Posts Tagged ‘ISPConfig 3’
Secure /tmp and /dev/shm directories in a OpenVZ enviroment
The /tmp and /dev/shm directories of a OpenVZ virtual machine shall be mounted without suid and exec permissions. To achieve this, create a a shell script on the host server for every virtual machine which contains the commands to remount the directories. This script will be started automatically by openvz when the VM is started.
I will use VPSID as placeholder for the ID of the virtual machine in the commands and the script. Replace VPSID with the id of the virtual machine that you want to create the script for, e.g. replace VPSID with 101.
Create the script:
vi /etc/vz/conf/VPSID.mount
and insert the following lines:
#!/bin/bash mount -n --bind -onosuid,noexec /vz/vps/VPSID/tmp /vz/root/VPSID/tmp mount -n --bind -onosuid,noexec /vz/vps/VPSID/shm /vz/root/VPSID/dev/shm exit ${?}
now make the sscript executable:
chmod 700 /etc/vz/conf/VPSID.mount
Migrate physical server system to OpenVZ virtual machine
In case you plan to virtualize your server infrastructure and migrate physical servers to OpenVZ virtual machines, you may find this tutorial helpful:
http://wiki.openvz.org/Physical_to_container
I used this to migrate a ISPConfig Debian system to OpenVZ successfully.
How to disable spamfilter- and antivirus functions in ISPConfig 3
If you use a mailserver wil very low ram (< 500 MB) and a slow CPU then it might be nescessary to disable the spam- and antivirus filter functions in ISPConfig 3 as amavisd and clamav might be too heavy for your server hardware. The steps to disable clamav and amavisd are:
Edit postfix main.cf file
vi /etc/postfix/main.cf
and comment out these lines by adding a “#” in front of them:
# content_filter = amavis:[127.0.0.1]:10024 # receive_override_options = no_address_mappings
Then restart postfix:
/etc/init.d/postfix restart
Now stop and disable the services. The following commands are for Debian and Ubuntu, the commands for other Linux distributions may vary
/etc/init.d/clamav-daemon stop /etc/init.d/clamav-freshclam stop /etc/init.d/amavis stop
update-rc.d -f clamav-daemon remove update-rc.d -f clamav-freshclam remove update-rc.d -f amavis remove
P The normal mail receive and send functions will still work after this modification. But please be aware that disabling amavisd and clamav will disable all spam- and antivirus filtering so that the spamfiltering options that can be configured in the ispconfig interface will have any effect on mail delivery and no spam and viruses will get filtered.
The changes in postfix main.cf will get overwitten by a ispconfig software update when you select to reconfigure services during upadte, so you should comment out the lines again after you install a ispconfig update.
How to solve the ClamAV error “This version of the ClamAV engine is outdated” on Debian 5.0 (Lenny)
As of today, all ClamAV 0.94 or older installs will stop working. The Debian project has not released updates for their current stable release (5.0) yet to solve this, but there is a workaround. The Debain volatile project provides newer clamav versions. The installation steps to install ClamAV 0.95.3 on Debian lenny are:
1) Add the debian volatile repository to the sources list:
echo "deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free" >> /etc/apt/sources.list
2) Update the sources and install the new clamav package:
apt-get update apt-get install clamav apt-get -u upgrade
3) If you use amavisd-new (e.g. if you use a ISPConfig 3 server) then restart amavisd:
/etc/init.d/amavis restart
How to redirect requests for domain names without www to www.domain.tld
Many webmasters want to redirect users that access their websites with “domain.tld” automatically to “www.domain.tld”. If you use the Apache web server, you can do this by using Apache rewrite rules.
Add a .htaccess file with the following content in the root directory of the website:
Options +FollowSymlinks RewriteEngine On RewriteCond %{HTTP_HOST}//s%{HTTPS} ^[^w][^w][^w][^.].*//((s)on¦s.*) [NC] RewriteRule ^ http%2://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
If you use ISPConfig as hosting control panel, you can add these rules also in the Apache directives field of the website.
Thanks to “extras” from webmasterworld for this useful rewrite rule.
How to disable Apache mod_security for a website in ISPConfig 3.
