Flexion.Org

QuicknDirtyVirtualHostingwithControlPanel

1.   Introduction
1.1   Hosting Companies
1.2   The Control Panel Contenders
2.   My Guides
3.   The Operating System
4.   RavenCore Control Panel
4.1   chkconfig
5.   Installing Raven Core
5.1   Security Tweaks
5.2   Resource allocation tweaks

Introduction

AGAIN THIS IS OLD, UNUSED AND UNLOVED

When I was planning to move my hosting to a dedicated server, I wanted to use a control panel so that I could easily manage and set up virtual hosting for other domains. This page is a collection of installation notes for the open-source solution which best met my requirements, RavenCore.

Hosting Companies

Here is a list of companies that offer hosting solutions which suited my requirements.

The Control Panel Contenders

Below is a list of the virtual hosting solutions. I also found the http://deb.riseup.net/web-server/control-panels article very useful at the time, but it is now quite old.

Having tested most of the hosting applications above, RavenCore is my favourite and the most suitable for my needs. I have been testing RavenCore since v0.0.6 and have been using it on my production server since v0.1.4.

My Guides

These guides are a work in progress and really only intended for my own reference; they may be inaccurate or incomplete, but if you find them useful that is a bonus.

NOTE! Although these installation instructions do cover some server hardening and security safeguards, they are not comprehensive. You should consider additional safeguards such as chrooting SSH and Apache, using mod_security and/or suphp for Apache, deploying a full IDS such as Snort, and putting your server in a controlled DMZ behind a dedicated managed firewall. You should also conduct periodic vulnerability assessments using tools such as Nessus and ensure you apply any new security patches for the applications you have installed.

The Operating System

These articles explain my standard install for servers running Debian Sarge 3.1 or Ubuntu Server 6.06.1 LTS.

RavenCore Control Panel

RavenCore is developed primarily on RedHat based OSes, so Debian and Ubuntu support is not 100% perfect. However, since RavenCore 0.1.5 a number of new features have been added that significantly improve Debian and Ubuntu compatibility, and that good work has continued in the 0.2.x releases.

It might look like a bit of an effort to get RavenCore to play nicely with Ubuntu but if you follow the steps below you do end up with an easy to manage and stable virtual hosting platform. The installation notes below assume that Debian or Ubuntu has been installed as per my notes above.

chkconfig

RavenCore uses 'chkconfig' (a RedHat tool) to update and query runlevel information for system services. There is a port for Debian Woody, but it is not in the official Debian or Ubuntu repositories.

 apt-get install libnewt0.51
 ln -s /usr/lib/libnewt.so.0.51 /usr/lib/libnewt.so.0.50
 wget http://www.tuxx-home.at/projects/chkconfig-for-debian/chkconfig_1.2.24d-1_i386.deb
 dpkg -i chkconfig_1.2.24d-1_i386.deb

This will spit out some errors, but don't worry about them; we will fix them next.

chkconfig_1.2.24d-1_i386.deb is currently only available for Debian woody and depends on libnewt0. libnewt0 is no longer available for recent versions of Debian or Ubuntu, which now use libnewt0.51 instead.

To avoid breaking your package management system you have to edit '/var/lib/dpkg/status' and change "libnewt0" to "libnewt0.51" in the "Depends:" line for the package 'chkconfig'.

 vi /var/lib/dpkg/status

Now find...

 Depends: libc6 (>= 2.2.4-4), libnewt0, libpopt0 (>= 1.6.2-1), sysvinit

...and replace it with...

 Depends: libc6 (>= 2.2.4-4), libnewt0.51, libpopt0 (>= 1.6.2-1), sysvinit

...and finally run the following to ensure chkconfig is setup correctly.

 apt-get upgrade
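
The status-file edit above is the kind of thing that is easy to get wrong with a global search-and-replace, because any other package that happens to depend on libnewt0 would be rewritten too. The following is an added shell example, not part of chkconfig, dpkg or RavenCore: it changes the Depends: line only inside the stanza of the named package, keeps a backup, and counts the remaining references so you can verify the result before running apt-get upgrade. The status file in the demo is constructed, and the helper names are my own.

```sh
#!/bin/sh
# Added example: rewrite the "Depends:" field of ONE package stanza in a dpkg
# status file. Hypothetical helper, not part of chkconfig, dpkg or RavenCore.
# A plain sed over the whole file would also touch every other package that
# depends on libnewt0; restricting the edit to the matching "Package:" stanza
# avoids that. The original file is kept as STATUSFILE.bak.
#
# usage: fix_depends STATUSFILE PACKAGE OLDDEP NEWDEP
fix_depends() {
    status=$1 pkg=$2 olddep=$3 newdep=$4
    cp -p "$status" "$status.bak" || return 1
    awk -v pkg="$pkg" -v old="$olddep" -v new="$newdep" '
        # stanzas are separated by blank lines; track whether we are in ours
        /^Package: / { inpkg = ($2 == pkg) }
        /^$/         { inpkg = 0 }
        inpkg && /^Depends: / {
            # work on the comma-separated list so that "libnewt0" does not
            # also match "libnewt0.51" or "libnewt0-dev"
            n = split(substr($0, 10), deps, /, */)
            out = "Depends:"
            for (i = 1; i <= n; i++) {
                dep = deps[i]
                name = dep; sub(/ .*/, "", name)   # drop "(>= version)"
                if (name == old) dep = new
                out = out (i == 1 ? " " : ", ") dep
            }
            $0 = out
        }
        { print }
    ' "$status.bak" > "$status"
}

# Count stanzas that still depend on DEP (exact package name), to verify the
# change before running "apt-get upgrade".
# usage: count_dep STATUSFILE DEP
count_dep() {
    awk -v old="$2" '
        /^Depends: / {
            n = split(substr($0, 10), deps, /, */)
            for (i = 1; i <= n; i++) {
                name = deps[i]; sub(/ .*/, "", name)
                if (name == old) c++
            }
        }
        END { print c + 0 }
    ' "$1"
}

# Demo on a constructed status file (run this script directly to see it).
demo() {
    d=$(mktemp -d)
    cat > "$d/status" <<'EOF'
Package: chkconfig
Status: install ok installed
Version: 1.2.24d-1
Depends: libc6 (>= 2.2.4-4), libnewt0, libpopt0 (>= 1.6.2-1), sysvinit

Package: otherpkg
Status: install ok installed
Depends: libnewt0, libc6
EOF
    echo "before: $(count_dep "$d/status" libnewt0) stanza(s) depend on libnewt0"
    fix_depends "$d/status" chkconfig libnewt0 libnewt0.51
    echo "after:  $(count_dep "$d/status" libnewt0) stanza(s) depend on libnewt0"
    grep '^Depends:' "$d/status"
    rm -rf "$d"
}
demo
```

On a real system you would call it as `fix_depends /var/lib/dpkg/status chkconfig libnewt0 libnewt0.51` and then diff the file against the .bak copy before touching apt.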

References

Installing Raven Core

Security Tweaks

OK, so we now have a server up and running, but that is not the end of the story. There are some additional tweaks we can make to RavenCore and the services it manages. These tweaks will slightly enhance your server security so everyone should apply them.

Apache

Hiding the Apache version number and signature just makes it a little more difficult for the "casual" attacker probing your server to determine whether you are running vulnerable software.

 ServerSignature Off
 ServerTokens Prod

...are defined somewhere in '/etc/httpd/conf/httpd.conf' and '/usr/local/ravencore/ravencore-apache-2.0.conf' (or '/usr/local/ravencore/ravencore-apache-2.2.conf' if you use Apache 2.2).

Now restart RavenCore and then Apache.

Bind

Although I described how to chroot Bind during the RavenCore installation, Bind can benefit from some additional tweaks to prevent recursive queries and hide (to some extent) the Bind version number. Why do this?

If a nameserver allows anyone to use it to resolve third-party names (i.e. domains your server is not authoritative for), then this potentially allows attackers to mount cache-poisoning attacks against the nameserver. If the host allows these recursive queries via UDP, then it can be used to 'bounce' Denial of Service attacks against another network or system.

Hiding the Bind version number just makes it a little more difficult for the "casual" attacker probing your server to determine whether you are running a vulnerable version of Bind.

Add the 'acl recurseallow' line before the 'options' section in '/etc/bind/named.conf', but replace 222.222.222.222 with your server's IP address and add any other IPs you want to allow to do recursive queries.

 acl recurseallow { 127.0.0.1; 222.222.222.222; };

Then add the 'allow-recursion' and 'version' parameters to the 'options' section of '/etc/bind/named.conf' after the 'directory' parameter.

 options {
         directory "/etc/bind";
 
         allow-recursion { recurseallow; };
         version "Withheld";
 };

Now, restart Bind.

I have also manually added a Sender Policy Framework (SPF) record to my zone files.

When your DNS server is configured you should test it using IntoDNS.

Postfix

Hiding the Postfix product name just makes it a little more difficult for the "casual" attacker probing your server to determine whether you are running vulnerable software. Additionally, under a proposed US federal law, unsolicited commercial email cannot be sent through a server that includes the string NO UCE in the 220 greeting line.

 echo \$_[HOSTNAME] NO UCE ESMTP > /usr/local/ravencore/etc/postfix/main.cf/smtpd_banner

Even though I use amavis, there are some good anti-spam capabilities Postfix can employ. I configure Postfix to reject the request when a client sends SMTP commands ahead of time without knowing whether Postfix actually supports SMTP command pipelining. This stops mail from bulk mail software that improperly uses SMTP command pipelining to speed up deliveries.

 echo permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client bl.spamcop.net, reject_rbl_client list.dsbl.org, reject_rhsbl_client blackhole.securitysage.com, reject_rhsbl_sender blackhole.securitysage.com, reject_rhsbl_client rhsbl.sorbs.net, reject_rhsbl_sender rhsbl.sorbs.net, permit > /usr/local/ravencore/etc/postfix/main.cf/smtpd_recipient_restrictions

  • Disable the VRFY command. This stops some spammers from trying to extract valid email addresses.
  • Require the HELO command at the beginning of the SMTP session. Requiring this will stop some bulk mail programs.
  • Require strict RFC 821 envelopes. This will stop unwanted emails.
  • Disable notifying local users of the arrival of new mail. This feature makes use of the comsat network service, which is turned off on many UNIX systems for performance and/or security reasons.

 echo yes > /usr/local/ravencore/etc/postfix/main.cf/disable_vrfy_command
 echo yes > /usr/local/ravencore/etc/postfix/main.cf/smtpd_helo_required
 echo yes > /usr/local/ravencore/etc/postfix/main.cf/strict_rfc821_envelopes
 echo no > /usr/local/ravencore/etc/postfix/main.cf/biff

Now, restart RavenCore.
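
Once these restrictions are in place it is worth knowing which of them actually fire. The following is an added shell example, not from this page and not part of Postfix or RavenCore: it summarises smtpd "NOQUEUE: reject:" lines from a syslog-format mail log by reject reason and by client address. The log lines it runs on are constructed to follow the layout of Postfix 2.x reject messages (the RBL, unknown sender domain, pipelining and HELO rejections produced by the restrictions above); the helper names are my own.

```sh
#!/bin/sh
# Added example: summarise Postfix "NOQUEUE: reject:" log lines so you can see
# which smtpd restriction is doing the work (RBL, unknown sender domain,
# pipelining, HELO checks, ...). Hypothetical helper, not part of Postfix or
# RavenCore. Input is a syslog-format mail log (e.g. /var/log/mail.log).

# usage: reject_reasons MAILLOG   -> "count<TAB>reason", most frequent first
reject_reasons() {
    awk '
        /postfix\/smtpd\[[0-9]+\]: NOQUEUE: reject: / {
            line = $0
            # keep the text after "NNN N.N.N " (status + enhanced status code)
            sub(/.*: [0-9][0-9][0-9] [0-9]\.[0-9]\.[0-9] /, "", line)
            # drop the trailing "; from=<...> to=<...> proto=... helo=<...>"
            sub(/; (from|proto)=.*/, "", line)
            sub(/^<[^>]*>: /, "", line)        # drop the "<address>: " prefix
            sub(/\[[0-9.]+\]/, "[...]", line)  # mask the client IP in RBL text
            count[line]++
        }
        END { for (r in count) printf "%d\t%s\n", count[r], r }
    ' "$1" | sort -rn
}

# usage: reject_clients MAILLOG   -> "count<TAB>client-ip", most frequent first
reject_clients() {
    awk '
        # "... NOQUEUE: reject: RCPT from name[ip]: ..." -> ip
        match($0, /NOQUEUE: reject: [A-Z]+ from [^ ]+\[[0-9.]+\]/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/.*\[/, "", s); sub(/\]$/, "", s)
            count[s]++
        }
        END { for (c in count) printf "%d\t%s\n", count[c], c }
    ' "$1" | sort -rn
}

# Demo on constructed log lines (run the script directly to see the output).
demo() {
    d=$(mktemp -d)
    cat > "$d/mail.log" <<'EOF'
Jan  6 10:42:01 host postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using sbl-xbl.spamhaus.org; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<mail.example.net>
Jan  6 10:42:03 host postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using sbl-xbl.spamhaus.org; from=<b@example.net> to=<u@example.org> proto=ESMTP helo=<mx.example.net>
Jan  6 10:42:05 host postfix/smtpd[2212]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 450 4.1.8 <x@nosuch.invalid>: Sender address rejected: Domain not found; from=<x@nosuch.invalid> to=<u@example.org> proto=ESMTP helo=<mail.example.com>
Jan  6 10:42:09 host postfix/smtpd[2213]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 503 5.5.0 <DATA>: Data command rejected: Improper use of SMTP command pipelining; from=<c@example.net> to=<u@example.org> proto=SMTP helo=<x>
Jan  6 10:42:12 host postfix/smtpd[2213]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 504 5.5.2 <x>: Helo command rejected: need fully-qualified hostname; from=<d@example.net> to=<u@example.org> proto=SMTP helo=<x>
Jan  6 10:42:20 host postfix/smtpd[2214]: 1A2B3C4D5E: client=mail.example.com[198.51.100.7]
EOF
    echo "== rejections by reason";  reject_reasons "$d/mail.log"
    echo "== rejections by client";  reject_clients "$d/mail.log"
    rm -rf "$d"
}
demo
```

The reason summary masks the client address inside the RBL text so that all "blocked using sbl-xbl.spamhaus.org" rejections collapse into one line; the client summary is where you look for a single source that is being rejected repeatedly.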

References

SSH

You may be offering SSH access to your users and RavenCore doesn't provide a way to manage key based authentication, so SSH is a little exposed. Therefore I suggest you limit SSH to v2 of the protocol, do not allow 'root' logins via SSH and do not permit empty passwords.

If you do require 'root' level access via SSH I suggest you log in as a regular user and then use 'sudo'. Edit 'sshd_config'...

 vi /etc/ssh/sshd_config

...and make sure the following are defined somewhere.

 Protocol 2
 PermitRootLogin no
 PermitEmptyPasswords no

Now, restart sshd.

It would be really cool if RavenCore could add/maintain the 'AllowUsers' in '/etc/ssh/sshd_config' to only list the users who are permitted to login via SSH. Then any users not in the 'AllowUsers' list will be denied access even if they use a correct username and password. Sadly RavenCore doesn't have that feature currently. Hint, hint! ;-)
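
"Make sure the following are defined somewhere" hides a trap that applies to both the sshd_config lines above and the Apache ServerTokens/ServerSignature lines earlier on this page: sshd honours the first occurrence of a keyword, while Apache honours the last one, so a hardening line appended to a file that already sets the directive may have no effect at all. The following is an added shell example, not from this page and not part of OpenSSH, Apache or RavenCore, that reports the effective global-scope value of a directive under either rule and audits the settings recommended in both sections. The config files in the demo are constructed and the helper names are my own.

```sh
#!/bin/sh
# Added example: check the *effective* value of a directive in a config file,
# taking the parser's precedence rule into account. sshd_config uses the FIRST
# occurrence of a keyword; httpd.conf uses the LAST one (within a context).
# Hypothetical helper, not part of OpenSSH, Apache or RavenCore. Only the
# global scope is examined: sshd "Match" blocks and Apache <Section> ...
# </Section> blocks are skipped, so per-user or per-vhost overrides must be
# reviewed separately.

# usage: effective_value FILE KEYWORD first|last   -> value, or "(unset)"
effective_value() {
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" -v mode="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || /^$/ { next }                  # comments and blank lines
        tolower($1) == "match" { inmatch = 1 } # sshd: rest of file is conditional
        /^<\// { depth--; next }               # apache: leave a section
        /^</   { depth++; next }               # apache: enter a section
        inmatch || depth > 0 { next }
        {
            if ($1 ~ /=/) sub(/=/, " ")        # sshd also accepts Keyword=value
            if (tolower($1) != key) next
            val = $0; sub(/^[^ \t]+[ \t]+/, "", val)
            if (mode == "first" && found) next
            found = 1; value = val
        }
        END { print (found ? value : "(unset)") }
    ' "$1"
}

# usage: audit FILE first|last "Keyword want" ...
# Prints one line per check; exit status is non-zero if any check fails.
audit() {
    file=$1 mode=$2; shift 2; rc=0
    for pair in "$@"; do
        key=${pair% *}; want=${pair#* }
        got=$(effective_value "$file" "$key" "$mode")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '$got', want '$want'"; rc=1
        fi
    done
    return $rc
}

audit_sshd()   { audit "$1" first "Protocol 2" "PermitRootLogin no" "PermitEmptyPasswords no"; }
audit_apache() { audit "$1" last  "ServerTokens Prod" "ServerSignature Off"; }

# Demo on constructed config files (run the script directly to see it).
demo() {
    d=$(mktemp -d)
    cat > "$d/sshd_config" <<'EOF'
# constructed sample: PermitRootLogin is defined twice; sshd honours the first
Port 22
Protocol 2
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
Match User backup
    PermitRootLogin no
EOF
    cat > "$d/httpd.conf" <<'EOF'
# constructed sample: the hardening lines were appended at the end
ServerTokens Full
ServerSignature On
<VirtualHost *:80>
    ServerSignature On
</VirtualHost>
ServerTokens Prod
ServerSignature Off
EOF
    audit_sshd   "$d/sshd_config" || echo "sshd_config needs attention"
    audit_apache "$d/httpd.conf"  && echo "httpd.conf global scope looks fine"
    rm -rf "$d"
}
demo
```

In the demo the sshd file fails the audit even though "PermitRootLogin no" is present, because an earlier "PermitRootLogin yes" wins; the Apache file passes because its appended lines are the last ones seen. Run it against the real files as `audit_sshd /etc/ssh/sshd_config` and `audit_apache /etc/httpd/conf/httpd.conf` after editing.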

vsFTPd

Hiding the vsFTPd version number and product name just makes it a little more difficult for the "casual" attacker probing your server to determine whether you are running vulnerable software.

 echo Welcome to My Server > /usr/local/ravencore/etc/vsftpd/vsftpd.conf/ftpd_banner
 chown rcadmin:root /usr/local/ravencore/etc/vsftpd/vsftpd.conf/*

Now, restart RavenCore.

Resource allocation tweaks

These tweaks are specific to my needs as I run my servers on resource limited servers. These configuration settings are listed here for my own reference and **I do not recommend that you copy them!**

Apache

Improves responsiveness and reduces memory consumption.

 vi /etc/httpd/conf/httpd.conf

Sample

 TimeOut 45
 KeepAlive On
 MaxKeepAliveRequests 100
 KeepAliveTimeout 2
 ServerName yourserver.com:80
 ServerAdmin webmaster@yourserver.com
 
 # prefork MPM section; the module name was lost in this copy and is assumed
 <IfModule prefork.c>
 StartServers        1
 MinSpareServers     2
 MaxSpareServers     3
 MaxClients          48
 MaxRequestsPerChild 512
 </IfModule>

RavenCore

Improves responsiveness and reduces memory consumption.

 vi /usr/local/ravencore/ravencore-apache-2.0.conf

Sample

 TimeOut 45
 KeepAlive On
 MaxKeepAliveRequests 100
 KeepAliveTimeout 2
 ServerName yourserver.com:80
 ServerAdmin webmaster@yourserver.com
 
 # prefork MPM section; the module name was lost in this copy and is assumed
 <IfModule prefork.c>
 StartServers         1
 MinSpareServers      1
 MaxSpareServers      1
 MaxClients          32
 MaxRequestsPerChild 384
 </IfModule>

SpamAssassin

Only start one child.

 echo '-d -c -m1 -H -u vmail -x --virtual-config-dir=$_[VMAIL_ROOT]/%d/%l' > /usr/local/ravencore/etc/spamassassin/spamassassin/SPAMDOPIONS

ClamAV

Reduce threads and memory consumption.

 echo 8 > /usr/local/ravencore/etc/clamd/clamd.conf/MaxConnectionQueueLength
 echo 4 > /usr/local/ravencore/etc/clamd/clamd.conf/MaxThreads
 echo 4 > /usr/local/ravencore/etc/clamd/clamd.conf/MaxDirectoryRecursion
 touch    /usr/local/ravencore/etc/clamd/clamd.conf/ArchiveLimitMemoryUsage
 chown rcadmin:root /usr/local/ravencore/etc/clamd/clamd.conf/*

vsFTPd

Limit the number of client connections and log in both native and wu-ftpd formats.

 echo YES    > /usr/local/ravencore/etc/vsftpd/vsftpd.conf/dual_log_enable
 echo 12     > /usr/local/ravencore/etc/vsftpd/vsftpd.conf/max_clients
 chown rcadmin:root /usr/local/ravencore/etc/vsftpd/vsftpd.conf/*

Dovecot

Reduce the number of login processes, not sure this works correctly.

 echo 2 > /usr/local/ravencore/etc/dovecot/dovecot.conf/login_processes_count
 echo 2 > /usr/local/ravencore/etc/dovecot/dovecot.conf/login_max_processes_count

MySQL

Tune the MySQL memory consumption.

Edit '/etc/mysql/my.cnf' and change the settings as shown below.

 key_buffer              = 2M
 max_allowed_packet      = 1M
 thread_stack            = 64K
 
 query_cache_limit       = 1M
 query_cache_size        = 6M
 query_cache_type        = 1
 
 table_cache             = 4
 sort_buffer_size        = 64K
 read_buffer_size        = 256K
 read_rnd_buffer_size    = 256K
 net_buffer_length       = 2K
 
 innodb_buffer_pool_size = 16k
 
 key_buffer_size         = 16k
 myisam_sort_buffer_size = 16k
 bdb_cache_size          = 16k

Amavis

Log to syslog and only start one server.

 vi /usr/local/ravencore/etc/amavisd.conf.in

Sample

 $max_servers = 1;
 $DO_SYSLOG = 1;

$Id: QuicknDirtyVirtualHostingwithControlPanel,v 1.5 2008/01/06 10:42:34 martin Exp $
