完美安装配置Ubuntu 服务器版

 

这篇教程指导你如何完美安装配置ubuntu 服务器版本，并安装配置一般的服务：

apache （ssl） positfix 邮件服务器 smtp-auth tls bind dns服务器，proftpd ftp服务器

mysql数据库 courierpop3/imap 邮件服务， 磁盘限额，防火墙等等。虽然这篇教程

是在32位的ubutnu 8.04上安装的，但应该也适用于64位版本的。下面是相关软件的版本：

* Web 服务器: Apache 2.2 PHP 5.2.4? Ruby
* Database 服务器: MySQL 5.0
* Mail 服务器: Postfix
* DNS 服务器: BIND9
* FTP 服务器: proftpd
* POP3/IMAP: I will use Maildir format and therefore install Courier-POP3/Courier-IMAP.
* Webalizer 网站访问分析

安装完成之后你会有个稳定的服务器系统。

1 准备必要的东西

要安装需要准备下面的资料:

* Ubuntu 8.04 LTS 服务器版cd,

可以到这里下载: ftp://releases.ubuntu.com/releases/

* 比较快的互联网

2 注意点

在这篇教程里面服务器名叫server1.example.com ip 192.168.0.100 网关 192.168.0.1，

你的设置可能跟这个不同，替换成你需要设置的参数就可以了。

3 基本系统

插入你的ubuntu安装关盘，从光盘启动，选择安装语言:

选择安装ubuntu服务器:

再次选择语言:

选择区域:

选择键盘 基本选择标准101键盘，或者根据你的键盘选择

安装会自动校验光盘 硬件 配置网络

输入主机名，在这个教程里面，我的主机名叫 server.example.com 所以我输入server1

下面要分区了，为了简单步骤我选择整个硬盘，你也可以选择手动分区，使用lvm卷等

选择需要分区的硬盘

当问你是否要保存硬盘改变时选择yes

然后你的心得分区就会被创建并被格式化，下面开始安装

创建一个用户比如 administrator 不要选择ubuntu保留的用户名

下面配置包安装管理器，proxy那里不要设置，除非你有使用proxy

我们需要安装dns mail lamp 服务器，但是我从来不选择他们，因为我喜欢完全控制我的系统，

只安装那些我需要的。 我们会在后面手工安装它们。唯一我选择的是openssh服务器，因为我要马上

使用ssh在安装完成后登陆。ssh可以用? PuTTY

安装继续

安装grub

基础系统就安装完成了。拿出cd重新启动系统。

进入下一步

4 启用root用户

当重启之后你可以用刚刚你设置的用户明登陆了。比如administrator。因为我们要以root用户执行下面的

步骤，所以我们现在需要启用root用户。执行下面的命令

sudo passwd root

输入一个root密码，下面我们以root执行

su

5 安装ssh服务器（可选）

如果你一开始没有装，这个时候你就可以装了。

apt-get install ssh openssh-server

从现在开始你就可以从你的工作台上用ssh客户端比如 PuTTY 来连接服务器执行下面的安装了。

6 安装vim-full（可选）

在这篇教程里我使用的文字编辑器是vi。缺省的vi有点奇怪的问题，要修复这个问题，我们安装vim-full

apt-get install vim-full

(你不一定非的使用vi，你也可以使用joe or nano.)

7 配置网络

我们安装时使用的是缺省配置，获得ip是使用dhcp获得的，作为一个服务器应该有一个静态 ip，编辑

/etc/network/interfaces 调整相关参数以符合你的需要，我在教程里使用的是192.168.0.100:

vi /etc/network/interfaces

# This file describes the network interfaces available on your system# and how to activate them. For more information, see interfaces(5).# The loopback network interfaceauto loiface lo inet loopback# The primary network interfaceauto eth0iface eth0 inet static address 192.168.0.100 netmask 255.255.255.0 network 192.168.0.0 broadcast 192.168.0.255 gateway 192.168.0.1

重启网络:

/etc/init.d/networking restart

编辑/etc/hosts.

vi /etc/hosts

127.0.0.1 localhost.localdomain localhost192.168.0.100 server1.example.com server1# The following lines are desirable for IPv6 capable hosts::1 ip6-localhost ip6-loopbackfe00::0 ip6-localnetff00::0 ip6-mcastprefixff02::1 ip6-allnodesff02::2 ip6-allroutersff02::3 ip6-allhosts

现在执行

echo server1.example.com > /etc/hostname

/etc/init.d/hostname.sh start

然后执行

hostname

hostname -f

两个都应该显示server1.example.com now.