If you use mod_security on your server you might encounter that a website script is not compatible with mod_security. To disable mod_security (v2) for a website, add the following code into the apache directives field:
<IfModule mod_security2.c> SecRuleEngine Off </IfModule>
For the older mod_security 1 version, use these configuration directives:
<IfModule mod_security.c> SecFilterEngine Off </IfModule>
Thanks to Planetfox for this tipp.
How to Update ISPConfig 3
The ISPConfig update script is a easy way to update a ISPConfig 3 installation. If you want to backup the installation before, take a look at the instructions at the end of the article.
To update ISPConfig 3, login as root user on the shell of your server and run the command:
ispconfig_update.sh
>> Update
Please choose the update method. For production systems select 'stable'. The update from svn is only for development systems and may break your current setup.
Select update method (stable,svn) [stable]:
You should always select “stable” on a production system. The “svn” version is only suitable for ISPConfig 3 development.
The updater will then check the version of your system, download the latest update and starts the update process. In the next step, enter the mysql root password:
This application will update ISPConfig 3 on your server. MySQL root password []:
Then you were asked if the services shall be reconfigured:
Reconfigure Services? (yes,no) [yes]:
You should choose “yes” here, only if you modified your system configuration manually, it might be better to choose no. But in this case, new features in ISPConfig might not work or functions might stop working until you adjusted the config files manually. So its always a good choice to select ‘yes’ here. In the next step, select the ispconfig port:
ISPConfig Port [8080]:
Port 8080 is the default, if you have not changed it, press enter. Otherwise enter the port number and then press enter. As the last step, you wre asked if the crontab shall get reconfigured, you can select yes here by just pressing return.
Reconfigure Crontab? (yes,no) [yes]:
The ISPConfig updater will then update the ispconfig files and restart services, if the configuration has been changed.
Backup before updates
Before you update a software, it is always a good idea to backup all relevant data. This enables you to restore the software version that you had before in case of an error. The steps to create a backup of the ispconfig software and settings are:
Create a backup folder:
mkdir /home/backup chmod 700 /home/backup cd /home/backup
Backup the database
mysqldump -u root -p dbispconfig > dbispconfig.sql
Backup the ISPConfig software
tar pcfz ispconfig_software.tar.gz /usr/local/ispconfig
Backup the configuration files in /etc
tar pcfz etc.tar.gz /etc
This backup does not include the emails and website data.
Keep the spamassassin filter rules up to date in ISPConfig 3
To update the spamassassin rules regularily on your ISPConfig 3 server, add the following line to the root crontab by running:
crontab -e
then insert the following line:
23 4 */2 * * /usr/bin/sa-update --no-gpg &> /dev/null
and save the file. The path to the sa-update script is /usr/bin/sa-update on Ubuntu and Debian Linux, if you use a different linux distrubution, run the command:
which sa-update
to find the location of the sa-update script and adjust the path in the crontab line above so that it matches the path on your system.
How to fix the spamassassin bug with the FH_DATE_PAST_20XX rule
Since january 1 2010, spamassassin is falsely marking non spam emails as spam due to an error in the regular expression of the FH_DATE_PAST_20XX rule.
Description of the bug:
https://secure.grepular.com/blog/index.php/2010/01/01/spamassassin-2010-bug/
To fix this, run the following command on the shell as root user:
sa-update
If you use the software ISPConfig 2 on your server, run this command:
/home/admispconfig/ispconfig/tools/spamassassin/usr/bin/sa-update
How to reset the administrator password in ISPConfig 3
If you lost your ISPConfig 3 administrator password, you can reset it with the following SQL query.
UPDATE sys_user SET passwort = md5('admin') WHERE username = 'admin';
The SQL query sets the password to “admin” for the user “admin”, it has to be executed in the ISPConfig mysql database, e.g. with phpmyadmin. If you dont have phpmyadmin installed, then the query can be executed with the mysql commandline utility as well:
Login to the mysql database.
mysql -u root -p
and enter the password of the mysql root user. To switch to the ISPConfig database, run this command:
use dbispconfig;
Now execute the SQL command:
UPDATE sys_user SET passwort = md5('admin') WHERE username = 'admin';
and close the mysql shell:
quit;