1 * * * nice -n 19 ionice -c2 -n7 /usr/bin/backintime  --backup-job >/dev/null 2>&1


Restart the cron:

Command on a console
sudo service cron restart

1.6.2. Custom backup script 

Modified after http://www.cyberciti.biz/faq/ubuntu-linux-mysql-nas-ftp-backup-script/

#!/bin/bash
#######################################
### PARAMETERS TO CUSTOMIZE THE SCRIPT
#######################################
### Generic Label for the server ###
MLABEL="seeds4c_org"
### MySQL Server Login Info ###
MUSER="usuarimysql"
MPASS="contrasenyamysql"
MHOST="localhost"
### FTP SERVER Login info ###
FTPU="usuariftp"
FTPP="contrasenyaftp"
FTPS="servidorftp"
FTPF="./backups/intercanvis"
NOWD=$(date +"%Y-%m-%d")
NOWT=$(date +"%H_%M_%S")
## Some paths defined
MYSQL="$(which mysql)"
MYSQLDUMP="$(which mysqldump)"
BAKPATH="/home/xavi" 
BAK="backups"
TIKIFILESABSPATH="/var/www/clients/client1/web3/private/arxius_xavi/"
# Relative paths to backup folders
RBAK1="mysql"
RBAK2="tikifiles"
RBAK3="serverfiles"
EMAILF="backups@seeds4c.org"
EMAILT="xavi@pangea.org"
SMTP=""

#### End of parameters
#######################################


# Base path for backup folders
BBAK=$BAKPATH/$BAK/$NOWD
# Absolute paths to backup folders (base path + relative path)
ABAK1=$BBAK/$RBAK1
ABAK2=$BBAK/$RBAK2
ABAK3=$BBAK/$RBAK3
# Other variables used
GZIP="$(which gzip)"
# Relative paths for each log file
RLOGF=log-$MLABEL-SUM.$NOWD.txt
RLOGF1=log-$MLABEL-$RBAK1.$NOWD.txt
RLOGF2=log-$MLABEL-$RBAK2.$NOWD.txt
RLOGF3=log-$MLABEL-$RBAK3.$NOWD.txt
# Base log path (set by default to the same base path for backups)
BLOGF=$BBAK
# Absolute path for log files
ALOGF=$BLOGF/$RLOGF
ALOGF1=$BLOGF/$RLOGF1
ALOGF2=$BLOGF/$RLOGF2
ALOGF3=$BLOGF/$RLOGF3


### These next parts (1) & (2) are related to the removal of previous files in these folders if they exist, and create dirs as needed for new set of periodic backups ###

## (1) To remove all previous backups locally at the server and at the same base backup folder, uncomment the following line
#[ ! -d $BAKPATH/$BAK ] && mkdir -p $BAKPATH/$BAK || /bin/rm -f $BAKPATH/$BAK/*

## (2) To avoid removing previous backups from the same day locally, keep the last part commented out (with ## just in front of "|| /bin/rm -f ..." )
[ ! -d $ABAK1 ] && mkdir -p $ABAK1 || /bin/rm -f $ABAK1/*
[ ! -d $ABAK2 ] && mkdir -p $ABAK2 || /bin/rm -f $ABAK2/*
[ ! -d $ABAK3 ] && mkdir -p $ABAK3 || /bin/rm -f $ABAK3/*
### [ ! -d "$BAK" ] && mkdir -p "$BAK" ### ||
 
DBS="$($MYSQL -u $MUSER -h $MHOST -p$MPASS -Bse 'show databases')"
for db in $DBS
do
 FILE=$ABAK1/$db.$NOWD-$NOWT.gz
 $MYSQLDUMP -u $MUSER -h $MHOST -p$MPASS $db | $GZIP -9 > $FILE
done
 
### Backup tikifiles ###
tar -czvf $ABAK2/00-$RBAK2-$MLABEL.$NOWD-$NOWT.tgz $TIKIFILESABSPATH*/* >  $ALOGF2

### Backup serverfiles ###
tar -chzvf $ABAK3/00-$RBAK3-$MLABEL.$NOWD-$NOWT.tgz /etc/* /root/* >  $ALOGF3

### Send files over ftp ###
lftp -u $FTPU,$FTPP -e "mkdir $FTPF/$NOWD;cd $FTPF/$NOWD; mput $ABAK1/*.gz; mput $ABAK2/*.tgz; mput $ABAK3/*.tgz; quit" $FTPS > $ALOGF
cd $ABAK1;ls -lh * > $ALOGF1
# Add a short summary with partial dir sizes and the uncompressed tikifiles sizes to the summary log ($ALOGF)
cd $BBAK;du -h $RBAK1 $RBAK2 $RBAK3 > $ALOGF;echo "" >> $ALOGF;echo "--- $RBAK2 uncompressed: ---------------" >> $ALOGF;du $TIKIFILESABSPATH* -h --max-depth=2 >> $ALOGF

### Compress and Send log files ###
tar -czvf $ALOGF1.tgz -C $BLOGF $RLOGF1
tar -czvf $ALOGF2.tgz -C $BLOGF $RLOGF2
tar -czvf $ALOGF3.tgz -C $BLOGF $RLOGF3
lftp -u $FTPU,$FTPP -e "cd $FTPF/$NOWD; put $ALOGF1.tgz; put $ALOGF2.tgz; put $ALOGF3.tgz; quit" $FTPS

### Send report through email ###
sendemail -f $EMAILF -t $EMAILT -u '[seeds4c.org Backup Report]' -m 'Short report attached' -a $ALOGF -a $ALOGF1



File named:

/home/xavi/backups/backup_webs.sh


Chmod it to 600, owned by root:root

sudo chmod 600 /home/xavi/backups/backup_webs.sh
sudo chown root:root /home/xavi/backups/backup_webs.sh


Cron:

55 23 * * * cd /home/xavi/backups/;sh backup_webs.sh
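The script above passes the MySQL password as -p$MPASS, which places it on the command line of every mysql and mysqldump process, where other local users can read it from the process list. An added example (not part of the original script) of the same dump loop reading the credentials from a 0600 client option file instead; make_mysql_optfile, dump_all_databases and run_mysql_backup are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of the original backup script.
# MYSQL / MYSQLDUMP default to the binaries found on PATH.
MYSQL="${MYSQL:-mysql}"
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"

# make_mysql_optfile <user> <password> <host>
# Create a client option file that only its owner can read and print its
# path. printf is a shell builtin, so the password never appears in the
# argument list of a separate process.
make_mysql_optfile() {
    _f=$(mktemp "${TMPDIR:-/tmp}/mysqlbak.XXXXXX") || return 1
    chmod 600 "$_f"
    # The password is double-quoted so a '#' in it is not read as a comment.
    printf '[client]\nuser=%s\npassword="%s"\nhost=%s\n' "$1" "$2" "$3" > "$_f"
    echo "$_f"
}

# dump_all_databases <option_file> <output_dir> <timestamp>
# Same loop as the page's script: one gzip-compressed dump per database.
# --defaults-extra-file has to be the first option given to the client.
dump_all_databases() {
    _dbs=$("$MYSQL" --defaults-extra-file="$1" -Bse 'show databases') || return 1
    for _db in $_dbs; do
        "$MYSQLDUMP" --defaults-extra-file="$1" "$_db" | gzip -9 > "$2/$_db.$3.gz"
    done
}

# run_mysql_backup <user> <password> <host> <output_dir>
# Create the option file, dump, and remove the option file afterwards
# even if a dump failed.
run_mysql_backup() {
    _opt=$(make_mysql_optfile "$1" "$2" "$3") || return 1
    _stamp=$(date +"%Y-%m-%d-%H_%M_%S")
    _rc=0
    dump_all_databases "$_opt" "$4" "$_stamp" || _rc=$?
    rm -f "$_opt"
    return "$_rc"
}
```

In the page's script this would replace the DBS= line and the for loop, called as `run_mysql_backup "$MUSER" "$MPASS" "$MHOST" "$ABAK1"`.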




1.7. Monitoring 

1.7.1. Logwatch 

Logwatch is a modular log analyser that runs every night and mails you the results. It can also be run from the command line. The output is grouped by service, and you can limit the output to one particular service. The subscripts responsible for the output mostly convert the raw log lines into a structured format.


Once you have installed Logwatch (sudo apt-get install logwatch), you will need to configure it to email you the reports it generates. You are encouraged to look through the entire configuration, but you may safely use Logwatch after editing the lines below.

1.7.1.1. Configuration 

File:/usr/share/logwatch/default.conf/logwatch.conf
Output = mail
Format = html
MailTo = xavi@confluencia.net
MailFrom = logwatch


These directives tell Logwatch to email you reports in an HTML format. The MailTo and MailFrom directives should be valid email addresses.

Issue the following command to test your logwatch installation:

logwatch


Once you have issued this command, you will need to check your email to make sure that logwatch is working. Be sure to check your spam folder as these emails may be seen as spam.

1.7.1.2. Adding a Cron Job for Logwatch 

You should know that logwatch by default adds a system cronjob at:

system cronjob file from logwatch by default when installed
/etc/cron.daily/00logwatch


But if for whatever reason, you want to add a cron job for Logwatch in order to receive daily emails of new reports, you can add a new entry to your crontab by running crontab -e, for instance. The following example cron job runs Logwatch at 2 AM each day, issuing you an email report of the daily activity:

crontab -e
# m h dom mon dow   command
0 2  * * *          /usr/sbin/logwatch


Congratulations! You can now monitor system logs with Logwatch!


Related:

1.7.2. Notification emails if there are php errors 

This is to send out an email alert when php hits an out of memory error, adapted to B52 from an email from ohertel:

The program sec (simple event correlator - http://simple-evcorr.sf.net ) is used, with this command written to a new shell script called check_php_errors.sh, that will be run as root in seeds4c:

sudo apt-get install sec


Edit the script

Command on a console on a terminal connected by ssh to the server
sudo pico /home/xavi/scripts/check_php_errors.sh


Add this content inside (Copy this content, and Ctrl+Shift+V at the terminal to paste this content):

Content to be pasted to the script check_php_errors.sh
/usr/bin/perl -w /usr/bin/sec -conf=/etc/sec.conf -input=/var/log/apache2/error.log -pid=/var/run/sec.pid -detach -syslog=daemon


Make it executable:

Command on a console
sudo chmod +x /home/xavi/scripts/check_php_errors.sh


In the specific case of seeds4c.org, we have error logs split across several files:

/var/log/apache2/error.log
/var/log/apache2/suexec.log
/var/log/ispconfig/httpd/seeds4c.org/error.log
/var/log/ispconfig/httpd/uamep.org/error.log
(...)


There are all these folders with error logs:

# ls /var/log/ispconfig/httpd/
2012.forumsocialcatala.cat  d-recerca.org           masfranch.seeds4c.org       uelm.seeds4c.org
2014.forumsocialcatala.cat  forumsocialcatala.cat   piwik.seeds4c.org           uniwiki.seeds4c.org
awikiforum.seeds4c.org      gavarrespedia.org       seeds4c.org                 xissabadell.org
carpetiki.seeds4c.org       iesgogreen.seeds4c.org  semillaspec.org             xissabadell.seeds4c.org
cochise.seeds4c.org         llavorspac.org          sustainability.seeds4c.org
deliberaweb.seeds4c.org     margalef.seeds4c.org    uamep.org


so something more will have to be done in order to have sec monitor all of them.

sec.conf, so far, looks like this:

contents of /etc/sec.conf
type=single
continue=takenext
ptype=regexp
pattern=exhausted
desc=scan for php memory errors in seeds4c webserver
action=add php-memory-errors $0

type=calendar
continue=takenext
time=* * * * *
desc=sec cron
context=php-memory-errors
action=report php-memory-errors /usr/bin/mail -s "alert:php out of memory error at seeds4c" xavier.depedro@vhir.org; delete php-memory-errors;


If some sec processes are running and you want to change them (delete the old ones and start new sec processes), you need to manually kill the old (perl) processes that were linked to the sec program.
So you should do:

search for former processes linked to sec
sudo ps -e | grep perl


Identify which perl processes are not related to this sec job (if any), and kill the rest with "kill -9 pid", being pid the number shown at the left of the perl processes as shown by the output of the command "sudo ps -e | grep perl"

1.7.2.1. Have this script re-run at every boot or reboot 

This script works fine while it's in memory. But when you reboot the machine, the perl command is not re-run by default, so you need to add it in the right place to have it re-run at each new boot or reboot.

From:
http://en.kioskea.net/faq/3348-ubuntu-executing-a-script-at-startup-and-shutdown

1.7.2.1.1. To execute a script at startup of Ubuntu 


Edit /etc/rc.local and add your command as shown above.

The script must always end with exit 0

1.7.2.1.2. To execute a script upon rebooting Ubuntu 


Put your script in /etc/rc0.d

and make it executable (sudo chmod +x check_php_errors.sh)

Note that: The scripts in this directory are executed in alphabetical order.

The name of your script must begin with K99 to run at the right time.

1.7.2.1.3. To execute a script at shutdown (when needed, not for php errors) 


Put your script in /etc/rc6.d

and make it executable (sudo chmod +x myscript)

Note that: The scripts in this directory are executed in alphabetical order.

The name of your script must begin with K99 to run at the right time.

1.7.3. Icinga 

Icinga (Former Nagios) for Server Monitoring
See http://www.icinga.org

sudo add-apt-repository ppa:formorer/icinga
sudo apt-get update
sudo apt-get install icinga icinga-doc icinga-idoutils mysql-server libdbd-mysql mysql-client


See also:

1.7.3.1. Icinga on ISPConfig powered servers 

See:

  1. http://www.howtoforge.com/server-monitoring-with-icinga-on-ubuntu-11.10
    • 1. Preliminary Note
    • 2. Installing Icinga On The Icinga Host (server1)
  2. http://www.howtoforge.com/server-monitoring-with-icinga-on-ubuntu-11.10-p2
    • 3. Configuring Icinga
  3. http://www.howtoforge.com/server-monitoring-with-icinga-on-ubuntu-11.10-p3
    • 4. Adding A Remote Server (server2) To Icinga

1.7.3.2. Configuring Icinga 

The main Icinga configuration file is /etc/icinga/icinga.cfg, additional configurations are stored in /etc/icinga/commands.cfg and /etc/icinga/resource.cfg. Usually the default configuration is ok, so you don't have to change these files.

The first thing you should change is the contact details in /etc/icinga/objects/contacts_icinga.cfg so that notifications are sent to the correct email address:

sudo nano /etc/icinga/objects/contacts_icinga.cfg

section from contacts_icinga.cfg to define email
[...]
define contact{
        contact_name                    root
        alias                           Falko Timme
        service_notification_period     24x7
        host_notification_period        24x7
        service_notification_options    w,u,c,r
        host_notification_options       d,r
        service_notification_commands   notify-service-by-email
        host_notification_commands      notify-host-by-email
        email                           me@myself.com
        }
[...]


Let's assume we want to add a service check for MySQL, we first take a look at the appropriate plugin configuration:

cat /etc/nagios-plugins/config/mysql.cfg

# 'check_mysql' command definition
define command{
        command_name    check_mysql
        command_line    /usr/lib/nagios/plugins/check_mysql -H '$HOSTADDRESS$'
}

# 'check_mysql_cmdlinecred' command definition
define command{
        command_name    check_mysql_cmdlinecred
        command_line    /usr/lib/nagios/plugins/check_mysql -H '$HOSTADDRESS$' -u '$ARG1$' -p '$ARG2$'
}

# 'check_mysql_database' command definition
define command{
        command_name    check_mysql_database
        command_line    /usr/lib/nagios/plugins/check_mysql -d '$ARG3$' -H '$HOSTADDRESS$' -u '$ARG1$' -p '$ARG2$'
}


The command I want to use is check_mysql_cmdlinecred - this takes a MySQL username and a password as arguments (besides the host address, which is taken from the host_name parameter of the service check definition). I want to use the MySQL user nagios with the password howtoforge here, so I add the following section to /etc/icinga/objects/localhost_icinga.cfg:

sudo nano /etc/icinga/objects/localhost_icinga.cfg

[...]
define service{
       use                             generic-service
       host_name                       localhost
       service_description             MySQL
       check_command                   check_mysql_cmdlinecred!nagios!howtoforge
}


Before we restart Icinga, we must create the MySQL user nagios with the password howtoforge:

mysql -u root -p

GRANT USAGE ON *.* TO nagios@localhost IDENTIFIED BY 'howtoforge';
GRANT USAGE ON *.* TO nagios@localhost.localdomain IDENTIFIED BY 'howtoforge';
FLUSH PRIVILEGES;
quit;


(The USAGE privilege is a synonym for 'no privileges', i.e., the nagios user can connect to MySQL, but not alter or read any data.)

Now we restart Icinga so that our changes take effect:

/etc/init.d/icinga restart


If you check localhost's services in the Icinga web interface now, you should see that a check for MySQL has been added.

1.7.4. Contents of config file for apache2 

In seeds4c (Ubuntu 12.04):
/etc/apache2/conf.d/icinga.conf

symlink from /etc/icinga/apache2.conf

(In Ubuntu 13.10, at: /etc/apache2/conf-enabled/icinga.conf, and symlink of the same file /etc/icinga/apache2.conf )

Contents of /etc/apache2/conf.d/icinga.conf
# apache configuration for icinga

ScriptAlias /cgi-bin/icinga /usr/lib/cgi-bin/icinga

# Where the stylesheets (config files) reside
Alias /icinga/stylesheets /etc/icinga/stylesheets

# Where the HTML pages live
Alias /icinga /usr/share/icinga/htdocs

<DirectoryMatch "^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)/">
	Options FollowSymLinks

	DirectoryIndex index.html

	AllowOverride AuthConfig
	Order Allow,Deny
	Allow From All

	AuthName "Icinga Access"
	AuthType Basic
	AuthUserFile /etc/icinga/htpasswd.users
	Require valid-user
</DirectoryMatch>



1.7.5. Munin 

See:


Install it with:

sudo apt-get install munin munin-node munin-plugins-extra libcache-perl libcache-cache-perl


You can have a look at what plugins are suggested for your site with:

sudo munin-node-configure --suggest


Enable a few extra munin plugins (consider removing the last one for amavis, if you don't run amavis antivirus in your server):

cd /etc/munin/plugins && ln -s /usr/share/munin/plugins/mysql_ mysql_ && ln -s /usr/share/munin/plugins/mysql_bytes mysql_bytes && ln -s /usr/share/munin/plugins/mysql_innodb mysql_innodb && ln -s /usr/share/munin/plugins/mysql_isam_space_ mysql_isam_space_ && ln -s /usr/share/munin/plugins/mysql_queries mysql_queries && ln -s /usr/share/munin/plugins/mysql_slowqueries mysql_slowqueries && ln -s /usr/share/munin/plugins/mysql_threads mysql_threads  && ln -s /usr/share/munin/plugins/apache_accesses apache_accesses  && ln -s /usr/share/munin/plugins/apache_processes apache_processes  && ln -s /usr/share/munin/plugins/apache_volume apache_volume && ln -s /usr/share/munin/plugins/amavis amavis


Once the package is installed, and those extra plugins enabled, you only need to make a few changes to get your installation working.

1.7.5.1. Changes in /etc/munin/munin.conf 

Configuring Munin server: You need to edit the /etc/munin/munin.conf file

sudo nano /etc/munin/munin.conf


And make a few minor changes:

Change 1:

#dbdir /var/lib/munin
#htmldir /var/cache/munin/www
#logdir /var/log/munin
#rundir /var/run/munin


to

dbdir /var/lib/munin
#htmldir /var/www/munin
htmldir /var/cache/munin/www
logdir /var/log/munin
rundir /var/run/munin



Change 2:
From

#tmpldir /etc/munin/templates

to

tmpldir /etc/munin/templates


Change 3:
The server name on the line localhost.localdomain should be updated to display the hostname, domain name, or other identifier you'd like to use for your monitoring server.
From:

# a simple host tree
[localhost.localdomain]
address 127.0.0.1
use_node_name yes


to

[seeds4c.org]
address 127.0.0.1
use_node_name yes

1.7.5.2. Changes in /etc/munin/apache.conf 

You need to edit the munin apache configuration

sudo nano /etc/munin/apache.conf


We need to allow connections from outside of the local computer. For this, make the following changes:

<Directory /var/cache/munin/www>
Order allow,deny
Allow from localhost 127.0.0.0/8 ::1
Options None



to

<Directory /var/cache/munin/www>
        AllowOverride AuthConfig
        Order allow,deny
        #Allow from localhost 127.0.0.0/8 ::1
        Allow from all
        Options None


1.7.5.3. Create a subdomain and ISPConfig website for munin 

And I made a symlink from the original folder /var/cache/munin/www to the web folder of a new subsite made through ispconfig, after a new subdomain was created. Step by step, it was:

Create a new subdomain for munin.seeds4c.org through isp manager in dimensis.com (ecodim-dns.net):
https://ecodim-dns.net/manager/
Log in with the appropriate username and pass, and go to create a new DNS record for your domain:



It may (usually) take a few minutes until the new domain is propagated across dns servers worldwide.

In the meantime, you can proceed to prepare your ispconfig site for the subdomain you have just created (even if it's not yet available worldwide, it will be shortly, and you will already be prepared by then). Go to your ispconfig installation, and create a new site:



Then you will be able to see the standard screen in your new domain munin.seeds4c.org when the domain is propagated.
We can then replace the web folder from that site with a symlink to the www folder of munin in the server.
We need to know which client and web number ispconfig assigned to this domain munin.seeds4c.org. In our case, it was client1 web44.
Then we proceed as usual:

cd /var/www/clients/client1/
chattr -i web44
rm web44/web/* -R
rm web44/web/.* -R
rmdir web44/web
sudo ln -s /var/cache/munin/www /var/www/clients/client1/web44/web
chattr +i web44

1.7.5.4. Restart munin and apache 

Now you need to restart the munin and apache services using the following commands

sudo service munin-node restart
sudo service apache2 restart


It might take a few minutes to generate the necessary graphs and html files. After about five minutes, your files should be created and you will be able to access your data, with some graphs similar to:
Image 1

You should be able to access your munin details at:

http://munin.seeds4c.org/


(This is just a small excerpt of the many graphics that munin produces...)

1.7.5.5. Password-Protect The munin Output Directory (Optional) 


Now it is a good idea to password-protect the munin output directory unless you want everybody to be able to see every little statistic about your server.
To do this, we must create the password file /etc/munin/munin-htpasswd. We want to log in with the username admin, so we do this:

htpasswd -c /etc/munin/munin-htpasswd admin


Enter a password for admin. Then open /etc/apache2/conf.d/munin /etc/munin/apache.conf again...

nano /etc/munin/apache.conf


... and uncomment the following section:

[...]
        AuthUserFile /etc/munin/munin-htpasswd
        AuthName "Munin"
        AuthType Basic
        require valid-user
[...]


In addition, we will create an .htaccess file in the web docroot for munin.seeds4c.org, to ensure that this auth is requested:

sudo nano /var/www/munin.seeds4c.org/web/.htaccess


And add these contents (the file was empty, as it was a new file created by us):

# For the .htaccess file option to work the munin www directory
# (/var/cache/munin/www) must have "AllowOverride all" or something
# close to that set.
#

AuthUserFile /etc/munin/munin-htpasswd
AuthName "Munin"
AuthType Basic
require valid-user


Then restart Apache:

sudo service apache2 restart

1.7.5.6. Monitor other servers as nodes from this munin server 

Munin can easily monitor multiple servers at once. Let's add another server to be monitored by this one. For instance, precarios.org.
We connect through ssh to precarios as a user with sudo permissions.

First you need to install the munin client package using the following command:

sudo apt-get install munin-node munin-plugins-extra libcache-perl libcache-cache-perl


Enable a few extra munin plugins, with a one-liner command ;-) (consider removing the last one for amavis, if you don't run amavis antivirus in your server):

cd /etc/munin/plugins && ln -s /usr/share/munin/plugins/mysql_ mysql_ && ln -s /usr/share/munin/plugins/mysql_bytes mysql_bytes && ln -s /usr/share/munin/plugins/mysql_innodb mysql_innodb && ln -s /usr/share/munin/plugins/mysql_isam_space_ mysql_isam_space_ && ln -s /usr/share/munin/plugins/mysql_queries mysql_queries && ln -s /usr/share/munin/plugins/mysql_slowqueries mysql_slowqueries && ln -s /usr/share/munin/plugins/mysql_threads mysql_threads  && ln -s /usr/share/munin/plugins/apache_accesses apache_accesses  && ln -s /usr/share/munin/plugins/apache_processes apache_processes  && ln -s /usr/share/munin/plugins/apache_volume apache_volume && ln -s /usr/share/munin/plugins/amavis amavis



Now you need to edit the munin-node.conf file to specify that your monitoring server is allowed to poll the client for information.

sudo nano /etc/munin/munin-node.conf


Search for the section that has the line "allow ^127\.0\.0\.1$". Modify the IP address to reflect your monitoring server's IP address (in this case, we have to add the IP of seeds4c.org). If your server IP is 172.30.2.100:

allow ^172\.30\.2\.100$




Save and exit the file

You need to restart the munin client using the following command:

sudo service munin-node restart


Now you need to log in to your munin server (seeds4c.org in this case) and edit the munin.conf file:

sudo nano /etc/munin/munin.conf


Copy the following section and change the ip address to your remote server client ip address (precarios.org in this case)

[MuninMonitor]
address 127.0.0.1
use_node_name yes


to

[precarios.org]
address 172.30.2.101
use_node_name yes


(replace 172.30.2.101 with the real ip of your server, the one from precarios.org in this case)


Regarding apache and amavis, some extra steps are needed

Ensure that you have these packages installed (run the install command, just in case you miss some of them)

sudo apt-get install libwww-perl liblwp-useragent-determined-perl libipc-sharelite-perl logtail


You need mod_status installed and configured
See: http://www.rackspace.com/knowledge_center/article/enabling-and-using-apaches-modstatus-on-debian-and-ubuntu

Enable mod_status

The default installation of apache usually has mod_status enabled, but verify this. Check the contents of apache's enabled modules directory:

ls /etc/apache2/mods-enabled


Search for status.conf and status.load. If those files aren't listed in that directory, you will need to enable mod_status by running:

sudo /usr/sbin/a2enmod status


Allow mod_status in Apache 2.4 to display the server-status page to your own site, and to your desktop IP so that you can check that everything works as expected:

sudo nano /etc/apache2/mods-enabled/status.conf


Add (or uncomment and edit) a section like this one between the "Location" tags, with the IP of your own monitoring server and the IP of your desktop, so that you can check that server-status from Apache works:

<IfModule mod_status.c>
        # Allow server status reports generated by mod_status,
        # with the URL of http://servername/server-status
        # Uncomment and change the "192.0.2.0/24" to allow access from other hosts.

        <Location /server-status>
            SetHandler server-status
            Require local
            Require ip 172.30.2.100
            Require ip 95.23.18.40
        </Location>

        # Keep track of extended status information for each request
        ExtendedStatus On

[...]


(replace 172.30.2.100 with the real ip of your server, the one from munin.seeds4c.org, in this case, and replace 95.23.18.40 with the ip from your adsl or work, so that you can check from your desktop computer that the server-status page produces the expected output).

Then you need to restart the apache server using the following command

sudo service apache2 restart


You will notice that you can see the output from server-status at your address:
http://example.com/server-status

However, in our case, it didn't work because the .htaccess from Tiki was overruling with its rewrite rules, saying that that wiki page didn't exist. Therefore, one workaround for this type of setup with ISPConfig server and a Tiki site in the main website, is to access the server-status information from another website in the same server. For instance: http://piwik.seeds4c.org/server-status worked, while http://seeds4c.org/server-status or http://localhost/server-status with a wget from console server-side didn't work.

Therefore, we hardcoded this value in the apache-related plugins of munin in our server:

/etc/munin/plugins/apache_accesses
/etc/munin/plugins/apache_processes
/etc/munin/plugins/apache_volume


Each time that the url was indicated as http://127.0.0.1:%d/... we replaced that with http://piwik.seeds4c.org:%d/...

( Info for amavis and apache partially derived from:
http://howto.biapy.com/fr/debian-gnu-linux/applications-web/supervision/installer-un-noeud-munin-sur-debian )

Finally, you need to restart the munin-node and the apache server using the following commands:

sudo service munin-node restart
sudo service apache2 restart

1.7.5.7. Monitor munin from an android smartphone 

See:


1.7.6. Monit 

See:


First commands:

sudo su
apt-get install monit
cp /etc/monit/monitrc /etc/monit/monitrc_orig
cat /dev/null > /etc/monit/monitrc
nano /etc/monit/monitrc


Contents of /etc/monit/monitrc to paste to the file:

set daemon  60
set logfile syslog facility log_daemon
set mailserver localhost
set mail-format { from: monit@seeds4c.org }
set alert xavi@pangea.org
set httpd port 2812 and
     SSL ENABLE
     PEMFILE  /var/certs/monit.pem
     allow admin:samepassasispconfig

#check process proftpd with pidfile /var/run/proftpd.pid
#   start program = "/etc/init.d/proftpd start"
#   stop program  = "/etc/init.d/proftpd stop"
#   if failed port 21 protocol ftp then restart
#   if 5 restarts within 5 cycles then timeout

check process sshd with pidfile /var/run/sshd.pid
   start program  "/etc/init.d/ssh start"
   stop program  "/etc/init.d/ssh stop"
   if failed port 22 protocol ssh then restart
   if 5 restarts within 5 cycles then timeout

check process mysql with pidfile /var/run/mysqld/mysqld.pid
   group database
   start program = "/etc/init.d/mysql start"
   stop program = "/etc/init.d/mysql stop"
   if failed host 127.0.0.1 port 3306 then restart
   if 5 restarts within 5 cycles then timeout

check process apache with pidfile /var/run/apache2/apache2.pid
   group www
   start program = "/etc/init.d/apache2 start"
   stop program  = "/etc/init.d/apache2 stop"
   if failed host seeds4c.org port 80 protocol http
      and request "/monit/token" then restart
   if cpu is greater than 60% for 2 cycles then alert
   if cpu > 80% for 5 cycles then restart
   if totalmem > 500 MB for 5 cycles then restart
   if children > 250 then restart
   if loadavg(5min) greater than 10 for 8 cycles then stop
   if 3 restarts within 5 cycles then timeout

check process postfix with pidfile /var/spool/postfix/pid/master.pid
   group mail
   start program = "/etc/init.d/postfix start"
   stop  program = "/etc/init.d/postfix stop"
   if failed port 25 protocol smtp then restart
   if 5 restarts within 5 cycles then timeout

#check process nginx with pidfile /var/run/nginx.pid
#   start program = "/etc/init.d/nginx start"
#   stop  program = "/etc/init.d/nginx stop"
#   if failed host 127.0.0.1 port 80 then restart
#
#check process memcached with pidfile /var/run/memcached.pid
#   start program = "/etc/init.d/memcached start"
#   stop  program = "/etc/init.d/memcached stop"
#   if failed host 127.0.0.1 port 11211  then restart
#
#check process pureftpd with pidfile /var/run/pure-ftpd/pure-ftpd.pid
#   start program = "/etc/init.d/pure-ftpd-mysql start"
#   stop program  = "/etc/init.d/pure-ftpd-mysql stop"
#   if failed port 21 protocol ftp then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process named with pidfile /var/run/named/named.pid
#   start program = "/etc/init.d/bind9 start"
#   stop program = "/etc/init.d/bind9 stop"
#   if failed host 127.0.0.1 port 53 type tcp protocol dns then restart
#   if failed host 127.0.0.1 port 53 type udp protocol dns then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process ntpd with pidfile /var/run/ntpd.pid
#   start program = "/etc/init.d/ntp start"
#   stop  program = "/etc/init.d/ntp stop"
#   if failed host 127.0.0.1 port 123 type udp then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process mailman with pidfile /var/run/mailman/mailman.pid
#   group mail
#   start program = "/etc/init.d/mailman start"
#   stop  program = "/etc/init.d/mailman stop"
#
check process amavisd with pidfile /var/run/amavis/amavisd.pid
   group mail
   start program = "/etc/init.d/amavis start"
   stop  program = "/etc/init.d/amavis stop"
   if failed port 10024 protocol smtp then restart
   if 5 restarts within 5 cycles then timeout

#check process courier-imap with pidfile /var/run/courier/imapd.pid
#   group mail
#   start program = "/etc/init.d/courier-imap start"
#   stop program = "/etc/init.d/courier-imap stop"
#   if failed host localhost port 143 type tcp protocol imap then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process courier-imap-ssl with pidfile /var/run/courier/imapd-ssl.pid
#   group mail
#   start program = "/etc/init.d/courier-imap-ssl start"
#   stop program = "/etc/init.d/courier-imap-ssl stop"
#   if failed host localhost port 993 type tcpssl sslauto protocol imap then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process courier-pop3 with pidfile /var/run/courier/pop3d.pid
#   group mail
#   start program = "/etc/init.d/courier-pop start"
#   stop program = "/etc/init.d/courier-pop stop"
#   if failed host localhost port 110 type tcp protocol pop then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process courier-pop3-ssl with pidfile /var/run/courier/pop3d-ssl.pid
#   group mail
#   start program = "/etc/init.d/courier-pop-ssl start"
#   stop program = "/etc/init.d/courier-pop-ssl stop"
#   if failed host localhost port 995 type tcpssl sslauto protocol pop then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process dovecot with pidfile /var/run/dovecot/master.pid
#   group mail
#   start program = "/etc/init.d/dovecot start"
#   stop program = "/etc/init.d/dovecot stop"
#   if failed host localhost port 993 type tcpssl sslauto protocol imap then restart
#   if 5 restarts within 5 cycles then timeout

echo "hello world from seeds4c.org" > token
mkdir /var/certs
cd /var/certs
nano /var/certs/monit.cnf


Contents of /var/certs/monit.cnf to paste to the file:

# create RSA certs - Server

RANDFILE = ./openssl.rnd

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = MO

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Monitoria

localityName                    = Locality Name (eg, city)
localityName_default            = Monittown

organizationName                = Organization Name (eg, company)
organizationName_default        = Monit Inc.

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Dept. of Monitoring Technologies

commonName                      = Common Name (FQDN of your server)
commonName_default              = server.monit.mo

emailAddress                    = Email Address
emailAddress_default            = root@monit.mo

[ cert_type ]
nsCertType = server

openssl req -new -x509 -days 365 -nodes -config ./monit.cnf -out /var/certs/monit.pem -keyout /var/certs/monit.pem
openssl gendh 512 >> /var/certs/monit.pem
openssl x509 -subject -dates -fingerprint -noout -in /var/certs/monit.pem
chmod 700 /var/certs/monit.pem
/etc/init.d/monit start 
nano /etc/monit/monitrc
/etc/init.d/monit restart 
/etc/init.d/monit reload
monit status

root@seeds4c:/var/run# monit status
The Monit daemon 5.6 uptime: 0m 

Process 'sshd'
  status                            Running
  monitoring status                 Monitored
  pid                               689
  parent pid                        1
  uptime                            24d 6h 5m 
  children                          6
  memory kilobytes                  332
  memory kilobytes total            17608
  memory percent                    0.0%
  memory percent total              0.4%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  port response time                0.023s to localhost:22 [SSH via TCP]
  data collected                    Thu, 21 May 2015 22:09:10

Process 'mysql'
  status                            Running
  monitoring status                 Monitored
  pid                               28458
  parent pid                        1
  uptime                            13d 15h 58m 
  children                          0
  memory kilobytes                  119416
  memory kilobytes total            119416
  memory percent                    2.8%
  memory percent total              2.8%
  cpu percent                       1.1%
  cpu percent total                 1.1%
  port response time                0.000s to 127.0.0.1:3306 [DEFAULT via TCP]
  data collected                    Thu, 21 May 2015 22:09:10

Process 'apache'
  status                            Running
  monitoring status                 Monitored
  pid                               4629
  parent pid                        1
  uptime                            7m 
  children                          24
  memory kilobytes                  34028
  memory kilobytes total            1566844
  memory percent                    0.8%
  memory percent total              37.3%
  cpu percent                       0.0%
  cpu percent total                 5.7%
  port response time                0.004s to seeds4c.org:80/monit/token [HTTP via TCP]
  data collected                    Thu, 21 May 2015 22:09:10

Process 'postfix'
  status                            Running
  monitoring status                 Monitored
  pid                               28668
  parent pid                        1
  uptime                            13d 15h 58m 
  children                          13
  memory kilobytes                  608
  memory kilobytes total            31688
  memory percent                    0.0%
  memory percent total              0.7%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  port response time                0.002s to localhost:25 [SMTP via TCP]
  data collected                    Thu, 21 May 2015 22:09:10

Process 'amavisd'
  status                            Running
  monitoring status                 Monitored
  pid                               5444
  parent pid                        1
  uptime                            3m 
  children                          2
  memory kilobytes                  111144
  memory kilobytes total            331452
  memory percent                    2.6%
  memory percent total              7.9%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  port response time                0.007s to localhost:10024 [SMTP via TCP]
  data collected                    Thu, 21 May 2015 22:09:10

System 'seeds4c.org'
  status                            Running
  monitoring status                 Monitored
  load average                      [0.77] [1.23] [1.53]
  cpu                               13.4%us 4.0%sy 0.0%wa
  memory usage                      1687120 kB [40.2%]
  swap usage                        287076 kB [54.7%]
  data collected                    Thu, 21 May 2015 22:09:10

root@seeds4c:/var/run#
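An added check (not part of the original page or of monit) for the monit.pem file assembled by the openssl commands above: it lists the PEM blocks, reads the size of the DH prime straight from the DER, and flags group/other permission bits. The 2048-bit threshold, the function names and the sample data are this example's assumptions; the sample blocks are constructed placeholders, not real key material.

```python
import base64
import os
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in file order."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(der):
    """Bit length of p in DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... }."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS block is not a DER SEQUENCE")
    tag, prime, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element of the SEQUENCE is not an INTEGER")
    return int.from_bytes(prime, "big").bit_length()


def audit_pem(text, mode=0o600, min_dh_bits=2048):
    """Return a list of findings for a combined key + certificate + DH PEM file.

    min_dh_bits=2048 is this example's threshold (an assumption), not a monit setting.
    """
    findings = []
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("no private key block")
    if "CERTIFICATE" not in labels:
        findings.append("no certificate block")
    for label, der in blocks:
        if label == "DH PARAMETERS":
            bits = dh_prime_bits(der)
            if bits < min_dh_bits:
                findings.append("DH prime is %d bits, below %d" % (bits, min_dh_bits))
    if mode & 0o077:                       # any group/other permission bit set
        findings.append("file mode %o grants access to group or others" % (mode & 0o777))
    return findings


# --- constructed sample input (placeholders, not real key material) ---------

def _der(tag, value):
    """Encode one DER TLV; used only to build the sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def sample_monit_pem(dh_bits):
    """Key, certificate and DH blocks as in monit.pem; p is an odd number, NOT a real prime."""
    p = ((1 << (dh_bits - 1)) | 1).to_bytes(dh_bits // 8, "big")
    p = b"\x00" + p                        # DER INTEGER is signed: keep p positive
    dh = _der(0x30, _der(0x02, p) + _der(0x02, b"\x02"))
    return (_pem("PRIVATE KEY", b"constructed placeholder, not a key")
            + _pem("CERTIFICATE", b"constructed placeholder, not a certificate")
            + _pem("DH PARAMETERS", dh))


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # audit a real file, e.g. /var/certs/monit.pem
        path = sys.argv[1]
        with open(path) as fh:
            results = audit_pem(fh.read(), os.stat(path).st_mode)
    else:                                  # no argument: use the constructed 512-bit sample
        results = audit_pem(sample_monit_pem(512), 0o700)
    print("\n".join(results) or "no findings")
```

Saved under a name of your choice (audit_pem.py here is hypothetical), it can be pointed at the real file: python3 audit_pem.py /var/certs/monit.pem.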



Just in case, I clicked on the buttons for apache in the monit web interface:

  • Start monitoring
  • Start service


1.7.7. Mail Log Analyzer: MailGraph & pflogsumm 

See:


Line added to the crontab of root:
# send mail log summary at AM 1:00 everyday to root
00 01 * * * perl /usr/sbin/pflogsumm -e -d yesterday /var/log/mail.log | mail -s 'Logwatch for Postfix' monitoring@seeds4c.org

1.7.8. ISPConfig monitor from an android smartphone 

See:


Current interface with ISPConfig 3.0.5x:



1.8. Log analytics 

1.8.1. Piwik (standard install) 

See Piwik

1.8.2. Add geoIP engine 

Taken from: http://piwik.org/faq/how-to/#faq_164

sudo apt-get install php5-geoip php5-dev libgeoip-dev
sudo pecl install geoip


Finally, add the following to your php.ini file:

extension=geoip.so


Once the PECL extension is installed, you must configure it. Add the following to your php.ini file (which is at /etc/php5/apache2/php.ini ):

geoip.custom_directory=/path/to/piwik/misc


Replace /path/to/piwik with the path to your Piwik installation (which on seeds4c is /var/www/clients/client1/web20/web/ ).

And finally, if you are using the GeoLite City database there is one more thing you need to do. The PECL extension won’t recognize the database if it’s named GeoLiteCity.dat so make sure it is named GeoIPCity.dat (piwik 2.11.1 did that renaming automagically for me).

Restart the webserver and the GeoIP extension should now be loaded and working in Piwik > Settings > Geolocation.

1.8.3. Piwik Server Log Analytics 

See:
http://piwik.org/docs/log-analytics-tool-how-to/

1.9. Other system tweaks 

1.9.1. Set nano as default editor 

You can do it just for this session with this command:

export EDITOR="/usr/bin/nano"


You can make the changes permanent for all sessions in this computer:

sudo nano /etc/environment


Add at the end of the file:

EDITOR="/usr/bin/nano"


Run this command to apply changes (no need to reboot):

source /etc/environment

1.9.2. Add highlighting for nano editor 

See this: http://askubuntu.com/questions/90013/how-do-i-enable-syntax-highlighting-in-nano

What I did:

  1. nano ~/.nanorc
    • Contents of /home/xavi/.nanorc after the edit:
      include "/usr/share/nano/sh.nanorc"
      include "/usr/share/nano/c.nanorc"
      include "/usr/share/nano/perl.nanorc"
      include "/usr/share/nano/awk.nanorc"
      include "/usr/share/nano/css.nanorc"
      include "/usr/share/nano/php.nanorc"
      include "/usr/share/nano/xml.nanorc"
      include "/usr/share/nano/html.nanorc"
      include "/usr/share/nano/patch.nanorc"

      But this was not enough to highlight the contents of other files such as /etc/postfix/main.cf, so we need to create a quick & dirty /usr/share/nano/cf.nanorc
  2. cp /usr/share/nano/sh.nanorc /usr/share/nano/cf.nanorc
  3. nano ~/.nanorc
    • Add this line at the end:
      include "/usr/share/nano/cf.nanorc"
  4. We need to tweak the first lines of that file, up to the line starting with header.
    • nano /usr/share/nano/cf.nanorc
      First lines after the edit
      ## Here is a custom example for .cf files like the ones from postfix configuration.
      ##
      syntax "cf" "\.cf$"
  5. Now we can test that it works! :-)
    • nano /etc/postfix/main.cf

1.10. Cron jobs 

Output from: sudo crontab -e as of ISPConfig installation time + backintime
* * * * * /usr/local/ispconfig/server/server.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfi$
30 00 * * * /usr/local/ispconfig/server/cron_daily.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/is$
0 1 * * * nice -n 19 ionice -c2 -n7 /usr/bin/backintime  --backup-job >/dev/null 2>&1

output from: sudo crontab -e as of June 6, 2014
root@seeds4c:/var/www/intercanvis.net/web# crontab -l
#0 1 * * * nice -n 19 ionice -c2 -n7 /usr/bin/backintime  --backup-job >/dev/null 2>&1
35 00 * * * cd /var/www/c1tiki12r;php -n console.php index:rebuild --log --site=llavorspac.org > /dev/null 2>&1
55 00 * * * cd /var/www/c1tiki12r;php -n console.php daily-report:send --log --site=llavorspac.org > /dev/null 2>&1
55 23 * * * cd /home/xavi/scripts/;sh backup_webs.sh
10 2 * * * cd /var/www/c8tiki12farm;php console.php index:rebuild --log --site=intercanvis.net > /dev/null 2>&1
30 2 * * * cd /var/www/c8tiki12farm;php console.php daily-reports:send --log --site=intercanvis.net > /dev/null 2>&1
50 2 * * * cd /var/www/clients/client7/web32/web;php console.php index:rebuild --log --site=r-es.org > /dev/null 2>&1
10 3 * * * cd /var/www/clients/client7/web32/web;php console.php daily:reports --log --site=r-es.org > /dev/null 2>&1
@daily /usr/bin/wget -O - -q -t 1 http://intercanvis.net/tiki-batch_todo.php > /dev/null 2>&1
* * * * * /usr/local/ispconfig/server/server.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
30 00 * * * /usr/local/ispconfig/server/cron_daily.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done

1.10.1. Dependency issues with newer apache 2.5 & php 5.5 repos 

I first tried to install on Penguinbookpro, which runs a standard xubuntu 12.04 plus updated repos for PHP 5.5 (needed for tiki13+), which also upgrade Apache to 2.4 and probably a few other system packages, as we can see below in the issues found when attempting to use the bbb auto_install script on it.

(...)
root@penguinbookpro:/var/cache/apt/archives# wget http://ftp.us.debian.org/debian/pool/main/e/eglibc/libc6-i686_2.11.3-4_i386.deb
--2014-03-10 10:34:12--  http://ftp.us.debian.org/debian/pool/main/e/eglibc/libc6-i686_2.11.3-4_i386.deb
Resolent ftp.us.debian.org (ftp.us.debian.org)... 64.50.236.52, 128.30.2.36, 128.61.240.89, ...
S'està connectant a ftp.us.debian.org (ftp.us.debian.org)|64.50.236.52|:80... conectat.
HTTP: Petició enviada, esperant resposta... 200 OK
Longitud: 1205790 (1,1M) [application/x-debian-package]
S'està desant a: «libc6-i686_2.11.3-4_i386.deb»

100%[======================================>] 1.205.790    293K/s   en 4,3s    

2014-03-10 10:34:17 (271 KB/s) - s'ha desat «libc6-i686_2.11.3-4_i386.deb» [1205790/1205790]

root@penguinbookpro:/var/cache/apt/archives# dpkg -i ia32-libs-i386_0.4_i386.deb ia32-libs_20140131_amd64.deb libc6-i386_2.11.3-4_amd64.deb libc6_2.11.3-4_amd64.deb libc6-i686_2.11.3-4_i386.deb
S'està seleccionant el paquet ia32-libs-i386:i386 prèviament no seleccionat.
(S'està llegint la base de dades… hi ha 348354 fitxers i directoris instaŀlats actualment.)
S'està desempaquetant ia32-libs-i386:i386 (de ia32-libs-i386_0.4_i386.deb)…
S'està seleccionant el paquet ia32-libs prèviament no seleccionat.
S'està desempaquetant ia32-libs (de ia32-libs_20140131_amd64.deb)…
dpkg: avís: s'està desactualitzant libc6-i386 de 2.15-0ubuntu10.5 a 2.11.3-4.
S'està preparant per a reemplaçar libc6-i386 2.15-0ubuntu10.5 (fent servir libc6-i386_2.11.3-4_amd64.deb)…
S'està desempaquetant el reemplaçament de libc6-i386…
Reemplaçat pels fitxers al paquet instaŀlat libc6:i386…
dpkg: avís: s'està desactualitzant libc6 de 2.15-0ubuntu10.5 a 2.11.3-4.
dpkg: s'ha produït un error en processar libc6_2.11.3-4_amd64.deb (--install):
 libc6:amd64 2.11.3-4 (Multi-Arch: no) is not co-installable with libc6:i386 2.15-0ubuntu10.5 (Multi-Arch: same) which is currently installed
S'està seleccionant el paquet libc6-i686:i386 prèviament no seleccionat.
dpkg: referent a libc6-i686_2.11.3-4_i386.deb que conté libc6-i686:i386, problema de predependència:
 libc6-i686:i386 pre-depèn de libc6 (= 2.11.3-4)
  libc6:i386 està instaŀlat, però té una versió 2.15-0ubuntu10.5.
dpkg: s'ha produït un error en processar libc6-i686_2.11.3-4_i386.deb (--install):
 problema de predependència - no s'instaŀlarà libc6-i686:i386
dpkg: problemes de dependències impedeixen la configuració de ia32-libs-i386:i386:
 ia32-libs-i386:i386 depèn de freeglut3 (>= 2.6.0-1).
 ia32-libs-i386:i386 depèn de lesstif2 (>= 1:0.95.2-1).
 ia32-libs-i386:i386 depèn de libacl1 (>= 2.2.49-4).
 ia32-libs-i386:i386 depèn de libaio1 (>= 0.3.107-7).
 ia32-libs-i386:i386 depèn de libattr1 (>= 1:2.4.44-2).
 ia32-libs-i386:i386 depèn de libaudiofile1 (>= 0.2.6-8).
 ia32-libs-i386:i386 depèn de libbsd0 (>= 0.2.0-1).
 ia32-libs-i386:i386 depèn de libcap2 (>= 1:2.19-3).
 ia32-libs-i386:i386 depèn de libcurl3 (>= 7.21.0-2).
 ia32-libs-i386:i386 depèn de libdirectfb-1.2-9 (>= 1.2.10.0-4).
 ia32-libs-i386:i386 depèn de libedit2 (>= 2.11-20080614-2).
 ia32-libs-i386:i386 depèn de libesd0 (>= 0.2.41-8).
 ia32-libs-i386:i386 depèn de libfltk1.1 (>= 1.1.10-2+b1).
 ia32-libs-i386:i386 depèn de libgdbm3 (>= 1.8.3-9).
 ia32-libs-i386:i386 depèn de libjpeg62 (>= 6b1-1).
 ia32-libs-i386:i386 depèn de liblzo2-2 (>= 2.03-2).
 ia32-libs-i386:i386 depèn de libnspr4-0d (>= 4.8.6-1).
 ia32-libs-i386:i386 depèn de libnss3-1d (>= 3.12.8-1+squeeze4).
 ia32-libs-i386:i386 depèn de libpam0g (>= 1.1.1-6.1+squeeze1).
 ia32-libs-i386:i386 depèn de libpopt0 (>= 1.16-1).
 ia32-libs-i386:i386 depèn de libsdl1.2debian (>= 1.2.15).
 ia32-libs-i386:i386 depèn de libsigc++-2.0-0c2a (>= 2.2.4.2-1).
 ia32-libs-i386:i386 depèn de libssh2-1 (>= 1.2.6-1).
 ia32-libs-i386:i386 depèn de libstdc++5 (>= 1:3.3.6-20).
 ia32-libs-i386:i386 depèn de libsvga1 (>= 1:1.4.3-29).
 ia32-libs-i386:i386 depèn de libsysfs2 (>= 2.1.0+repack-1).
 ia32-libs-i386:i386 depèn de libtdb1 (>= 1.2.1-2+b1).
 ia32-libs-i386:i386 depèn de libts-0.0-0 (>= 1.0-7).
 ia32-libs-i386:i386 depèn de libvorbisfile3 (>= 1.3.1-1).
 ia32-libs-i386:i386 depèn de libx86-1 (>= 1.1+ds1-6).
 ia32-libs-i386:i386 depèn de libxaw7 (>= 2:1.0.7-1).
 ia32-libs-i386:i386 depèn de libxcb-render-util0 (>= 0.3.6-1).
 ia32-libs-i386:i386 depèn de libxmu6 (>= 2:1.0.5-2).
 ia32-libs-i386:i386 depèn de libxmuu1 (>= 2:1.0.5-2).
 ia32-libs-i386:i386 depèn de libxp6 (>= 1:1.0.0.xsf1-2).
 ia32-libs-i386:i386 depèn de libxtst6 (>= 2:1.1.0-3).
 ia32-libs-i386:i386 depèn de odbcinst1debian2 (>= 2.2.14p2-1).
 ia32-libs-i386:i386 depèn de libodbc1.
 ia32-libs-i386:i386 depèn de xaw3dg (>= 1.5+E-18).
dpkg: s'ha produït un error en processar ia32-libs-i386:i386 (--install):
 problemes de dependències - es deixa sense configurar
dpkg: problemes de dependències impedeixen la configuració de ia32-libs:
 ia32-libs depèn de lib32bz2-1.0; tot i així:
  El paquet lib32bz2-1.0 no està instaŀlat.
 ia32-libs depèn de lib32asound2 (>> 1.0.18); tot i així:
  El paquet lib32asound2 no està instaŀlat.
 ia32-libs depèn de lib32ncurses5 (>= 5.7+20100313); tot i així:
  El paquet lib32ncurses5 no està instaŀlat.
 ia32-libs depèn de lib32stdc++6 (>= 4.1.1); tot i així:
  El paquet lib32stdc++6 no està instaŀlat.
 ia32-libs depèn de lib32v4l-0 (>= 0.5.0); tot i així:
  El paquet lib32v4l-0 no està instaŀlat.
 ia32-libs depèn de lib32z1 (>= 1:1.2.3.3.dfsg); tot i així:
  El paquet lib32z1 no està instaŀlat.
dpkg: s'ha produït un error en processar ia32-libs (--install):
 problemes de dependències - es deixa sense configurar
dpkg: problemes de dependències impedeixen la configuració de libc6-i386:
 libc6-i386 depèn de libc6 (= 2.11.3-4); tot i així:
  La versió del paquet «libc6» al sistema és 2.15-0ubuntu10.5.
dpkg: s'ha produït un error en processar libc6-i386 (--install):
 problemes de dependències - es deixa sense configurar
S'han trobat errors en processar:
 libc6_2.11.3-4_amd64.deb
 libc6-i686_2.11.3-4_i386.deb
 ia32-libs-i386:i386
 ia32-libs
 libc6-i386

1.11. Disable SSLv3 (according to ISPConfig) 

See:
http://www.howtoforge.com/how-to-secure-your-ispconfig-3-server-against-the-poodle-ssl-attack

1.12. Crontab list 

As of Jan 01, 2015

35 00 * * * cd /var/www/c1tiki12r;php -n console.php index:rebuild --log --site=llavorspac.org > /dev/null 2>&1
55 00 * * * cd /var/www/c1tiki12r;php -n console.php daily-report:send --site=llavorspac.org > /dev/null 2>&1
10 23 * * 0 cd /home/xavi/scripts/;sh backup_webs.sh
10 2 * * * cd /var/www/c8tiki12farm;php console.php index:rebuild --log --site=intercanvis.net > /dev/null 2>&1
30 2 * * * cd /var/www/c8tiki12farm;php console.php daily-report:send --site=intercanvis.net > /dev/null 2>&1
@daily /usr/bin/wget -O - -q -t 1 http://intercanvis.net/tiki-batch_todo.php > /dev/null 2>&1
#50 2 * * * cd /var/www/clients/client7/web32/web;php console.php index:rebuild --log --site=r-es.org > /dev/null 2>&1
#10 3 * * * cd /var/www/clients/client7/web32/web;php console.php daily:report --site=r-es.org > /dev/null 2>&1

* * * * * /usr/local/ispconfig/server/server.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
30 00 * * * /usr/local/ispconfig/server/cron_daily.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done

1.13. Set up https for websites 

Done with letsencrypt:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

usage:
  letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

xavi@penguinbookpro:~$ ssh xavi@seeds4c.org
(...)
xavi@seeds4c:~# sudo screen
root@seeds4c:/home/xavi/# cd /opt/letsencrypt
root@seeds4c:/opt/letsencrypt# ./letsencrypt-auto --apache -d seeds4c.org -d llavorspac.org -d semillaspec.org -d sustainability.seeds4c.org -d iesgogreen.seeds4c.org -d intercanvis.net -d www.intercanvis.net -d d-recerca.org -d www.d-recerca.org
Checking for new version...
Requesting root privileges to run letsencrypt...
   /home/xavi/.local/share/letsencrypt/bin/letsencrypt --apache -d seeds4c.org -d llavorspac.org -d semillaspec.org -d sustainability.seeds4c.org -d iesgogreen.seeds4c.org -d intercanvis.net -d www.intercanvis.net -d d-recerca.org -d www.d-recerca.org

(...)

Choose:
 ( X ) Enable http and https for these domains
 (    ) Force to always use https for these domains

(...) 

 │ Congratulations! You have successfully enabled
 │ https://seeds4c.org, https://llavorspac.org, ...
 │
 │ You should test your configuration at:
 │ https://www.ssllabs.com/ssltest/analyze.html?d=seeds4c.org
 │ https://www.ssllabs.com/ssltest/analyze.html?d=llavorsapc.org
 │ ...

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/seeds4c.org/fullchain.pem. Your cert will
   expire on 2016-06-30. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@seeds4c:/opt/letsencrypt# ./letsencrypt-auto renew
Checking for new version...
Requesting root privileges to run letsencrypt...
   /home/xavi/.local/share/letsencrypt/bin/letsencrypt renew
Processing /etc/letsencrypt/renewal/seeds4c.org.conf
Processing /etc/letsencrypt/renewal/intercanvis.net.conf

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/seeds4c.org/fullchain.pem (skipped)
  /etc/letsencrypt/live/intercanvis.net/fullchain.pem (skipped)
No renewals were attempted.
root@seeds4c:/opt/letsencrypt# exit
xavi@seeds4c:~$ exit
logout
Connection to seeds4c.org closed.


Set Up Auto Renewal 

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

To trigger the renewal process for all installed domains, you should run:

root@seeds4c:/opt/letsencrypt# ./letsencrypt-auto renew


Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal should be valid for all domains included in this certificate.

A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.

Let's edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:

sudo crontab -e


Include the following content, all in one line:

30 1 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log


Save and exit. This will create a new cron job that will execute the letsencrypt-auto renew command every Monday at 1:30 am. The output produced by the command will be appended to the log file /var/log/le-renew.log.
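The weekly cron job can fail without anyone noticing, so an independent expiry check is useful. The script below is an added example, not part of the original page or of the Let's Encrypt client: it flags any certificate under /etc/letsencrypt/live with fewer than 21 days left and lists the names each certificate covers. The 21-day threshold, the LIVE_DIR and WARN_DAYS variables and the function names are assumptions; since renewal starts at 30 days and the job runs weekly, fewer than 21 days left means at least one scheduled renewal did not succeed.

```shell
# Added example: independent expiry check for Let's Encrypt certificates.
# Assumed defaults: LIVE_DIR=/etc/letsencrypt/live, WARN_DAYS=21.

# Succeeds when the certificate in $1 expires within $2 days. An unreadable
# or unparsable file also counts as expiring, so failures are not silent.
cert_expires_within() {
    # -checkend N exits 0 only if the cert is still valid N seconds from now
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" \
            >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeeds when domain $2 is one of the names certificate $1 covers.
cert_covers() {
    cert_dns_names "$1" | grep -qxF "$2"
}

# Prints one status line per certificate under live directory $1 and
# returns 1 when any of them is inside the $2-day window.
check_live_dir() {
    live_dir=$1; days=$2; status=0
    for pem in "$live_dir"/*/fullchain.pem; do
        [ -f "$pem" ] || continue
        if cert_expires_within "$pem" "$days"; then
            echo "WARN $pem expires within $days days"
            status=1
        else
            echo "OK   $pem covers: $(cert_dns_names "$pem" | tr '\n' ' ')"
        fi
    done
    return "$status"
}

check_live_dir "${LIVE_DIR:-/etc/letsencrypt/live}" "${WARN_DAYS:-21}"
```

Run it as root from a separate daily cron entry; cron mails any output, and the non-zero exit status can feed a monitoring tool.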

Updating the Let’s Encrypt Client (optional) 

Whenever new updates are available for the client, you can update your local copy by running a git pull from inside the Let’s Encrypt directory:

cd /opt/letsencrypt
sudo git pull


This will download all recent changes to the repository, updating your client.

1.14. Pending 

  • enable logwatch
  • set up a backup system for the websites (backintime)
  • Create the pending email accounts
    • info@gavarrespedia.org
  • Migrate the postfix mail aliases from the old server to the new one
    • d-recerca, etc.
  • create a client and space for xissabadell
  • get the bbb videos from the old seeds4c working at intercanvis.net
  • notify jordi flores so that the other server can be cancelled
  • server monitoring system: monit and munin
  • set up a cronjob to rebuild the search index of the Tiki 12 sites
  • subdomini.seeds4c.org websites with fewer visits
  • enable https for client websites



1.15. Future potential software to use/test 

1.16. Former Errors & solutions 


1.17. Fixes to have email accounts working to receive email also (2016 March) 

The server hostname must not match the virtual email domain. Both were set to "seeds4c.org"; for email to work they must differ, so the settings were changed to the following:

/etc/hostname 

Command in a terminal
sudo nano /etc/hostname

Contents of /etc/hostname
system.seeds4c.org


I also had to rename that through the ISPConfig UI. From:
ISPConfig > System > Server > seeds4c.org > (Services) Servername: seeds4c.org

to

ISPConfig > System > Server > system.seeds4c.org > (Services) Servername: system.seeds4c.org

/etc/hosts 

Command in a terminal
sudo nano /etc/hosts

Contents of /etc/hosts
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

127.0.0.1 localhost.localdomain localhost
# Auto-generated hostname. Please do not remove this comment.
37.247.124.71 system.seeds4c.org  seeds4c seedling
::1		localhost ip6-localhost ip6-loopback


/etc/mailname 

Command in a terminal
sudo nano /etc/mailname

Contents of /etc/mailname
mail.seeds4c.org


/etc/postfix/main.cf 

Then, change myhostname and mydestination to get different names:

Command in a terminal
sudo nano /etc/postfix/main.cf

Contents of /etc/postfix/main.cf
#...
myhostname = system.seeds4c.org
#...

#...
mydestination = mail.seeds4c.org, localhost, localhost.localdomain
#...



Ensure that there is an MX record at the domain management level. In my case, at:
https://ecodim-dns.net/manager/ispmgr?startpage=domain (click on seeds4c.org)

Name: seeds4c.org.
Type: MX (mail server)
Address or domain name: mail
Priority: 10


An A (Internet address) record pointing to the server IP must be defined too:

Name: mail:
Type: A (Internet address)
Address or domain name: 37.247.124.71


Then restart postfix:

sudo service postfix restart
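A check for the condition this section fixes, as an added example that is not part of the original page: it reads myhostname and mydestination from a main.cf and reports any virtual mail domain that is also a local name. The function names, the "before" sample and the domain list passed in are constructed for illustration; on the server, pass /etc/postfix/main.cf and the mail domains defined in ISPConfig.

```shell
# Added example: find virtual mail domains that are also local Postfix names.

# Prints the value of parameter $2 from main.cf-style file $1. Lines that
# start with whitespace continue the previous parameter, as in Postfix.
postfix_param() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur == want) val = val " " $0; next }
        {
            cur = $0; sub(/[ \t]*=.*/, "", cur)
            if (cur == want) { val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
        }
        END { print val }' "$1"
}

# Prints the mydestination entries of file $1, one per line, with the
# $myhostname reference expanded (other $variables are left untouched).
local_names() {
    host=$(postfix_param "$1" myhostname)
    postfix_param "$1" mydestination \
        | sed 's/[$]myhostname/'"$host"'/g' \
        | tr ', \t' '\n\n\n' | sed '/^$/d'
}

# Usage: find_clashes MAIN_CF DOMAIN...  Prints a line for every virtual
# domain that is also a local name and returns 1 if there is at least one.
find_clashes() {
    conf=$1; shift; found=0
    names=$( { postfix_param "$conf" myhostname; local_names "$conf"; } | tr 'A-Z' 'a-z' )
    for dom in "$@"; do
        if echo "$names" | grep -qxF "$(echo "$dom" | tr 'A-Z' 'a-z')"; then
            echo "CLASH $dom is a virtual mail domain and a local name"
            found=1
        fi
    done
    return "$found"
}

# Constructed samples: "before" models the broken state described above,
# "after" uses the myhostname and mydestination values from this page.
write_samples() {
    printf 'myhostname = seeds4c.org\nmydestination = $myhostname,\n  localhost, localhost.localdomain\n' > "$1/before.cf"
    printf 'myhostname = system.seeds4c.org\nmydestination = mail.seeds4c.org, localhost, localhost.localdomain\n' > "$1/after.cf"
}

demo=$(mktemp -d); write_samples "$demo"
find_clashes "$demo/before.cf" seeds4c.org d-recerca.org || true
find_clashes "$demo/after.cf" seeds4c.org d-recerca.org
rm -rf "$demo"
```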


Webmail: https://seeds4c.org:8080/webmail/ (Squirrelmail so far)

1.18. Check and fix all mysql tables in one go 

# To check and repair
sudo mysqlcheck -u root -p --auto-repair --check --all-databases