8 编辑 /etc/apt/sources.list 更新安装

编辑 /etc/apt/sources.list. 注释掉或者删除安装cd，添加一些互联网仓库，国内cn99的比较快，

我这里只是举个例子，大家可以直接按照自己的需要添加互联网仓库:

vi /etc/apt/sources.list

##deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ Release i386 (20080423.2)]/ hardy main restricted#deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_-Release i386 (20080423.2)]/ hardy main restricted# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to# newer versions of the distribution.deb http://de.archive.ubuntu.com/ubuntu/ hardy main restricteddeb-src http://de.archive.ubuntu.com/ubuntu/ hardy main restricted## Major bug fix updates produced after the final release of the## distribution.deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricteddeb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricted## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu## team, and may not be under a free licence. Please satisfy yourself as to## your rights to use the software. Also, please note that software in## universe WILL NOT receive any review or updates from the Ubuntu security## team.deb http://de.archive.ubuntu.com/ubuntu/ hardy universedeb-src http://de.archive.ubuntu.com/ubuntu/ hardy universedeb http://de.archive.ubuntu.com/ubuntu/ hardy-updates universedeb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates universe## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu## team, and may not be under a free licence. Please satisfy yourself as to## your rights to use the software. Also, please note that software in## multiverse WILL NOT receive any review or updates from the Ubuntu## security team.deb http://de.archive.ubuntu.com/ubuntu/ hardy multiversedeb-src http://de.archive.ubuntu.com/ubuntu/ hardy multiversedeb http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiversedeb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiverse## Uncomment the following two lines to add software from the ‘backports’## repository.## N.B. software from this repository may not have been tested as## extensively as that contained in the main release, although it includes## newer versions of some applications which may provide useful features.## Also, please note that software in backports WILL NOT receive any review## or updates from the Ubuntu security team.# deb http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe

#multiverse# deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe

#multiverse## Uncomment the following two lines to add software from Canonical’s## ‘partner’ repository. This software is not part of Ubuntu, but is## offered by Canonical and the respective vendors as a service to Ubuntu## users.# deb http://archive.canonical.com/ubuntu hardy partner# deb-src http://archive.canonical.com/ubuntu hardy partnerdeb http://security.ubuntu.com/ubuntu hardy-security main restricteddeb-src http://security.ubuntu.com/ubuntu hardy-security main restricteddeb http://security.ubuntu.com/ubuntu hardy-security universedeb-src http://security.ubuntu.com/ubuntu hardy-security universedeb http://security.ubuntu.com/ubuntu hardy-security multiversedeb-src http://security.ubuntu.com/ubuntu hardy-security multiverse

接着运行更新包数据库

apt-get update

安装最新的包

apt-get upgrade

9 改变缺省的shell

/bin/sh 是一个符号链接，联结至/bin/dash, 我们比较常用的是/bin/bash, not /bin/dash. 所以我们这么做:

ln -sf /bin/bash /bin/sh

有好多脚本是用bash写的，所以，建议大家用bash作为缺省shell

10 禁用 AppArmor

AppArmor是一个安装扩展，类似红帽的selinux . 在我的观念里面，你不需要他就可以配置一个非常安全

的系统，而且这个扩展经常导致这样或那样奇怪的问题。因此我禁用了这个扩展。

像这样来禁用他:

/etc/init.d/apparmor stop

update-rc.d -f apparmor remove

apt-get remove apparmor apparmor-utils

11 安装一些相关的包

有一些包是非常通用的，建议直接装上，执行：

apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.3-dev

libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf

automake1.9 libtool bison autotools-dev g++ build-essential

这些命令是要使用互联网链接的，如果你没有联网，可能就装不了。

12 磁盘限额

如果你使用的是一个分区，那么你一定要使用磁盘限额，以免整个系统的空间被哪个家伙全吃掉。

安装quota执行

apt-get install quota

编辑 /etc/fstab. 最起码像这样(我在/下分区上添加了,usrquota,grpquota? ):

vi /etc/fstab

# /etc/fstab: static file system information.## <file system> <mount point> <type> <options> <dump> <pass>proc /proc proc defaults 0 0# /dev/sda1UUID=6af53069-0d51-49be-b275-aeaea8d780c5 / ext3relatime,errors=remount-ro,usrquota,grpquota 0 1# /dev/sda5UUID=d8e1f66c-1442-423e-b442-8ae66eded9d7 none swap sw 0 0/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0

