Archive for the ‘ISPConfig 3’ Category
If you get the following error message in Ubuntu when you use PHP based shell scripts:
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20060613+lfs/htscanner.so' - /usr/lib/php5/20060613+lfs/htscanner.so: cannot open shared object file: No such file or directory in Unknown on line 0
Then edit the file /etc/php5/cli/php.ini and remove the lines:
Extension = "htscanner.so"
config_file = ".htaccess"
default_docroot = "/var/www"
These lines can be removed because the htscanner module works only for scripts run by a webserver, not for command-line scripts.
If you get an error like:
Aug 21 12:41:03 webb4 postfix/sendmail: fatal: web1_user(12967): queue file write error
in your mail log, then the value of message_size_limit in the Postfix main.cf is too low. Edit the Postfix main.cf:
and set the message size limit to a higher value, e.g.
message_size_limit = 900000000
and restart postfix:
If there is no message_size_limit set in main.cf, just add the line.
If you run a Joomla or WordPress installation with mod_php, the following settings in the vhost configuration file or the “Apache directives” field in ISPConfig can be used to set stricter security policies. This helps limit the impact of a possible hack to this website and protects the other sites on the server.
php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
php_admin_flag allow_url_fopen Off
php_admin_value session.save_path "/var/www/webXXX/phptmp/"
php_admin_value open_basedir "/var/www/webXXX/:/tmp"
disable_functions disables functions that have a potential security impact, e.g. because they allow the execution of external applications.
Setting allow_url_fopen to Off disables the ability to open files via a URL.
session.save_path sets the path where PHP stores its session files. For ISPConfig 2, the path is e.g. “/var/www/webXXX/phptmp/” and for ISPConfig 3 the path is like “/var/www/clients/client1/web1/tmp/”. If you don't use ISPConfig, set this path to a directory which is writable for the webserver user. The directory should be unique for every website.
open_basedir sets the paths where PHP scripts are allowed to open files. For ISPConfig 2, the path is like “/var/www/webXXX/” and for ISPConfig 3 the path is like “/var/www/clients/client1/web1/”. If you don't use ISPConfig, set this path to the root directory of this vhost. With :/tmp we also allow PHP scripts to use the /tmp directory of the server.
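An added example, not part of the original post or of ISPConfig: a small Python audit that reads vhost snippets and reports sites that lack one of the four directives above, leave allow_url_fopen on, or share a session directory. The site names, the sample configuration and the rule that a session directory should lie inside the site's own open_basedir paths are assumptions of this example.

```python
import re
from collections import defaultdict

# php_admin_value|php_admin_flag <name> <value>; the value may be in ASCII quotes.
DIRECTIVE = re.compile(
    r'^[ \t]*php_admin_(?:value|flag)[ \t]+(\S+)[ \t]+"?([^"\n]*?)"?[ \t]*$', re.I | re.M)
REQUIRED = ("disable_functions", "allow_url_fopen", "session.save_path", "open_basedir")

def parse_vhost(text):
    """Return {directive: value} for the php_admin_* lines of one vhost."""
    return {name.lower(): value for name, value in DIRECTIVE.findall(text)}

def under(path, base):
    """True if path is base itself or lies below it (compared as directories)."""
    return (path.rstrip("/") + "/").startswith(base.rstrip("/") + "/")

def audit(vhosts):
    """vhosts: {site: config text}. Return a sorted list of (site, finding)."""
    findings, users = [], defaultdict(list)
    for site, text in vhosts.items():
        conf = parse_vhost(text)
        findings += [(site, name + " not set") for name in REQUIRED if name not in conf]
        if conf.get("allow_url_fopen", "off").lower() not in ("off", "0"):
            findings.append((site, "allow_url_fopen is enabled"))
        save = conf.get("session.save_path")
        bases = [b for b in conf.get("open_basedir", "").split(":") if b]
        if save:
            users[save.rstrip("/")].append(site)
            # Assumption of this example: a per-site session directory lives
            # inside the site's own tree, as in the ISPConfig paths above.
            if bases and not any(under(save, b) for b in bases):
                findings.append((site, "session.save_path is outside open_basedir"))
    for path, sites in users.items():
        if len(sites) > 1:
            findings += [(s, "session.save_path " + path + " is shared") for s in sites]
    return sorted(findings)

# Constructed sample input: web1 uses the settings from this page, web2 does not.
SAMPLE = {
    "web1": 'php_admin_value disable_functions "show_source system exec"\n'
            'php_admin_flag allow_url_fopen Off\n'
            'php_admin_value session.save_path "/var/www/web1/phptmp/"\n'
            'php_admin_value open_basedir "/var/www/web1/:/tmp"\n',
    "web2": 'php_admin_flag allow_url_fopen On\n'
            'php_admin_value session.save_path "/var/lib/php5"\n'
            'php_admin_value open_basedir "/var/www/web2/:/tmp"\n',
}

if __name__ == "__main__":
    print("\n".join(site + ": " + f for site, f in audit(SAMPLE)))
```

The audit reads configuration text only; the effective values inside a site can be confirmed with ini_get() from a PHP script there, which matters for disable_functions because the PHP manual states that this directive must be set in php.ini.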
Fail2ban uses iptables by default to block incoming connections when they exceed the maximum number of login retries. The iptables rules used by fail2ban might conflict with the firewall rules, so it might be necessary to reconfigure fail2ban to use the route command for blocking incoming connections.
To reconfigure fail2ban for using the route command instead of iptables, edit or create the route.conf file:
And insert the following lines:
# Fail2Ban configuration file
[Definition]
actionban = ip route add unreachable <ip>
actionunban = ip route del unreachable <ip>
Then add or change the banaction in the jail.local file in the [DEFAULT] section to “route”:
And add or edit these lines:
# Fail2Ban configuration file
[DEFAULT]
banaction = route
If the webalizer statistics of your website only show the last one or two days instead of all days since the website was created, you have to activate incremental processing in the webalizer configuration file (/etc/webalizer.conf or /etc/webalizer/webalizer.conf depending on the Linux distribution).
Change the line:
# Incremental yes
to:
Incremental yes
ISPConfig 3 roadmap:
ISPConfig 2 roadmap:
Hint: The procedure described below is for ISPConfig versions < 3.0.3. For newer ISPConfig versions, use the built-in SSL certificate creation function of the ISPConfig updater instead. The steps below should only be used to manually create a new SSL certificate in case you cannot run the updater on your installation.
The ISPConfig control panel login runs on http by default. This short tutorial shows you how to enable SSL encryption (https) for the ISPConfig vhost.
1) Make the directory for the SSL certificate:
2) Create the SSL certificate files
openssl genrsa -des3 -out ispserver.key 4096
openssl req -new -key ispserver.key -out ispserver.csr
openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
openssl rsa -in ispserver.key -out ispserver.key.insecure
mv ispserver.key ispserver.key.secure
mv ispserver.key.insecure ispserver.key
3) Enable the mod_ssl module
4) Edit the ISPConfig vhost file
and insert the following lines between the “<VirtualHost ….></VirtualHost>” tags:
5) Restart apache2
The ISPConfig control panel login is now reachable on port 8080 by https.
If configuration changes do not get written to disk in ISPConfig 3, you should enable the debugging mode.
Log in to ISPConfig and go to: System > Server config > Server (name of the server) > Server
and set Loglevel to Debug.
If you use an ISPConfig version < 3.0.2, then debugging has to be enabled in the configuration file:
Edit the ISPConfig configuration file:
and change the line:
$conf["log_priority"] = 2;
to:
$conf["log_priority"] = 0;
The debugging information can be viewed in the system log in the ISPConfig monitor, and the output is also logged to the file /var/log/ispconfig/ispconfig.log.
If you run a multiserver system, then you will have to enable debugging on the slave where the error occurs and not on the master node.