Wednesday, July 14, 2010

Install ISPConfig on CentOS 5.5

SkyHi @ Wednesday, July 14, 2010

This tutorial shows you how to prepare a CentOS 5.5 x86_64 (ve) Server for the installation of ISPConfig 3. ISPConfig is an open source hosting control panel for Linux which is licensed under the BSD license. It allows you to configure the following services through a web browser: Apache web server, Postfix mail server, MySQL, BIND nameserver, vsftpd, SpamAssassin, ClamAV, and many more through an easy to use interface for administrators, resellers and clients.

Please keep in mind that your (ve) Server is very much a blank slate when provisioned. It is your responsibility to administer your server from Day 1. Following the information below will definitely help you on your way, but is not supported in any way by (mt) Media Temple.

In this tutorial I use the hostname with the IP address These settings will differ for you, so you have to replace them where appropriate.

Getting around 'noexec' issues with /tmp

Many simple exploits that are used against machines, (via vulnerable PHP applications or local users, etc), rely upon being able to execute commands in /tmp. As a security precaution, /tmp is mounted with noexec. This is a good thing and should generally stay this way. There are some circumstances where you may need to have /tmp executable.

mkdir ~/tmp
mount --bind ~/tmp /tmp

Keep in mind that if you reboot your (ve) after you've done this, /tmp and /var/tmp will return to 'noexec'.

Logging in as root
By default, all of the distributions offered with your (ve) Server have only the root user installed. For security reasons we do not include the root password in your Service Activation Letter. To obtain the root user password, you will need to visit the "SSH Access" section of your (ve) Control Panel in the AccountCenter. Then you can change the password to one you know.

After you change the password, you can simply use a ssh client to connect to your server using your new password and root as the user. If you do not have a domain name that is currently resolving to your server, you can use the IP address that has been assigned.


Using YUM
In most of this article you will be using YUM (Yellow dog Updater, Modified), which is the default package manager used in CentOS ( all versions ). It is used to install and update packages from CentOS (and 3rd party) Repositories. After running a command, you will be prompted with "Is this ok [y/N]:", this will usually be yes, so type "y" and hit enter.

Using vi
vi is a family of screen-oriented text editors which share certain characteristics, such as methods of invocation from the operating system command interpreter, and characteristic user interface features. If you are not familiar with vi, you can refer to the article Mastering the VI editor.



Install Some Software

First we import the GPG keys for software packages:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Next we exclude postfix from base and updates, include postfix in centosplus, then enable the contrib and centosplus repositories:

vi /etc/yum.repos.d/CentOS-Base.repo

Edit the lines below:


Then we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum groupinstall 'Development Tools'
yum groupinstall 'Development Libraries'

Install Apache, MySQL, phpMyAdmin

First we enable the RPMforge repository on our CentOS system as lots of the packages that we are going to install in the course of this tutorial are not available in the official CentOS 5.5 repositories:

rpm --import
cd /tmp
rpm -ivh rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm

(If the above link doesn't work anymore, you can find the current version of rpmforge-release here:

Afterwards, we can install the needed packages with one single command:

yum install ntp httpd mysql-server php php-mysql php-mbstring php-mcrypt phpmyadmin

Install Dovecot

There's a Dovecot package in the CentOS repository, but unfortunately it doesn't support MySQL. Therefore we must we install the Dovecot package (from ATrpms) which comes with MySQL support:

rpm -ivh
rpm -ivh
rm -fr /usr/lib/dovecot/
ln -s /usr/lib64/dovecot/ /usr/lib/dovecot

Now we create the system startup links for Dovecot:

chkconfig --levels 235 dovecot on
/etc/init.d/dovecot start

Install Postfix With MySQL Support

The "normal" Postfix package from the CentOS repository doesn't have MySQL, but the Postfix package from the CentOS Plus repository does. Therefore we install it from the CentOS Plus repository:

yum install postfix

Then we start Postfix and MySQL:

chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
chkconfig --levels 235 postfix on
/etc/init.d/postfix start

Install Getmail

Getmail can be installed as follows:

yum install getmail

Set MySQL Passwords And Configure phpMyAdmin

Set passwords for the MySQL root account:


In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorization.