激活quota, 执行这些命令:

touch /quota.user /quota.group

chmod 600 /quota.*

mount -o remount /

quotacheck -avugm

quotaon -avug

13 DNS 服务器

运行

apt-get install bind9

因为一些安装问题，我们需要chrooted bind（这个相当与虚拟一个新的linux给dns使用），执行下面的步骤

/etc/init.d/bind9 stop

编辑 /etc/default/bind9 以便超级线程可以以一个没有权限的用户运行，

比如bind，chrooted 到/var/lib/named. 修改这一行: OPTIONS=”-u bind” 加上选项OPTIONS=”-u bind -t /var/lib/named”:

vi /etc/default/bind9

OPTIONS=”-u bind -t /var/lib/named”# Set RESOLVCONF=no to not run resolvconfRESOLVCONF=yes

在 /var/lib下创建相关目录:

mkdir -p /var/lib/named/etc

mkdir /var/lib/named/dev

mkdir -p /var/lib/named/var/cache/bind

mkdir -p /var/lib/named/var/run/bind/run

移动配置文件夹从/etc 到 /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

创建一个符号从旧的文件夹连接到新的配置文件夹，这是为了避免当bind升级时出现问题。

ln -s /var/lib/named/etc/bind /etc/bind

创建一些不存在的随便的设备，以修复文件夹的权限：

mknod /var/lib/named/dev/null c 1 3

mknod /var/lib/named/dev/random c 1 8

chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random

chown -R bind:bind /var/lib/named/var/*

chown -R bind:bind /var/lib/named/etc/bind

我们需要修改/etc/default/syslogd 以便我们登陆系统的时候可以得到一些重要日志信息。. 修改这一行: SYSLOGD=”"? SYSLOGD=”-a /var/lib/named/dev/log”:

vi /etc/default/syslogd

## Top configuration file for syslogd### Full documentation of possible arguments are found in the manpage# syslogd(8).### For remote UDP logging use SYSLOGD=”-r”#SYSLOGD=”-a /var/lib/named/dev/log”

重启日志进程:

/etc/init.d/sysklogd restart

启动 BIND, 检查/var/log/syslog汇报的错误:

/etc/init.d/bind9 start

14 MySQL数据库

要安装MySQL, 我们执行

apt-get install mysql-server mysql-client libmysqlclient15-dev

安装中会要求你给root设置一个密码，安装完了之后，

root@localhost? 和 root@server1.example.com 该E-mail地址已受到防止垃圾邮件机器人的保护，您必须启用浏览器的Java Script才能看到。 的密码都是刚刚设的这个，我们就不需要再重设root密码了。:

New password for the MySQL “root” user: <– 你要设置的密码

Repeat password for the MySQL “root” user: <– 再输入一次你要输入的密码

我们需要mysql监听所有的接口而不是只有127.0.0.1 所以我们要编辑/etc/mysql/my.cnf

注释掉这一行 bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]# Instead of skip-networking the default is now to listen only on# localhost which is more compatible and is not less secure.#bind-address = 127.0.0.1[...]

重启MySQL:

/etc/init.d/mysql restart

检查是否已经在网络上开了服务端口. 执行

netstat -tap | grep mysql

结果看起来应该象这个:

root@server1:~# netstat -tap | grep mysql

tcp??????? 0????? 0 *:mysql???????????????? *:*???????????????????? LISTEN????? 5869/mysqld

root@server1:~#

15 安装带SMTP-AUTH 和 TLS模块邮件服务器Postfix

按照下面的步骤安装daismtp-auth 和 tls 模块的邮件服务器:

apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail

按照下面回答提示的两个问题:

General type of mail configuration: <– Internet Site

System mail name: <– server1.example.com

执行

dpkg-reconfigure postfix

还会提示下面的问题:

General type of mail configuration: <– Internet Site

System mail name: <– server1.example.com

Root and postmaster mail recipient: <– [blank]

Other destinations to accept mail for (blank for none):

