Server seed11 - seeds4c.org 2016


1.1. Introducció

Virtual server with Ubuntu 16.04 & ISPConfig3.1, to replace older seeds4c.org with Ubuntu 14.04.

1.2. Domain

https://seeds4c.org
Temporarily: semillaspec.org

user: root
pass: (ask Xavi)

S.O: Ubuntu 16.04 server 64 bit
4 GB RAM (approx.), 8 CPUs, 50 GB hard drive (+ 50 GB free to expand where needed with LVM).

1.2.1. Initial Configuration

1.2.1.1. Locale Configuration

You get these messages when installing any package:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "ca_ES.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").


You need to add the locale for your language:

Command to run in a terminal
sudo apt-get install language-pack-ca-base


In Ubuntu 16.04 there seems to be no need to change locales manually; they are already changed automagically in the previous step.

1.3. Network configuration (ubuntu 16.04 server)

The network has to be configured inside the virtual machine with Ubuntu 16.04, bearing in mind that in Ubuntu 16.04 the primary network interface is no longer called eth0 but ensNN, where NN is a two-digit number that I still don't know what it depends on. Xavi


To find out the exact name, we check it with

ifconfig


and it answers ens18 in the case of vm111 - seed11.

Therefore:

Command in a terminal
sudo nano /etc/network/interfaces

Contents of /etc/network/interfaces for vm 111 (seed11.seeds4c.org - 37.59.240.173 | 02:00:00:39:13:0c)
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens18
iface ens18 inet static
address 37.59.240.173
netmask 255.255.255.255
broadcast 37.59.240.173
dns-nameservers 8.8.8.8 8.8.4.4
dns-search local
post-up route add 94.23.26.254 dev ens18
post-up route add default gw 94.23.26.254
pre-down route del 94.23.26.254 dev ens18
pre-down route del default gw 94.23.26.254


Then reboot the VM or bring the interface up with ifup ens18 (the tutorial says ifup eth0, but on this server the interface is ens18, as found above).

Command in a terminal
sudo reboot now

1.4. Set hostname

root@seed11:~# hostname
seed11
root@seed11:~# hostname -f
seed11
root@seed11:~# hostname seed11.seeds4c.org
root@seed11:~# hostnamectl set-hostname seed11.seeds4c.org
root@seed11:~# hostnamectl
   Static hostname: seed11.seeds4c.org
         Icon name: computer-vm
           Chassis: vm
        Machine ID: longhash
           Boot ID: anotherlonghsah
    Virtualization: qemu
  Operating System: Ubuntu 16.04.1 LTS
            Kernel: Linux 4.4.0-38-generic
      Architecture: x86-64
root@seed11:~#

1.4.1. Installing ISP-Config 3

https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/

ISPConfig 3 manual. Bought (PayPal payment receipt 130518).

20 MB. Reduced version at 150 dpi (4.7 MB): ISPConfig 3 Manual 150dpi

Some version is also available online here:

ISPConfig 3 Manual - Compuland - 25/10/2011 (20Mb)
http://www.compuland.com.br/helio/ispconfig_3_manual.pdf


2. Edit sources.list

sudo apt-get install nano
sudo nano /etc/apt/sources.list


Update the list of sources to this one:

Contents of /etc/apt/sources.list after editing
# deb cdrom:[Ubuntu-Server 16.04 LTS _Xenial Xerus_ - Release amd64 (20160420)]/ xenial main restricted

#deb cdrom:[Ubuntu-Server 16.04 LTS _Xenial Xerus_ - Release amd64 (20160420)]/ xenial main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ xenial main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://de.archive.ubuntu.com/ubuntu/ xenial universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial universe
deb http://de.archive.ubuntu.com/ubuntu/ xenial-updates universe
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ xenial multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial multiverse
deb http://de.archive.ubuntu.com/ubuntu/ xenial-updates multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu xenial partner
# deb-src http://archive.canonical.com/ubuntu xenial partner

deb http://security.ubuntu.com/ubuntu xenial-security main restricted
# deb-src http://security.ubuntu.com/ubuntu xenial-security main restricted
deb http://security.ubuntu.com/ubuntu xenial-security universe
# deb-src http://security.ubuntu.com/ubuntu xenial-security universe
deb http://security.ubuntu.com/ubuntu xenial-security multiverse
# deb-src http://security.ubuntu.com/ubuntu xenial-security multiverse


then run

sudo apt-get update
sudo apt-get upgrade
sudo reboot

3 Change The Default Shell


/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash


Use dash as the default system shell (/bin/sh)? <-- No

If you don't do this, the ISPConfig installation will fail.

4 Disable AppArmor

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

service apparmor stop 
update-rc.d -f apparmor remove 
apt-get remove apparmor apparmor-utils



However it seems that apparmor is not installed by default so far. So nothing to do.

root@seeds4c:~# service apparmor stop 
apparmor: unrecognized service
root@seeds4c:~# update-rc.d -f apparmor remove 
 Removing any system startup links for /etc/init.d/apparmor ...
root@seeds4c:~# apt-get remove apparmor apparmor-utils
S'està llegint la llista de paquets… Fet 
S'està construint l'arbre de dependències       
S'està llegint la informació de l'estat… Fet
Package 'apparmor' is not installed, so not removed
Package 'apparmor-utils' is not installed, so not removed
0 actualitzats, 0 nous a instaŀlar, 0 a suprimir i 0 no actualitzats.

5 Synchronize the System Clock


It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get -y install ntp ntpdate


and your system time will always be in sync.

Change time zone to match your local time zone

root@seeds4c:~# date
dc jun 11 03:25:25 EDT 2014
root@seeds4c:~# sudo dpkg-reconfigure tzdata

Current default time zone: 'Europe/Madrid'
Local time is now:      dc jun 11 09:25:53 CEST 2014.
Universal Time is now:  Wed Jun 11 07:25:53 UTC 2014.


root@seeds4c:~# date
ds mai 18 12:25:52 CEST 2013
root@seeds4c:~#

6. Install Postfix, Dovecot, MariaDB, rkhunter and binutils

For installing postfix, we need to ensure that sendmail is not installed and running. To stop and remove sendmail run this command:

service sendmail stop; update-rc.d -f sendmail remove


The error message:

Failed to stop sendmail.service: Unit sendmail.service not loaded.

is OK; it just means that sendmail was not installed, so there was nothing to remove.

Now we can install Postfix, Dovecot, MariaDB (as MySQL replacement), rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo


You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

It is important that you use a subdomain as "system mail name" like server1.example.com or server1.yourdomain.com and not a domain that you want to use as email domain (e.g. yourdomain.tld) later.

Next, open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/master.cf


Uncomment the submission and smtps sections as follows - add the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject to both sections and leave everything thereafter commented:

[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]


NOTE: The whitespaces in front of the "-o .... " lines are important!
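As an added check (not part of the original page or of the ISPConfig project), this Python script parses a master.cf the way Postfix does (a line starting with whitespace continues the previous service entry) and verifies that submission and smtps carry the SASL, TLS and client-restriction options shown above. The embedded master.cf is a constructed sample whose smtps entry has one -o line without the leading whitespace, so it shows how that mistake is reported.

```python
# Checker for the submission/smtps hardening in Postfix master.cf.
# Constructed sample: the last "-o" line of smtps lacks the leading whitespace,
# so Postfix would not treat it as part of the smtps entry.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    unix  n       -       y       60      1       pickup
"""

# Same file with the missing whitespace restored (only the smtps line is unindented).
FIXED_MASTER_CF = SAMPLE_MASTER_CF.replace("\n-o smtpd_client", "\n  -o smtpd_client")

# Options the tutorial above sets on the two MUA ports.
REQUIRED = {
    "submission": {"smtpd_sasl_auth_enable": "yes",
                   "smtpd_tls_security_level": "encrypt",
                   "smtpd_client_restrictions": "permit_sasl_authenticated,reject"},
    "smtps": {"smtpd_sasl_auth_enable": "yes",
              "smtpd_tls_wrappermode": "yes",
              "smtpd_client_restrictions": "permit_sasl_authenticated,reject"},
}


def parse_master_cf(text):
    """Return ({service: {option: value}}, [malformed lines]).

    A service line has 8 fields (name type private unpriv chroot wakeup
    maxproc command); a line beginning with whitespace continues the previous
    entry. '-o name=value' pairs are collected per service."""
    services, malformed, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:          # continuation with nothing to continue
                malformed.append(raw)
                continue
            args = raw.split()
        else:
            fields = raw.split()
            if len(fields) < 8:          # e.g. an unindented "-o ..." line
                malformed.append(raw)
                current = None
                continue
            current = fields[0]
            services[current] = {}
            args = fields[8:]
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                name, value = args[i + 1].split("=", 1)
                services[current][name] = value
                i += 2
            else:
                i += 1
    return services, malformed


def check_mua_ports(text):
    """List every deviation from REQUIRED plus every malformed line."""
    services, malformed = parse_master_cf(text)
    problems = [f"malformed line (missing leading whitespace?): {l.strip()}"
                for l in malformed]
    for svc, required in REQUIRED.items():
        opts = services.get(svc)
        if opts is None:
            problems.append(f"{svc}: service not enabled")
            continue
        for name, want in required.items():
            got = opts.get(name)
            if got != want:
                problems.append(f"{svc}: {name}={got!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    for label, cf in (("sample", SAMPLE_MASTER_CF), ("fixed", FIXED_MASTER_CF)):
        print(label, check_mua_ports(cf) or "OK")
```

Run it against the real file with `check_mua_ports(open("/etc/postfix/master.cf").read())` after editing.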

Restart Postfix afterwards:

service postfix restart


We want MySQL to listen on all interfaces, not just localhost. Therefore, we edit /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the line bind-address = 127.0.0.1. Note that this exposes port 3306 to the network: remote root login is disallowed by mysql_secure_installation below, and the UFW firewall installed later should block the port from untrusted hosts.

nano /etc/mysql/mariadb.conf.d/50-server.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]


Now we set a root password in MariaDB. Run:

mysql_secure_installation


You will be asked these questions:

Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y


Then we restart MariaDB:

service mysql restart




Now check that networking is enabled. Run

netstat -tap | grep mysql


The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp6 0 0 [::]:mysql [::]:* LISTEN 5230/mysqld
root@server1:~#


7 Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey


If the amavisd-new installation fails because of a wrong hostname, you can set it by hand at:

nano /etc/amavis/conf.d/05-node_id


and set $myhostname by hand; in this case, I used seed11.seeds4c.org:

$myhostname = "seed11.seeds4c.org";


The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

service spamassassin stop
update-rc.d -f spamassassin remove


Edit the clamd configuration file:

nano /etc/clamav/clamd.conf


and change the line:

AllowSupplementaryGroups false


to:

AllowSupplementaryGroups true


And save the file. To start ClamAV use:

freshclam
service clamav-daemon start


The following warning can be ignored on the first run of freshclam, as we start the ClamAV daemon after we have updated the database.

WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory

7.1 Install Metronome XMPP Server (optional) - Skipped

I skip this part.

8. Install Apache, PHP, phpMyAdmin, FCGI, SuExec, Pear, and mcrypt

Section 2:
https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/2/

Apache2, PHP 7, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php php7.0 php7.0-common php7.0-gd php7.0-mysql php7.0-imap phpmyadmin php7.0-cli php7.0-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear php-auth php7.0-mcrypt mcrypt  imagemagick libruby libapache2-mod-python php7.0-curl php7.0-intl php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl memcached php-memcache php-imagick php-gettext php7.0-zip php7.0-mbstring


You will see the following question:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- Yes
MySQL application password for phpmyadmin: <-- Press enter

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include cgi
a2enmod dav_fs dav auth_digest headers


To ensure that the server cannot be attacked through the HTTPOXY vulnerability, I will disable the HTTP_PROXY header in Apache globally.

sudo nano /etc/apache2/conf-available/httpoxy.conf


Paste this content to the file:

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>


Enable the config file by running:

a2enconf httpoxy


Restart Apache afterward:

service apache2 restart


If you want to host Ruby files with the extension .rb on your web sites created through ISPConfig, you must comment out the line application/x-ruby rb in /etc/mime.types:

nano /etc/mime.types

[...]
#application/x-ruby                             rb
[...]


(This is needed only for .rb files; Ruby files with the extension .rbx work out of the box.)

Restart Apache afterwards:

service apache2 restart


8.1 PHP Opcode cache

APCu is a free PHP cache for caching and optimizing PHP intermediate code. It is strongly recommended to have one installed to speed up your PHP pages.

APCu can be installed as follows:

apt-get install php7.0-opcache php-apcu


Now restart Apache:

service apache2 restart

8.2 PHP-FPM

To use PHP-FPM with Apache, we need the mod_fastcgi Apache module (please don't mix this up with mod_fcgid - they are very similar, but you cannot use PHP-FPM with mod_fcgid). We can install PHP-FPM and mod_fastcgi as follows:

apt-get install libapache2-mod-fastcgi php7.0-fpm


Once installed, enable the module and restart Apache:

a2enmod actions fastcgi alias
service apache2 restart

8.3 Additional PHP Versions


It is possible to have multiple PHP versions on one server (selectable through ISPConfig) which can be run through FastCGI and PHP-FPM. To learn how to build additional PHP versions (PHP-FPM and FastCGI) and how to configure ISPConfig, please check this tutorial: How To Use Multiple PHP Versions (PHP-FPM & FastCGI) With ISPConfig 3 (Ubuntu 12.10) (works for Ubuntu 16.04 as well).

8.4 Install HHVM (HipHop Virtual Machine)

In this step we will install HHVM with apt. HHVM is a fast PHP engine developed by Facebook.

sudo apt-get install hhvm

9. Install Let's Encrypt


ISPConfig 3.1 has built-in support for the free SSL Certificate Authority Let's Encrypt. The Let's Encrypt function allows you to create free SSL certificates for your websites in ISPConfig.

Now we will add support for Let's Encrypt.

mkdir /opt/certbot
cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto

Now run the certbot-auto command, which will download and install the software and its dependencies.

./certbot-auto


The command will then tell you that "no names were found in your configuration files" and ask whether it should continue; please choose "no" here, as the certs will be created by ISPConfig.

I got this error, however:

(...)
Setting up libffi-dev:amd64 (3.2.1-4) ...
Processing triggers for libc-bin (2.23-0ubuntu3) ...
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /home/xavi/.local/sh...ncrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1
root@seed11:/opt/certbot#


I seem to have avoided the issue by means of installing some extra packages (see below).

I did not get the Let's Encrypt certificates created by ISPConfig (maybe some issue was there since I migrated the ISPConfig from an Ubuntu 14.04 server to a new one with 16.04?).

I seem to have avoided the issue by means of running manually the /opt/certbot/certbot-auto and accepting to choose the domains/sites for which I wanted the certificates created.



Extra info: I had some error like:

File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 193, in recv    [self.socket], [], [], self.socket.gettimeout())


And googling a bit for this type of error, I installed a few extra Python packages (just in case), and now I seem to be able to avoid the timeout, and everything ran smoothly (12 domains in the same go, wohooo!)

The extra packages I installed:

sudo apt-get install python-pip
pip install pyopenssl ndg-httpsclient pyasn1

15 Install Mailman - Skipped

11. Install PureFTPd and Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool


Edit the file /etc/default/pure-ftpd-common...

nano /etc/default/pure-ftpd-common


... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:

Contents of /etc/default/pure-ftpd-common
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]


Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS


In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/


Afterwards, we can generate the SSL certificate as follows:

root@server:~# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Generating a 2048 bit RSA private key
.+++
..............+++
writing new private key to '/etc/ssl/private/pure-ftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Catalonia
Locality Name (eg, city) []:Barcelona
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Seeds for change (Seeds4c)        
Organizational Unit Name (eg, section) []:Seed Bank
Common Name (e.g. server FQDN or YOUR name) []:seeds4c.org
Email Address []:xavi@seeds4c.org
root@server:~#


Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem


Then restart PureFTPd:

service pure-ftpd-mysql restart


I skip the following part of editing fstab since I will not be using quota, to avoid issues in the dimensis backup system.

Edit /etc/fstab. The tutorial author's looked like this (he added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):

nano /etc/fstab

Contents of the file on seed11.seeds4c.org after editing
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/seed11--vg-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
# /boot was on /dev/sda1 during installation
UUID=b0bad8a4-135c-4dab-a29a-a7558be1d4bf /boot           ext2    defaults        0       2
/dev/mapper/seed11--vg-swap_1 none            swap    sw              0       0


To enable quota, run these commands:

mount -o remount /
quotacheck -avugm
quotaon -avug


Which will show the following output:

root@server1:~# quotacheck -avugm
quotacheck: Scanning /dev/mapper/server1--vg-root [/] done
quotacheck: Cannot stat old user quota file //quota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old user quota file //quota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Checked 11642 directories and 81307 files
quotacheck: Old file not found.
quotacheck: Old file not found.
root@server1:~# quotaon -avug
/dev/mapper/server1--vg-root [/]: group quotas turned on
/dev/mapper/server1--vg-root [/]: user quotas turned on


17 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils haveged


18 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl


Open /etc/cron.d/awstats afterwards...

nano /etc/cron.d/awstats


... and comment out everything in that file:

#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh


14 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.11 libtool flex bison debhelper binutils
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
./debian/rules binary


You can now install the Jailkit .deb package as follows:

cd ..
dpkg -i jailkit_2.19-1_*.deb
rm -rf jailkit-2.19*



20 Install fail2ban and UFW

This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban


To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local:

nano /etc/fail2ban/jail.local

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled  = true
port     = smtp
filter   = postfix-sasl
logpath  = /var/log/mail.log
maxretry = 3


Then create the following two filter files:

nano /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =


Add the missing ignoreregex line in the postfix-sasl file:

echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
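As an added example (not part of the original page or of fail2ban itself), this Python script runs the two failregex patterns from the filter files above over constructed syslog and mail.log lines, counts failures per source host and reports which hosts have reached the maxretry values from jail.local (the findtime window is ignored). The expansion used for the <HOST> placeholder is a simplified stand-in for fail2ban's own, which is an assumption.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with a named group; this simplified expansion is an
# assumption, sufficient for IPv4/IPv6 literals and hostnames in these logs.
HOST = r"(?P<host>[\w\-.:]+)"

# failregex copied from the two filter files; maxretry values from jail.local.
FILTERS = {
    "pureftpd": {
        "failregex": r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*",
        "maxretry": 3,
    },
    "dovecot-pop3imap": {
        "failregex": (r"(?: pop3-login|imap-login): .*(?:Authentication failure"
                      r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
                      r"|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts)"
                      r".*rip=(?P<host>\S*),.*"),
        "maxretry": 5,
    },
}

# Constructed sample lines in the format of /var/log/syslog (pure-ftpd) and
# /var/log/mail.log (dovecot); addresses are RFC 5737 documentation ranges.
SYSLOG = """\
Nov  2 10:15:01 seed11 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]
Nov  2 10:15:04 seed11 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [root]
Nov  2 10:15:09 seed11 pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [xavi]
Nov  2 10:15:12 seed11 pure-ftpd: (xavi@203.0.113.9) [INFO] xavi is now logged in
Nov  2 10:15:20 seed11 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [test]
""".splitlines()

MAILLOG = """\
Nov  2 10:16:02 seed11 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<xavi>, method=PLAIN, rip=198.51.100.7, lip=37.59.240.173, TLS
Nov  2 10:16:05 seed11 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=198.51.100.7, lip=37.59.240.173, TLS
Nov  2 10:16:08 seed11 dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): user=<info>, rip=198.51.100.7, lip=37.59.240.173
Nov  2 10:16:11 seed11 dovecot: imap-login: Aborted login (5 authentication attempts in 20 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=37.59.240.173, TLS
Nov  2 10:16:13 seed11 dovecot: imap-login: Login: user=<xavi>, method=PLAIN, rip=198.51.100.20, lip=37.59.240.173, TLS
Nov  2 10:16:15 seed11 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<root>, method=PLAIN, rip=198.51.100.7, lip=37.59.240.173, TLS
Nov  2 10:16:20 seed11 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<root>, method=PLAIN, rip=198.51.100.8, lip=37.59.240.173, TLS
""".splitlines()


def compile_failregex(pattern):
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(pattern.replace("<HOST>", HOST))


def failed_hosts(filter_name, lines):
    """Count lines matching the filter's failregex, keyed by the captured host."""
    regex = compile_failregex(FILTERS[filter_name]["failregex"])
    hits = Counter()
    for line in lines:
        m = regex.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(filter_name, lines):
    """Hosts whose failure count reached the jail's maxretry."""
    maxretry = FILTERS[filter_name]["maxretry"]
    return sorted(h for h, n in failed_hosts(filter_name, lines).items() if n >= maxretry)


if __name__ == "__main__":
    for name, log in (("pureftpd", SYSLOG), ("dovecot-pop3imap", MAILLOG)):
        print(name, dict(failed_hosts(name, log)), "-> ban:", hosts_to_ban(name, log))
```

On the real server, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf` performs the same matching with fail2ban's own <HOST> handling.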


Restart fail2ban afterwards:

service fail2ban restart


To install the UFW firewall, run this apt command:

apt-get install ufw

Continue with section 3

https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/3/

16. Install Roundcube Webmail

17. Install ISPConfig 3

To install ISPConfig 3 from the latest released version, do this:

cd /tmp
wget -O ispconfig.tar.gz https://git.ispconfig.org/ispconfig/ispconfig3/repository/archive.tar.gz?ref=stable-3.1
tar xfz ispconfig.tar.gz
cd ispconfig3*/install/


The next step is to run

php -q install.php


This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you. A manual setup as required for ISPConfig 2 (perfect setup guides) is not necessary.

# php -q install.php


--------------------------------------------------------------------------------
_____ ___________ _____ __ _ ____
|_ _/ ___| ___ \ / __ \ / _(_) /__ \
| | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ /
| | `--. \ __/ | | / _ \| '_ \| _| |/ _` | |_ |
_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \
\___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/
__/ |
|___/
--------------------------------------------------------------------------------


>> Initial configuration

Operating System: Debian 8.0 (Jessie) or compatible

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.


Select language (en,de) [en]: <-- Hit Enter

Installation mode (standard,expert) [standard]: <-- Hit Enter

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.canomi.com]: <-- Hit Enter

MySQL server hostname [localhost]: <-- Hit Enter

MySQL server port [3306]: <-- Hit Enter

MySQL root username [root]: <-- Hit Enter

MySQL root password []: <-- Enter your MySQL root password

MySQL database to create [dbispconfig]: <-- Hit Enter

MySQL charset [utf8]: <-- Hit Enter

Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
.......................................................................++
........................................................................................................................................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the  state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Jailkit
Configuring Pureftpd
Configuring Apache
Configuring vlogger
Configuring Metronome XMPP Server
writing new private key to 'localhost.key'
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) [server1.canomi.com]: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter

Configuring Ubuntu Firewall
Configuring Fail2ban
[INFO] service OpenVZ not detected
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]:

Admin password [admin]:

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <-- Hit Enter

Generating RSA private key, 4096 bit long modulus
.......................++
................................................................................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Enter 2 letter country code
State or Province Name (full name) [Some-State]: <-- Enter the name of the  state
Locality Name (eg, city) []: <-- Enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter
Organizational Unit Name (eg, section) []: <-- Hit Enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server1.example.com
Email Address []: <-- Hit Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Hit Enter
An optional company name []: <-- Hit Enter
writing RSA key


Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.


The installer automatically configures all underlying services, so no manual configuration is needed.

Afterward you can access ISPConfig 3 under http(s)://server1.example.com:8080/ or http(s)://192.168.1.100:8080/ (HTTP or HTTPS depends on what you chose during installation). Log in with the username admin and the password admin (you should change the default password after your first login).

Once finished, you can access your control panel at:
https://seeds4c.org:8080/

The system is now ready to be used.

18. Additional Notes

18.1 Fix MySQL Login for roundcube


MariaDB enables a plugin called "unix_socket" for the root user by default. This plugin prevents the root user from logging in to PHPMyAdmin and from connecting to MySQL over TCP. Therefore, I'll deactivate that plugin with the following command:

echo "update user set plugin='' where User='root';" | mysql -u root -p mysql


Enter the MySQL / MariaDB root password when requested.

18.2 OpenVZ


If the Ubuntu server that you've just set up in this tutorial is an OpenVZ container (virtual machine), you should do this on the host system (I'm assuming that the ID of the OpenVZ container is 101 - replace it with the correct VPSID on your system):

VPSID=101
for CAP in CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE
do
  vzctl set $VPSID --capability ${CAP}:on --save
done

18.3 Virtual machine image download of this tutorial


This tutorial is available as a ready-to-use virtual machine image in ovf/ova format that is compatible with VMware and VirtualBox. The virtual machine image uses the following login details:

SSH / Shell Login

Username: administrator
Password: howtoforge

This user has sudo rights.

ISPConfig Login

Username: admin
Password: howtoforge

MySQL Login

Username: root
Password: howtoforge

The IP of the VM is 192.168.1.100, it can be changed in the file /etc/network/interfaces. Please change all the above passwords to secure the virtual machine.

Extra programs installed

sudo apt install logwatch sendemail lftp pflogsumm mc htop mailutils svn

1.5. Migrate ISPConfig3 data

With this script:
https://github.com/xavidp/bashscripts/blob/master/migrateispconfig.sh

It started to work once I had updated all domains to use the new IP, and changed the hostname from seed11.seeds4c.org to the same name as on the old server: system.seeds4c.org.

For some reason, the mysql password for the ispconfig user in mysql.user was gone. So I had to re-add it, from the value in:
vi /usr/local/ispconfig/server/lib/config.inc.php

...
$conf['db_password'] = 'VERYLONGPASSWORDSTRING';
...


And in mysql (for instance, through phpmyadmin), run this sql command:

update user set Password = PASSWORD('VERYLONGPASSWORDSTRING') WHERE User = 'ispconfig';


In addition, I had to re-create the roundcube user in mysql, with no privileges other than managing data in the roundcube database. The password for that mysql user was taken from /etc/roundcube/config.inc.php

Temporary issues (all solved)


1.6. Manage ISPConfig3

See details at:
https://doc.tiki.org/ISPConfig

Example of key section of the control panel:



For this:
http://ueb.vhir.org/blogpost9-PluginR-v0-80-released-2-new-trainings-in-July-2013

1.6.1. Add svn to jailkit ssh sessions

Sure and please, do not hesitate if you have other questions!

What version of Jailkit have you installed? There is a bug in the 2.16 release:

http://lists.gnu.org/archive/html/jailkit-users/2013-04/msg00003.html

From what I understand, normally you should only need to add '/usr/bin/svn' to 'System > Server Config > [Server] > Jailkit > Jailkit chrooted applications'. Because of this bug in the latest release which breaks '-j' usage, you need to manually run the following command for all your sites:

jk_cp /var/www/clients/[client#]/[web#] /usr/bin/svn

i.e.:

jk_cp /var/www/clients/client3/web3 /usr/bin/svn

Then Subversion will be usable at the next SSH logon. Please, also add '/usr/bin/svn' to the 'Jailkit chrooted applications' setting in ISPConfig:

- Go to 'System > Server Config > [Server] > Jailkit > Jailkit chrooted applications';
- Add '/usr/bin/svn' to the list of applications;
- Click on the 'Save' button.

If you add SVN to the default setting, the line should now read '/usr/bin/groups /usr/bin/id /usr/bin/dircolors /bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/svn'.

I hope this helps! Have a great weekend!

-- 
Eric Beaurivage (eric@avantech.net | eric.beaurivage@oriaks.com)

1.6.2. Chrooted user homes

New sites are associated with clients, and some ssh users can be created associated with that client and site.
ssh users have their chrooted environments in this absolute path on the server:

/var/www/clients/clientN/webM/


For instance, for the test case of the rol site (http://rol.r.dimensis.com) for Ferran (UEB), client uat is #3 (N in the path above), the ssh user is uatferran, and the website is #8 (M in the path above). Therefore, his website will be here:

/var/www/clients/client3/web8/


And when he logs in through ssh, he will be at the apparent path for him:

/home/uatferran/


His website http://rol.r.dimensis.com will initially be fed with the contents of this file (chrooted, apparently absolute path for him):

/web/index.html


In fact, the real paths on the server for his home directory and website are:

/var/www/clients/client3/web8/home/uatferran/
/var/www/clients/client3/web8/web/index.html

1.6.3.1. Re-set admin password

If you need to re-set the admin password, run this SQL through phpmyadmin on the appropriate db for ispconfig:

UPDATE sys_user SET passwort = md5('YourNewPassword') WHERE username = 'admin';

1.6.3.2. Increase php.ini-like settings for websites

You can add custom php.ini settings for each website controlled by ISPConfig here:
ISPConfig > Sites > seeds4c.org (click on the Domain name of your chosen site to edit) > Web Domain > Options > Custom php.ini settings:


Example of params added at the Options > Custom php.ini settings box:

max_execution_time=120
max_input_time=120
post_max_size=105M
upload_max_filesize=100M
memory_limit=256M

Other tweaks by hand when needed

In case it is needed, see these instructions copied from the howtoforge forums:
(from http://www.howtoforge.com/forums/showthread.php?t=4373&page=2 and page 3)

How to do this:

1) Install a SSH daemon that supports chrooting.
2) Enable chrooting in ISPConfig in the file /home/admispconfig/ispconfig/config.inc.php
3) Every newly created or updated user is chrooted by ISPConfig. ISPConfig runs the script /root/ispconfig/scripts/shell/create_chroot_env.sh automatically to copy the needed binaries and dependencies to the chroot environment.


And:

Got it!

The file ld-linux.so.2 isn't being copied into the chrooted lib/ when new users are created. Without it, bash fails.

I'll investigate why this is and try to fix it. I assume I can add it to the create_chroot_env.sh script...

Edit:

There are actually two libraries that bash requires which are not copied over for some reason. They ARE listed in ldd so I don't know why they don't copy.

As a temporary kludgy hack, I have added the following two lines to /root/ispconfig/scripts/shell/create_chroot_env.sh

Code:
cp /lib/ld-linux.so.2 ./lib/
cp /lib/tls/libdl.so.2 ./lib/tls/

1.6.4. PHP modes (for ISPConfig3 apps such as Tiki)

PHP-FCGI is the default PHP mode used in ISPConfig3 admin panels. But you can change it to other PHP modes if desired.



The other PHP modes are:

  • FastCGI
  • CGI
  • Mod-PHP
  • SuPHP
  • PHP-FPM


We'll show how to fix some common errors with some of them.

1.6.4.1. Using PHP mode PHP-FCGI

1.6.4.1.1. Error 500 in PHP mode PHP-FCGI: Allow uploading files bigger than 1 MB

If you hit error 500 when attempting to upload files bigger than 1 MB, and error.log shows something like:

mod_fcgid: HTTP request length 131665 (so far) exceeds MaxRequestLen


then you need to increase this directive in your vhost, to something like 2 MB (1 MB by default):

FcgidMaxRequestLen 2000000


More in:
http://www.howtoforge.com/apache2-mod_fcgid-http-request-length-exceeds-maxrequestlen

1.6.4.2. Using PHP mode PHP-FPM

You might want to use another PHP mode for your website. For instance, PHP-FPM (FastCGI Process Manager), which is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites.

This is the mode I set for the sustainability site. Xavi

According to the ISPConfig3 pdf manual, you need to install these packages:

Commands in a terminal
sudo apt-get install php5-fpm
sudo /etc/init.d/php5-fpm restart
sudo apt-get install fcgiwrap


1.6.4.2.1. Error 500 in PHP mode PHP-FPM: File is not in document root of Vhost

You may choose another PHP mode for your site, for instance suPHP or PHP-FPM. In that case, some features like replacing a file in a file gallery might produce this type of error 500:

root@example:/# tail /var/log/ispconfig/httpd/mysite.example.com/error.log
(...)
SoftException in Application.cpp:221: File "/var/www/c1tiki12farm/tiki-list_file_gallery.php" is not in document root of Vhost "/var/www/clients/client1/web6/web", referer: http://example.com/tiki-list_file_gallery.php


As indicated here, the solution to this is to pop open the suphp config file (/etc/suphp/suphp.conf) and tell it to stop checking that scripts are under the document root like this:

File edited: /etc/suphp/suphp.conf
check_vhost_docroot=false


And restart Apache.

sudo service apache2 restart


You will get then this other error when visiting any url of the tiki site:

root@example:/# tail /var/log/ispconfig/httpd/mysite.example.com/error.log
(...)
SoftException in Application.cpp:350: UID of script "/var/www/clients/client1/web6/web/tiki-list_file_gallery.php" is smaller than min_uid
Premature end of script headers: tiki-list_file_gallery.php


As indicated here, suPHP by default won't allow any scripts to run with a user or group ID under 100. Since Tiki has all its files owned by the user www-data (UID 33) when it's installed, this poses quite a problem. One solution is to set the min_uid and min_gid values in the suphp config file to 33, which allows the scripts to run as www-data.

File edited: /etc/suphp/suphp.conf
; Minimum UID
;min_uid=100
min_uid=33

; Minimum GID
;min_gid=100
min_gid=33


Restart Apache, and you'll be able to replace files in file galleries again.

1.6.5. Basic LAMP & R Installation

basic programs installed as root
apt-get install mc htop
apt-get install mysql-server mysql-client apache2 php5 php5-tidy php-pear memcached php5-xcache php5-gd php5-xmlrpc php-xml-parser phpmyadmin postfix
apt-get install  imagemagick php5-imagick php5-gd graphviz
apt-get install  
apt-get install r-recommended
apt-get install subversion


Update R to 3.0.x (by default, Ubuntu 12.04 comes with 2.14.x, it seems)

sudo apt-get install python-software-properties
sudo add-apt-repository ppa:marutter/rrutter 
sudo apt-get update
sudo apt-get upgrade


Change perms on site-library from R to allow users to install packages there system wide.

sudo chmod 777 /usr/local/lib/R/site-library/


Some system debian packages for R were missing (like Rcurl, etc.). I added all the ones needed for ueb, as indicated in our knowledge base, and everything worked like a charm after that! :-):

sudo apt-get install r-cran-rgl r-cran-misc3d libx11-dev libxt-dev libcurl4-gnutls-dev libxml2-dev r-cran-xml libgraphviz-dev libcairo2-dev r-cran-cairodevice freeglut3 freeglut3-dev r-cran-rglpk libgtk2.0-dev

1.6.6. Initial backup of /etc

Done, before touching any configuration or installing any "control panel", etc.:
/home/xavi/backups/131210_etc_inicial.tgz

1.6.7. Adding Tiki to Client Websites

For instance, to copy the svn installation of tiki12 under my home folder over the website of a client (let's say client1 (xavi), web2 (seeds4c.org, i.e. http://seeds4c.org)), you can do that with:

xavi@seeds4c:~# sudo su
root@seeds4c:~# mkdir /var/www/tiki12
root@seeds4c:~# cd /var/www/tiki12
#root@seeds4c:/var/www/tiki12# svn export --force . /var/www/clients/client1/web2/web/
#Export complete.
root@seeds4c:/var/www/tiki12# cd /var/www/clients/client1/web2/web/
root@seeds4c:/var/www/clients/client1/web2/web/# rm * -R
root@seeds4c:/var/www/clients/client1/web2/web/# svn checkout https://svn.code.sf.net/p/tikiwiki/code/branches/12.x .
root@seeds4c:/var/www/clients/client1/web2/web/# sh setup.sh
User [www-data]: web2
> Group [www-data]: client1
> Multi []: 
Checking dirs : 
  db ...  ok.
  dump ...  ok.
  img/wiki ...  ok.
  img/wiki_up ...  ok.
  img/trackers ...  ok.
  modules/cache ...  ok.
  temp ...  ok.
  temp/cache ...  ok.
  temp/public ...  ok.
  templates_c ...  ok.
  templates ...  ok.
  styles ...  ok.
  maps ...  ok.
  whelp ...  ok.
  mods ...  Creating directory ok.
  files ...  ok.
  tiki_tests/tests ...  ok.
  temp/unified-index ...  Creating directory ok.
Fix global perms ...
Change user to web8 and group to client3... done.
Fix normal dirs ... done.
Fix special dirs ... done.


The force option is needed since the destination folder already exists.

And the svn export is preferred (if no svn is needed) because of the space savings, reducing it to approx. 40% of the initial size on disk (453 MB for the svn-enabled version of tiki09svn, 181 MB for the non-svn-enabled version).

1.6.8. Fix apache2.4 default settings to run Tiki


Edit /etc/apache2/sites-enabled/000-default

and change the docroot from /var/www to /var/www/tiki or your custom path, AllowOverride from None to All, and ensure that the syntax that allows access and .htaccess overrides uses the Apache 2.4 form ("Require all granted") and not the former Apache 2.2 one ("Order allow,deny" and "Allow from all").

The file should end up like this:

root@r:~# cat /etc/apache2/sites-enabled/000-default
<VirtualHost *:80>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/seeds4c.org
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/seeds4c.org/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
     	#Order allow,deny
        #Allow from all
        Require all granted
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>



1.6.9. Set server homepage to tiki12


Fetch a copy of tiki12svn to /var/www/tiki12svn
Set a symlink between /var/www/tiki12svn and /var/www/tiki
Install Tiki as usual

1.6.10. Fix immutable bit (root cannot delete web folders)

For some reason I can't understand yet, after some months of activity with ISPConfig3, some web folders become immutable.
This time I know I hadn't updated the system's Ubuntu packages for a long while (many months), and a few days ago I created new websites through the ISPConfig web interface. Today I (Xavi) realized that they were the first webs created with the immutable bit set on their webNN folder again:

root@seeds4c:~# cd /var/www/clients/client1
root@seeds4c:/var/www/clients/client1# lsattr
---------------- ./web7
---------------- ./web28
(...)
----i----------- ./web39
----i----------- ./web40
----i----------- ./web41
(...)
root@seeds4c:/var/www/clients/client1#


How does it affect the multitiki installations on an ISPConfig-powered server?

If you want to remove the web folder inside any of those web dir trees, in order to create a new symlink to the common path of the multitiki farm for that client, you will get a permission denied message on the removal attempt, even as the root user:

root@seeds4c:/var/www/clients/client1# cd web39
root@seeds4c:/var/www/clients/client1/web39# rmdir web
rmdir: no s’ha pogut eliminar «web»: S’ha denegat el permís


If you look inside that folder, there are apparently no issues with the setup: usual permissions, usual attributes (no immutable bit):

root@seeds4c:/var/www/clients/client1/web39# ls -l
total 28
drwxr-xr-x 2 web39 client1 4096 feb  3 20:16 cgi-bin
drwxr-xr-x 2 root  root    4096 feb  8 13:26 log
drwx--x--- 2 web39 client1 4096 feb  3 20:16 private
drwxr-xr-x 2 root  root    4096 feb  3 20:16 ssl
drwxrwx--- 2 web39 client1 4096 feb  3 20:16 tmp
drwx--x--x 2 web39 client1 4096 feb  8 13:29 web
drwx--x--- 2 web39 client1 4096 feb  3 20:16 webdav
root@seeds4c:/var/www/clients/client1/web39# lsattr
---------------- ./tmp
---------------- ./webdav
---------------- ./cgi-bin
---------------- ./web
---------------- ./private
---------------- ./ssl
---------------- ./log
root@seeds4c:/var/www/clients/client1/web39#


But as we saw in an earlier step, the parent web39 folder has the immutable bit set. So we need to temporarily remove that immutable bit. Then we can proceed to create the symlink, and then we can set the immutable bit again:

root@seeds4c:/var/www/clients/client1/web39# cd ..
root@seeds4c:/var/www/clients/client1# chattr -i web39
root@seeds4c:/var/www/clients/client1# rmdir web39/web
root@seeds4c:/var/www/clients/client1# ln -s /var/www/c1tiki12farm /var/www/clients/client1/web39/web
root@seeds4c:/var/www/clients/client1# chattr +i web39


More info about the issue with the immutable bit for the root user in debian-based installs:
http://www.aboutlinux.info/2005/11/make-your-files-immutable-which-even.html

1.7. Fix email sending error

After everything was installed, I tried sending emails from the command line.

sudo apt-get install mailutils
echo testing | mail -s Bla xavier.depedro@vhir.org



And no email was received: I was getting this error message:

postdrop: warning: unable to look up public/pickup: No such file or directory


Googling around, I found that it was due to sendmail not being killed properly after postfix was installed. To solve it, I did:

sudo mkfifo /var/spool/postfix/public/pickup
ps aux | grep sendmail
# Look at the ps number (e.g. NNN) corresponding to sendmail 
sudo kill NNN
sudo /etc/init.d/postfix restart


Test again, and it works:

echo testing | mail -s Bla xavier.depedro@vhir.org


1.8. Tiki installation

In general I followed these steps (and updated the documentation page there):
https://doc.tiki.org/Ubuntu+Install

I don't use tasksel but rather apt-get install of packages by hand.

And I download Tiki through subversion (see https://dev.tiki.org/Get+code ), to:
/var/www/tiki12/

I install PluginR, and apply the r_test and R_Heatmaps profiles without much trouble. After applying R_Heatmaps, showing the home page with short URLs seems to fail. I make the usual tweaks in the .htaccess of the tiki root.

Not Found
The requested URL /tiki9/HeatMaps was not found on this server.


I enable mod rewrite:

sudo a2enmod rewrite
sudo service apache2 restart


I change the Apache line that allows using .htaccess in subdirectories, at: /etc/apache2/sites-enabled/000-default
The AllowOverride for "/var/www/" must be changed from AllowOverride None to AllowOverride All, so that it reads:

<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>


I change Tiki's /var/www/tiki9/.htaccess so that it allows using the rewrite rules in subdirectories:

RewriteBase /tiki12/

And while I'm at it, I make some more changes in this .htaccess to improve how Tiki works.

1.8.1. Later Tiki upgrade

To upgrade to the latest svn version, go there as root and run these commands, each one after the previous one has finished:

svn up
sh setup.sh
# If no multitiki
php console.php d:u
# If multitiki installation, add the --site=yoursite.com
php console.php d:u --site=seeds4c.org


db: tiki12
user: tikiuser
password: (ask xavi, if needed)
The mysql details for the tiki db are usually at

/var/www/tiki12/db/local.php

1.8.2. PluginR

As usual, check the documentation, profiles, links to videos, screencasts & tutorials, etc, at:


Development blog:


Support forum:

1.9. Backups webs (mysql, tikifiles i /etc)

1.9.1. Custom backup script

Modified after http://www.cyberciti.biz/faq/ubuntu-linux-mysql-nas-ftp-backup-script/

See https://github.com/xavidp/bashscripts

File named:

/home/xavi/backups/backup_webs.sh


Set its mode to 600 and its owner to root:root:

sudo chmod 600 /home/xavi/backups/backup_webs.sh
sudo chown root:root /home/xavi/backups/backup_webs.sh


Cron:

55 23 * * * cd /home/xavi/backups/;sh backup_webs.sh




1.10. Monitoring

1.10.1. Logwatch

Logwatch is a modular log analyser that runs every night and mails you the results. It can also be run from the command line. The output is by service and you can limit the output to one particular service. The subscripts which are responsible for the output mostly convert the raw log lines into a structured format.


Once you have installed Logwatch (sudo apt-get install logwatch), you will need to configure it to email you the reports it generates. You are encouraged to look through the entire configuration, but you may safely use Logwatch after editing the lines below.

1.10.1.1. Configuration

File:/usr/share/logwatch/default.conf/logwatch.conf
Output = mail
Format = html
MailTo = xavi@confluencia.net
MailFrom = logwatch


These directives tell Logwatch to email you reports in an HTML format. The MailTo and MailFrom directives should be valid email addresses.

Issue the following command to test your logwatch installation:

logwatch


Once you have issued this command, you will need to check your email to make sure that logwatch is working. Be sure to check your spam folder as these emails may be seen as spam.

1.10.1.2. Adding a Cron Job for Logwatch

You should know that logwatch by default adds a system cronjob at:

system cronjob file from logwatch by default when installed
/etc/cron.daily/00logwatch


But if for whatever reason, you want to add a cron job for Logwatch in order to receive daily emails of new reports, you can add a new entry to your crontab by running crontab -e, for instance. The following example cron job runs Logwatch at 2 AM each day, issuing you an email report of the daily activity:

crontab -e
# m h dom mon dow   command
0 2  * * *          /usr/sbin/logwatch


Congratulations! You can now monitor system logs with Logwatch!


Related:

1.10.2. Notification emails if there are php errors

This is to send out an email alert when php hits an out of memory error, adapted to B52 from an email from ohertel:

The program sec (simple event correlator - http://simple-evcorr.sf.net ) is used, with the command below written to a new shell script called check_php_errors.sh, which will be run as root on seeds4c. First install sec:

sudo apt-get install sec


Edit the script

Command on a console on a terminal connected by ssh to the server
sudo pico /home/xavi/scripts/check_php_errors.sh


Add this content inside (Copy this content, and Ctrl+Shift+V at the terminal to paste this content):

Content to be pasted to the script check_php_errors.sh
/usr/bin/perl -w /usr/bin/sec -conf=/etc/sec.conf -input=/var/log/apache2/error.log -pid=/var/run/sec.pid -detach -syslog=daemon


Make it executable:

Command on a console
sudo chmod +x /home/xavi/scripts/check_php_errors.sh


In the specific case of seeds4c.org, we have error logs split across several files:

/var/log/apache2/error.log
/var/log/apache2/suexec.log
/var/log/ispconfig/httpd/seeds4c.org/error.log
/var/log/ispconfig/httpd/uamep.org/error.log
(...)


There are all these folders with error logs:

# ls /var/log/ispconfig/httpd/
2012.forumsocialcatala.cat  d-recerca.org           masfranch.seeds4c.org       uelm.seeds4c.org
2014.forumsocialcatala.cat  forumsocialcatala.cat   piwik.seeds4c.org           uniwiki.seeds4c.org
awikiforum.seeds4c.org      gavarrespedia.org       seeds4c.org                 xissabadell.org
carpetiki.seeds4c.org       iesgogreen.seeds4c.org  semillaspec.org             xissabadell.seeds4c.org
cochise.seeds4c.org         llavorspac.org          sustainability.seeds4c.org
deliberaweb.seeds4c.org     margalef.seeds4c.org    uamep.org


so something more will have to be done, in order to have sec monitor all of them.

sec.conf, so far, looks like this:

contents of /etc/sec.conf
type=single
continue=takenext
ptype=regexp
pattern=exhausted
desc=scan for php memory errors in seeds4c webserver
action=add php-memory-errors $0

type=calendar
continue=takenext
time=* * * * *
desc=sec cron
context=php-memory-errors
action=report php-memory-errors /usr/bin/mail -s "alert:php out of memory error at seeds4c" xavi@confluencia.net; delete php-memory-errors;


If some sec processes are running and you want to change them (delete the old ones and start new sec processes), you need to manually kill the old (perl) processes that were linked to the sec program.
So you should do:

search for former processes linked to sec
sudo ps -e | grep perl


Identify which perl processes are not related to this sec job (if any), and kill the rest with "kill -9 pid", pid being the number shown at the left of each perl process in the output of the command "sudo ps -e | grep perl".
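The sec.conf above watches a single error.log, while seeds4c has one error log per vhost. As an added example (not the page's or sec's code), here is a POSIX shell script that scans all of them for the same PHP memory-exhaustion line and builds the alert body the page mails out; the log directory layout is the page's, the sample log lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the page: scan every Apache/ISPConfig error log for
# the PHP memory-exhaustion event that the sec rule above catches ("exhausted"),
# across all vhost logs at once, and build the alert text the page mails out.
# sec itself can also watch several files: repeat --input once per log (man sec).
# To restart sec cleanly, kill the pid recorded by its -pid option
# (/var/run/sec.pid in the page's command) instead of hunting perl processes.

# php_memory_errors DIR...   prints "<count> <logfile>" for each log with hits.
# A DIR is scanned like /var/log/apache2 (DIR/error.log) and like
# /var/log/ispconfig/httpd (DIR/<vhost>/error.log).
php_memory_errors() {
    for dir in "$@"; do
        for log in "$dir"/error.log "$dir"/*/error.log; do
            [ -f "$log" ] || continue
            # grep -c exits 1 when nothing matches; keep the "0" it prints.
            n=$(grep -c 'PHP Fatal error: .*Allowed memory size of [0-9]* bytes exhausted' "$log" || true)
            if [ "${n:-0}" -gt 0 ]; then
                echo "$n $log"
            fi
        done
    done
}

# php_memory_top_scripts LOG...   prints "<count> <script>:<line>", worst first,
# so the alert says which Tiki script is hitting memory_limit.
php_memory_top_scripts() {
    grep -h 'bytes exhausted' "$@" 2>/dev/null \
        | sed -n 's/.* in \([^ ]*\) on line \([0-9]*\).*/\1:\2/p' \
        | sort | uniq -c | sort -rn
}

# php_memory_alert_body DIR...   prints the mail body; returns 1 when there is
# nothing to report, so a cron wrapper can skip the mail entirely:
#   body=$(php_memory_alert_body /var/log/apache2 /var/log/ispconfig/httpd) &&
#     printf '%s\n' "$body" | mail -s "alert:php out of memory error at seeds4c" xavi@confluencia.net
php_memory_alert_body() {
    hits=$(php_memory_errors "$@")
    [ -n "$hits" ] || return 1
    printf 'PHP out of memory errors on %s (count, log):\n%s\n\n' "$(uname -n)" "$hits"
    printf 'Scripts involved (count, script:line):\n'
    # Log paths under /var/log contain no spaces, so word splitting is safe here.
    php_memory_top_scripts $(printf '%s\n' "$hits" | sed 's/^[0-9]* //')
}

# make_sample_logs BASE   writes constructed sample logs (not real seeds4c data)
# mimicking /var/log/apache2/error.log and /var/log/ispconfig/httpd/<vhost>/error.log.
make_sample_logs() {
    base=$1
    mkdir -p "$base/apache2" "$base/httpd/seeds4c.org" "$base/httpd/uamep.org"
    oom='PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in'
    printf '%s\n' \
      "[Mon Feb 08 13:29:01 2016] [error] [client 10.0.0.5] $oom /var/www/tiki12/lib/core/Search/Index.php on line 88" \
      "[Mon Feb 08 13:29:05 2016] [error] [client 10.0.0.5] File does not exist: /var/www/tiki12/favicon.ico" \
      > "$base/apache2/error.log"
    printf '%s\n' \
      "[Mon Feb 08 13:31:00 2016] [error] [client 10.0.0.7] $oom /var/www/clients/client1/web2/web/lib/core/Search/Index.php on line 88" \
      "[Mon Feb 08 13:31:09 2016] [error] [client 10.0.0.7] PHP Notice:  Undefined index: page in /var/www/clients/client1/web2/web/tiki-index.php on line 12" \
      "[Mon Feb 08 13:32:40 2016] [error] [client 10.0.0.7] $oom /var/www/clients/client1/web2/web/lib/core/Search/Index.php on line 88" \
      > "$base/httpd/seeds4c.org/error.log"
    printf '%s\n' \
      "[Mon Feb 08 13:35:00 2016] [error] [client 10.0.0.9] File does not exist: /var/www/clients/client1/web4/web/robots.txt" \
      > "$base/httpd/uamep.org/error.log"
}
```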

1.10.2.1. Have this script re-run at every boot or reboot

This script works fine while it's in memory. But when you reboot the machine, the perl command is not re-run by default. So you need to add it in the right place to have it re-run at each boot or reboot.

From:
http://en.kioskea.net/faq/3348-ubuntu-executing-a-script-at-startup-and-shutdown

1.10.2.1.1. To execute a script at startup of Ubuntu


Edit /etc/rc.local and add your command as shown above.

The script must always end with an exit 0

1.10.2.1.2. To execute a script upon rebooting Ubuntu


Put your script in /etc/rc0.d. The name of your script must begin with K99 to run at the right time, since the scripts in this directory are executed in alphabetical order.

And make it executable (sudo chmod +x check_php_errors.sh)

1.10.2.1.3. To execute a script at shutdown (when needed, not for php errors)


Put your script in /etc/rc6.d

and make it executable (sudo chmod +x myscript)

Note that: The scripts in this directory are executed in alphabetical order.

The name of your script must begin with K99 to run at the right time.

1.10.3. Munin

See:


Install it with:

sudo apt-get install munin munin-node munin-plugins-extra libcache-perl libcache-cache-perl


Apache is used to show the Munin pages, the apache fcgid module is required for the Munin graph zoom feature. I will install apache and the libapache2-mod-fcgid module with apt.

apt-get -y install apache2 libcgi-fast-perl libapache2-mod-fcgid


Enable the fcgid module in apache.

a2enmod fcgid


You can have a look at what plugins are suggested for your site with:

sudo munin-node-configure --suggest


Enable a few extra munin plugins (consider removing the last one for amavis, if you don't run amavis antivirus in your server):

cd /etc/munin/plugins
for p in mysql_ mysql_bytes mysql_innodb mysql_isam_space_ mysql_queries mysql_slowqueries mysql_threads apache_accesses apache_processes apache_volume amavis; do
  ln -s /usr/share/munin/plugins/$p $p
done


Once the package is installed, and those extra plugins enabled, you only need to make a few changes to get your installation working.

1.10.3.1. Changes in /etc/munin/munin.conf

Configuring Munin server: You need to edit the /etc/munin/munin.conf file

sudo nano /etc/munin/munin.conf


And make a few minor changes:

Change 1:

#dbdir /var/lib/munin
#htmldir /var/cache/munin/www
#logdir /var/log/munin
#rundir /var/run/munin


to

dbdir /var/lib/munin
#htmldir /var/www/munin
htmldir /var/cache/munin/www
logdir /var/log/munin
rundir /var/run/munin



Change 2:
From

#tmpldir /etc/munin/templates

to

tmpldir /etc/munin/templates


Change 3:
The server name on the line localhost.localdomain should be updated to the hostname, domain name, or other identifier you'd like to use for your monitoring server.
From:

# a simple host tree
[localhost.localdomain]
address 127.0.0.1
use_node_name yes


to

[seeds4c.org]
address 127.0.0.1
use_node_name yes

1.10.3.2. Changes in /etc/munin/apache24.conf

You need to edit the munin apache configuration

sudo nano /etc/munin/apache24.conf


We need to allow connections from outside the local computer; for this, make the following changes

<Directory /var/cache/munin/www>
Order allow,deny
Allow from localhost 127.0.0.0/8 ::1
Options None



to

Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
 # Require local
 Require all granted
 Options FollowSymLinks SymLinksIfOwnerMatch
 Options None
</Directory>

ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
 # Require local
 Require all granted
 Options FollowSymLinks SymLinksIfOwnerMatch
 <IfModule mod_fcgid.c>
 SetHandler fcgid-script
 </IfModule>
 <IfModule !mod_fcgid.c>
 SetHandler cgi-script
 </IfModule>
</Location>


Restart Apache:

sudo service apache2 restart


Then restart Munin:

sudo service munin-node restart


Now wait a few minutes so that Munin can produce its first output, and then go to http://www.example.com/munin/ in your browser, and you will see the first statistics. However, since we usually have tiki sites in the base domains, whose .htaccess blocks some features needed by munin, we will need to create a subdomain for munin.

1.10.3.3. Create a subdomain and ispconfig website for munin

I then made a symlink from the original folder /var/cache/munin/www to the web folder of a new site created through ispconfig, after a new subdomain was created. Step by step:

Create a new subdomain for munin.seeds4c.org through the isp manager at dimensis.com (ecodim-dns.net):
https://ecodim-dns.net/manager/
Log in with the appropriate username and password, and go to create new dns records for your domain:



It may (usually) take a few minutes until the new domain is propagated across dns servers worldwide.

In the meantime, you can proceed to prepare your ispconfig site for that subdomain you have just created (even if it's not yet available worldwide, it will be in short, you will be already prepared for then). Go to your ispconfig installation, and create a new site:



Then you will be able to see the standard screen on your new domain munin.seeds4c.org once the domain has propagated.
We can then replace the web folder of that site with a symlink to the www folder of munin on the server.
We need to know which client and web number ispconfig assigned to the domain munin.seeds4c.org. In our case, it was client1 web44.
Then we proceed as usual:

cd /var/www/clients/client1/
chattr -i web44
rm web44/web/* -R
rm web44/web/.* -R
rmdir web44/web
sudo ln -s /var/cache/munin/www /var/www/clients/client1/web44/web
chattr +i web44

1.10.3.4. Restart munin and apache

Now you need to restart the munin and apache services using the following commands

sudo service munin-node restart
sudo service apache2 restart


It might take a few minutes to generate the necessary graphs and HTML files. After about five minutes your files should be created and you will be able to access your data, with some graphs similar to:
(Image 1)

You should be able to access your munin details at:

http://munin.seeds4c.org/


(This is just a small excerpt of the many graphics that munin produces...)

1.10.3.5. Password-Protect The munin Output Directory (Optional)


Now it is a good idea to password-protect the munin output directory unless you want everybody to be able to see every little statistic about your server.
To do this, we must create the password file /etc/munin/munin-htpasswd. We want to log in with the username munin, so we do this:

htpasswd -c /etc/munin/munin-htpasswd munin


Enter a password for munin. Then open /etc/munin/apache.conf again (older guides refer to it as /etc/apache2/conf.d/munin)...

nano /etc/munin/apache.conf


... and uncomment the following section:

[...]
        AuthUserFile /etc/munin/munin-htpasswd
        AuthName "Munin"
        AuthType Basic
        require valid-user
[...]


In addition, we will create an .htaccess file in the web docroot for munin.seeds4c.org, to ensure that this auth is requested:

sudo nano /var/www/munin.seeds4c.org/web/.htaccess


And add these contents (the file was empty, since we have just created it):

# For the .htaccess file option to work the munin www directory
# (/var/cache/munin/www) must have "AllowOverride all" or something
# close to that set.
#

AuthUserFile /etc/munin/munin-htpasswd
AuthName "Munin"
AuthType Basic
require valid-user


Then restart Apache:

sudo service apache2 restart

1.10.3.6. Monitor other servers as nodes from this munin server

Munin can easily monitor multiple servers at once. Let's add another server to be monitored by this one, for instance precarios.org.
We connect through ssh to precarios.org as a user with sudo permissions.

First you need to install the munin client packages using the following command:

sudo apt-get install munin-node munin-plugins-extra libcache-perl libcache-cache-perl


Enable a few extra munin plugins with a one-liner command ;-) (consider removing the last one, for amavis, if you don't run the amavis antivirus on your server):

cd /etc/munin/plugins && ln -s /usr/share/munin/plugins/mysql_ mysql_ && ln -s /usr/share/munin/plugins/mysql_bytes mysql_bytes && ln -s /usr/share/munin/plugins/mysql_innodb mysql_innodb && ln -s /usr/share/munin/plugins/mysql_isam_space_ mysql_isam_space_ && ln -s /usr/share/munin/plugins/mysql_queries mysql_queries && ln -s /usr/share/munin/plugins/mysql_slowqueries mysql_slowqueries && ln -s /usr/share/munin/plugins/mysql_threads mysql_threads  && ln -s /usr/share/munin/plugins/apache_accesses apache_accesses  && ln -s /usr/share/munin/plugins/apache_processes apache_processes  && ln -s /usr/share/munin/plugins/apache_volume apache_volume && ln -s /usr/share/munin/plugins/amavis amavis



Now you need to edit the munin-node.conf file to specify that your monitoring server is allowed to poll the client for information.

sudo nano /etc/munin/munin-node.conf


Search for the section containing the line "allow ^127\.0\.0\.1$" and modify the IP address to reflect your monitoring server's IP address (in this case, we have to add the IP of seeds4c.org). If your server IP is 172.30.2.100:

allow ^172\.30\.2\.100$



Save and exit the file

You need to restart the munin client using the following command:

sudo service munin-node restart


Now you need to log in to your munin server (seeds4c.org in this case) and edit the munin.conf file:

sudo nano /etc/munin/munin.conf


Copy the following section and change the IP address to that of your remote client server (precarios.org in this case); that is, change

[MuninMonitor]
address 127.0.0.1
use_node_name yes


to

[precarios.org]
address 172.30.2.101
use_node_name yes


(replace 172.30.2.101 with the real ip of your server, the one from precarios.org in this case)


Regarding apache and amavis, some extra steps are needed.

Ensure that you have these packages installed (run the install command, just in case you are missing some of them):

sudo apt-get install libwww-perl liblwp-useragent-determined-perl libipc-sharelite-perl logtail


You need mod_status installed and configured.
See: http://www.rackspace.com/knowledge_center/article/enabling-and-using-apaches-modstatus-on-debian-and-ubuntu

Enable mod_status

The default installation of apache usually has mod_status enabled, but verify this. Check the contents of apache's enabled modules directory:

ls /etc/apache2/mods-enabled


Search for status.conf and status.load. If those files aren't listed in that directory, you will need to enable mod_status by running:

sudo /usr/sbin/a2enmod status


Allow mod_status (Apache 2.4) to serve server-status to your own monitoring server, and to your desktop IP so that you can check that everything works as expected:

sudo nano /etc/apache2/mods-enabled/status.conf


And add (or uncomment and edit) a section like this between the "Location" tags, with the IP of your own monitoring server and the IP of your desktop, so that you can check that Apache's server-status works:

<IfModule mod_status.c>
        # Allow server status reports generated by mod_status,
        # with the URL of http://servername/server-status
        # Uncomment and change the "192.0.2.0/24" to allow access from other hosts.

        <Location /server-status>
            SetHandler server-status
            Require local
            Require ip 172.30.2.100
            Require ip 95.23.18.40
        </Location>

        # Keep track of extended status information for each request
        ExtendedStatus On

[...]


(replace 172.30.2.100 with the real ip of your server, the one from munin.seeds4c.org, in this case, and replace 95.23.18.40 with the ip from your adsl or work, so that you can check from your desktop computer that the server-status page produces the expected output).

Then you need to restart the apache server using the following command

sudo service apache2 restart


You will notice that you can see the output from server-status at your address:
http://example.com/server-status

However, in our case, it didn't work because the .htaccess from Tiki was overruling with its rewrite rules, saying that that wiki page didn't exist. Therefore, one workaround for this type of setup with ISPConfig server and a Tiki site in the main website, is to access the server-status information from another website in the same server. For instance: http://piwik.seeds4c.org/server-status worked, while http://seeds4c.org/server-status or http://localhost/server-status with a wget from console server-side didn't work.

Therefore, we hardcoded this value in the apache-related plugins of munin in our server:

/etc/munin/plugins/apache_accesses
/etc/munin/plugins/apache_processes
/etc/munin/plugins/apache_volume


Each time that the url was indicated as http://127.0.0.1:%d/... we replaced that with http://piwik.seeds4c.org:%d/...

(Info for amavis and apache partially derived from:
http://howto.biapy.com/fr/debian-gnu-linux/applications-web/supervision/installer-un-noeud-munin-sur-debian)

Finally you need to restart munin-node and the apache server using the following commands:

sudo service munin-node restart
sudo service apache2 restart

1.10.3.7. Monitor munin from an android smartphone

See:


1.10.4. Monit

See:


First commands:

sudo su
apt-get install monit
cp /etc/monit/monitrc /etc/monit/monitrc_orig
cat /dev/null > /etc/monit/monitrc
nano /etc/monit/monitrc


Contents of /etc/monit/monitrc to paste to the file:

set daemon  60
set logfile syslog facility log_daemon
set mailserver localhost
set mail-format { from: monit@seeds4c.org }
set alert xavi@pangea.org
set httpd port 2812 and
     SSL ENABLE
     PEMFILE  /var/certs/monit.pem
     allow admin:samepassasispconfig

#check process proftpd with pidfile /var/run/proftpd.pid
#   start program = "/etc/init.d/proftpd start"
#   stop program  = "/etc/init.d/proftpd stop"
#   if failed port 21 protocol ftp then restart
#   if 5 restarts within 5 cycles then timeout

check process sshd with pidfile /var/run/sshd.pid
   start program  "/etc/init.d/ssh start"
   stop program  "/etc/init.d/ssh stop"
   if failed port 22 protocol ssh then restart
   if 5 restarts within 5 cycles then timeout

check process mysql with pidfile /var/run/mysqld/mysqld.pid
   group database
   start program = "/etc/init.d/mysql start"
   stop program = "/etc/init.d/mysql stop"
   if failed host 127.0.0.1 port 3306 then restart
   if 5 restarts within 5 cycles then timeout

check process apache with pidfile /var/run/apache2/apache2.pid
   group www
   start program = "/etc/init.d/apache2 start"
   stop program  = "/etc/init.d/apache2 stop"
   if failed host seeds4c.org port 80 protocol http
      and request "/monit/token" then restart
   if cpu is greater than 60% for 2 cycles then alert
   if cpu > 80% for 5 cycles then restart
   if totalmem > 500 MB for 5 cycles then restart
   if children > 250 then restart
   if loadavg(5min) greater than 10 for 8 cycles then stop
   if 3 restarts within 5 cycles then timeout

check process postfix with pidfile /var/spool/postfix/pid/master.pid
   group mail
   start program = "/etc/init.d/postfix start"
   stop  program = "/etc/init.d/postfix stop"
   if failed port 25 protocol smtp then restart
   if 5 restarts within 5 cycles then timeout

#check process nginx with pidfile /var/run/nginx.pid
#   start program = "/etc/init.d/nginx start"
#   stop  program = "/etc/init.d/nginx stop"
#   if failed host 127.0.0.1 port 80 then restart
#
#check process memcached with pidfile /var/run/memcached.pid
#   start program = "/etc/init.d/memcached start"
#   stop  program = "/etc/init.d/memcached stop"
#   if failed host 127.0.0.1 port 11211  then restart
#
#check process pureftpd with pidfile /var/run/pure-ftpd/pure-ftpd.pid
#   start program = "/etc/init.d/pure-ftpd-mysql start"
#   stop program  = "/etc/init.d/pure-ftpd-mysql stop"
#   if failed port 21 protocol ftp then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process named with pidfile /var/run/named/named.pid
#   start program = "/etc/init.d/bind9 start"
#   stop program = "/etc/init.d/bind9 stop"
#   if failed host 127.0.0.1 port 53 type tcp protocol dns then restart
#   if failed host 127.0.0.1 port 53 type udp protocol dns then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process ntpd with pidfile /var/run/ntpd.pid
#   start program = "/etc/init.d/ntp start"
#   stop  program = "/etc/init.d/ntp stop"
#   if failed host 127.0.0.1 port 123 type udp then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process mailman with pidfile /var/run/mailman/mailman.pid
#   group mail
#   start program = "/etc/init.d/mailman start"
#   stop  program = "/etc/init.d/mailman stop"
#
check process amavisd with pidfile /var/run/amavis/amavisd.pid
   group mail
   start program = "/etc/init.d/amavis start"
   stop  program = "/etc/init.d/amavis stop"
   if failed port 10024 protocol smtp then restart
   if 5 restarts within 5 cycles then timeout

#check process courier-imap with pidfile /var/run/courier/imapd.pid
#   group mail
#   start program = "/etc/init.d/courier-imap start"
#   stop program = "/etc/init.d/courier-imap stop"
#   if failed host localhost port 143 type tcp protocol imap then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process courier-imap-ssl with pidfile /var/run/courier/imapd-ssl.pid
#   group mail
#   start program = "/etc/init.d/courier-imap-ssl start"
#   stop program = "/etc/init.d/courier-imap-ssl stop"
#   if failed host localhost port 993 type tcpssl sslauto protocol imap then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process courier-pop3 with pidfile /var/run/courier/pop3d.pid
#   group mail
#   start program = "/etc/init.d/courier-pop start"
#   stop program = "/etc/init.d/courier-pop stop"
#   if failed host localhost port 110 type tcp protocol pop then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process courier-pop3-ssl with pidfile /var/run/courier/pop3d-ssl.pid
#   group mail
#   start program = "/etc/init.d/courier-pop-ssl start"
#   stop program = "/etc/init.d/courier-pop-ssl stop"
#   if failed host localhost port 995 type tcpssl sslauto protocol pop then restart
#   if 5 restarts within 5 cycles then timeout
#
#check process dovecot with pidfile /var/run/dovecot/master.pid
#   group mail
#   start program = "/etc/init.d/dovecot start"
#   stop program = "/etc/init.d/dovecot stop"
#   if failed host localhost port 993 type tcpssl sslauto protocol imap then restart
#   if 5 restarts within 5 cycles then timeout

# run this inside the monit/ subfolder of the seeds4c.org web root: the apache check in monitrc requests http://seeds4c.org/monit/token
echo "hello world from seeds4c.org" > token
mkdir /var/certs
cd /var/certs
nano /var/certs/monit.cnf


Contents of /var/certs/monit.cnf to paste to the file:

# create RSA certs - Server

RANDFILE = ./openssl.rnd

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = MO

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Monitoria

localityName                    = Locality Name (eg, city)
localityName_default            = Monittown

organizationName                = Organization Name (eg, company)
organizationName_default        = Monit Inc.

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Dept. of Monitoring Technologies

commonName                      = Common Name (FQDN of your server)
commonName_default              = server.monit.mo

emailAddress                    = Email Address
emailAddress_default            = root@monit.mo

[ cert_type ]
nsCertType = server

openssl req -new -x509 -days 365 -nodes -config ./monit.cnf -out /var/certs/monit.pem -keyout /var/certs/monit.pem
openssl gendh 512 >> /var/certs/monit.pem
openssl x509 -subject -dates -fingerprint -noout -in /var/certs/monit.pem
chmod 700 /var/certs/monit.pem
/etc/init.d/monit start 
nano /etc/monit/monitrc
/etc/init.d/monit restart 
/etc/init.d/monit reload
monit status

root@seeds4c:/var/run# monit status
The Monit daemon 5.6 uptime: 0m 

Process 'sshd'
  status                            Running
  monitoring status                 Monitored
  pid                               689
  parent pid                        1
  uptime                            24d 6h 5m 
  children                          6
  memory kilobytes                  332
  memory kilobytes total            17608
  memory percent                    0.0%
  memory percent total              0.4%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  port response time                0.023s to localhost:22 [SSH via TCP]
  data collected                    Thu, 21 May 2015 22:09:10

Process 'mysql'
  status                            Running
  monitoring status                 Monitored
  pid                               28458
  parent pid                        1
  uptime                            13d 15h 58m 
  children                          0
  memory kilobytes                  119416
  memory kilobytes total            119416
  memory percent                    2.8%
  memory percent total              2.8%
  cpu percent                       1.1%
  cpu percent total                 1.1%
  port response time                0.000s to 127.0.0.1:3306 [DEFAULT via TCP]
  data collected                    Thu, 21 May 2015 22:09:10

Process 'apache'
  status                            Running
  monitoring status                 Monitored
  pid                               4629
  parent pid                        1
  uptime                            7m 
  children                          24
  memory kilobytes                  34028
  memory kilobytes total            1566844
  memory percent                    0.8%
  memory percent total              37.3%
  cpu percent                       0.0%
  cpu percent total                 5.7%
  port response time                0.004s to seeds4c.org:80/monit/token [HTTP via TCP]
  data collected                    Thu, 21 May 2015 22:09:10

Process 'postfix'
  status                            Running
  monitoring status                 Monitored
  pid                               28668
  parent pid                        1
  uptime                            13d 15h 58m 
  children                          13
  memory kilobytes                  608
  memory kilobytes total            31688
  memory percent                    0.0%
  memory percent total              0.7%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  port response time                0.002s to localhost:25 [SMTP via TCP]
  data collected                    Thu, 21 May 2015 22:09:10

Process 'amavisd'
  status                            Running
  monitoring status                 Monitored
  pid                               5444
  parent pid                        1
  uptime                            3m 
  children                          2
  memory kilobytes                  111144
  memory kilobytes total            331452
  memory percent                    2.6%
  memory percent total              7.9%
  cpu percent                       0.0%
  cpu percent total                 0.0%
  port response time                0.007s to localhost:10024 [SMTP via TCP]
  data collected                    Thu, 21 May 2015 22:09:10

System 'seeds4c.org'
  status                            Running
  monitoring status                 Monitored
  load average                      [0.77] [1.23] [1.53]
  cpu                               13.4%us 4.0%sy 0.0%wa
  memory usage                      1687120 kB [40.2%]
  swap usage                        287076 kB [54.7%]
  data collected                    Thu, 21 May 2015 22:09:10

root@seeds4c:/var/run#



Just in case, I clicked the buttons for apache in the monit web interface:

  • Start monitoring
  • Start service


1.10.5. Mail Log Analyzer: MailGraph & pflogsumm

See:


Line added to root's crontab:
# send mail log summary at AM 1:00 everyday to root
00 01 * * * perl /usr/sbin/pflogsumm -e -d yesterday /var/log/mail.log | mail -s 'Logwatch for Postfix' monitoring@seeds4c.org

1.10.6. Add extra postfix restrictions

Derived from https://www.howtoforge.com/block_spam_at_mta_level_postfix

sudo nano /etc/postfix/main.cf


Comment out this line:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf


And add this section to the end:

settings in /etc/postfix/main.cf
# Extra section added by Xavier de Pedro on 20161207 start
# from www.howtoforge.com/block_spam_at_mta_level_postfix

#smtpd_helo_required = yes # added already by ispconfig above
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
#unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

smtpd_recipient_restrictions = reject_invalid_hostname,
  reject_unknown_recipient_domain,
  reject_unauth_pipelining,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
#  reject_rbl_client multi.uribl.com,
  reject_rbl_client dsn.rfc-ignorant.org,
  reject_rbl_client dul.dnsbl.sorbs.net,
#  reject_rbl_client list.dsbl.org,
  reject_rbl_client sbl-xbl.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
#  reject_rbl_client dnsbl.sorbs.net,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client ix.dnsbl.manitu.net,
  reject_rbl_client combined.rbl.msrbl.net,
  reject_rbl_client rabl.nuclearelephant.com,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf,
  permit
# Extra section added by Xavier de Pedro on 20161205 end


Before restarting, double check that every reject_rbl_client zone in the list above is still operated: a DNSBL that has shut down either stops answering (and silently stops protecting you) or, if its domain ends up parked with a wildcard A record, answers positively for every lookup and rejects all incoming mail. Then restart postfix:

sudo service postfix restart
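A quick way to perform that check, as an added Python example (not from this page nor from the howtoforge article): for each zone in the list above it resolves the two canary addresses RFC 5782 defines for every DNSBL (127.0.0.2 must be listed, 127.0.0.1 must never be) and classifies the zone accordingly. The resolver is injectable so the logic can be tested offline; the zone names used in the test are made up.

```python
"""Check that the DNSBL zones used in reject_rbl_client are still alive and sane.

Postfix looks up <reversed-client-ip>.<zone> and treats any A record as a
listing.  RFC 5782 requires every DNSBL to list 127.0.0.2 and never list
127.0.0.1, which gives two canaries: a zone answering for neither has gone
dead (the rule silently does nothing), and a zone answering for 127.0.0.1 is
listing everybody (typically an expired domain parked with a wildcard), which
would reject all inbound mail.
"""
import socket
from typing import Callable, Dict, List, Optional

# Zones from the smtpd_recipient_restrictions block above.
RBL_ZONES = [
    "dsn.rfc-ignorant.org",
    "dul.dnsbl.sorbs.net",
    "sbl-xbl.spamhaus.org",
    "bl.spamcop.net",
    "cbl.abuseat.org",
    "ix.dnsbl.manitu.net",
    "combined.rbl.msrbl.net",
    "rabl.nuclearelephant.com",
]

Resolver = Callable[[str], Optional[str]]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the name Postfix queries: the IPv4 octets reversed, under the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Default resolver: first A record, or None on NXDOMAIN / no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify_zone(zone: str, resolve: Resolver = resolve_a) -> str:
    """Return 'ok', 'dead', 'wildcard' or 'suspicious' for one DNSBL zone."""
    listed = resolve(rbl_query_name("127.0.0.2", zone))   # must be listed
    clean = resolve(rbl_query_name("127.0.0.1", zone))    # must not be listed
    if listed is None and clean is None:
        return "dead"         # no answers at all: reject_rbl_client is a no-op here
    if clean is not None:
        return "wildcard"     # lists an address that must never be listed: rejects everyone
    if not listed.startswith("127."):
        return "suspicious"   # DNSBL answers live in 127.0.0.0/8; anything else is not a listing
    return "ok"


def audit(zones: List[str] = RBL_ZONES, resolve: Resolver = resolve_a) -> Dict[str, str]:
    """Classify every zone; only the 'ok' ones belong in smtpd_recipient_restrictions."""
    return {zone: classify_zone(zone, resolve) for zone in zones}


if __name__ == "__main__":
    for zone, verdict in audit().items():
        print(f"{verdict:10s} {zone}")
```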

WARNING: I had to re-apply most of these changes after I installed an upgrade to the ISPConfig software. Xavi


See also as a reference:
http://www.postfix.org/SMTPD_ACCESS_README.html#lists

A very useful command to see what may be failing in postfix (if anything in your case) is:

sudo su
egrep '(warning|fatal|panic):' /var/log/mail.log | tail -20
exit
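The egrep above only shows daemon problems; to see which of the restrictions configured above is actually firing, the reject lines need to be grouped by reason. This is an added Python example, not from this page, run over constructed sample lines in Postfix's syslog format; it also flags the case where a single RBL suddenly accounts for almost every reject, which is what a dead, wildcarded zone looks like in the log.

```python
"""Structured view of /var/log/mail.log: daemon problems (what the egrep above
finds) plus a breakdown of NOQUEUE rejects by reason and reply code."""
import re
import sys
from collections import Counter
from typing import Dict, List, Mapping, Optional, Tuple

# Constructed sample lines in Postfix's syslog format; not taken from a real server.
SAMPLE_MAIL_LOG = """\
Dec  7 10:15:01 seeds4c postfix/smtpd[12345]: connect from unknown[203.0.113.5]
Dec  7 10:15:01 seeds4c postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using bl.spamcop.net; from=<spam@example.net> to=<user@seeds4c.org> proto=ESMTP helo=<mail.example.net>
Dec  7 10:16:12 seeds4c postfix/smtpd[12345]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.9]: 554 5.7.1 <bogus@nowhere.invalid>: Recipient address rejected: Domain not found; from=<a@example.org> to=<bogus@nowhere.invalid> proto=ESMTP helo=<mail.example.org>
Dec  7 10:17:45 seeds4c postfix/smtpd[12346]: warning: hostname mail.example.com does not resolve to address 203.0.113.77
Dec  7 10:18:00 seeds4c postfix/smtpd[12347]: NOQUEUE: reject: RCPT from unknown[203.0.113.78]: 554 5.7.1 Service unavailable; Client host [203.0.113.78] blocked using dsn.rfc-ignorant.org; from=<x@example.com> to=<user@seeds4c.org> proto=ESMTP helo=<example.com>
Dec  7 10:19:03 seeds4c postfix/smtp[12350]: 1A2B3C4D5E: to=<user@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.5, status=sent (250 2.0.0 OK)
"""

# Same levels as the page's egrep '(warning|fatal|panic):', but keeps the daemon name.
PROBLEM_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<level>warning|fatal|panic): (?P<msg>.*)$")
# Reply code (554 with the settings above), enhanced status code, then the reason text.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) \d\.\d\.\d (?P<reason>.*?); from=<")
RBL_RE = re.compile(r"blocked using (?P<zone>[\w.-]+)")


def find_problems(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(level, daemon, message) for every warning/fatal/panic line."""
    found = []
    for line in lines:
        m = PROBLEM_RE.search(line)
        if m:
            found.append((m["level"], m["daemon"], m["msg"]))
    return found


def reject_reason(reason_text: str) -> str:
    """Normalise a reject reason so identical causes group together."""
    m = RBL_RE.search(reason_text)
    if m:
        return "rbl:" + m["zone"]
    # Drop the per-message "<recipient>: " prefix Postfix puts in front of address errors.
    return re.sub(r"^<[^>]*>: ", "", reason_text)


def summarize_rejects(lines: List[str]) -> Tuple[Counter, Counter]:
    """Count rejects by SMTP reply code and by normalised reason."""
    by_code: Counter = Counter()
    by_reason: Counter = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        by_code[m["code"]] += 1
        by_reason[reject_reason(m["reason"])] += 1
    return by_code, by_reason


def dominant_rbl(by_reason: Mapping[str, int], min_rejects: int = 20,
                 share: float = 0.9) -> Optional[str]:
    """Return the zone if one RBL causes at least `share` of all rejects: a hint
    that the zone may be answering positively for everyone."""
    counts = Counter(by_reason)
    total = sum(counts.values())
    if total < min_rejects:
        return None
    reason, n = counts.most_common(1)[0]
    if reason.startswith("rbl:") and n / total >= share:
        return reason[len("rbl:"):]
    return None


if __name__ == "__main__":
    # Usage: python3 mailsummary.py /var/log/mail.log   (no argument: the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIL_LOG
    lines = text.splitlines()
    for level, daemon, msg in find_problems(lines):
        print(f"{level:8s} {daemon:10s} {msg}")
    codes, reasons = summarize_rejects(lines)
    print("rejects by code:", dict(codes))
    for reason, n in reasons.most_common():
        print(f"{n:6d}  {reason}")
    suspect = dominant_rbl(reasons)
    if suspect:
        print(f"!! {suspect} causes nearly all rejects; verify that zone is still alive")
```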

1.10.7. ISPConfig monitor from an android smartphone

See:


Current interface with ISPConfig 3.0.5x:



1.11. Log analytics

1.11.1. Piwik (standard install)

See Piwik

1.11.2. Add geoIP engine

Taken from: http://piwik.org/faq/how-to/#faq_164

sudo apt-get install php5-geoip php5-dev libgeoip-dev
sudo pecl install geoip


Then add the following to your php.ini file:

extension=geoip.so


Once the PECL extension is installed, you must configure it. Add the following to your php.ini file (which is at /etc/php5/apache2/php.ini ):

geoip.custom_directory=/path/to/piwik/misc


Replace /path/to/piwik with the path to your Piwik installation (which on seeds4c is at /var/www/clients/client1/web20/web/).

And finally, if you are using the GeoLite City database there is one more thing you need to do. The PECL extension won’t recognize the database if it’s named GeoLiteCity.dat so make sure it is named GeoIPCity.dat (piwik 2.11.1 did that renaming automagically for me).

Restart the webserver and the GeoIP extension should now be loaded and working in Piwik > Settings > Geolocation.

1.11.3. Piwik Server Log Analytics

See:
http://piwik.org/docs/log-analytics-tool-how-to/

1.12. Other system tweaks

1.12.1. Set nano as default editor

You can do it just for this session with this command:

export EDITOR="/usr/bin/nano"


You can make the changes permanent for all sessions in this computer:

sudo nano /etc/environment


Add at the end of the file:

EDITOR="/usr/bin/nano"


Run this command to apply the changes (no need to reboot):

source /etc/environment

1.12.2. Add highlighting for nano editor

See this: http://askubuntu.com/questions/90013/how-do-i-enable-syntax-highlighting-in-nano

What I did:

  1. nano ~/.nanorc
    • Contents of /home/xavi/.nanorc after editing:
      include "/usr/share/nano/sh.nanorc"
      include "/usr/share/nano/c.nanorc"
      include "/usr/share/nano/perl.nanorc"
      include "/usr/share/nano/awk.nanorc"
      include "/usr/share/nano/css.nanorc"
      include "/usr/share/nano/php.nanorc"
      include "/usr/share/nano/xml.nanorc"
      include "/usr/share/nano/html.nanorc"
      include "/usr/share/nano/patch.nanorc"

      But this was not enough to highlight the contents of other files such as /etc/postfix/main.cf, so we need to create a quick & dirty /usr/share/nano/cf.nanorc
  2. cp /usr/share/nano/sh.nanorc /usr/share/nano/cf.nanorc
  3. nano ~/.nanorc
    • Add this line at the end:
      include "/usr/share/nano/cf.nanorc"
  4. We need to tweak the first lines of that file a bit, up to the line starting with header.
    • nano /usr/share/nano/cf.nanorc
      First lines after editing:
      ## Here is a custom example for .cf files like the ones from postfix configuration.
      ##
      syntax "cf" "\.cf$"
  5. Now we can test that it works! :-)
    • nano /etc/postfix/main.cf

1.13. Cron jobs

Output from sudo crontab -e as of ISPConfig installation time + backintime:
* * * * * /usr/local/ispconfig/server/server.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfi$
30 00 * * * /usr/local/ispconfig/server/cron_daily.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/is$
0 1 * * * nice -n 19 ionice -c2 -n7 /usr/bin/backintime  --backup-job >/dev/null 2>&1

Output from sudo crontab -e as of June 6, 2014:
root@seeds4c:/var/www/intercanvis.net/web# crontab -l
#0 1 * * * nice -n 19 ionice -c2 -n7 /usr/bin/backintime  --backup-job >/dev/null 2>&1
35 00 * * * cd /var/www/c1tiki12r;php -n console.php index:rebuild --log --site=llavorspac.org > /dev/null 2>&1
55 00 * * * cd /var/www/c1tiki12r;php -n console.php daily-report:send --log --site=llavorspac.org > /dev/null 2>&1
55 23 * * * cd /home/xavi/scripts/;sh backup_webs.sh
10 2 * * * cd /var/www/c8tiki12farm;php console.php index:rebuild --log --site=intercanvis.net > /dev/null 2>&1
30 2 * * * cd /var/www/c8tiki12farm;php console.php daily-reports:send --log --site=intercanvis.net > /dev/null 2>&1
50 2 * * * cd /var/www/clients/client7/web32/web;php console.php index:rebuild --log --site=r-es.org > /dev/null 2>&1
10 3 * * * cd /var/www/clients/client7/web32/web;php console.php daily:reports --log --site=r-es.org > /dev/null 2>&1
@daily /usr/bin/wget -O - -q -t 1 http://intercanvis.net/tiki-batch_todo.php > /dev/null 2>&1
* * * * * /usr/local/ispconfig/server/server.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
30 00 * * * /usr/local/ispconfig/server/cron_daily.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done


1.14. Crontab list

As of Jan 01, 2015

35 00 * * * cd /var/www/c1tiki12r;php -n console.php index:rebuild --log --site=llavorspac.org > /dev/null 2>&1
55 00 * * * cd /var/www/c1tiki12r;php -n console.php daily-report:send --site=llavorspac.org > /dev/null 2>&1
10 23 * * 0 cd /home/xavi/scripts/;sh backup_webs.sh
10 2 * * * cd /var/www/c8tiki12farm;php console.php index:rebuild --log --site=intercanvis.net > /dev/null 2>&1
30 2 * * * cd /var/www/c8tiki12farm;php console.php daily-report:send --site=intercanvis.net > /dev/null 2>&1
@daily /usr/bin/wget -O - -q -t 1 http://intercanvis.net/tiki-batch_todo.php > /dev/null 2>&1
#50 2 * * * cd /var/www/clients/client7/web32/web;php console.php index:rebuild --log --site=r-es.org > /dev/null 2>&1
#10 3 * * * cd /var/www/clients/client7/web32/web;php console.php daily:report --site=r-es.org > /dev/null 2>&1

* * * * * /usr/local/ispconfig/server/server.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
30 00 * * * /usr/local/ispconfig/server/cron_daily.sh 2>&1 > /dev/null | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done

1.15. Letsencrypt

1.15.1. Renewals of letsencrypt (certbot)

Configuration tweak under ISPConfig for letsencrypt renewals to work

For some reason, as of 2017, letsencrypt renewals stopped working on the seeds4c.org server. I presume that some update to ISPConfig restricted access to .well-known/acme-challenge/, because certs could be created and renewed during 2016 on this server, as far as I remember, and at some point during 2017 they could no longer be renewed with the same commands. As of 2018-02-17, I discovered a way to avoid the issue and let letsencrypt renew its own certificates again on my seeds4c.org server.

Idea obtained after:
https://wiki.archlinux.org/index.php/Let%E2%80%99s_Encrypt

Create the file /etc/apache2/conf-available/httpd-acme.conf:

sudo nano /etc/apache2/conf-available/httpd-acme.conf


Copy and paste these contents into the file:

Contents of /etc/apache2/conf-available/httpd-acme.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>


Save the file and exit (Ctrl+x)

Make a symbolic link from the conf-enabled sister directory, so that Apache under ISPConfig reads the configuration in this file also:

sudo ln -s /etc/apache2/conf-available/httpd-acme.conf /etc/apache2/conf-enabled/httpd-acme.conf


Restart Apache:

sudo service apache2 restart


You can now check that Apache has access to the contents of that folder. Create a simple text file inside it and try to reach it with a web browser through some of your domains; you should see its contents. Otherwise, double check the permissions on the file or folder you created inside /var/lib/letsencrypt so that they match the owner user and group expected by ISPConfig (www-data:client1 on the seeds4c.org server, etc.).
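The same check, automated for every domain, as an added Python example (not from this page nor from certbot): it drops a random probe file into the aliased directory, fetches it over plain HTTP through each domain and compares the body byte for byte. Comparing the body matters here, because a Tiki .htaccess that rewrites unknown paths to a wiki page can answer 200 with HTML, which is the symptom described for server-status above. The domain list is taken from the renewal output below and is an assumption; the fetcher is injectable so the classification can be tested offline.

```python
"""Probe that /.well-known/acme-challenge/ is really served from
/var/lib/letsencrypt through every domain, before certbot needs it."""
import os
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

CHALLENGE_DIR = "/var/lib/letsencrypt/.well-known/acme-challenge"  # aliased by httpd-acme.conf
# Assumed list, taken from the renewal output on this page; adjust to your own domains.
DOMAINS = ["seeds4c.org", "intercanvis.net", "iesgogreen.seeds4c.org"]

Fetcher = Callable[[str], Tuple[int, bytes]]


def http_get(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Return (status, body). Error pages are returned too; status 0 means unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except (urllib.error.URLError, OSError) as err:
        return 0, str(err).encode()


def write_probe(challenge_dir: str = CHALLENGE_DIR) -> Tuple[str, bytes, str]:
    """Drop an unguessable probe file where Apache should find it."""
    name = "probe-" + secrets.token_urlsafe(12)
    body = secrets.token_hex(16).encode()
    path = os.path.join(challenge_dir, name)
    with open(path, "wb") as fh:
        fh.write(body)
    os.chmod(path, 0o644)  # the Apache user must be able to read it
    return name, body, path


def check_domain(domain: str, name: str, expected: bytes, fetch: Fetcher = http_get) -> str:
    """Classify one domain's answer for the probe URL."""
    status, body = fetch(f"http://{domain}/.well-known/acme-challenge/{name}")
    if status == 0:
        return "unreachable"
    if status == 403:
        return "forbidden: check owner/permissions under /var/lib/letsencrypt"
    if status != 200:
        return f"http {status}"
    if body.strip() != expected:
        return "wrong body: path is being rewritten (Tiki .htaccess?)"
    return "ok"


def check_all(domains: List[str] = DOMAINS, challenge_dir: str = CHALLENGE_DIR,
              fetch: Fetcher = http_get) -> Dict[str, str]:
    """Write one probe, test every domain against it, and always remove the probe."""
    name, body, path = write_probe(challenge_dir)
    try:
        return {d: check_domain(d, name, body, fetch) for d in domains}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for domain, verdict in check_all().items():
        print(f"{domain:35s} {verdict}")
```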

1.15.2. Renew certs in my own servers

Run these commands in a terminal:

sudo su
cd /opt/certbot/;./certbot-auto renew -n
exit


If the output of the command says there is nothing to renew yet, but you know the certs are close to their expiry date, you will not be able to attend the renewal yourself when needed, and you do not trust the cron job yet, you can force the renewal by hand with:

sudo su
cd /opt/certbot/;./certbot-auto renew -n --force-renewal
exit


Example:

root@seeds4c:# cd /opt/certbot/;./certbot-auto renew -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/intercanvis.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/iesgogreen.seeds4c.org.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/seeds4c.org.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/intercanvis.net/fullchain.pem (skipped)
  /etc/letsencrypt/live/iesgogreen.seeds4c.org/fullchain.pem (skipped)
  /etc/letsencrypt/live/seeds4c.org/fullchain.pem (skipped)
No renewals were attempted.
root@seeds4c:/opt/certbot# cd /opt/certbot/;./certbot-auto renew -n --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/intercanvis.net.conf
-------------------------------------------------------------------------------
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for intercanvis.net
tls-sni-01 challenge for www.intercanvis.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/intercanvis.net/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/iesgogreen.seeds4c.org.conf
-------------------------------------------------------------------------------
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for iesgogreen.seeds4c.org
tls-sni-01 challenge for creientsendiaspora.org
tls-sni-01 challenge for d-recerca.org
tls-sni-01 challenge for deliberaweb.seeds4c.org
tls-sni-01 challenge for gavarrespedia.org
tls-sni-01 challenge for grups.cristianismexxi.cat
tls-sni-01 challenge for intercanvis.net
tls-sni-01 challenge for llavorspac.org
tls-sni-01 challenge for piwik.seeds4c.org
tls-sni-01 challenge for seeds4c.org
tls-sni-01 challenge for semillaspec.org
tls-sni-01 challenge for sustainability.seeds4c.org
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0009_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0009_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/iesgogreen.seeds4c.org/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/seeds4c.org.conf
-------------------------------------------------------------------------------
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for seeds4c.org
tls-sni-01 challenge for d-recerca.org
tls-sni-01 challenge for iesgogreen.seeds4c.org
tls-sni-01 challenge for intercanvis.net
tls-sni-01 challenge for llavorspac.org
tls-sni-01 challenge for semillaspec.org
tls-sni-01 challenge for sustainability.seeds4c.org
tls-sni-01 challenge for www.d-recerca.org
tls-sni-01 challenge for www.intercanvis.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0010_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0010_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/seeds4c.org/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/intercanvis.net/fullchain.pem (success)
  /etc/letsencrypt/live/iesgogreen.seeds4c.org/fullchain.pem (success)
  /etc/letsencrypt/live/seeds4c.org/fullchain.pem (success)
root@seeds4c:/opt/certbot#

1.15.3. Renewal process (updated as of 2018)

root@seeds4c:~/tmp# /opt/certbot/certbot-auto certonly --webroot -w /var/lib/letsencrypt/ -d seeds4c.org,llavorspac.org,semillaspec.org -d sustainability.seeds4c.org -d iesgogreen.seeds4c.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/iesgogreen.seeds4c.org-0001.conf)

It contains these names: iesgogreen.seeds4c.org

You requested these names for the new certificate: seeds4c.org, llavorspac.org,
semillaspec.org, sustainability.seeds4c.org, iesgogreen.seeds4c.org.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for seeds4c.org
http-01 challenge for llavorspac.org
http-01 challenge for semillaspec.org
http-01 challenge for sustainability.seeds4c.org
http-01 challenge for iesgogreen.seeds4c.org
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /var/lib/letsencrypt/.well-known/acme-challenge

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/iesgogreen.seeds4c.org-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/iesgogreen.seeds4c.org-0001/privkey.pem
   Your cert will expire on 2018-05-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@seeds4c:~/tmp#

1.15.4. Add new certs (updated way)

Request a certificate for domain.tld, using /var/lib/letsencrypt/ as the publicly accessible webroot path where certbot places the http-01 challenge files:

# certbot certonly --email email@example.com --webroot -w /var/lib/letsencrypt/ -d domain.tld


To add a (sub)domain, list all the domains already used on the current setup together with the new one (certbot otherwise offers to expand and replace the existing certificate, as in the session above):

# certbot certonly --email email@example.com --webroot -w /var/lib/letsencrypt/ -d domain.tld,sub.domain.tld


To renew (all) the current certificate(s):

# certbot renew
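When "certbot renew" runs from cron, the only signal that something went wrong is buried in output like the sessions above. This added example (not certbot's own code) parses that output so a job can alert on any renewal conf that failed or ended without a clear outcome; the sample output is constructed from the sessions above, plus one constructed failure line.

```python
# Added example for this page (not certbot's own code): parse the output of
# "certbot renew" in the format shown above, so a cron job can flag a conf
# that neither renewed nor was skipped as "not yet due". The sample output
# below is constructed from the sessions above plus one constructed failure.
import re

SAMPLE_OUTPUT = """\
Processing /etc/letsencrypt/renewal/intercanvis.net.conf
Cert not yet due for renewal
Processing /etc/letsencrypt/renewal/seeds4c.org.conf
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for seeds4c.org
http-01 challenge for semillaspec.org
Waiting for verification...
Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/seeds4c.org/fullchain.pem
Processing /etc/letsencrypt/renewal/next.seeds4c.org.conf
Attempting to renew cert (next.seeds4c.org) from /etc/letsencrypt/renewal/next.seeds4c.org.conf produced an unexpected error: Failed authorization procedure. Skipping.
"""

CHALLENGE_RE = re.compile(r"^(?:http-01|tls-sni-01|dns-01) challenge for (\S+)$")

def parse_renew_output(text):
    """Return one dict per 'Processing ...' block, in output order."""
    renewals, cur = [], None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Processing ") and line.endswith(".conf"):
            cur = {"conf": line.split(" ", 1)[1], "status": "unknown",
                   "domains": [], "fullchain": ""}
            renewals.append(cur)
        elif cur is None:
            continue          # banner lines before the first conf
        elif line.startswith("Cert not yet due for renewal"):
            cur["status"] = "skipped"
        elif CHALLENGE_RE.match(line):
            cur["domains"].append(CHALLENGE_RE.match(line).group(1))
        elif "produced an unexpected error" in line:
            cur["status"] = "failed"
        elif line.endswith("fullchain is") and i + 1 < len(lines):
            cur["fullchain"], cur["status"] = lines[i + 1].strip(), "renewed"
    return renewals

def needs_attention(renewals):
    """Conf files to alert on: failed, or ended without a clear outcome."""
    return [r["conf"] for r in renewals if r["status"] in ("failed", "unknown")]
```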

1.15.5. Add new certs (former way)

sudo su
cd /opt/certbot
apt-get install python-urllib3 # if needed, in case this package is not installed yet
./certbot-auto certonly --webroot -w /var/www/c1tikitrunk/ -d next.seeds4c.org


This added a new .pem certificate file at:
/etc/letsencrypt/live/next.seeds4c.org/fullchain.pem

Then presumably you just need to edit the site definition through the ISPConfig control panel, and tick the checkbox for "Let's Encrypt SSL", which will also enable the SSL checkbox. Wait a few minutes for the change to take effect, and that should be it [unconfirmed whether there is some more magic needed; hitting it with a hammer in a few places might have helped] Xavi

1.16. Pending

  • Monit


1.17. Check and fix all mysql tables in one go

# To check and repair
sudo mysqlcheck -u root -p --auto-repair --check --all-databases

1.18. Remove https in a Tiki instance through mysql directly

DELETE FROM `tiki_preferences` WHERE `name` IN ('https_login','session_protected', 'tiki_cachecontrol_session', 'smarty_compilation');

Thanks jonnyb for sharing

1.19. Fix MySQL/MariaDB: Out of resources when opening file (Errcode: 24)

See:
http://www.antojose.com/node/50

1.20. Fix Full /boot partition

Generic information from:
https://help.ubuntu.com/community/RemoveOldKernels#Safely_Removing_Old_Kernels

First remove any leftover temporary files from previous kernel updates.

sudo rm -rv ${TMPDIR:-/var/tmp}/mkinitramfs-*



Determine the version number of the currently running kernel, which you DO NOT want to remove.

$ uname -r
4.2.0-21-generic



Taken from:
https://gist.github.com/ipbastola/2760cfc28be62a5ee10036851c654600

See also: https://help.ubuntu.com/community/RemoveOldKernels

Case II: Can't Use apt i.e. /boot is 100% full
NOTE: this is only if you can't use apt to clean up due to a 100% full /boot

1. Get the list of kernel images
Get the list of kernel images and determine which ones you can do without. This command shows the installed kernels except the currently running one:

$ sudo dpkg --list 'linux-image*'|awk '{ if ($1=="ii") print $2}'|grep -v `uname -r`
You will get a list of images something like the one below:

linux-image-3.19.0-25-generic
linux-image-3.19.0-56-generic
linux-image-3.19.0-58-generic
linux-image-3.19.0-59-generic
linux-image-3.19.0-61-generic
linux-image-3.19.0-65-generic
linux-image-extra-3.19.0-25-generic
linux-image-extra-3.19.0-56-generic
linux-image-extra-3.19.0-58-generic
linux-image-extra-3.19.0-59-generic
linux-image-extra-3.19.0-61-generic

2. Prepare Delete
Craft a command to delete all files in /boot for the kernels that don't matter to you, using brace expansion to keep you sane. Remember to exclude the current and the two newest kernel images. From the example above, it is:

sudo rm -rf /boot/*-3.19.0-{25,56,58,59,61,65}-*

3. Clean up what's making apt grumpy about a partial install.

sudo apt-get -f install

4. Autoremove
Finally, autoremove to clear out the old kernel image packages that have been orphaned by the manual boot clean.

sudo apt-get autoremove

5. Update Grub

sudo update-grub

6. Now you can update, install packages

sudo apt-get update
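Deciding by hand which ABI numbers go into the brace pattern of step 2 is where a full /boot cleanup goes wrong (deleting the running kernel leaves the box unbootable). This added example (not from the linked gist) takes the dpkg list from step 1, keeps the running kernel and the two newest, and builds the /boot pattern; the package list and uname -r value are constructed from the listing above.

```python
# Added example for this page (not from the linked gist): given the
# "dpkg --list 'linux-image*'" output and the running kernel, compute which
# kernel versions step 2 may delete, keeping the running one and the two
# newest, and emit the /boot brace pattern. Inputs below are constructed.
import re

INSTALLED = """\
linux-image-3.19.0-25-generic
linux-image-3.19.0-56-generic
linux-image-3.19.0-58-generic
linux-image-3.19.0-59-generic
linux-image-3.19.0-61-generic
linux-image-3.19.0-65-generic
linux-image-extra-3.19.0-25-generic
linux-image-extra-3.19.0-56-generic
"""
RUNNING = "3.19.0-59-generic"   # constructed `uname -r` value

# linux-image-4.2.0-21-generic or linux-image-extra-... -> ("4.2.0", 21, "generic")
PKG_RE = re.compile(r"^linux-image(?:-extra)?-(\d+\.\d+\.\d+)-(\d+)-(\w+)$")

def kernel_versions(dpkg_output):
    """Distinct (base, abi, flavour) triples, oldest first; meta-packages are skipped."""
    found = {(m[1], int(m[2]), m[3]) for m in map(PKG_RE.match, dpkg_output.split()) if m}
    return sorted(found, key=lambda v: ([int(x) for x in v[0].split(".")], v[1]))

def removable(dpkg_output, running, keep_newest=2):
    """'base-abi-flavour' strings safe to delete: all but the running kernel
    and the keep_newest most recent ones."""
    versions = kernel_versions(dpkg_output)
    keep = set(versions[max(0, len(versions) - keep_newest):])
    names = [f"{b}-{abi}-{fl}" for b, abi, fl in versions if (b, abi, fl) not in keep]
    return [n for n in names if n != running]

def rm_patterns(dpkg_output, running):
    """One /boot glob per base version for step 2, e.g. '/boot/*-3.19.0-{25,56,58}-*'.
    A lone ABI gets no braces: bash does not expand a single-item brace list."""
    groups = {}
    for name in removable(dpkg_output, running):
        base, abi, _ = name.split("-", 2)
        groups.setdefault(base, []).append(abi)
    patterns = []
    for base, abis in groups.items():
        inner = abis[0] if len(abis) == 1 else "{" + ",".join(abis) + "}"
        patterns.append(f"/boot/*-{base}-{inner}-*")
    return patterns
```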


These steps were also done to enable automatic removal of old kernels (instructions taken from http://ubuntuhandbook.org/index.php/2016/05/remove-old-kernels-ubuntu-16-04/ ):

Run this command to enable unattended upgrades. On Desktop Ubuntu 16.04 this is enabled by default.
sudo dpkg-reconfigure unattended-upgrades

Edit the config file with the following command (first install gksu via sudo apt install gksu):
gksudo gedit /etc/apt/apt.conf.d/50unattended-upgrades

When the file opens, uncomment the following line and change the value to true:

//Unattended-Upgrade::Remove-Unused-Dependencies "false";


Alias names for this page

Server seeds4c.org 2016 | seeds4c2016 | Servidor seeds4c.org 2016 | seeds4c 2016 | seeds4c2006 | seeds4c.org2016