Set root password? [Y/n] <-- ENTER
New password: <-- yourrootsqlpassword
Re-enter new password: <-- yourrootsqlpassword
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] <-- ENTER
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] <-- ENTER
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] <-- ENTER
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] <-- ENTER
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

Now we configure phpMyAdmin. We change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the stanza):

vi /etc/httpd/conf.d/phpmyadmin.conf
# Web application to manage MySQL

# Order Deny,Allow
# Deny from all
# Allow from

Alias /phpmyadmin /usr/share/phpmyadmin
Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /mysqladmin /usr/share/phpmyadmin

Next we change the authentication in phpMyAdmin from cookie to http:

vi /usr/share/phpmyadmin/
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';

Then we create the system startup links for Apache and start it:

chkconfig --levels 235 httpd on
/etc/init.d/httpd start

Now you can direct your browser to or and log in with the user name root and your new root MySQL password.

Install Amavisd-new, SpamAssassin And ClamAV

To install amavisd-new, spamassassin and clamav, run the following command:

yum install amavisd-new spamassassin clamav clamd unzip bzip2 unrar perl-DBD-mysql

Open /etc/sysconfig/amavisd...

vi /etc/sysconfig/amavisd

... and add the line CONFIG_FILE="/etc/amavisd/amavisd.conf":

### Uncomment this if you want to use amavis with sendmail milter interface.
### See README.milter for details.

### These are other defaults.

Then we start freshclam, amavisd, and clamd...

It is OK if you see errors during next command.

chkconfig --levels 235 amavisd on
chkconfig --levels 235 clamd on
/etc/init.d/amavisd start
/etc/init.d/clamd start

... and create some necessary directories:

mkdir /var/run/amavisd /var/spool/amavisd /var/spool/amavisd/tmp /var/spool/amavisd/db
chown amavis /var/run/amavisd /var/spool/amavisd /var/spool/amavisd/tmp /var/spool/amavisd/db
ln -s /var/run/clamav/clamd.sock /var/spool/amavisd/clamd.sock

Installing Apache2 With mod_php, mod_fcgi/PHP5, And suPHP

ISPConfig 3 allows you to use mod_php, mod_fcgi/PHP5, cgi/PHP5, and suPHP on a per website basis. mod_fcgid is not available in the official CentOS repositories, but there's a package for CentOS 5.x in the testing repository. We enable the repository as follows:

cd /etc/yum.repos.d/

Next we open /etc/yum.repos.d/kbsingh-CentOS-Extras.repo...

vi /etc/yum.repos.d/kbsingh-CentOS-Extras.repo

... and set enabled to 1 in the [kbs-CentOS-Testing] section:

name=CentOS.Karan.Org-EL$releasever - Testing

Afterwards we can install Apache2with mod_php5, mod_fcgid, and PHP5:

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-mbstring php-mcrypt php-mhash php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel

Next we open /etc/php.ini...

vi /etc/php.ini

... and change the error reporting (so that notices aren't shown any longer). Uncomment "error_reporting = E_ALL & ~E_NOTICE" and comment out ;error_reporting = E_ALL. Then add cgi.fix_pathinfo = 1 at the end of the file:

error_reporting = E_ALL & ~E_NOTICE
;error_reporting = E_ALL
cgi.fix_pathinfo = 1

Next we install suPHP:

mkdir ~/tmp
mount --bind ~/tmp /tmp
cd /tmp
tar xvfz suphp-0.7.1.tar.gz
cd suphp-0.7.1/
./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=owner --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
make install

Then we add the suPHP module to our Apache configuration...

vi /etc/httpd/conf.d/suphp.conf
LoadModule suphp_module modules/

... and create the file /etc/suphp.conf as follows:

vi /etc/suphp.conf
;Path to logfile
;User Apache is running as
;Path all scripts have to be in
;Path to chroot() to before executing script
; Security options
;Check wheter script is within DOCUMENT_ROOT
;Send minor error messages to browser
;PATH environment variable
;Umask to set, specify in octal notation
; Minimum UID
; Minimum GID
;Handler for php-scripts
;Handler for CGI-scripts

Finally we restart Apache:

/etc/init.d/httpd restart

Install vsftpd

yum install vsftpd

After installing, make sure that the service is running by doing:

chkconfig vsftpd on

Last, turn on the service itself:

service vsftpd start

Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot

Then do this:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local /var/named/chroot/var/named/named.local
cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root /var/named/chroot/var/named/named.root
touch /var/named/chroot/etc/named.conf.local

We now copy the contents below into the named.conf file.

vi /var/named/chroot/etc/named.conf
// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.
options {
listen-on port 53 {; };
listen-on-v6 port 53 { ::1; };
directory "/var/named/chroot/var/named";
dump-file "/var/named/chroot/var/named/data/cache_dump.db";
statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
recursion yes;
logging {
channel default_debug {
file "data/";
severity dynamic;
zone "." IN {
type hint;
file "named.root";
include "/var/named/chroot/etc/named.conf.local";
chkconfig --levels 235 named on
/etc/init.d/named start

BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

Install Vlogger And Webalizer

Vlogger and webalizer can be installed as follows:

yum install webalizer perl-DateTime-Format-HTTP perl-DateTime-Format-Builder
cd /tmp
tar xvfz vlogger-1.3.tar.gz
mv vlogger-1.3/vlogger /usr/sbin/
rm -rf vlogger*

Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

mount --bind ~/tmp /tmp
cd /tmp
tar xvfz jailkit-2.11.tar.gz
cd jailkit-2.11
make install
cd ..
rm -rf jailkit-2.11*

Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

yum install fail2ban
chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start

Install rkhunter

rkhunter can be installed as follows:

yum install rkhunter

Install SquirrelMail

To install the SquirrelMail webmail client, run...

yum install squirrelmail

... and restart Apache:

/etc/init.d/httpd restart

Then configure SquirrelMail:


We must tell SquirrelMail that we are using Courier-IMAP/-POP3:

SquirrelMail Configuration : Read: config.php (1.4.0)
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color off
S Save data
Q Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.

Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server

quit = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix =
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color off
S Save data
Q Quit

Command >> <--S

Data saved in config.php
Press enter to continue...

SquirrelMail Configuration : Read: config.php (1.4.0)
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color off
S Save data
Q Quit

Command >> <--Q

One last thing we need to do is modify the file /etc/squirrelmail/config_local.php and comment out the $default_folder_prefix variable - if you don't do this, you will see the following error message in SquirrelMail after you've logged in: Query: CREATE "Sent" Reason Given: Invalid mailbox name.

vi /etc/squirrelmail/config_local.php

* Local config overrides.
* You can override the config.php settings here.
* Don't do it unless you know what you're doing.
* Use standard PHP syntax, see config.php for examples.
* @copyright © 2002-2006 The SquirrelMail Project Team
* @license GNU Public License
* @version $Id: config_local.php,v 1.2 2006/07/11 03:33:47 wtogami Exp $
* @package squirrelmail
* @subpackage config

//$default_folder_prefix = '';

Now you can type in or in your browser to access SquirrelMail.

Install ISPConfig 3

To install ISPConfig 3 from the latest released version, do this:

mount --bind ~/tmp /tmp
cd /tmp
tar xvfz ISPConfig-
cd ispconfig3_install/install/

(Replace ISPConfig- with the latest version.)

The next step is to run

php -q install.php

This will start the ISPConfig 3 installer:

_____ ___________ _____ __ _
|_ _/ ___| ___ \ / __ \ / _(_)
| | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _
| | `--. \ __/ | | / _ \| '_ \| _| |/ _` |
_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| |
\___/\____/\_| \____/\___/|_| |_|_| |_|\__, |
__/ |

>> Initial configuration

Operating System: Redhat or compatible, unknown version.

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with .
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld []: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- yourrootsqlpassword

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 2048 bit RSA private key
writing new private key to 'smtpd.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]: <-- ENTER
State or Province Name (full name) [Berkshire]: <-- ENTER
Locality Name (eg, city) [Newbury]: <-- ENTER
Organization Name (eg, company) [My Company Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, your name or your server's hostname) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring vlogger
Configuring Apps vhost
Configuring Firewall
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Configuring DBServer
Installing Crontab
no crontab for root
no crontab for getmail
Restarting services ...
Stopping MySQL: [ OK ]
Starting MySQL: [ OK ]
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
Stopping saslauthd: [FAILED]
Starting saslauthd: [ OK ]
Shutting down Mail Virus Scanner (amavisd): [FAILED]
Starting Mail Virus Scanner (amavisd): [ OK ]
Stopping Dovecot Imap: [ OK ]
If you have trouble with authentication failures,
enable auth_debug setting. See
This message goes away after the first successful login.
Starting Dovecot Imap: [ OK ]
Stopping httpd: [ OK ]
[Tue May 25 18:15:57 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
Starting httpd: [ OK ]
Stopping pure-ftpd: [ OK ]
Starting pure-ftpd: [ OK ]
Installation completed.

The installer automatically configures all underlying services, so no manual configuration is needed.

Afterwards you can access ISPConfig 3 under or Log in with the username admin and the password admin (you should change the default password after your first login):

Reboot Your Server

Now we reboot your so that /tmp and /var/tmp will return to 'noexec'.