<– server1.example.com, localhost.example.com, localhost.localdomain, localhost

Force synchronous updates on mail queue? <– No

Local networks: <– 127.0.0.0/8

Use procmail for local delivery? <– Yes

Mailbox size limit (bytes): <– 0

Local address extension character: <– +

Internet protocols to use: <– all

接着执行下面的命令:

postconf -e ‘smtpd_sasl_local_domain =’

postconf -e ‘smtpd_sasl_auth_enable = yes’

postconf -e ‘smtpd_sasl_security_options = noanonymous’

postconf -e ‘broken_sasl_auth_clients = yes’

postconf -e ‘smtpd_sasl_authenticated_header = yes’

postconf -e ‘smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination’

postconf -e ‘inet_interfaces = all’

echo ‘pwcheck_method: saslauthd’ >> /etc/postfix/sasl/smtpd.conf

echo ‘mech_list: plain login’ >> /etc/postfix/sasl/smtpd.conf

然后我们创建tls认证:

mkdir /etc/postfix/ssl

cd /etc/postfix/ssl/

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key

openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

下面配置 TLS (确认你自己使用正确的 hostname 在 myhostname这一项上):

postconf -e ‘myhostname = server1.example.com’

postconf -e ‘smtpd_tls_auth_only = no’

postconf -e ‘smtp_use_tls = yes’

postconf -e ‘smtpd_use_tls = yes’

postconf -e ‘smtp_tls_note_starttls_offer = yes’

postconf -e ‘smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key’

postconf -e ‘smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt’

postconf -e ‘smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem’

postconf -e ‘smtpd_tls_loglevel = 1′

postconf -e ‘smtpd_tls_received_header = yes’

postconf -e ‘smtpd_tls_session_cache_timeout = 3600s’

postconf -e ‘tls_random_source = dev:/dev/urandom’

最后/etc/postfix/main.cf 看起来像这样:

cat /etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version# Debian specific: Specifying a file name will cause the first# line of that file to be used as the name. The Debian default# is /etc/mailname.#myorigin = /etc/mailnamesmtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)biff = no# appending .domain is the MUA’s job.append_dot_mydomain = no# Uncomment the next line to generate “delayed mail” warnings#delay_warning_time = 4hreadme_directory = no# TLS parameterssmtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crtsmtpd_tls_key_file = /etc/postfix/ssl/smtpd.keysmtpd_use_tls = yessmtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scachesmtp_tls_session_cache_database = btree:${data_directory}/smtp_scache# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for# information on enabling SSL in the smtp client.myhostname = server1.example.comalias_maps = hash:/etc/aliasesalias_database = hash:/etc/aliasesmyorigin = /etc/mailnamemydestination = server1.example.com, localhost.example.com, localhost.localdomain, localhostrelayhost =mynetworks = 127.0.0.0/8mailbox_command = procmail -a “$EXTENSION”mailbox_size_limit = 0recipient_delimiter = +inet_interfaces = allinet_protocols = allsmtpd_sasl_local_domain =smtpd_sasl_auth_enable = yessmtpd_sasl_security_options = noanonymousbroken_sasl_auth_clients = yessmtpd_sasl_authenticated_header = yessmtpd_recipient_restrictions =

permit_sasl_authenticated,permit_mynetworks,reject_unauth_destinationsmtpd_tls_auth_only = nosmtp_use_tls = yessmtp_tls_note_starttls_offer = yessmtpd_tls_CAfile = /etc/postfix/ssl/cacert.pemsmtpd_tls_loglevel = 1smtpd_tls_received_header = yessmtpd_tls_session_cache_timeout = 3600stls_random_source = dev:/dev/urandom

认证由saslauthd实现的，因为postfix是chroot运行在/var /spool/postfix/下，我们需要做一些改变使其正常工作，

:

mkdir -p /var/spool/postfix/var/run/saslauthd

编辑/etc/default/saslauthd 激活sslauthd. 设置 START 为yes 把OPTIONS=”-c -m /var/run/saslauthd”

