Linode.com Forum Linode Community Forums
ged
Joined: 24 Jun 2004
Posts: 19
Location: Maryland, USA
|
| Posted: Sun Jul 11, 2004 7:31 pm Post subject: |
|
|
sufehmi wrote: I have no problem at all with that, in fact I'll be happy to.
Great!
sufehmi wrote: After a few problems in the past, my primary concerns now are security, maintainability, and reliability; that's why I stick to Debian stable
I agree. I've only made a couple of exceptions so far: webmin and phpMyAdmin are installed from source (easy though). And the Apache/MySQL/PHP-related packages come from http://dotdeb.org's .deb repository which gets updates as well, but they're not official.
I'd prefer the stable packages rather than dotdeb, if stable is debugged/secure enough. What do you think?
I'm nixing qmail, actually, though I haven't updated the tutorial. I'm looking at a Postfix solution instead. I have been reviewing a few different tutorials to try to find a Debian-stable solution, and I am leaning toward something like this one (which is part of the install docs for PHPMyWebHosting). I think it might work well, and it uses standard packages.
sufehmi wrote: # Some people may say you're lame for using Webmin - but my concern is to manage as many servers using as little time as possible (including time needed to learn each software package)
Well, whatever. :? Hey, I'm open to other ideas. :)
Update:
I've been searching around for a good virtual mail howto that is simple to set up. No dice. The one I mentioned above is fairly complicated, and none of the howtos I saw using Postfix+Courier+MySQL talked about how to use the system once it's in place. Go figure.
So I'm on the fence between qmail+vmailmgr and Postfix+etc. Vmailmgr has a command-line interface which would work well for me, but it's not part of the Debian distribution. |
|
|
sufehmi
Joined: 13 May 2004
Posts: 27
|
| Posted: Tue Jul 13, 2004 4:10 am Post subject: |
|
|
Sorry for the late reply, just returned from a week's holiday in Scotland. I've forgotten how nice a holiday can be :shock: highly recommended !
ged wrote: sufehmi wrote: I have no problem at all with that, in fact I'll be happy to.
Great!
I just finished installing a plain Debian server at home. I'll use it to make my guide better, also utilising information in yours.
I just updated my guide to reflect this, also have started to incorporate some bits and pieces from your guide.
Quote: sufehmi wrote: After a few problems in the past, my primary concerns now are security, maintainability, and reliability; that's why I stick to Debian stable
I agree. I've only made a couple of exceptions so far: webmin and phpMyAdmin are installed from source (easy though). And the Apache/MySQL/PHP-related packages come from http://dotdeb.org's .deb repository which gets updates as well, but they're not official.
I'd prefer the stable packages rather than dotdeb, if stable is debugged/secure enough. What do you think?
Agree, I'd prefer that as well.
Quote: I'm nixing qmail, actually, though I haven't updated the tutorial. I'm looking at a Postfix solution instead. I have been reviewing a few different tutorials to try to find a Debian-stable solution, and I am leaning toward something like this one (which is part of the install docs for PHPMyWebHosting). I think it might work well, and it uses standard packages.
Thanks for the info, I'll use it when installing Postfix in this test server.
Quote: Update:
I've been searching around for a good virtual mail howto that is simple to set up. No dice. The one I mentioned above is fairly complicated, and none of the howtos I saw using Postfix+Courier+MySQL talked about how to use the system once it's in place. Go figure.
I noticed that too.... well, it seems that our guide will be filling a lot of holes once finished.
Quote: So I'm on the fence between qmail+vmailmgr and Postfix+etc. Vmailmgr has a command-line interface which would work well for me, but it's not part of the Debian distribution.
Fortunately, we have quite a supportive Postfix community in Indonesia - so fingers crossed, I'll be able to set it up for virtual mail.
I'll keep you posted.
cheers,
Harry |
|
|
ged
Joined: 24 Jun 2004
Posts: 19
Location: Maryland, USA
|
| Posted: Tue Jul 13, 2004 6:33 am Post subject: |
|
|
Yes, I'll be on holiday soon myself (Maine here in the US), which is a good thing. I will hopefully go before I lose it and yell at my boss' boss. It's been one of those months.
:D -> :) -> :? -> :( -> :x -> :evil:
In any case, I'm glad to let someone else piece through the Postfix virtual mail puzzle - it gives me a headache. <g>
What I'm hoping to generate is a secure virtual mailhosting setup with IMAP support, where the domain & mailuser can be configured via mySQL. (Kind of like using the mysql-include module for Apache.) Add a domain and mail users to the DB, restart the appropriate services (if necessary), and voila. That's my hope anyway.
Since there seem to be so many manual changes that need to be made to support it, perhaps we can put together something like this tutorial for qmail on Debian, but for Postfix:
http://www.qmailrocks.org/install_db.htm
They make the process simpler by scripting many of the manual changes.
Let me know what you think.
ged |
|
|
sufehmi
Joined: 13 May 2004
Posts: 27
|
| Posted: Thu Jul 29, 2004 9:47 am Post subject: |
|
|
ged wrote: What I'm hoping to generate is a secure virtual mailhosting setup with IMAP support, where the domain & mailuser can be configured via mySQL. (Kind of like using the mysql-include module for Apache.) Add a domain and mail users to the DB, restart the appropriate services (if necessary), and voila. That's my hope anyway.
Since there seem to be so many manual changes that need to be made to support it, perhaps we can put together something like this tutorial for qmail on Debian, but for Postfix
Hi Ged,
Sorry, been busy with life & office in the past few weeks - anyway, looks like someone has beaten us to it:
http://www.workaround.org/articles/ispmail/
I'm gonna give it a try as soon as possible, then I'll let you know.
cheers,
Harry |
|
|
sufehmi
Joined: 13 May 2004
Posts: 27
|
| Posted: Tue Aug 03, 2004 4:29 am Post subject: |
|
|
A few updates:
# A bit of extra information on how to keep logcheck from sending huge reports to you (hint: specify entries that can be safely ignored)
# Firehol config updated - example to blacklist IP addresses (useful in case of DoS/DDoS), keeping dhclient from filling logs with junk
# Information to set up postfix à la ISPs (database-based virtual domain, anti-virus/spam, webmail, etc)
http://www.harrysufehmi.com/phpwiki/index.php/SettingUpLinuxServer
cheers,
Harry |
|
|
SunZoomSpark
Joined: 13 Nov 2006
Posts: 15
Location: London, UK
|
| Posted: Mon Nov 13, 2006 3:33 am Post subject: FireHOL requires this command for its operation. |
|
|
caker wrote:
Modules are disabled inside the Linode kernels for security reasons. You can ignore that warning message, most likely.
-Chris
Ok, I'm ignoring it -- but Firehol does say specifically: "FireHOL requires this command for its operation".
And in http://www.harrysufehmi.com/phpwiki/index.php/SettingUpLinuxServer#firewall
(just above http://www.harrysufehmi.com/phpwiki/index.php/SettingUpLinuxServer#serverhardening ) we read "If you see that your 7-lines firehol.conf becomes 150-lines of iptables commands, ..."
That hasn't happened!
How do we know if Firehol is working or not? |
|
|
sufehmi
Joined: 13 May 2004
Posts: 27
|
| Posted: Mon Nov 13, 2006 6:06 am Post subject: Re: FireHOL requires this command for its operation. |
|
|
SunZoomSpark wrote: How do we know if Firehol is working or not?
Try accessing the ports of the server which have been blocked by Firehol, see if they're REALLY blocked.
btw; wow, an ancient thread :) |
|
|
c1i77
Joined: 23 Sep 2004
Posts: 70
Location: Delft, Netherlands
|
| Posted: Mon Nov 13, 2006 6:47 am Post subject: |
|
|
or:
Code: sudo firehol status
will produce the output of /sbin/iptables -nxvL | /usr/bin/pager.
Cliff |
|
|
SunZoomSpark
Joined: 13 Nov 2006
Posts: 15
Location: London, UK
|
| Posted: Tue Nov 14, 2006 12:58 am Post subject: |
|
|
Right now any command (eg: start, stop, explain, debug, status, helpme) to firehol.sh generates this message:
Quote: ERROR: Command 'lsmod' not found in the system path.
FireHOL requires this command for its operation.
Please install the required package and retry.
Note that you need an operational 'which' command
for FireHOL to find all the external programs it
needs. Check it yourself. Run:
which lsmod
Output from /sbin/iptables -nxvL is
Quote: Chain INPUT (policy ACCEPT 77661 packets, 45148429 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 60343 packets, 7237447 bytes)
pkts bytes target prot opt in out source destination
I don't think firehol is working yet. |
|
|
c1i77
Joined: 23 Sep 2004
Posts: 70
Location: Delft, Netherlands
|
| Posted: Tue Nov 14, 2006 3:34 am Post subject: |
|
|
Hi,
You are right -- firehol did not create a firewall (iptables).
To resolve this you can either hack on firehol (so it doesn't require lsmod as a dependency) or you can install /bin/lsmod.
Debian: Code: apt-get install module-init-tools
Even though we can't use kernel modules on a Linode, having that package installed causes no harm.
Another thing you might want to do to appease firehol's environment checks is this (as root):
Code: mkdir /usr/src/linux-fake
ln -s /usr/src/linux-fake /usr/src/linux
zcat /proc/config.gz > /usr/src/linux/.config
That will kill the warning message firehol exudes when it can't find the non-existent kconfig file.
Cliff |
|
|
SunZoomSpark
Joined: 13 Nov 2006
Posts: 15
Location: London, UK
|
| Posted: Tue Nov 14, 2006 9:06 am Post subject: |
|
|
Forever in your debt c1i77 ...
c1i77 wrote: ... you can install /bin/lsmod
So that is what I did and all I had to do!
I haven't looked at iptables closely yet, but output from /sbin/iptables -nxvL | wc -l is 223 lines.
Attempted connections to rejected ports get closed immediately, so I guess firehol is now set up.
Thanks++ |
|
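The check the posts above arrive at (does the `iptables -nxvL` listing show any loaded rules, or only built-in chains with policy ACCEPT?), as an added example that is not part of the original thread or of FireHOL. The function names `open_builtin_chains` and `firewall_status` are made up for this sketch; the first sample is the listing quoted in the thread, the second is constructed.

```shell
# Added example: list built-in chains that accept everything and hold no
# rules, which is what `iptables -nxvL` shows when no firewall was loaded.
open_builtin_chains() {
    awk '
        function emit() {
            if (chain != "" && policy == "ACCEPT" && rules == 0)
                out = (out == "" ? chain : out " " chain)
        }
        $1 == "Chain" {
            emit(); chain = ""
            # Built-in chains read "(policy X ...)", user chains "(N references)".
            if ($3 == "(policy") { chain = $2; policy = $4; rules = 0 }
            sub(/[)]/, "", policy)   # plain -L prints "ACCEPT)" with no counters
            next
        }
        $1 == "pkts" || NF == 0 { next }   # column header or blank line
        { rules++ }                        # anything else is a rule line
        END { emit(); print out }
    '
}

# Reads iptables output on stdin; returns 1 if any built-in chain is wide open.
firewall_status() {
    open=$(open_builtin_chains)
    if [ -n "$open" ]; then
        echo "no rules loaded in: $open"
        return 1
    fi
    echo "ruleset present"
}

# The listing quoted in the thread (FireHOL aborted on the missing lsmod).
SAMPLE_EMPTY='Chain INPUT (policy ACCEPT 77661 packets, 45148429 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 60343 packets, 7237447 bytes)
pkts bytes target prot opt in out source destination'

# Constructed sample of a loaded ruleset (values are illustrative).
SAMPLE_LOADED='Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 720 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 300 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0'

printf '%s\n' "$SAMPLE_EMPTY" | firewall_status || true
printf '%s\n' "$SAMPLE_LOADED" | firewall_status
```

On a live host the same check runs as root with `iptables -nxvL | firewall_status`; a non-zero exit status can be used from cron or a monitoring probe to flag a firewall that silently failed to load.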
|
purana
Joined: 22 Jul 2008
Posts: 5
|
| Posted: Tue Jul 22, 2008 9:46 pm Post subject: |
|
|
It would appear the wiki pages mentioned throughout this thread all no longer work, anyone know where they moved to?
Thanks |
|
|
OverlordQ
Joined: 04 Jun 2004
Posts: 200
|
| Posted: Sat Jul 26, 2008 10:32 pm Post subject: |
|
|
purana wrote: It would appear the wiki pages mentioned throughout this thread all no longer work, anyone know where they moved to?
Thanks
Thank you for bumping a 4-year-old thread. No, most likely not. |
|
|
Randin
Joined: 08 Oct 2008
Posts: 2
|
| Posted: Thu Oct 09, 2008 5:28 pm Post subject: here |
|
|
purana wrote: It would appear the wiki pages mentioned throughout this thread all no longer work, anyone know where they moved to?
Thanks
Purana, might I suggest:
http://www.howtoforge.com/perfect_setup_debian_etch
It's a good tutorial for the initial setup; there are also howtos for other apps afterward. Good luck. |
|