Ubuntu Server

From Indie IT Wiki

The following assumes you have not enabled the root user, thus the use of 'sudo'. If you have enabled the root user you can ignore sudo.

Download

http://releases.ubuntu.com/16.04/ubuntu-16.04-server-amd64.iso

Standard System Utilities

You can see the list of packages after install using tasksel...

sudo tasksel --task-package standard 

List of packages...

telnet
powermgmt-base
ntfs-3g
ubuntu-release-upgrader-core
iputils-tracepath
python3-update-manager
groff-base
python3-distupgrade
bind9-host
mtr-tiny
bash-completion
mlocate
tcpdump
geoip-database
install-info
irqbalance
language-selector-common
friendly-recovery
command-not-found
info
hdparm
man-db
lshw
update-manager-core
apt-transport-https
accountsservice
command-not-found-data
python3-commandnotfound
time
ltrace
parted
popularity-contest
strace
ftp
ubuntu-standard
lsof

Thanks - http://askubuntu.com/questions/766419/whats-in-standard-system-utilities-w-16-04-server

Completely Automated Install

To do this, you need the package system-config-kickstart, but because it is a GUI program, installing it normally pulls in far too many dependencies for a server. Therefore, we manually download the Debian package file and install it by force, ignoring its dependencies.

Download the kickstart configurator package...

wget http://www.mirrorservice.org/sites/archive.ubuntu.com/ubuntu/pool/main/s/system-config-kickstart/system-config-kickstart_2.5.20-0ubuntu25_all.deb

Install it with force...

sudo dpkg --force-depends -i system-config-kickstart_2.5.20-0ubuntu25_all.deb

Now switch to root user...

sudo -i

Run the kickstart program with switches...

system-config-kickstart --generate ks.cfg

Edit the ks.cfg file to your liking.

http://askubuntu.com/questions/122505/how-do-i-create-a-completely-unattended-install-of-ubuntu

https://help.ubuntu.com/lts/installation-guide/i386/ch04s06.html

HOWTO: UPGRADE

Usual Routine

sudo apt-get update
sudo apt-get check
sudo apt-get --download-only upgrade
sudo apt-get --simulate upgrade
sudo apt-get --quiet upgrade
sudo update-grub
sudo update-initramfs -t -u
sudo reboot

From 13.04

Edit the sources file...

sudo nano /etc/apt/sources.list
deb http://old-releases.ubuntu.com/ubuntu/ raring main restricted
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates main restricted
deb http://old-releases.ubuntu.com/ubuntu/ raring universe
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates universe
deb http://old-releases.ubuntu.com/ubuntu/ raring multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-backports main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-security main restricted
deb http://old-releases.ubuntu.com/ubuntu/ raring-security universe
deb http://old-releases.ubuntu.com/ubuntu/ raring-security multiverse

Update the package list...

sudo apt-get update
sudo apt-get check

Download the software first...

sudo apt-get --download-only dist-upgrade

Update the software...

sudo apt-get --simulate dist-upgrade
sudo apt-get --quiet dist-upgrade 

Double Check grub boot loader...

sudo update-grub
sudo update-initramfs -t -u
sudo sync

Reboot...

sudo reboot

'apt-get upgrade' OR 'apt-get dist-upgrade'?

upgrade
   upgrade is used to install the newest versions of all packages
   currently installed on the system from the sources enumerated in
   /etc/apt/sources.list. Packages currently installed with new
   versions available are retrieved and upgraded; under no
   circumstances are currently installed packages removed, or packages
   not already installed retrieved and installed. New versions of
   currently installed packages that cannot be upgraded without
   changing the install status of another package will be left at
   their current version. An update must be performed first so that
   apt-get knows that new versions of packages are available.
dist-upgrade
   dist-upgrade in addition to performing the function of upgrade,
   also intelligently handles changing dependencies with new versions
   of packages; apt-get has a "smart" conflict resolution system, and
   it will attempt to upgrade the most important packages at the
   expense of less important ones if necessary. So, dist-upgrade
   command may remove some packages. The /etc/apt/sources.list file
   contains a list of locations from which to retrieve desired package
   files. See also apt_preferences(5) for a mechanism for overriding
   the general settings for individual packages.

Thanks to AskUbuntu.com.
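Added example, not from this page or from apt itself: a shell filter that reads the output of 'sudo apt-get --simulate dist-upgrade' and lists the packages the resolver would remove, so the caveat above (dist-upgrade may remove packages) can be checked before the real run. The sample output embedded below is constructed to show the format apt-get prints; the function names removed_packages and check_dist_upgrade are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): gate a real dist-upgrade on what
# the simulated one says it would REMOVE.

# removed_packages: reads simulated apt-get output on stdin and prints the
# package names listed under "The following packages will be REMOVED:",
# space-separated on one line (an empty line if nothing would be removed).
removed_packages() {
  awk '
    /^The following packages will be REMOVED:/ { grab = 1; next }
    /^[^ ]/ { grab = 0 }          # the next unindented line ends the list
    grab { for (i = 1; i <= NF; i++) out = (out == "" ? $i : out " " $i) }
    END { print out }
  '
}

# check_dist_upgrade: exit 0 when the simulation removes nothing, 1 otherwise,
# so a script can do:  sudo apt-get --simulate dist-upgrade | check_dist_upgrade && ...
check_dist_upgrade() {
  removed=$(removed_packages)
  if [ -n "$removed" ]; then
    echo "dist-upgrade would REMOVE: $removed" >&2
    return 1
  fi
  return 0
}

# Constructed sample of what 'sudo apt-get --simulate dist-upgrade' prints
# when the resolver decides to drop two packages.
SAMPLE_WITH_REMOVALS='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages will be REMOVED:
  libfoo1 oldtool
The following packages will be upgraded:
  bash coreutils
2 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.'

# Constructed sample where nothing is removed.
SAMPLE_CLEAN='Reading package lists...
Calculating upgrade...
The following packages will be upgraded:
  bash
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.'

# Stand-alone run over both samples.
printf '%s\n' "$SAMPLE_WITH_REMOVALS" | check_dist_upgrade || echo "review the list before upgrading"
printf '%s\n' "$SAMPLE_CLEAN" | check_dist_upgrade && echo "safe to run dist-upgrade"
```

In the "Usual Routine" above, the filter slots in right after the --simulate step; a non-zero exit is the cue to read the simulation output in full before running the real dist-upgrade.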

HOWTO: GENERAL:

Install Options

  1. Default Server = Server kernel + "Basic Ubuntu server" task packages
  2. Minimal System = Server kernel + no additional packages
  3. Minimal Virtual Machine = Virtual kernel + no additional packages

Thanks - http://askubuntu.com/questions/57336/minimal-system-or-minimal-virtual-machine-on-install

Downloads

http://releases.ubuntu.com

Size Swap File Partition - Suggested Sizes

  1. Systems with 4GB of ram or less require a minimum of 2GB of swap space
  2. Systems with 4GB to 16GB of ram require a minimum of 4GB of swap space
  3. Systems with 16GB to 64GB of ram require a minimum of 8GB of swap space
  4. Systems with 64GB to 256GB of ram require a minimum of 16GB of swap space

Thanks to Cyberciti.

HOWTO: DISABLE:

RAM Usage

http://pastebin.com/6yF7kFAC

Message Of The Day (MOTD)

sudo chmod a-x /etc/update-motd.d/*
sudo rm -rfv /etc/update-motd.d/50-landscape-sysinfo
sudo dpkg-reconfigure landscape-common
sudo apt-get purge landscape-*

Thanks - http://askubuntu.com/questions/385072/how-set-the-message-of-the-day-motd-as-ubuntu-server

rtc error

Ubuntu Server tries to load the module 'rtc' on boot. This is no longer needed on newer hardware.

Check to make sure your clock is correct...

sudo date && sudo hwclock

Just comment out the offending line from the modules configuration file. Might as well stop the printer driver as well!

sudo nano /etc/modules
     # lp
     # rtc

console-kit-daemon

To see how many are running:

sudo apt-get install psmisc
pstree -cln

To get rid of the service you will need to first find its process ID:

ps aux| grep console-kit-daemon

Which should return something similar to:

root 1393  0.0  0.1 2091756 3940 ? Sl   11:04   0:00 /usr/sbin/console-kit-daemon --no-daemon

Where 1393 is the process ID. To stop it and remove it from startup:

sudo kill 1393
sudo cp /usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service org.freedesktop.ConsoleKit.old
sudo rm /usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service

Thanks to AskUbuntu.

Clear Screen After Boot Before Login

Add --noclear to the getty options for the 1st terminal...

sudo nano /etc/init/tty1.conf
     exec /sbin/getty -8 38400 --noclear tty1

Console Screen Blanking

sudo setterm --blank 0

To make this change permanent, create a file called 'setterm.start' in the /etc/local.d/ folder.

sudo mkdir /etc/local.d
sudo nano /etc/local.d/setterm.start
     setterm --blank 0
sudo chmod +x /etc/local.d/setterm.start

Control-Alt-Delete

NEW

sudo systemctl mask ctrl-alt-del.target
sudo systemctl daemon-reload

Thanks - https://help.ubuntu.com/lts/serverguide/console-security.html

OLD

sudo mkdir /root/misc
sudo mv -v /etc/init/control-alt-delete.conf /root/misc/

Low Resolution Console

sudo nano /etc/default/grub
     GRUB_HIDDEN_TIMEOUT_QUIET=false
     GRUB_TIMEOUT=10
     GRUB_CMDLINE_LINUX_DEFAULT="noquiet nosplash nofb nomodeset"
     GRUB_TERMINAL=console
sudo update-grub

IPv6

sudo nano /etc/default/grub
     GRUB_CMDLINE_LINUX="ipv6.disable=1"
sudo update-grub
sudo nano /etc/netconfig
     #udp6       tpi_clts      v     inet6    udp     -       -
     #tcp6       tpi_cots_ord  v     inet6    tcp     -       -
sudo netstat -tln

whoopsie

Whoopsie is Ubuntu's Error Reporting daemon, to disable it:

sudo service whoopsie stop
sudo update-rc.d -f whoopsie remove
sudo apt-get purge whoopsie

Service From Automatically Starting By Upstart

echo "manual" | sudo tee /etc/init/SERVICE.override

Thanks - http://askubuntu.com/questions/19320/how-to-enable-or-disable-services

HOWTO: INSTALL:

Encrypted LVM on top of Software RAID

https://www.itfromscratch.com/install-ubuntu-server-12-04-with-encrypted-lvm-on-raid1

Software RAID

https://help.ubuntu.com/16.04/serverguide/advanced-installation.html

The Urban Penguin - Software Raid Tutorial

Things To Do After Initial Install:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install -y apt-transport-https bash-completion curl nano screen
sudo reboot

Problems?

If you installed from the CD and cannot complete the steps above because apt says it only has the package lists from the CD, the fix below rewrites the apt-get sources list...

sudo -i
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty main restricted" >/etc/apt/sources.list
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty-updates main restricted" >>/etc/apt/sources.list
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty universe" >>/etc/apt/sources.list
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty-updates universe" >>/etc/apt/sources.list

Now you can continue...

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install -y apt-transport-https bash-completion curl nano screen
sudo reboot

BASH Completion

sudo nano /etc/bash.bashrc

if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

CPU Stepping

sudo apt-get install -y cpufrequtils
sudo update-rc.d cpufrequtils defaults
sudo cpufreq-info
sudo grep 'MHz' /proc/cpuinfo

Network Time Protocol (NTP)

sudo apt-get -y install ntp ntpdate

To add or remove time servers edit the configuration file:

sudo nano /etc/ntp.conf

pool uk.pool.ntp.org

Then reconfigure...

sudo dpkg-reconfigure tzdata
sudo service ntp restart

Test...

date

Temperature Sensor Monitoring

sudo apt-get install lm-sensors
sudo sensors-detect
sudo service kmod start
sudo update-rc.d kmod defaults
sudo sensors

coretemp-isa-0000
Adapter: ISA adapter
Core 0:       +41.0°C  (high = +80.0°C, crit = +100.0°C)
Core 1:       +41.0°C  (high = +80.0°C, crit = +100.0°C)

smsc47b397-isa-0480
Adapter: ISA adapter
fan1:        1037 RPM
fan2:           0 RPM
fan3:           0 RPM
fan4:        1017 RPM
temp1:        +50.0°C  
temp2:        +37.0°C  
temp3:        +21.0°C  
temp4:       -128.0°C

Uptime

uptimed

sudo apt-get install -y uptimed

tuptimed

sudo apt-get install -y git python
cd /tmp
sudo git clone https://github.com/rfrail3/tuptime.git
cd tuptime
sudo chmod +x tuptime-install.sh
sudo ./tuptime-install.sh

Thanks to Cyberciti.

Linux Dash

Follow this article.

HOWTO: FIX:

Daily Cron Error

If you receive the following error:

/etc/cron.daily/apt: DB Update failed, database locked

Try uninstalling the following package:

sudo apt-get remove apt-xapian-index

Thanks to Porotal.org.

Enable IP Forwarding On Reboot

sysctl -w net.ipv4.ip_forward=1
nano /etc/sysctl.conf
     net.ipv4.ip_forward = 1

Thanks - http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/

Cannot Reboot Or Shutdown Hangs Stops

This is to be used as a last resort... but it may just save your skin. The writes have to happen as root, which is why tee is used rather than a plain '>' (a redirection after sudo is performed by your unprivileged shell and fails).

echo 1 | sudo tee /proc/sys/kernel/sysrq
echo b | sudo tee /proc/sysrq-trigger

Blank Screen Unsupported Video Options

  • Hold RIGHT SHIFT down during CD boot
  • Press F6 to choose Advanced Options
  • Press ESC
  • Use the arrow keys to move along the Boot line
  • Change the vga= number to 769

Thanks to Wikipedia

Failed to connect to system bus ERROR

You may see these error messages in /var/log/auth.log...

Feb 5 15:38:02 hostname proftpd: pam_systemd(proftpd:session): Failed to connect to system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory

To fix it, make sure you add the dbus service to system startup, and then restart the services...

sudo update-rc.d dbus defaults
sudo service dbus restart
sudo service proftpd restart

Thanks to Gentoo

MEI Kernel Error Messages

"The Intel Management Engine (Intel ME) is an isolated and protected computing resource (Co-processor) residing inside certain Intel chipsets. The Intel ME provides support for computer/IT management features. The feature set depends on the Intel chipset SKU."

Thanks to Kernel.org

But it might not be needed if the hardware does not support it, in which case you will get the following errors in your kernel logs...

kernel: [258168.036048] mei 0000:00:03.0: unexpected reset: dev_state = RESETING

Edit the /etc/modprobe.d/blacklist.conf file and add the following line...

# fix unwanted intel kernel messages
blacklist mei

...then reboot.

User Is Not In The Sudoers File Stuck Help

http://www.maketecheasier.com/fixing-sudo-error-in-ubuntu/

Samba Error: no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory

sudo pam-auth-update

Untick "SMB password synchronization"

Thanks to Ubuntu Forums.

HOWTO: LIST:

If Packages Or System Needs Restart

sudo apt-get install needrestart
sudo needrestart

Thanks - https://www.cyberciti.biz/faq/how-to-find-out-if-my-ubuntudebian-linux-server-needs-a-reboot

Recently Installed Packages

sudo cat /var/log/dpkg.log* |grep ' installed' |sort -k1

Running Daemons With IPv4 And IPv6

sudo apt-get -y install lsof
sudo lsof -i -n -P

Startup Services

sudo apt-get install dialog rcconf
sudo rcconf
sudo initctl list |sort
sudo service --status-all
sudo ls -lah /etc/rc*

HOWTO: SET:

Touch Booted and Rebooted Files

sudo nano /etc/rc.local
touch /booted
exit 0
sudo nano /etc/init.d/rebooted
#!/bin/sh
touch /rebooted
sudo chmod +x /etc/init.d/rebooted
cd /etc/rc6.d/
sudo ln -s ../init.d/rebooted K00rebooted

Passwordless sudo

sudo nano /etc/sudoers

ALL ALL = (ALL) NOPASSWD: ALL
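Added example, not from this page: a detection check for the rule shown above. That line grants every account every command with no password, so it is the first thing to look for when auditing a server's sudoers. The script below classifies NOPASSWD rules in a sudoers file or drop-in and flags the unrestricted form; the sample files it creates are constructed, and the function name audit_sudoers and the user jsmith (taken from the "Normal User" section) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit sudoers content for
# passwordless rules and flag "ALL ALL = (ALL) NOPASSWD: ALL".

# audit_sudoers FILE
#   Prints one line per NOPASSWD rule, prefixed:
#     UNRESTRICTED  - ALL users may run ALL commands (the rule on the page)
#     ALL-COMMANDS  - a named user or %group may run ALL commands
#     SCOPED        - the command list is limited
#   Returns 1 if an UNRESTRICTED rule is present, 0 otherwise.
audit_sudoers() {
  awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }   # comments, blanks, Defaults
    /NOPASSWD:/ {
      rule = $0
      who  = $1                                # user, %group or ALL
      cmds = $0
      sub(/^.*NOPASSWD:[ \t]*/, "", cmds)      # keep only the command list
      if (who == "ALL" && cmds == "ALL") { print "UNRESTRICTED: " rule; bad = 1 }
      else if (cmds == "ALL")            { print "ALL-COMMANDS: " rule }
      else                               { print "SCOPED: " rule }
    }
    END { exit bad }
  ' "$1"
}

# Constructed sample files.
demo=$(mktemp -d)
# The rule from the page: every user, every command, no password.
printf 'ALL ALL = (ALL) NOPASSWD: ALL\n' > "$demo/weak"
# A scoped alternative: one account, a fixed command list; the %adm line
# is still passwordless for every command but at least limited to a group.
cat > "$demo/scoped" <<'EOF'
# constructed sample drop-in
Defaults env_reset
jsmith ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/needrestart
%adm   ALL=(ALL) NOPASSWD: ALL
EOF

# Stand-alone run over both samples.
audit_sudoers "$demo/weak"   || echo "weak: unrestricted passwordless sudo found"
audit_sudoers "$demo/scoped" && echo "scoped: no unrestricted rule"
```

Before placing any such fragment under /etc/sudoers.d, syntax-check it with 'visudo -c -f FILE'; a broken sudoers file locks everyone out of sudo, which is exactly the situation the "User Is Not In The Sudoers File" link further down describes.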

Application To Start On Boot

nano /etc/rc.local

Better Log Files

Edit the following file to match content below:

sudo nano /etc/rsyslog.d/50-default.conf
     cron.*                          /var/log/cron.log
     #mail.info                      -/var/log/mail.info
     #mail.warn                      -/var/log/mail.warn
     #mail.err                       /var/log/mail.err
     #news.crit                      /var/log/news/news.crit
     #news.err                       /var/log/news/news.err
     #news.notice                    -/var/log/news/news.notice
     # 
     # Some "catch-all" log files.
     # 
     *.=debug;\
            auth,authpriv.none;\
            news.none;mail.none     -/var/log/debug
     *.=info;*.=notice;*.=warn;\
            auth,authpriv.none;\
            cron,daemon.none;\
            mail,news.none          -/var/log/messages
     #daemon.*;mail.*;\
     #       news.err;\
     #       *.=debug;*.=info;\
     #       *.=notice;*.=warn       |/dev/xconsole
     #

Getty Terminals

Reduce the number of terminals to 2...

sudo mkdir /root/misc
sudo mv -v /etc/init/tty{3,4,5,6}.conf /root/misc/
sudo nano /etc/default/console-setup

ACTIVE_CONSOLES="/dev/tty[1-2]"

and

sudo nano /etc/systemd/logind.conf

NAutoVTs=2

and

sudo nano /lib/systemd/system/getty.target.wants/getty-static.service

from this...

ExecStart=/bin/systemctl --no-block start getty@tty2.service getty@tty3.service getty@tty4.service getty@tty5.service getty@tty6.service

to this...

ExecStart=/bin/systemctl --no-block start getty@tty2.service

Thanks - http://unix.stackexchange.com/questions/56531/how-to-get-fewer-ttys-with-systemd

Root User

sudo su
sudo passwd root

You will be prompted to enter and confirm the password for 'root'. After that you will be able to log in as the root user and have full privileges without having to type 'sudo' at the beginning of each line.

Normal User

sudo useradd -c "John Smith" -s /bin/bash -m jsmith
sudo passwd jsmith

Elevate User To Root

sudo gpasswd -a jsmith sudo
sudo gpasswd -a jsmith adm

Static IP Address

sudo nano /etc/network/interfaces

Edit the file to read (this example uses 192.168.0.100 for the system and Google's DNS servers):

For a single network card system...

# ONE CARD

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto em1
iface em1 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.254
dns-nameservers 208.67.222.222 208.67.222.220 8.8.8.8 8.8.4.4
## post-up route del -net 169.254.0.0 netmask 255.255.0.0

For a dual network card system, using Shoreline Firewall (Shorewall)...

# TWO CARDS

# The loopback network interface
auto lo
iface lo inet loopback

# The inside network interface
auto em2
iface em2 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
dns-nameservers 127.0.0.1
dns-search domain.com

# The outside network interface
auto em1
iface em1 inet static
address 10.0.0.1
netmask 255.255.255.0
network 10.0.0.0
broadcast 10.0.0.255
gateway 10.0.0.2

Save and close the file, then restart the network:

sudo /etc/init.d/networking restart

Edit the 'hosts' file:

sudo nano /etc/hosts

Edit the file to read (server2 used for this example):

127.0.0.1 localhost.localdomain localhost
192.168.0.100 server1.example.com server1

Then run:

echo server1.example.com | sudo tee /etc/hostname
sudo /etc/init.d/hostname.sh restart

Check the configuration:

hostname
hostname -f

Both of the above commands should return:

server1.example.com

Time Zone And Date

sudo apt-get install ntp
sudo dpkg-reconfigure tzdata

HOWTO: RUN:

Automated Package List Updates But Not Install

Install the software...

sudo apt-get install cron-apt
sudo nano /etc/cron-apt/config
     MAILON="always"
     MAILTO="me@myemail.com"

Read more about the software in the README...

less /usr/share/doc/cron-apt/README.gz

Thanks to Debian Administration Org.

Command On System Startup As Another User

sudo nano /etc/rc.local
     # mpdscribble
     su -c 'mpdscribble' username &

     # exit (the line below must be the last line in the file)
     exit 0

Thanks to AskUbuntu.

Force Filesystem Check On Reboot

sudo touch /forcefsck
sudo reboot

HOWTO: SSH:

Install Server

sudo apt-get install ssh openssh-server

Copy Public Key To Server

ssh-copy-id -i ~/.ssh/id_rsa.pub username@192.168.0.x

Secure

To get it "Tight as a duck's a***"...

Levels

  1. Port Number
  2. Firewall Rules
  3. TCP Wrappers
  4. SSH Daemon Configuration
User --> Non Standard Port --> Firewall Check --> TCP Wrapper Check --> SSH Configuration Check --> Logged In

Files

==> /etc/hosts <==
127.0.0.1 localhost.localdomain localhost
10.0.0.1 server1.domain.co.uk server1
12.345.678.90 www.domain.co.uk

==> /etc/hosts.allow <==
ALL: 10.0.0.0/24
imap: ALL
sshd: 123.456.789

==> /etc/hosts.deny <==
ALL: ALL

Testing

tcpdmatch sshd 123.456.789

client:   address  123.456.789
server:   process  sshd
access:   granted

Thanks to Bodhizazen Net. & Cyberciti
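Added example, not from this page or from the TCP wrappers package: a small shell emulation of the decision the "Levels" and "Files" sections describe (hosts.allow is consulted first, then hosts.deny, and an unmatched request is granted), so a rule set can be reasoned about offline. Real verification should still use tcpdmatch as shown above. The emulation covers only the client forms used on this page (ALL, a full address, a dotted prefix such as "10.0.0." and address/prefix-length notation); the sample files use documentation addresses in place of the page's placeholders, and every function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): emulate the hosts.allow/hosts.deny
# decision for one daemon and one client address.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_match ADDR NET/BITS -> true when ADDR lies inside NET/BITS
cidr_match() {
  bits=${2#*/}
  mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# client_match PATTERN ADDR -> true when the client pattern covers ADDR
client_match() {
  case $1 in
    ALL) return 0 ;;
    */*) cidr_match "$2" "$1" ;;                      # address/prefix-length
    *.)  case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;;   # dotted prefix
    *)   [ "$1" = "$2" ] ;;                            # exact address
  esac
}

# daemon_match PATTERN DAEMON
daemon_match() { [ "$1" = ALL ] || [ "$1" = "$2" ]; }

# file_matches FILE DAEMON ADDR -> true if any rule in FILE matches.
# A rule is "daemon_list : client_list [: option]"; lists are comma-separated.
file_matches() {
  [ -f "$1" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                   # strip comments
    case $line in *:*) ;; *) continue ;; esac          # skip blank lines
    daemons=${line%%:*}
    rest=${line#*:}
    clients=${rest%%:*}                                # drop any option field
    for d in $(printf '%s' "$daemons" | tr ',' ' '); do
      daemon_match "$d" "$2" || continue
      for c in $(printf '%s' "$clients" | tr ',' ' '); do
        client_match "$c" "$3" && return 0
      done
    done
  done < "$1"
  return 1
}

# wrapper_check DAEMON ADDR ALLOW_FILE DENY_FILE -> prints granted|denied
wrapper_check() {
  if file_matches "$3" "$1" "$2"; then echo granted
  elif file_matches "$4" "$1" "$2"; then echo denied
  else echo granted
  fi
}

# Constructed sample files with the same shape as the page's.
demo=$(mktemp -d)
cat > "$demo/hosts.allow" <<'EOF'
ALL: 10.0.0.0/24        # the LAN
imap: ALL
sshd: 192.0.2.10        # one trusted external admin address
EOF
printf 'ALL: ALL\n' > "$demo/hosts.deny"

# Stand-alone run: probe a few daemon/address pairs.
for probe in "sshd 10.0.0.7" "sshd 192.0.2.10" "sshd 198.51.100.9" "imap 198.51.100.9"; do
  set -- $probe
  echo "$1 from $2: $(wrapper_check "$1" "$2" "$demo/hosts.allow" "$demo/hosts.deny")"
done
```

The last probe is the one worth noticing when reviewing a rule set: "imap: ALL" in hosts.allow means the deny-everything rule never applies to imap, so that daemon is reachable from any address.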

Speed Up Logins

Server Side

Turn off the DNS lookups...

sudo nano /etc/ssh/sshd_config
     UseDNS no

Turn off the MOTD (Message Of The Day)...

touch ~/.hushlogin

Client Side

Turn off IPv6...

sudo nano ~/.ssh/config

Host *
   AddressFamily inet

HOWTO: DNS

sudo apt-get install dnsutils dnsmasq
sudo service dnsmasq stop
sudo nano /etc/default/dnsmasq
     IGNORE_RESOLVCONF=yes
sudo nano /etc/dnsmasq.conf
     resolv-file=/etc/dnsmasqresolv.conf
     domain=domain.uk.com
sudo nano /etc/dnsmasqresolv.conf
     nameserver 208.67.222.222 # OpenDNS
     nameserver 208.67.222.220 # OpenDNS
     nameserver 8.8.8.8 # Google
     nameserver 8.8.4.4 # Google
sudo nano /etc/hosts # Delete the contents of the file and add the following to match your server details.
     127.0.0.1 localhost.localdomain localhost
     192.168.0.1 server.domain.uk.com server
sudo service dnsmasq restart
netstat -nap |grep 'dnsmasq'
dig
dig @localhost test.domain.uk.com
dig @localhost test
dig @localhost www.google.co.uk

...as per this page - DNS#HOWTO:_Local_Network_Fast_Caching_Name_Server_.2B_DHCP_Server_Using_DNSMasq

HOWTO: DHCP

sudo nano /etc/dnsmasq.conf
     dhcp-range=192.168.0.50,192.168.0.99,12h
     dhcp-host=e8:03:9a:ed:65:56,paul-laptop,192.168.0.103,12h
     dhcp-option=router,192.168.0.1
     dhcp-option=ntp-server,192.168.0.1
     dhcp-option=dns-server,192.168.0.1

HOWTO: FILE SERVER: SAMBA

sudo apt-get install samba samba-client
sudo service smbd stop
sudo service nmbd stop
sudo nano -w /etc/samba/smb.conf

     [global]
       workgroup = BLOGGS
       server string = Samba Server %v
       netbios name = SERVER1
       map to guest = Bad User
       passdb backend = smbpasswd
       log file = /var/log/samba/log.%m
       max log size = 50
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       load printers = No
       domain master = No
       dns proxy = No
       printing = bsd

     [shared]
       comment = Shared file space
       path = /home/samba/shared
       force user = nobody
       force group = nogroup
       read only = No
       guest ok = Yes
       create mask = 0775
       force create mode = 0775
       directory mask = 0775
       force directory mode = 0775

mkdir -p /home/samba/shared
chown -R nobody /home/samba/shared
chgrp -R nogroup /home/samba/shared
touch /etc/printcap
smbpasswd -a jbloggs
testparm -s
service smbd start
service nmbd start
smbstatus 
smbtree # You will be asked for root's password, ignore this and just press enter
smbclient -U jbloggs -L //SERVER1/

HOWTO: MAIL SERVER:

INSTALL: Virtual Users Using Postfix And Dovecot With Security

sudo -i
groupadd vmail -g 2222
useradd vmail -r -g 2222 -u 2222 -d /var/vmail -m -c "VMail User"
sudo apt-get -y install postfix
    (no configuration)
cd /etc/postfix/
touch aliases
touch generic
touch header_checks
touch main.cf
touch relay_recipients
touch sender_access
touch vmail_aliases
touch vmail_domains
touch vmail_mailbox
nano generic
postmap generic
nano main.cf
>master.cf
nano master.cf
nano relay_recipients
postmap relay_recipients
nano sender_access
postmap sender_access
nano vmail_aliases
postmap vmail_aliases
nano vmail_domains
postmap vmail_domains
nano vmail_mailbox
postmap vmail_mailbox
service postfix stop



https://www.rosehosting.com/blog/mailserver-with-virtual-users-and-domains-using-postfix-and-dovecot-on-a-centos-6-vps/

INSTALL: Slim Email Server - Sent To Another Server's Mail Hub

http://wiki.indie-it.com/index.php?title=SSMTP

INSTALL: Basic Email Server - Part I - Procmail + Postfix + Mutt

Set the System Wide Maildir Email Directory...

sudo nano /etc/bash.bashrc
     MAIL=$HOME/.maildir/

Install the software...

sudo apt-get install procmail postfix mutt
Postfix Configuration > Mailer Type > Internet Site with Smarthost
                      > Domain Name = server1.domain.com
                      > SMTP Relay = auth.smtp.1and1.co.uk

Configure the software...

sudo nano /etc/procmailrc

# Use maildir-style mailbox in user's home directory
DEFAULT=$HOME/.maildir/
# Log actions to file
LOGFILE=/var/log/procmail.log
# Log synopsis of messages
LOGABSTRACT=all
# Be verbose
VERBOSE=no
sudo nano /etc/postfix/main.cf

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = server2.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server2.domain.com, server2, domain.com, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 192.168.0.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 127.0.0.1, 192.168.0.171
inet_protocols = ipv4
header_checks = regexp:/etc/postfix/header_checks
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
relayhost = [auth.smtp.1and1.co.uk]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_password
smtp_sasl_security_options = noanonymous

Create the SASL password file...

sudo nano /etc/postfix/sasl/sasl_password

[my.smtp.host.co.uk] me@myemailaccount.com:passW0rD

Lock down permissions...

sudo chmod 0600 /etc/postfix/sasl/sasl_password

Hash the file...

sudo postmap hash:/etc/postfix/sasl/sasl_password

Create the Postfix generic maps file...

sudo nano /etc/postfix/generic

root@myhostname.localdomain me@myemailaccount.com
user1@myhostname.localdomain me@myemailaccount.com
user2@myhostname.localdomain me@myemailaccount.com

Hash the file...

sudo postmap hash:/etc/postfix/generic

Copy the supporting files to the Postfix working directory...

sudo cp -av /etc/hosts /var/spool/postfix/etc/
sudo cp -av /etc/services /var/spool/postfix/etc/
sudo cp -av /etc/localtime /var/spool/postfix/etc/
sudo cp -L /etc/resolv.conf /var/spool/postfix/etc/resolv.conf

Create the header checks file for later (with MailScanner)...

sudo touch /etc/postfix/header_checks

Fix the aliases file for root's email...

sudo nano /etc/aliases
     root: regularuser
sudo newaliases

Restart Postfix...

sudo postfix stop
sudo postfix start

Install heirloom-mailx and mutt...

sudo apt-get install -y heirloom-mailx mutt

Configure system wide settings...

sudo nano -w /etc/Muttrc

## tweaks
set mbox_type=maildir
set editor="nano"
# I like to see all my mail headers in my editor:
set edit_headers=yes
# don't wait for sendmail to finish (this runs sendmail in the background)
set sendmail_wait=-1
# this prevents Mutt from endlessly asking when you quit:
#     "Move read messages to ~/mbox? ([no]/yes):"
set move=no
# this prevents Mutt from endlessly asking:
#     "~/Mail does not exist. Create it? ([yes]/no):"
set folder=""

Send test email message...

mail me@myemailaccount.com
     Subject: test
     Cc:
     message
     .

Also, see Postfix and Mutt

INSTALL: Basic Email Server - Part II - Fetchmail

sudo apt-get install fetchmail
sudo useradd -c "Server Postman" -d /home/postman -s /bin/bash -m postman
sudo passwd postman

su - postman
cd
touch fetchmail.log
nano ~/.fetchmailrc

set daemon 600
set logfile /home/postman/fetchmail.log
set no bouncemail
set postmaster postman
poll pop.1and1.co.uk protocol pop3 uidl localdomains domain.com
     username "mailbox@domain.com" password "mypassword" is root here fetchall
preconnect "date >> /home/postman/fetchmail.log"
chmod 0700 ~/.fetchmailrc
exit
su - postman
cd
nano fmcheck

#!/bin/bash
#
#       fmcheck
#
#       Script to check if the fetchmail daemon is running for the postman
#       user, and start it if not. pgrep is used instead of "ps | grep" so
#       the check cannot match its own grep process.
#
EXPRESSION='fetchmail'
if pgrep -u postman -x "$EXPRESSION" >/dev/null; then
        echo "$EXPRESSION process running"
else
        echo "$EXPRESSION process not running"
        fetchmail --quit
        sleep 3
        fetchmail --limit 30000000
        echo "$EXPRESSION process running"
fi

chmod +x fmcheck
fetchmail --version --check --verbose
./fmcheck
sudo crontab -e -u postman
*/20 * * * * ~/fmcheck &>/dev/null

INSTALL: Basic Email Server - Part III - MailScanner + ClamAV + SpamAssassin + DCC + Razor + Pyzor

Make sure you have enough free memory for this, and create a swapfile if needed!

https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04


Switch to root first. You have a LOT to do here...

sudo -i

Install Clam AntiVirus and SpamAssassin first...

sudo apt-get install -y clamav clamav-daemon spamassassin
sudo service spamassassin stop
update-rc.d -f spamassassin remove
sudo nano /etc/clamav/freshclam.conf
     DatabaseMirror db.GB.clamav.net
sudo freshclam
sudo sa-update
sudo clamscan --version
sudo spamassassin --version

Now switch to root's home directory and install the latest MailScanner from the Ubuntu DEB version...

cd
mkdir misc
cd misc
wget https://s3.amazonaws.com/mailscanner/release/v4/deb/MailScanner-4.85.2-3.deb.tar.gz
tar -xzvf MailScanner-4.85.2-3.deb.tar.gz
cd MailScanner-install-4.85.2/
./install.sh

Install the link for the old version...

ln -s /opt/MailScanner/bin/check_mailscanner /usr/sbin/

Now add some MailScanner jobs to root's crontab...

crontab -e
     # mailscanner
     0 0 * * * /root/bin/mailscanner_archive.sh &>/dev/null
     37      5 * * * /usr/sbin/update_bad_phishing_sites &>/dev/null
     07      * * * * /usr/sbin/update_bad_phishing_sites &>/dev/null
     42      * * * * /usr/sbin/update_virus_scanners &>/dev/null
     3,23,43 * * * * /usr/sbin/check_mailscanner &>/dev/null

Configure the main MailScanner configuration file...

nano /etc/MailScanner/MailScanner.conf
     %org-name% = mydomain
     %org-long-name% = Company Name
     %web-site% = www.mydomain.com
     Run As User = postfix
     Run As Group = postfix
     Incoming Queue Dir = /var/spool/postfix/hold
     Outgoing Queue Dir = /var/spool/postfix/incoming
     Incoming Work Dir = /var/spool/MailScanner/incoming
     Quarantine Dir = /var/spool/MailScanner/quarantine
     MTA = postfix
     Incoming Work User =
     Incoming Work Group = clamav
     Incoming Work Permissions = 0640
     Virus Scanners = clamd
     Clamd Port = 3310
     Clamd Socket = /var/run/clamav/clamd.ctl
     Clamd Lock File = # /var/lock/subsys/clamd
     Clamd Use Threads = no
     Mail Header = X-%org-name%-MailScanner-VirusCheck:
     Information Header = X-%org-name%-MailScanner-Information:
     Information Header Value = MailScanner Version 4.84.6
     Always Include SpamAssassin Report = yes
     Archive Mail = /home/MailScanner/archive/_DATE_/messages
     Missing Mail Archive Is = file
     Use SpamAssassin = yes
     Required SpamAssassin Score = 5
     Log Spam = yes

Install some extra PERL modules...

sudo apt-get install libdbi-perl libdbd-sqlite3-perl libfilesys-df-perl libio-stringy-perl libnet-cidr-perl libsys-sigaction-perl libmime-tools-perl libarchive-zip-perl libole-storage-lite-perl

Check that it works so far...

sudo /usr/sbin/MailScanner --version

Create some more directories for ClamAV, Postfix and MailScanner to work together...

chown postfix /var/spool/postfix/
mkdir /var/spool/MailScanner/spamassassin/
chown -R postfix:postfix /var/spool/MailScanner/*
chmod -R g+w /var/spool/MailScanner/*
chgrp -R clamav /var/spool/MailScanner/incoming/
find /var/spool/MailScanner/incoming/ -type d -exec chmod 0770 {} \;
find /var/spool/MailScanner/incoming/ -type f -exec chmod 0664 {} \;

Create the MailScanner archiving script...

mkdir /root/bin
nano /root/bin/mailscanner_archive.sh
    #!/bin/bash
    ARCHIVE=/home/MailScanner/archive
    DIRNAME=$( date +%Y%m%d )
    MESSAGES=messages
    /usr/bin/logger -p 'mail.info' Checking for MailScanner message archive...
    if [ -f $ARCHIVE/$DIRNAME/$MESSAGES ] ; then
         echo "$ARCHIVE/$DIRNAME/$MESSAGES exists."
    else
         mkdir -p $ARCHIVE
         mkdir -p $ARCHIVE/$DIRNAME
         touch $ARCHIVE/$DIRNAME/$MESSAGES
         chown -R postfix:postfix $ARCHIVE/
         chmod g+w $ARCHIVE/$DIRNAME/$MESSAGES
         echo "$ARCHIVE/$DIRNAME/$MESSAGES created."
    fi

Make the script executable...

chmod 0700 /root/bin/mailscanner_archive.sh

Run the MailScanner archiving script...

/root/bin/mailscanner_archive.sh

Fix the AppArmor bug for ClamAV...

sudo usermod -a -G www-data clamav
sudo nano /etc/apparmor.d/usr.sbin.clamd
     # mailscanner
     /var/spool/MailScanner/** rw,
     /var/spool/MailScanner/incoming/** rw,
sudo /etc/init.d/apparmor reload

Change SpamAssassin settings...

nano /etc/MailScanner/spam.assassin.prefs.conf
     # use_auto_whitelist 0
     bayes_ignore_header X-mydomain-MailScanner
     bayes_ignore_header X-mydomain-MailScanner-VirusCheck
     bayes_ignore_header X-mydomain-MailScanner-SpamCheck
     bayes_ignore_header X-mydomain-MailScanner-SpamScore
     bayes_ignore_header X-mydomain-MailScanner-Information
     envelope_sender_header X-mydomain-MailScanner-From
     bayes_path /var/spool/MailScanner/spamassassin/bayes
     bayes_file_mode 0660

Fix the missing link for MailScanner and SpamAssassin...

sudo ln -s /etc/MailScanner/spam.assassin.prefs.conf /etc/mail/spamassassin/mailscanner.cf

Initialise the Bayes databases (as the postfix user, from a directory it can read, so the files are created with the right owner)...

cd /tmp/
sudo -u postfix -g postfix sa-learn --sync

Check that they are being used...

cd /tmp/
sudo -u postfix -g postfix sa-learn -D --dump magic
Mar  4 17:49:50.258 [10827] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks
Mar  4 17:49:50.259 [10827] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen
Mar  4 17:49:50.259 [10827] dbg: bayes: found bayes db version 3
0.000          0          3          0  non-token data: bayes db version
0.000          0          0          0  non-token data: nspam
0.000          0          0          0  non-token data: nham
0.000          0          0          0  non-token data: ntokens
0.000          0          0          0  non-token data: oldest atime
0.000          0          0          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0          0          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count
ls -lah /var/spool/MailScanner/spamassassin/
-rw-rw---- 1 postfix postfix   12 2015-03-04 17:47 bayes.mutex
-rw-rw---- 1 postfix postfix  12K 2015-03-04 17:47 bayes_seen
-rw-rw---- 1 postfix postfix  12K 2015-03-04 17:47 bayes_toks
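The dump above shows the databases exist, but not whether Bayes is doing anything: SpamAssassin does not score with Bayes until the database holds at least bayes_min_spam_num spam and bayes_min_ham_num ham messages (both default to 200), and the all-zero nspam/nham rows above mean "set up but not yet classifying". As an added example (not from this wiki page), a POSIX sh function that reads the dump and says which state the database is in; the sample dumps embedded in it are constructed for an offline check.

```sh
#!/bin/sh
# Added example, not from the wiki: read `sa-learn --dump magic` output and say
# whether Bayes will actually score mail. SpamAssassin ignores Bayes until the
# database holds at least bayes_min_spam_num spam AND bayes_min_ham_num ham
# messages (both default to 200).

# bayes_status [min]   (dump on stdin; min defaults to 200)
# Prints "active <nspam> <nham>" or "inactive <nspam> <nham>".
bayes_status() {
    min=${1:-200}
    awk -v min="$min" '
        # the third column of a non-token row is its value
        /non-token data: nspam/ { nspam = $3 + 0 }
        /non-token data: nham/  { nham  = $3 + 0 }
        END {
            state = (nspam >= min && nham >= min) ? "active" : "inactive"
            print state, nspam + 0, nham + 0
        }'
}

# Constructed sample dumps (same layout as the real output above), for an
# offline check of the parser.
sample_untrained() {
    cat <<'EOF'
0.000          0          3          0  non-token data: bayes db version
0.000          0          0          0  non-token data: nspam
0.000          0          0          0  non-token data: nham
0.000          0          0          0  non-token data: ntokens
EOF
}

sample_trained() {
    cat <<'EOF'
0.000          0          3          0  non-token data: bayes db version
0.000          0        312          0  non-token data: nspam
0.000          0        540          0  non-token data: nham
0.000          0      48213          0  non-token data: ntokens
EOF
}

# Live usage on the MailScanner host, as the postfix user like the page does:
#   cd /tmp && sudo -u postfix -g postfix sa-learn --dump magic | bayes_status
```

Pass a different threshold as the first argument if you have raised bayes_min_spam_num or bayes_min_ham_num in mailscanner.cf.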

Tweak MailScanner virus scanning settings for ClamAV...

nano /etc/MailScanner/virus.scanners.conf
     clamav          /usr/share/MailScanner/clamav-wrapper     /usr
     #generic
nano /usr/share/MailScanner/clamav-autoupdate
     $PackageDir = shift || "/usr";

Another Postfix tweak: switch the pickup and qmgr services in master.cf from unix to fifo (the second column of each line)...

nano /etc/postfix/master.cf
     pickup    fifo  n
     qmgr      fifo  n

Important setting for Postfix and MailScanner: hold every incoming message in the queue so that MailScanner, not Postfix, delivers it. This only takes effect if main.cf references the file (header_checks = regexp:/etc/postfix/header_checks); check with postconf header_checks. Every message then sits on HOLD until MailScanner releases it, so if MailScanner is not running, mail stops flowing...

nano /etc/postfix/header_checks
     /^Received:/ HOLD

Final tweaks to users and groups...

usermod -a -G postfix clamav
usermod -a -G clamav postfix
usermod -a -G www-data postfix
groups clamav
groups postfix

Restart services...

service postfix restart
service clamav-daemon restart

Final testing...

pkill MailScanner
cd /tmp/
sudo -u postfix -g postfix /usr/sbin/MailScanner --lint

Add the boot startup script (on a systemd release such as 16.04, /etc/rc.local still runs at boot, but only if it exists and is executable)...

sudo nano /etc/rc.local
     # mailscanner
     /root/bin/mailscanner_archive.sh
     /usr/sbin/check_mailscanner
     exit 0

Go for launch...

service postfix restart
pkill -HUP MailScanner
/usr/sbin/check_mailscanner

Now, DCC. Download and install from source. The tarball is fetched over plain HTTP and then built and installed as root, so check it against a checksum from a trusted channel before make install; the extracted directory name carries whatever version you downloaded...

sudo -i
cd /root/misc/
mkdir dcc
cd dcc/
wget http://www.dcc-servers.net/dcc/source/dcc.tar.Z
tar -xzvf dcc.tar.Z
cd dcc-1.3.158/
./configure
make
make install

Configure to use the always running daemon...

nano /var/dcc/dcc_conf
     DCCIFD_ENABLE=on

Create the automatic startup links and start dccifd...

cp /var/dcc/libexec/rcDCC /etc/init.d/adcc
update-rc.d adcc defaults
/etc/init.d/adcc start

Test if dccifd is running (ss -nap | grep dcc does the same on releases without netstat)...

netstat -nap |grep 'dcc'
udp        0      0 0.0.0.0:52926           0.0.0.0:*                           2599/dccifd
unix  2      [ ACC ]     STREAM     LISTENING     70691    2598/dccifd         /var/dcc/dccifd
unix  2      [ ]         DGRAM                    70144    2599/dccifd

Enable the SpamAssassin DCC plugin...

nano /etc/mail/spamassassin/v310.pre
     loadplugin Mail::SpamAssassin::Plugin::DCC
nano /etc/mail/spamassassin/mailscanner.cf
     ifplugin Mail::SpamAssassin::Plugin::DCC
     dcc_home /var/dcc
     dcc_dccifd_path /var/dcc/dccifd
     dcc_path /usr/local/bin/dccproc
     endif

Download a test spam email message and train SpamAssassin. Run sa-learn as the postfix user, as above, so the Bayes files in /var/spool/MailScanner/spamassassin stay owned by postfix (bayes_path in mailscanner.cf applies site-wide, so a root run would write there as root); work in /tmp because postfix cannot read under /root...

cd /tmp/
wget http://www200.pair.com/mecham/spam/sample-spam.txt
sudo -u postfix -g postfix sa-learn --spam sample-spam.txt
spamassassin -D dcc <sample-spam.txt

It should show...

dbg: dcc: connected to local socket /var/dcc/dccifd

All is good. Now restart MailScanner to use DCC...

pkill MailScanner
/usr/sbin/check_mailscanner

Next, Razor. razor-admin -create writes /root/.razor/razor-agent.conf and -register obtains an identity; the sed turns the generated debuglevel = 3 down to 0 (the pattern is loose, so check the file afterwards). The .razor directory is copied to /var/spool/postfix because that is the postfix user's home directory on Ubuntu, which is where Razor looks for it when SpamAssassin runs under MailScanner...

cd
sudo apt-get install -y razor
rm /etc/razor/razor-agent.conf
razor-admin -create
razor-admin -register
sed -i 's/= 3/= 0/' /root/.razor/razor-agent.conf
cp -av .razor /var/spool/postfix/
chown -R postfix:postfix /var/spool/postfix/.razor/
chmod g+w /var/spool/postfix/.razor/
nano /etc/mail/spamassassin/v310.pre
    loadplugin Mail::SpamAssassin::Plugin::Razor2
cd /tmp/
sudo -u postfix -g postfix /usr/sbin/MailScanner --lint
wget http://www200.pair.com/mecham/spam/sample-spam.txt
spamassassin -D razor2 <sample-spam.txt
cd
pkill MailScanner
/usr/sbin/check_mailscanner

Next, Pyzor. The same home-directory trick is used, but note that chown postfix /var/spool/postfix/ hands the postfix user ownership of the queue root, which Postfix expects to be root-owned (postfix check warns about it and postfix set-permissions puts it back). An alternative that avoids it is to point the plugin at a directory of your choice with pyzor_options --homedir <dir> in mailscanner.cf...

sudo apt-get install -y pyzor
pyzor discover
cp -av .pyzor /var/spool/postfix/
chown -R postfix:postfix /var/spool/postfix/.pyzor/
chown postfix /var/spool/postfix/
which pyzor
nano /etc/mail/spamassassin/v310.pre
     loadplugin Mail::SpamAssassin::Plugin::Pyzor
nano /etc/mail/spamassassin/mailscanner.cf
     ifplugin Mail::SpamAssassin::Plugin::Pyzor
     pyzor_path /usr/bin/pyzor
     endif
cd /tmp/
sudo -u postfix -g postfix /usr/sbin/MailScanner --lint
wget http://www200.pair.com/mecham/spam/sample-spam.txt
spamassassin -D pyzor <sample-spam.txt

Now restart MailScanner...

cd
pkill MailScanner
/usr/sbin/check_mailscanner

TWEAK: Sendmail (DEPRECATED)

sudo nano /etc/mail/sendmail.cf
     PrivacyOptions=noetrn
     DeliveryMode=queueonly
     QueueDirectory=/var/spool/mqueue.in

http://www.mailscanner.info/sendmail.html

SET: System Wide Maildir Email Directory

sudo nano /etc/bash.bashrc
     MAIL=$HOME/.maildir/

FIX: Dovecot Startup Script

cd /etc/init.d/
sudo ln -s /lib/init/upstart-job dovecot
sudo update-rc.d dovecot defaults
sudo service dovecot start

HOWTO: LAMP:

Linux, Apache, MySQL, PHP. The php5 package names below are for releases before 16.04; on 16.04 they are php, php-mysql and libapache2-mod-php (PHP 7.0). phpmyadmin puts a login page for the database on the web server, so restrict it to trusted addresses or leave it out on an internet-facing host.

sudo apt-get install apache2
sudo apt-get install mysql-server mysql-client
sudo service mysql status
sudo apt-get install php5 php5-mysql libapache2-mod-php5
sudo apt-get install phpmyadmin

Thanks to Unixmen.

HOWTO: NAGIOS 3:

Also see the dedicated wiki page Nagios3. The chmod below lets the web CGIs (running as www-data) reach the external command file; the narrower form is group execute (search) permission on /var/lib/nagios3 and /var/lib/nagios3/rw only, rather than +x on every file under it. allowed_hosts in nrpe.cfg is NRPE's only built-in access control, so list just the monitoring server.

sudo apt-get install nagios3 nagios-nrpe-plugin
sudo usermod -a -G nagios www-data
sudo chmod -R +x /var/lib/nagios3/
sudo nano /etc/nagios3/nagios.cfg
     check_external_commands=1
sudo /etc/init.d/nagios3 restart
sudo apt-get install nagios-nrpe-server nagios-plugins
sudo nano /etc/nagios/nrpe.cfg
     allowed_hosts=127.0.0.1 192.168.0.171

Thanks to Unixmen.

HOWTO: MISCELLANEOUS

Web Admin Control Panel

Ajenti

Canonical Livepatch Service

Apply critical kernel patches without rebooting.

https://www.ubuntu.com/server/livepatch

Encryption

USB Drive

Encryption TO BE DONE.

Daily Use

udisksctl unlock -b /dev/disk/by-uuid/c985c79b-69bb-4751-afef-b6333fd834ba 
udisksctl mount -b /dev/dm-0 
udisksctl unmount -b /dev/dm-0 
udisksctl lock -b /dev/disk/by-uuid/c985c79b-69bb-4751-afef-b6333fd834ba 
udisksctl power-off -b /dev/disk/by-uuid/c985c79b-69bb-4751-afef-b6333fd834ba

Thanks - https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage

Thanks - https://unix.stackexchange.com/questions/188553/mounting-luks-from-the-command-line

Full Hard Disk Drive

https://superuser.com/questions/305318/full-disk-encryption-with-two-factor-authentication-for-ubuntu-how?rq=1

Early SSH

Dropbear

http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/

$ apt-cache search dropbear
openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remote machines
dropbear - transitional dummy package for dropbear-{run,initramfs}
dropbear-bin - lightweight SSH2 server and client - command line tools
dropbear-initramfs - lightweight SSH2 server and client - initramfs integration
dropbear-run - lightweight SSH2 server and client - startup scripts

Rotate Log Files Manually

savelog -l -n -p mail.log

Stress Testing

sudo apt-get install stress
sudo stress --cpu 2 --io 1 --vm 1 --vm-bytes 128M --hdd 1 --timeout 10s

Thanks Cyberciti.

Backup Whole System (less /home)

The archive contains /etc/shadow and every private key on the box, so create it with a restrictive umask or chmod 600 it immediately, and keep it off world-readable paths.

sudo -i
cd /
tar -cvpzf /backup.tar.gz --exclude=/backup.tar.gz --exclude=/home --one-file-system /
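As an added example (not from this wiki page): the same backup wrapped in a POSIX sh function that creates the archive 0600, lists it back to verify it is readable end to end, and writes a SHA-256 so a copy kept elsewhere can be checked before a restore. It takes the source directory and archive path as parameters (paths inside the archive are relative to the source, so restore with tar -xzpf archive -C /); the test tree it is run against here is constructed.

```sh
#!/bin/sh
# Added example, not from the wiki: the whole-system backup above, but the
# archive is created 0600 (it contains /etc/shadow and every private key on
# the box), is listed back to verify it is readable end to end, and gets a
# SHA-256 so a copy elsewhere can be checked before a restore.

# backup_tree <source_dir> <archive> [exclude-pattern ...]
# Archives <source_dir> (one filesystem, paths relative to it) into <archive>.
# The archive must live outside <source_dir> or be listed as an exclude.
# Returns non-zero if tar fails or the archive cannot be read back.
backup_tree() {
    src=$1
    out=$2
    shift 2
    excl=""
    for e in "$@"; do
        excl="$excl --exclude=$e"
    done
    (
        umask 077                     # archive and checksum file are 0600
        # $excl is left unquoted on purpose: it word-splits into one
        # --exclude option per pattern (patterns must not contain spaces)
        tar -cpzf "$out" $excl --one-file-system -C "$src" . || exit 1
        tar -tzf "$out" > /dev/null || exit 1   # verify it reads end to end
        sha256sum "$out" > "$out.sha256"
    )
}

# archive_has <archive> <member>: 0 if <member> (e.g. ./etc/shadow) is listed.
archive_has() {
    tar -tzf "$1" | grep -qxF "$2"
}

# Usage for the page's case (archive kept under /root, which is 0700, and
# excluded from itself; restore with: tar -xzpf /root/backup.tar.gz -C /):
#   backup_tree / /root/backup.tar.gz ./home ./root/backup.tar.gz
```

Check a copy before relying on it with sha256sum -c backup.tar.gz.sha256 in the directory where both files sit.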

Documentation

http://vwiki.co.uk/Configuration_%28Ubuntu%29