改成 OPTIONS=”-c -m /var/spool/postfix/var/run/saslauthd -r”:

vi /etc/default/saslauthd

## Settings for saslauthd daemon# Please read /usr/share/doc/sasl2-bin/README.Debian for details.## Should saslauthd run automatically on startup? (default: no)START=yes# Description of this saslauthd instance. Recommended.# (suggestion: SASL Authentication Daemon)DESC=”SASL Authentication Daemon”# Short name of this saslauthd instance. Strongly recommended.# (suggestion: saslauthd)NAME=”saslauthd”# Which authentication mechanisms should saslauthd use? (default: pam)## Available options in this Debian package:# getpwent — use the getpwent() library function# kerberos5 — use Kerberos 5# pam — use PAM# rimap — use a remote IMAP server# shadow — use the local shadow password file# sasldb — use the local sasldb database file# ldap — use LDAP (configuration is in /etc/saslauthd.conf)## Only one option may be used at a time. See the saslauthd man page# for more information.## Example: MECHANISMS=”pam”MECHANISMS=”pam”# Additional options for this mechanism. (default: none)# See the saslauthd man page for information about mech-specific options.MECH_OPTIONS=”"# How many saslauthd processes should we run? (default: 5)# A value of 0 will fork a new process for each connection.THREADS=5# Other options (default: -c -m /var/run/saslauthd)# Note: You MUST specify the -m option or saslauthd won’t run!## See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.# See the saslauthd man page for general information about these options.## Example for postfix users: “-c -m /var/spool/postfix/var/run/saslauthd”#OPTIONS=”-c -m /var/run/saslauthd”OPTIONS=”-c -m /var/spool/postfix/var/run/saslauthd -r”

下面把postfix user 加到sasl组里面，这一步使postfix有权限使用saslauthd

adduser postfix sasl

重启Postfix 启动saslauthd:

/etc/init.d/postfix restart

/etc/init.d/saslauthd start

下面看看smtp-auth 和tls工作了没：

telnet localhost 25

看到提示了后执行：

ehlo localhost

如果你看到了下面的

250-STARTTLS

还有这个

250-AUTH LOGIN PLAIN

那就证明所有的都ok了。

在我的机器上显示的像下面的:

root@server1:/etc/postfix/ssl# telnet localhost 25

Trying 127.0.0.1…

Connected to localhost.localdomain.

Escape character is ‘^]’.

220 server1.example.com ESMTP Postfix (Ubuntu)

ehlo localhost

250-server1.example.com

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH LOGIN PLAIN

250-AUTH=LOGIN PLAIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

quit

221 2.0.0 Bye

Connection closed by foreign host.

root@server1:/etc/postfix/ssl#

输入

quit

返回系统shells.

16 安装 Courier-IMAP/Courier-POP3

执行下面的命令安装Courier-IMAP/Courier-IMAP-SSL (IMAPs 在端口 993上)

和Courier-POP3/Courier-POP3-SSL (POP3s 在端口 995上)pop3和imap是明文传输密码的，这两个包是为了解决安全问提出现的:

apt-get install courier-authdaemon courier-base courier-imap

courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0

提示下面两个问题:

Create directories for web-based administration? <– No

SSL certificate required <– Ok

17 安装Apache/PHP5/Ruby

下面我们安装Apache:

apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert

下面我们安装PHP5 和 Ruby (两个都是apache的模块):

apt-get install libapache2-mod-php5 libapache2-mod-ruby php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

编辑edit /etc/apache2/mods-available/dir.conf:

vi /etc/apache2/mods-available/dir.conf

更改DirectoryIndex 这一行:

<IfModule mod_dir.c>#DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htmDirectoryIndex index.html index.htm index.shtml index.cgi index.php </IfModule>

现在我们可以激活某些Apache 模块了 (SSL, rewrite, suexec, and include):

a2enmod ssl

a2enmod rewrite

a2enmod suexec

a2enmod include

重新加载配置文件:

/etc/init.d/apache2 force-reload

17Proftpd

安装Proftpd, run

apt-get install proftpd ucf

会提示你这个问题:

Run proftpd: <– standalone

为了提高proftpd的安全性可以做下面的操作，更多信息可以看这里: http://proftpd.org/localsite/Userguide/linked/userguide.html):

vi /etc/proftpd/proftpd.conf

[...]DefaultRoot ~IdentLookups offServerIdent on “FTP Server ready.”[...]

18 网站访问统计分析

安装webalizer,直接运行

apt-get install webalizer

19 同步系统时钟

与互联网上某个时间服务器同步是一个不错的选择。简单的执行

apt-get install ntp ntpdate

以后你的系统时间就会自动同步了。