How To Create a DNS Server On Ubuntu 18.04

The DNS or Domain Name System is the distributed database that allows zone records, such as IP addresses, to be associated with domain names. When a computer, such as your laptop or phone, needs to communicate with a remote computer, such as a web server, over the internet, they use each other's IP addresses. People are not very good at remembering IP addresses but they are good at remembering the words and phrases in domain names. The DNS system allows people to use domain names when they interface with computers whilst still allowing computers to use IP addresses when they communicate with each other.

In this guide, we will examine how you can install and configure a DNS server that will be the authoritative DNS server for your domain names. This will allow you to have complete control over your DNS information and make immediate changes to your DNS records whenever you need to make them.

Requirements

In order to follow this guide you will need:

  • An Ubuntu 18.04 server.
  • A domain name.
  • A non-root sudo enabled user on the server.

In order to begin this guide, you must log into your server as the non-root user.

Installation

The DNS server that we will use in this guide is BIND. BIND is the most deployed and one of the oldest DNS servers in use on the internet.

Before we install BIND you should ensure that your server is up-to-date with the latest packages:

sudo apt update
sudo apt upgrade

BIND is available from the default Ubuntu repositories and is installed with the following command:

sudo apt install bind9 bind9utils bind9-doc dnsutils

BIND is now installed so we can move on to configuring it.

Global BIND Settings

Making BIND function as a DNS server falls into two parts. The first is setting the global parameters which will make BIND function in the manner we desire. The second is to create the domain-specific DNS information that BIND will serve. This information is known as “zone information” or “zone records”.

In this section, we will configure the global parameters.

The first configuration file that we will edit is located at /etc/bind/named.conf.options and configures how bind will operate. Open this file with your favorite text editor, here nano is used:

sudo nano /etc/bind/named.conf.options

Edit named.conf.options so that it looks like the following:

options {
        directory "/var/cache/bind";
        auth-nxdomain no;
        listen-on port 53 { any; };
        recursion no;
};

The options used here mean as follows:

  • directory – This sets a filesystem path variable. It does not need to be changed.
  • auth-nxdomain no – BIND will not answer authoritatively for domains that are not configured on this server.
  • listen-on port 53 { any; }; – This sets the port that BIND will listen on for incoming DNS requests. Port 53 is the default DNS port. The any option is used here instead of an IP address. This instructs BIND to attach to all available interfaces, private and public.
  • recursion no – This option configures BIND to only respond with information about domains that it has configuration files for. If this is set to yes then BIND will become a recursive DNS server, which means it will look up any name it receives a request for, like Google’s recursive server at 8.8.8.8. For security reasons, this should always be set to no when BIND is also configured to respond to requests from any IP, as we have set it up above, because an open recursive server can be used for DNS amplification attacks or other nefarious purposes.
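One way to confirm that recursion no has taken effect is to ask the server for a name outside its zones and look at the flags line of the reply: a server that offers recursion sets the ra flag. The script below is an added example, not part of the original guide; the function names and the three dig transcripts embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a server as recursive or authoritative-only
# from the header that dig prints for a reply.

# recursion_verdict: read dig output on stdin and print one of
#   open-recursion  the reply carries the "ra" (recursion available) flag
#   no-recursion    a reply arrived and "ra" is absent
#   no-response     no DNS header at all (timeout, unreachable server)
recursion_verdict() {
    awk '
        /^;; ->>HEADER<<-/ { seen = 1 }
        /^;; flags:/ {
            sub(/^;; flags: */, "")      # drop the label
            sub(/;.*/, "")               # drop the counters after the flags
            n = split($0, flag, " ")
            for (i = 1; i <= n; i++)
                if (flag[i] == "ra") ra = 1
        }
        END {
            if (!seen)   print "no-response"
            else if (ra) print "open-recursion"
            else         print "no-recursion"
        }'
}

# check_server SERVER NAME: query NAME, which should be a domain the server
# is NOT authoritative for, and classify the reply. Needs network access,
# so it is defined here but not called by the demo below.
check_server() {
    dig +time=3 +tries=1 "@$1" -t A "$2" | recursion_verdict
}

# Constructed transcripts (not captured from a real server).
sample_refused() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
EOF
}

sample_open() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

sample_timeout() {
    cat <<'EOF'
;; connection timed out; no servers could be reached
EOF
}

# Demo: classify each constructed transcript.
for s in sample_refused sample_open sample_timeout; do
    printf '%-16s %s\n' "$s" "$($s | recursion_verdict)"
done
```

On the server built in this guide, check_server 198.51.100.10 www.example.org should report no-recursion; open-recursion means the recursion setting did not take effect.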

The second configuration file we will create sets which domains BIND is responsible for and where the files that contain their zone information are located. Open this file with a text editor:

sudo nano /etc/bind/named.conf.local

Edit this file so that it looks like:

zone    "example.com"   {
        type master;
        file    "/etc/bind/forward.example.com";
 };

zone   "10.100.51.198.in-addr.arpa"  {
       type master;
       file    "/etc/bind/reverse.example.com";
 };

The lines in this file mean as follows:

  • zone – This is the domain name or IP address that BIND will answer requests for.
  • type master – BIND will read the zone information from local storage and provide authoritative information for the domain listed on the zone line.
  • file – The file that contains the zone information.

As you can see, there are two sections to this file that have the same syntax. The first section lists the domain (example.com) and is the so-called forward DNS record. This means that it will convert domain information to IP addresses.

The second is the reverse or PTR record of the server’s IP address. This converts in the opposite direction, i.e. IP addresses to domain names. The zone line for the reverse record looks a little strange because the IP address is in reverse. The IP address that this is the reverse record for is 198.51.100.10.

Reverse records are important to have because many security systems such as spam filters will be less likely to accept mail sent from an IP address that has no reverse record.

Now that BIND’s global configuration is set we can create the zone files that will hold the forward and reverse DNS information.

Zone File Configuration

The first zone file that we will create is the forward information for the domain name. Open and create the file with a text editor:

sudo nano /etc/bind/forward.example.com

And use the following as your template:

$TTL 1d
@               IN      SOA     dns1.example.com.    hostmaster.example.com. (
                1        ; serial
                6h       ; refresh after 6 hours
                1h       ; retry after 1 hour
                1w       ; expire after 1 week
                1d )     ; minimum TTL of 1 day
;
;
;Name Server Information 
@               IN      NS      ns1.example.com.
ns1             IN      A       198.51.100.10
;
;
;Mail Server Information
example.com.    IN      MX      10      mail.example.com.
mail            IN      A       198.51.100.20
;
;
;Additional A Records:   
www             IN      A       198.51.100.30
site            IN      A       198.51.100.30
;
;
;Additional CNAME Records:
slave           IN      CNAME   www.example.com.

The first configuration block beginning $TTL 1d has only a single line that you need to edit by changing example.com to your domain:

@               IN      SOA     dns1.example.com.    hostmaster.example.com. (

This line means from left to right:

  • @ – This is replaced with the domain from the named.conf.local file i.e. example.com.
  • IN – The type of record, in this case, INternet records.
  • SOA – The record is the Start Of Authority record. This is the authoritative record for this domain.
  • dns1.example.com. – The nameserver where the DNS records are found.
  • hostmaster.example.com. – The email address of the administrator of the nameserver. The @ symbol is replaced with a dot.

The rest of the lines here set values such as the Time To Live, which you can copy from the example as they are functional values.

You should note the dots at the end of the domains and hostnames, e.g. example.com. with its trailing dot. This final dot stops the domain name from being appended automatically. We do want the domain appended to names without the dot, for example the www in the line www IN A 198.51.100.30, as this will resolve www.example.com to the IP address.

The next section – Name Server Information – is mandatory and should be edited to use the hostname of this nameserver and its IP address. It is customary to label the first nameserver ns1.domain.com but you can choose any hostname you want.

The remaining sections are optional and are included as examples. The first of these, Mail Server Information, is an example of how an email will get sent to an email server at the IP 198.51.100.20. MX records should always resolve to hostnames so the required A record for mail.example.com is included in the mail records section for ease of understanding.

The final two sections are further examples of A and CNAME records.

Next, we need to create a reverse zone file. Open and create the file with a text editor:

sudo nano /etc/bind/reverse.example.com

Use the following example as your template:

$TTL 1d
@               IN      SOA     dns1.example.com.    hostmaster.example.com. (
                1        ; serial
                6h       ; refresh after 6 hours
                1h       ; retry after 1 hour
                1w       ; expire after 1 week
                1d )     ; minimum TTL of 1 day
;
;
;Name Server Information 
@               IN      NS      ns1.example.com.
ns1             IN      A       198.51.100.10
;
;
;Reverse IP Information
10.100.51.198.in-addr.arpa.      IN      PTR       ns1.example.com.
20.100.51.198.in-addr.arpa.      IN      PTR       mail.example.com.
30.100.51.198.in-addr.arpa.      IN      PTR       www.example.com.

The first two sections are the same as the forward zone file. The last section configures the IP to domain name records.

The IP is listed in reverse format, with the hostname you want it to resolve to at the end of the line. Here the reverse maps are set for all three IP addresses used in the forward zone file as examples.
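The forward and reverse zone files have to agree with each other: a PTR that names a host whose A record does not point back at the same address is treated like a missing reverse record by the mail filters mentioned earlier. The script below is an added example, not part of the original guide, that checks this for zone text in the one-record-per-line layout of the templates; the function names are assumptions of the example and the sample data is the record lines copied from the two templates.

```shell
#!/bin/sh
# Added example: check that forward (A) and reverse (PTR) zone data agree.
# Understands only the one-record-per-line "owner IN TYPE value" layout
# used by the templates in this guide.

# a_records ORIGIN < forward-zone   ->  lines "A <ip> <fqdn>"
a_records() {
    awk -v origin="$1" '
        $2 == "IN" && $3 == "A" {
            name = $1
            if (name == "@")          name = origin "."
            else if (name !~ /\.$/)   name = name "." origin "."   # relative name
            print "A", $4, name
        }'
}

# ptr_records < reverse-zone   ->  lines "PTR <ip> <fqdn>"
# Only fully qualified IPv4 owners (d.c.b.a.in-addr.arpa.) are handled.
ptr_records() {
    awk '
        $2 == "IN" && $3 == "PTR" &&
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.in-addr\.arpa\.$/ {
            split($1, o, ".")
            print "PTR", o[4] "." o[3] "." o[2] "." o[1], $4
        }'
}

# check_fcrdns ORIGIN FORWARD_FILE REVERSE_FILE
# Prints one line per problem, sorted; returns 0 only if there are none.
# A PTR whose target lives outside ORIGIN is reported as a mismatch,
# because its A record cannot be seen in FORWARD_FILE.
check_fcrdns() {
    problems=$(
        { a_records "$1" < "$2"; ptr_records < "$3"; } | awk '
            $1 == "A"   { fwd[$2 " " $3] = 1; used[$2] = 1 }
            $1 == "PTR" { ptr[$2] = $3 }
            END {
                # every address handed out in an A record needs a PTR
                for (ip in used)
                    if (!(ip in ptr)) print "MISSING-PTR " ip
                # every PTR target needs an A record pointing back at that address
                for (ip in ptr)
                    if (!((ip " " ptr[ip]) in fwd))
                        print "PTR-MISMATCH " ip " -> " ptr[ip]
            }' | sort
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Sample input: the record lines of the forward template in this guide.
sample_forward() {
    cat <<'EOF'
@               IN      NS      ns1.example.com.
ns1             IN      A       198.51.100.10
example.com.    IN      MX      10      mail.example.com.
mail            IN      A       198.51.100.20
www             IN      A       198.51.100.30
site            IN      A       198.51.100.30
slave           IN      CNAME   www.example.com.
EOF
}

# Sample input: the PTR lines of the reverse template in this guide.
sample_reverse() {
    cat <<'EOF'
10.100.51.198.in-addr.arpa.      IN      PTR       ns1.example.com.
20.100.51.198.in-addr.arpa.      IN      PTR       mail.example.com.
30.100.51.198.in-addr.arpa.      IN      PTR       www.example.com.
EOF
}

demo() {
    dir=$(mktemp -d)
    sample_forward > "$dir/fwd"
    sample_reverse > "$dir/rev"
    check_fcrdns example.com "$dir/fwd" "$dir/rev" && echo "templates: consistent"
    # Constructed breakage: a new host without a PTR, and a PTR that names
    # a host with no A record.
    echo 'ftp             IN      A       198.51.100.40' >> "$dir/fwd"
    sed 's/mail\.example\.com\./smtp.example.com./' "$dir/rev" > "$dir/rev.bad"
    check_fcrdns example.com "$dir/fwd" "$dir/rev.bad" || echo "problems found"
    rm -rf "$dir"
}

demo
```

Run against your own files, the call is check_fcrdns example.com /etc/bind/forward.example.com /etc/bind/reverse.example.com.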

Check Your Configuration For Errors

BIND provides a pair of tools to check that its configuration files do not contain any errors that would prevent BIND from starting.

The first checks the global configuration files and is used as follows:

sudo named-checkconf /etc/bind/named.conf.options
sudo named-checkconf /etc/bind/named.conf.local

The second tool will check the zone files and is used as follows:

sudo named-checkzone <zone name> <zone file>
e.g.
sudo named-checkzone example.com /etc/bind/forward.example.com

When you have finished editing these files and they do not throw any errors when checked, BIND must be restarted and enabled so that it starts on boot:

sudo systemctl enable bind9.service
sudo systemctl restart bind9.service

Configure Systemd To Keep BIND Running

When you start using your own nameservers for your domain it is critical that BIND is always running. If it stops then anything that uses your domain, e.g. email, website etc., will stop working. Systemd is the program that, amongst other services, starts and stops programs like BIND on your server. In addition to starting and stopping, it can be configured to ensure that a program is restarted if it stops for any reason.

First, make a copy of the BIND systemd service file that we will edit:

sudo cp /lib/systemd/system/bind9.service /etc/systemd/system/

This will ensure that the edits will not be lost in future system updates. Next, open the file in an editor:

sudo nano /etc/systemd/system/bind9.service

And add the following two lines to the [Service] section:

Restart=always
RestartSec=3

Then prompt Systemd to reload all its service files:

sudo systemctl daemon-reload

And restart BIND:

sudo systemctl restart bind9.service

Now, if BIND stops running for any reason, systemd will restart it automatically.

Testing The DNS Server

Before you begin using your new DNS server you need to test that it works correctly i.e. BIND serves the correct DNS information for your domain.

The DNS inspection tool dig was included with the packages we installed at the beginning of this guide. dig is one of the most powerful and flexible DNS testing and investigation command line tools available on Linux and should be your go-to tool for looking up DNS records.

dig has the ability to ignore the system configured resolvers (set in /etc/resolv.conf) and request DNS information directly from a nameserver i.e. the DNS server you have just created.

The syntax of a dig query is as follows:

dig @<nameserver> -t <record type> <domain name>

If we replace this information with the details of the example server in this guide we get:

dig @198.51.100.10 -t A www.example.com.

This will return quite a bit of information. The result that we are interested in is always contained in the ANSWER SECTION e.g.:

;; ANSWER SECTION:
example.com.         86400   IN      A       198.51.100.30

We can also check the reverse map record by using the -x flag:

dig @198.51.100.10 -x 198.51.100.10

Which will produce the result:

;; ANSWER SECTION:
10.100.51.198.in-addr.arpa.      IN      PTR       ns1.example.com.

You can perform similar queries against all of the zone records you have created for your domain. When they all return the correct information you are ready to start using your DNS server.

Conclusion

You have now successfully installed, configured and tested your own DNS server, and you are ready to start using it. In order to do this, you will need to transfer your domain to your DNS server. This is done with the company that registered your domain for you. When you log into their site you will find somewhere in their control panel an option to transfer the domain to new authoritative nameservers.

Some companies require that a domain has more than one authoritative nameserver. In this guide, we only created one, i.e. ns1.example.com. If an additional nameserver is required then you need to obtain a second virtual machine and copy the configuration substituting ns2 for ns1.

Alternatively, you can request a second IP address for your existing server and duplicate the ns1 records changing them to ns2.

The post How To Create a DNS Server On Ubuntu 18.04 appeared first on Low End Box.

Package Management Walkthrough: apt, yum, dnf, pkg

In this tutorial, we will give you an overview of package management utilities on Ubuntu and Debian, Centos, Fedora, and FreeBSD. Once you install, say, Apache and Nginx, PHP, a MySQL database, all these systems start behaving similarly. The main difference is located in the tools for package management and that is how most newcomers to VPS boxes decide which server to run their sites and applications on.

What We Are Going To Cover

  • apt utility for Debian and Ubuntu
  • yum for Centos
  • DNF for Fedora
  • pkg for FreeBSD

and for each of these will show how to

  • find help / read manual,
  • install a package,
  • delete it,
  • find package in a repository,
  • eventually check for vulnerabilities, and so on.

Prerequisites

If you want to try out the commands, you will need

  • root user access, as well as
  • the ability to SSH into the VPS.

Basic Functions of Package Managers

Windows users download their applications from web sites and each app is then responsible for the upgrades and security patches. Linux is different: all applications wait in so-called repositories to be downloaded and installed. Programs that download and install the packages are called package managers and each Linux distribution will have its own repository and the corresponding package manager. For more popular systems, such as Ubuntu, there are repositories for each major version, say, 14.04, 16.04 and so on. The so-called backport repositories may exist as well, when a newer version of the package, say from Ubuntu version 16.04, is ported “back” to the repository for Ubuntu version 14.04.

Unlike Windows users, on Linux you would not even care which version is installed. The package manager would choose the proper version and see to the rest of the process. Some software companies deliver installation files directly, on Debian for example, but there are lower level commands to handle such cases as well.

A package manager can search the repository so that you can see whether the package you want to install is there. It is also possible to test what would change in the system if you installed a package, which may be of vital importance in certain cases.

The same package manager can remove the installed package from the system cache, and can also uninstall the app completely. If there is a newer version in the repository than on the VPS, the package can be upgraded on the run.

APT for Debian / Ubuntu

For Debian-like systems, including Ubuntu, the basic high level package manager is called apt. Its lower level counterpart, for dealing with particular files is called dpkg. File type is .deb.

apt is a relatively new service, and gained prominence with Ubuntu 16.04. The name of the package manager that was used previously is apt-get. To make things even more confusing, the set of tools that Debian uses to manage packages is called APT — which is not the apt that we are talking about here.

apt was introduced to simplify package management for normal users. It has more default values and is easier to use than apt-get. apt-get, however, is not going anywhere and can still be used without problems. In this tutorial, we are going to use apt only.

How To Get Help About apt Package Manager

The command to read documentation about apt is

apt help

You will have the most popular commands at a glance:

How To Upgrade the Server

Package managers read files from the repository into the system's cache. The command is:

sudo apt update

Run that on a Debian box. Dozens of lines of output will be produced, ending with

Notice it says there are 3 packages to be upgraded. Run

apt list --upgradable

to see the complete list.

Running the same upgrade command on Ubuntu 19.0 will produce a different outcome:

Under Ubuntu, there will be 65 packages to upgrade.

The entire server version will be updated with:

sudo apt upgrade

The command

sudo apt full-upgrade

will perform a full upgrade, which means that the conflicting package dependencies will be upgraded to the newest version, removing older or unused dependencies at the same time.

Update and Upgrade In One Line

Following along recipes for installation of software for your VPS, you will frequently see the following line:

sudo apt update && sudo apt upgrade

which both updates and upgrades the server. That way, you are guaranteed to have the latest version of software for the installation.

Installing Software

You can search for the software to install:

sudo apt search packageName

The result may not be that usable, as it may consist of dozens of lines of available packages. You may want to copy the contents of the terminal window into a text editor and there search for the package name.

To install software, the command is:

sudo apt install packageName

For example, running

sudo apt install perl

on Debian let me install one new module for the programming language perl, while on Ubuntu nothing needed to be installed as

perl is already the newest version (5.28.1-6).

apt cannot install software from a URL, but the lower level package RPM can. Installing from the repositories is always safer, though.

Removing Packages With apt

To remove a package:

sudo apt remove packageName

apt will remove unused dependencies, but in case some still remain, here’s another command:

sudo apt autoremove

How to list all installed packages:

apt list --installed

Yum Package Manager On Centos

yum is the package manager for Centos, a security oriented version of Red Hat Linux. File format is .rpm. yum installs or upgrades any package dependencies, which is the main benefit from using it. yum will download packages from the official repositories, but you can also set up your own repositories on systems that do not have Internet access.

How To Get Help About yum Package Manager

Run

yum help

The first screen lists all commands:

The second screen shows available parameters for yum:

How To Upgrade the Server With Yum

The update command of Yum both upgrades and updates the system:

sudo yum update

Even if your server installation is just one day old, as is the case here, there will be something new to upgrade and install:

It will ask you for approval, once or twice; answer Y if you want the installation to proceed.

WARNING: For longer transactions, it may appear that the terminal is dead (nothing happens in its window). Be patient and wait it out. Otherwise, when another transaction is set in motion, Centos will ask you to finish the previous transaction first. Or, you can clean up with the command such as:

yum-complete-transaction --cleanup-only

Installing Software With Yum

To search for an installable package:

sudo yum search packageName

Install a package with the following command:

sudo yum install packageName

NOTE: yum will ALWAYS install the latest version of the kernel.

Removing Packages with yum

Remove a package with:

sudo yum remove packageName

yum includes three commands for removing the packages:

  • autoremove will completely erase any traces of the previous configuration.
  • remove will maintain a local copy of any configuration files/directories that were changed from the default values during the installation.
  • erase is the same as remove.

DNF Package Manager on Fedora

While Centos is a free version of Red Hat Linux, Fedora is like a laboratory for research and development for those two systems. As of Fedora version 22, DNF has replaced yum as the official package manager and it is likely that one day the same will happen on Centos. DNF should serve as the improved version of yum so the commands will be similar.

With DNF, maintaining groups of machines is made easier, so you do not need to manually update each one using rpm. It also

  • supports multiple repositories
  • uses depsolving technology for dependency calculations
  • runs faster and takes less memory than yum
  • treats .RPM files consistently
  • is written in Python and runs on both Python 2 and Python 3
  • has its own plugins, which can modify its behaviour and introduce new commands.

How To Get Help About DNF Package Manager

The command is:

dnf help

Here is a list of the main commands that it supports:

And this is the list of plugins and a partial list of optional arguments:

How To Upgrade the Server With DNF

To update and upgrade all software:

sudo dnf update

As usual, answer with Y when asked whether you want to proceed with the installation.

There also is a command

dnf check-update

but you do not need to do this as DNF updates its cache automatically before performing transactions.

Installing Packages with DNF

Search for an installable package:

sudo dnf search packageName

To install a package:

sudo dnf install packageName

Removing Packages with DNF

To remove a package:

sudo dnf remove packageName

The autoremove command will search across the system and remove unused dependencies:

sudo dnf autoremove 

This is the warning it sent me:

so be sure to always add the name of the package you want autoremoved:

sudo dnf autoremove packageName

Differences Between apt and DNF Commands

Here is a comparison between apt and DNF commands:

Ubuntu command      Fedora command
apt update          dnf check-update
apt upgrade         dnf upgrade
apt dist-upgrade    dnf system-upgrade
apt install         dnf install
apt remove          dnf remove
apt purge           N/A
apt-cache search    dnf search

Package Management With PKG On FreeBSD

FreeBSD has two ways of installing software:

  • packages, which is similar to installing .deb packages on Ubuntu / Debian and .rpm on Centos / Fedora, and
  • ports which is making software from source, and is not further explained in this tutorial.

The main difference is that pkg will install only the binary packages.

How To Get Help About pkg Package Manager

The command is

pkg help

How To Upgrade the Server With pkg

freebsd-update fetch install
pkg update && pkg upgrade

Press Y when asked whether to install.

Installing Packages with pkg

Search for a package:

pkg search packagename

Install a package:

pkg install packagename

Here is what installing nginx looks like:

List installed packages:

pkg info

Upgrade from remote repository:

pkg upgrade

Delete an installed package:

pkg delete packageName

Checking Dependencies

Check for missing dependencies:

pkg check -d -a

Remove unneeded dependencies:

pkg autoremove

Automatic And Non-automatic Packages

List non-automatic packages:

pkg query -e '%a = 0' %o

List automatic packages:

pkg query -e '%a = 1' %o

Change a package from automatic to non-automatic, which will prevent autoremove from removing it:

pkg set -A 0 packageName

Change a package from non-automatic to automatic, which will make autoremove remove it once nothing depends on it:

pkg set -A 1 packageName

Security Advisories

Audit installed packages for security advisories:

pkg audit

And here is the result:

The audit command goes to the vulnerability database for FreeBSD and reads from there. Here is what its readable form looks like:

We should now wait for the upgraded version to appear and then use the upgrade command to patch it.

Dusko Savic is a technical writer and programmer.

duskosavic.com

The post Package Management Walkthrough: apt, yum, dnf, pkg appeared first on Low End Box.

How to Edit Files From Your Linux VPS Terminal

There is a constant need to read, edit and change text files on any VPS, mostly after the installation of new packages. Learning, practicing and gaining proficiency with command line text editors can mean a world of difference in your experience and results with VPS.

If your server runs into trouble, the only resource will be access to the system console and the only way to use it will be through a text editor. About the only editor that is guaranteed to exist everywhere is Vi or its descendant, Vim. In this tutorial, we will study nano and Vim, two popular text editors that you can run from a VPS terminal.

Vi Editor

A problem for most newcomers to VPS is that vi, the only text editor that is by default present on any Linux distribution, is neither WYSIWYG nor intuitive. If you expect it to obey commands from Windows Notepad or MacOS TextEdit editors, you’ll be frustrated and disappointed in no time. Let’s say you are following a script to install some widely used program, say Nginx, and that it contains a command such as

sudo vim /etc/nginx/nginx.conf

If this is your first contact with vi, you will discover that

A) you cannot type into the editor (unless you by chance press i on the keyboard) and that

B) you have no idea how to save the file and leave the editor (until you find out that :wq will do the trick).

Vim Editor

In time, an enhancement of vi called vim became very popular with power users. It is an almost strict superset of vi but with dozens of additional features such as protocols, plugins, task automation, working with several files at once, using its internal language VimScript or more formal Python, Ruby, Perl, or Tcl as scripting languages, and so on.

Vim is difficult to learn completely, but well worth the effort.

Nano Editor

The problems that newcomers have with Vi / Vim are the reason why another editor, nano, is so popular. It will show the available commands as a menu on screen, and when you start typing, you will see text filling in. No wonder the first thing many users do after installing a “droplet”, an “instance” or a “server” on their VPS boxes is to install nano.

What We Are Going To Cover

For nano and Vi / Vim we shall demonstrate how to:

  • Install the editor on Debian / Ubuntu and Centos
  • Explain the philosophical approach to editing
  • Get help
  • Create new or open an existing file
  • Show important commands within the editor
  • Save file and exit

Prerequisites

  • Debian / Ubuntu or Centos systems
  • Ability to SSH into the server
  • Since Vim is a superset of Vi, we are going to concentrate on Vim only

Installing Editors on Ubuntu 16.04 and Debian 9

Vi should be present on all servers; however, on some it may actually invoke Vim. We are showing commands for installation on all systems as there may be differences amongst hosting providers and server versions provided.

First update and upgrade the current version of Ubuntu / Debian:

sudo apt update
sudo apt upgrade

Depending on the version of Debian, the sudo command may not be recognized immediately after the server is installed. If that is the case, just omit sudo from the commands.

On Ubuntu only, if you get the following prompt:

just press Tab on the keyboard and then Enter.

You may then install updates, if any:

sudo apt dist-upgrade 

Then, install Nano:

sudo apt install nano

We see that it is already installed on Ubuntu 16.04:

Let’s now install Vim:

sudo apt install vim

It comes preinstalled as well.

Installing Editors on Centos 7

The commands are:

sudo yum update
sudo yum install nano
sudo yum install vim

How to Start the Editor

To start an editor, you invoke it by its name at the command prompt. If you add a file name, two things can happen. If there is no file at that address, the editor will create an empty file, and if the file exists, it will be opened in the editor.

Nano

When To Use Nano

This is the ideal case for using nano: you are (fairly) new to VPS servers, but you have just acquired one in order to run one specific program on it, or a couple of sites. So you snoop around and find a good recipe for installing your software of choice, you follow along and you reach a point when a config file needs to be changed. Nano is an ideal editor for such small, quick and dirty jobs, where you add a line or two, say, tweak site name for Nginx and so on, then save and close the file.

Now move to a neutral folder such as /tmp and open a file called sometext.txt in it:

cd /tmp
nano sometext.txt

We can start typing new text right away or we can paste a text we already have in clipboard. If it’s a terminal window under Windows (such as Kitty or Putty), you will paste text with the right click of the mouse and if it’s under MacOS, a simple Cmd-V should do.

I have copied the above paragraph and this is what I’ve got:

The text is all in there but you see only its very end. Nano by default does not wrap text as that is the expected behaviour when you edit configuration files. To change to wrapped text, press Esc, release it, and then press $:

That was soft wrapping, hard wraps are turned on or off with Esc + L.

The normal way to issue commands in nano is through the Ctrl key plus a letter, which is denoted as ^G – meaning press Ctrl and then press key g while still holding Ctrl. In the menus, nano uses upper-case G so it seems you have to press the Shift key and then g but actually, you do not have to press Shift at all.

Instead of Esc followed by a key press, you can also use key Alt with a simultaneous key press. So hard wrap would mean pressing Alt, holding it, then pressing Shift, holding it, then pressing l. In general, Alt and Esc are called meta keys and – depending on your keyboard – some other key may be assigned that role.

Help Screen in nano

Ctrl-G will get you main nano help text on screen:

Scroll down with combinations of ^Y and ^V or, if on a normal PC / Mac keyboard, just use PageUp and PageDown keys. You can also scroll with cursor keys, up and down.

We’ll now study keyboard combinations a bit more:

Commands starting with M, for instance, M-(, call for pressing the Meta key, which, as we have seen already, can be Esc, Alt or something else. So you can go to the beginning of the paragraph by pressing Esc, release pressure, then press on Shift and 9 at the same time. Or, you can press Alt, keep the key pressed, press on Shift, hold both keys pressed and then press on 9.

Press on Ctrl-X to leave the help screen.

Saving File With nano

To save file with nano, use Ctrl-O. The menu at the bottom changes to:

To save the file with changes, just press Enter.

Pressing on Ctrl-X will leave nano if the file is saved; if not, it will ask for confirmation with Y.

From the main menu, we see that Ctrl-W will find text, Ctrl-\ is for the replace operation and so on.

Vim Editor

Learning Vim With Vimtutor

The best way to learn Vim is to start a special version of Vim called vimtutor:

vimtutor

You are in Vim right away, and in its “normal” mode. It means pressing keys on the keyboard will not enter text but will be interpreted as interactive commands. To move cursor press on keys h, j, k, and l. Pressing j, for instance, will move cursor one row below. Keep pressing j until you see the second screen in vimtutor:

and then proceed with learning from there.

Running Vim

Run the following command

vim

and you’ll get this window:

It’s easy to create or open a file with Vim:

vim anothertext.txt

Three Modes of Operation in Vim

Vim has several modes of operations but these three are the most important:

  • NORMAL MODE – cursors, moving through text, text buffers, text manipulation etc.
  • INSERT MODE – inserting text: typing and editing.
  • VISUAL MODE – mode in which larger blocks of text can be defined, cut out, pasted and so on.

Press Esc twice to return to the normal mode.

INSERT MODE In Vim

If you want to type text, press i in the normal mode to start the Insert mode. You’ll see the word -- INSERT -- in the lower left corner of the window and you’ll be able to enter text.

In insert mode, I copied the above paragraph and right clicked on the mouse – the text appeared in Vim editor.

The Command Mode in Vim

You start issuing commands by typing a colon. For example, type :h for help and the following help screen will show up:

Type :q to get back to the screen with text.

To leave the file and exit the editor, enter:

:x[return]

To quit vim without saving the file, enter:

:q![return]

Here are the basic commands:

  • save: :w
  • save and exit: :wq
  • exit: :q
  • force: ! (example :w! :q!)
  • copy: y
  • copy a line: yy
  • paste: p
  • cut: d
  • cut a line: dd

Typing a number in front of command will execute that command that number of times. That means that if w is a command to move cursor to the beginning of the next word, 15w will move cursor 15 words to the right.

VISUAL MODE In Vim

Typing V in normal mode will turn on the Visual mode.

Note the label VISUAL LINE in the lower left corner of terminal window.

In this mode pressing keys such as j and k will move cursor up and down but will also mark a white block of text. Since we have pressed V, entire lines with cursor will be marked. Press v to enable character-based visual selection of text, in which case, the lower left corner will show only the word VISUAL.

Now, to delete text, press d (delete) and press y (yank) to copy the marked region. Then move the cursor to the desired paste location; pressing p will then paste after the cursor, while P will paste before it.

Press c to change text… and for further commands be sure to devote more time to learning Vim than you expected!

What Can You Do Next

We have shown basic editing capabilities of two almost universally present text editors, nano and Vi or Vim. They may not be your cup of tea at all, but you should at least learn enough of Vi / Vim to read a file, edit and then save it. Other famous editors we have no space to do justice here are Emacs, Micro, NE, and there are many others to choose from for your VPS!

Dusko Savic is a technical writer and programmer.

duskosavic.com

The post How to Edit Files From Your Linux VPS Terminal appeared first on Low End Box.

How To Set Up Cron On Your VPS

In this tutorial, we will see how to set up repetitive tasks on your VPS. You may want to automate system maintenance or administration so that you

  • download email every day,
  • download weekly new songs from the Internet,
  • erase files that you do not need any more,
  • daily backup your databases or data,
  • update your system with the latest security patches,
  • check your disk space usage,
  • send emails

and so on. The command that will do all that for you is cron and the tasks are called cron jobs. Many popular software packages will either ask you to fill in cron details or, like Drupal and Magento, will install cron jobs on their own.

What We Are Going To Cover

  • Definition of crontab
  • How to add cron command to a crontab file
  • Saving the output of cron jobs
  • Structure of crontab commands
  • Start, stop, restart cron on Centos & Ubuntu / Debian
  • Editing crontab file in Ubuntu, Debian, and Centos
  • Crontab restrictions
  • General format of cron commands
  • Crontab variables
  • Examples of cron jobs

Prerequisites

  • You will need ability to SSH into your VPS as a root.
  • You should also have one non-root user with sudo capabilities, at your disposal.
  • We use nano as our text editor. It will come preinstalled on Ubuntu and Debian. On Centos, install it with this command:
yum install nano

Press y twice to finish the installation.

What Is crontab

crontab, which is short for cron table, is a configuration file that defines shell commands to run periodically on a given schedule.

Cron may be system-wide or on a single user basis so there will be two kinds of crontabs, one for root user and the others for individual users. System-wide crontab will contain column for a particular user name, while crontabs for individual users will not.

On all three systems, the system-wide crontab is at /etc/crontab. You can edit cron jobs directly from this file but you actually shouldn’t. True automation will come only if each user has its own set of crontab files.

On CentOS, crontab files are stored in the /var/spool/cron directory while on Debian and Ubuntu, crontab files are stored in the /var/spool/cron/crontabs directory.

Crontab File Locations in Centos

Here are the locations for cron jobs:

/etc/crontab
/etc/cron.d/
/etc/cron.daily/
/etc/cron.hourly/
/etc/cron.monthly/
/etc/cron.weekly/
/var/spool/cron/

/var/spool/cron/ contains a crontab file for each user who is using crontab.

Log files for cron runs can be found at the /var/log/cron.

The Contents of a System-wide crontab File on Ubuntu

Use this command to quickly see the contents of the crontab file:

cat /etc/crontab

Lines starting with # are comments.

Let’s analyse the contents of crontab file.

Crontab Variables

Lines such as

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

contain cron variables.

SHELL – it is possible to choose the shell that cron will run from. The default is /bin/sh.

PATH – denotes where the system should look when executing cron commands (see below). If PATH is blank, the entire path to the command must be explicitly stated in the command itself.

HOME – normally, cron would execute the command from the user’s home directory. You can change the HOME variable to point to another directory.

MAILTO – for each event, cron sends email notifications to the owner of the crontab. Specify a comma separated list of all the email addresses you want the notifications to be sent to. Put MAILTO="" to deliver no mail at all.

Here is an example of a cron job with all these variables:

HOME=/opt
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SHELL=/bin/zsh
MAILTO=email@example.com

*/1 * * * * command

This command would execute every minute.

Cron Commands Explained

Columns in cron commands have the following meaning:

  • m – minutes during the hour, from 0 to 59. Number 17 in this column means crontab will perform an action on every 17th minute of the hour.
  • h – hours during the day, from 0 to 23. Number 6 here would mean some action would be performed every six hour during the day.
  • dom – date of month, from 0 to 31.
  • mon – month in year, from 0 to 11. Instead of numbers we can use jan, feb, mar, apr etc.
  • dow – day of week, from 0 to 6, where 0 is Sunday and 6 is Saturday. On some systems, 7 can mean Sunday as well.

It is also possible to use

Operator Values In Columns

* Asterisk means any value or always. An asterisk symbol in the Minutes field will perform the task each minute.

, Comma specifies a list of values for repetition. For example, if you have 1,13,15 in the Hour field, the task will be run at 1 am, 1 pm and 3 pm.

- Hyphen specifies a range of values. If you have 1-5 in the Month field, the task will run every month from January to May.

/ Slash specifies values that will be repeated over a certain interval between them. For example, if you have */4 in the Minutes field, the action will be performed every four minutes. The same effect would be achieved by specifying the values 0,4,8,12,16,20 and so on. You can also put a range of values before the slash. For example, 1-30/10 is the same as 1,11,21.
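The operators above can be checked by expanding a schedule into the concrete values it matches. The following Python sketch is an added example, not part of the original tutorial; the function names are assumptions of this example, and the field ranges, month and day names, and macro equivalents follow crontab(5).

```python
"""Expand crontab schedule fields into the concrete values they match."""

MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
DAYS = "sun mon tue wed thu fri sat".split()

# (name, lowest, highest, symbolic names) per field, as given in crontab(5).
FIELDS = [
    ("minute", 0, 59, {}),
    ("hour", 0, 23, {}),
    ("dom", 1, 31, {}),
    ("month", 1, 12, {n: i for i, n in enumerate(MONTHS, start=1)}),
    ("dow", 0, 7, {n: i for i, n in enumerate(DAYS)}),
]

# Macros and the five-field schedules crontab(5) defines them as.
MACROS = {
    "@hourly": "0 * * * *",
    "@daily": "0 0 * * *",
    "@weekly": "0 0 * * 0",
    "@monthly": "0 0 1 * *",
}


def _number(token, lo, hi, names):
    """Convert one token (digits or a month/day name) to a range-checked int."""
    token = token.lower()
    if token in names:
        return names[token]
    if not token.isdigit():
        raise ValueError(f"not a number or known name: {token!r}")
    value = int(token)
    if not lo <= value <= hi:
        raise ValueError(f"{value} is outside {lo}-{hi}")
    return value


def expand_field(expr, lo, hi, names=None):
    """Return the sorted values matched by one field expression."""
    names = names or {}
    values = set()
    for part in expr.split(","):
        base, slash, step_text = part.partition("/")
        step = 1
        if slash:
            if not step_text.isdigit() or int(step_text) == 0:
                raise ValueError(f"bad step in {part!r}")
            step = int(step_text)
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            first, _, last = base.partition("-")
            start = _number(first, lo, hi, names)
            end = _number(last, lo, hi, names)
            if start > end:
                raise ValueError(f"reversed range in {part!r}")
        elif slash:
            raise ValueError(f"step needs '*' or a range: {part!r}")
        else:
            start = end = _number(base, lo, hi, names)
        values.update(range(start, end + 1, step))
    return sorted(values)


def parse_line(line, system=False):
    """Parse one job line; system=True expects the extra user column."""
    line = line.strip()
    if not line:
        raise ValueError("empty line")
    macro = line.split(None, 1)[0]
    if macro == "@reboot":
        raise ValueError("@reboot runs at startup and has no schedule")
    if macro in MACROS:
        line = MACROS[macro] + " " + line[len(macro):].strip()
    parts = line.split(None, 6 if system else 5)
    if len(parts) < (7 if system else 6):
        raise ValueError("expected five schedule fields and a command")
    job = {}
    for (name, lo, hi, names), expr in zip(FIELDS, parts[:5]):
        job[name] = expand_field(expr, lo, hi, names)
    # 7 is an alternative spelling of Sunday on some systems; fold it into 0.
    job["dow"] = sorted({day % 7 for day in job["dow"]})
    job["user"] = parts[5] if system else None
    job["command"] = parts[-1]
    return job


if __name__ == "__main__":
    # Constructed sample lines in the style of the ones shown in this guide.
    for text in ("*/4 * * * * command",
                 "0 3,11,16 * * tue,sat path/to/script/script.sh > /dev/null 2>&1",
                 "@daily path/to/script/script.sh"):
        job = parse_line(text)
        print(text, "->", job["minute"], job["hour"], job["dow"])
```

Passing system=True parses lines from /etc/crontab, where a user name sits between the schedule and the command.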

Crontab Restrictions

Imagine you are the system administrator and one of your users has started sending email marketing campaigns at the rate of 20,000 messages per hour. That may lead to poor experience for other users of your VPS, or you may want that user to just start paying more for the convenience. Or, you can restrict his crontabs on a user per user basis. That is where files /etc/cron.deny and /etc/cron.allow come into play. They contain a list of user names, one user name per row.

The /etc/cron.deny file exists by default and in the beginning it is empty. That means that all users of the system can use cron jobs. Users with names listed in that file will not be able to use cron at all.

The counterpart file is /etc/cron.allow – only the users with names in it will be allowed to use cron.

If neither file exists, and depending on other system parameters, either only the super user will be able to use cron jobs, or all users would be able to use cron jobs.
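The precedence between the two files, as an added example that is not part of the original tutorial: cron.allow is consulted first and cron.deny only when cron.allow is absent, following crontab(1). The function names, the etc_dir parameter and the site_default_open switch are assumptions of this example, and any special handling of root is not modelled.

```python
"""Work out who may use crontab from cron.allow and cron.deny."""
import os
import sys


def read_user_list(path):
    """Return the user names listed in a file (one per row), or None if absent."""
    try:
        with open(path, encoding="utf-8") as handle:
            return {row.strip() for row in handle if row.strip()}
    except FileNotFoundError:
        return None


def crontab_policy(etc_dir="/etc"):
    """Return (mode, names): which file is in force and the names it holds."""
    allow = read_user_list(os.path.join(etc_dir, "cron.allow"))
    deny = read_user_list(os.path.join(etc_dir, "cron.deny"))
    if allow is not None:
        return "allow-list", allow  # cron.deny is ignored once cron.allow exists
    if deny is not None:
        return "deny-list", deny
    return "site-default", set()


def may_use_crontab(user, etc_dir="/etc", site_default_open=False):
    """Decide for one user; site_default_open models the 'neither file' case."""
    mode, names = crontab_policy(etc_dir)
    if mode == "allow-list":
        return user in names
    if mode == "deny-list":
        return user not in names
    return site_default_open


def audit(accounts, etc_dir="/etc", site_default_open=False):
    """Summarise the policy for a list of account names and flag surprises."""
    mode, names = crontab_policy(etc_dir)
    deny = read_user_list(os.path.join(etc_dir, "cron.deny")) or set()
    return {
        "mode": mode,
        "permitted": sorted(a for a in accounts
                            if may_use_crontab(a, etc_dir, site_default_open)),
        # Names in the active file that match no account, e.g. a typo that
        # leaves the intended user unrestricted in a deny list.
        "unknown_names": sorted(names - set(accounts)),
        # Deny entries that have no effect because cron.allow takes over.
        "shadowed_deny": sorted(deny) if mode == "allow-list" else [],
    }


if __name__ == "__main__":
    import pwd  # Unix only; used just to list the local accounts
    etc = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    report = audit([entry.pw_name for entry in pwd.getpwall()], etc)
    for key, value in report.items():
        print(f"{key}: {value}")
```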

Using crontab Command on Ubuntu

Here is a handy command:

crontab -e

It asks to decide upon an editor and we choose nano.

Once in it, we see the crontab file contents:

Editing crontab File in Debian

The command is the same:

crontab -e

Choose nano amongst eight different editors that Debian offers:

You will end up in the same content as for Ubuntu, so we won’t repeat the image.

Editing crontab File in Centos

Use nano to edit the crontab file directly:

sudo nano /etc/crontab

and the contents of the crontab file are different:

Each time you change a crontab, you will need to restart the cron utility. Here are the relevant commands.

Start, Stop, and Restart cron on Ubuntu / Debian

sudo service cron status
sudo service cron start
sudo service cron stop
sudo service cron restart

Start, Stop, and Restart cron On Centos

service crond status
service crond stop
service crond start
service crond restart

Structure Of crontab Commands

Here are the parameters of the crontab command:

crontab -e Edit crontab file, or create one if it doesn’t already exist.
crontab -l Display crontab file contents.
crontab -r Remove current crontab file.
crontab -i Remove current crontab file with a prompt before removal.
crontab -u Edit other user’s crontab file. Must be run with system administrator privileges.

Examples of cron Commands

Schedule a backup script to run every day at 5:30 AM:

30 5 * * * /path/to/script/backup-script.sh

To schedule the backup on the first day of each month at 8 PM:

0 20 1 * * /path/to/script/backup-script.sh

It is possible to use several macros to start events in the beginning of hour, day, week, and month.

@hourly path/to/script/script.sh
@daily path/to/script/script.sh
@weekly path/to/script/script.sh
@monthly path/to/script/script.sh
@reboot path/to/script/script.sh

The last line, with @reboot, will execute after server reboot.

Saving the Output of cron Jobs

In general, the scripts we execute as cron jobs will generate some output. We can save it to log files, like this:

0 3,11,16 * * tue,sat path/to/script/script.sh > /path/to/logs/backup.log 2>&1

That command will execute on Tuesdays and Saturdays, at 3 AM, 11 AM and 4 PM, and will save the output to a file called backup.log in the directory /path/to/logs.

If we do not want to record any output, the command can look like this:

0 3,11,16 * * tue,sat path/to/script/script.sh > /dev/null 2>&1

How To Add cron Command To a crontab File

We simply open the crontab file with nano, and enter one or more of the above commands in the end. Here is crontab file found in the fresh server install in Centos:

sudo nano /etc/cron.d/0hourly

Now enter the line shown above and you’ll get:

Save and close the file and then restart crond in this case. Of course, in real life you would put your own script address instead of path/to/script/script.sh.

What Can You Do Next

Take a long and hard look at the way you are using your VPS and then surf around. You will find many repetitive tasks that you would like to automate so start using cron and crontab files as much as you can!

Dusko Savic is a technical writer and programmer.

duskosavic.com

The post How To Set Up Cron On Your VPS appeared first on Low End Box.

How to Replace Apache with NGINX on Ubuntu 18.04

NGINX is a modern web server created by computer software engineer Igor Sysoev in the year 2004. NGINX is used by the busiest, high-traffic websites. NGINX works out of the box with most major web stacks, including the LEMP (Linux, NGINX, MySQL, PHP) stack. This tutorial assumes that your website is hosted with the Apache web server and you want to migrate to NGINX. The migration replaces the Apache web server with NGINX without losing website data and with little downtime.

Why Replace Apache with NGINX?

There are several reasons to replace Apache with NGINX:

  • NGINX is the fastest web server that supports concurrent connections and supports high traffic website load.
  • NGINX consumes less RAM and CPU compared to Apache and it is resource friendly.
  • NGINX improves performance of website by supporting inbuilt cache system for faster access for website static contents like Images, CSS, JavaScript, etc.

What is the major difference between Apache and NGINX?

These are the major differences between Apache and NGINX:

  • The main configuration files for Apache and NGINX are located at /etc/apache2/apache2.conf and /etc/nginx/nginx.conf respectively.
  • NGINX uses server blocks but Apache uses virtual hosts.
  • NGINX and Apache both use the same default root directory /var/www/html.
  • NGINX has an inbuilt cache system but Apache doesn’t have any inbuilt cache system.

Pre Requirements

Before starting the tutorial you will need:

  • You will need an Ubuntu 18.04 VPS with a minimum of 1GB of RAM for smooth operations.
  • The Apache web server must be previously installed on your VPS.

Step-1: Remove the Apache Web Server

Before installing NGINX you will remove the Apache web server to avoid conflicts between them.

First of all, stop the Apache service before removing the Apache web server. This enables us to remove Apache without any issues.

$ sudo systemctl stop apache2

After stopping Apache, remove its startup entries with systemctl so that the Apache service won’t be started automatically at boot time.

$ sudo systemctl disable apache2

When the Apache service is successfully stopped and the startup entries are also removed, it is time to remove the Apache web server packages from the system.

$ sudo apt remove apache2

The above command removes only the apache2 packages; the Apache-related dependencies are kept on the system. So it is essential to remove those unwanted dependencies to free up space. This can be done with the given command.

$ sudo apt autoremove

Now, the Apache web server has been successfully removed. The installation of NGINX is described in the next step.

Step-2: Install the NGINX Web Server

Let’s begin with the installation of NGINX on Ubuntu. The Ubuntu default repository contains all the packages of NGINX. Installation is straightforward, so you can install it without any hassle using the apt package manager.

First remove and flush the old apt repository cache then update the repository to load latest packages information and perform a full upgrade to upgrade all the installed packages.

$ sudo apt clean && sudo apt update && sudo apt dist-upgrade

After updating the repository it is the right time to install the updated NGINX packages.

$ sudo apt install nginx

When NGINX has been successfully installed, continue with the next step, which will guide you through the firewall configuration for the NGINX web server.

Step-3: Configure UFW Firewall

The NGINX web server requires the HTTP port (port 80) and the HTTPS port (port 443) to be open in the firewall, so these ports must be kept open for NGINX to work. The UFW (Unified Firewall) is the default firewall for the Ubuntu 18.04 Linux distribution. Hence, you will add firewall rules to allow the HTTP and HTTPS ports.

By default no rules are added to the UFW firewall, so it is easy to add them. You need to add the HTTP and HTTPS port rules, which can be done with a simple command. The Nginx Full rule contains both the HTTP and HTTPS ports and allows them to be kept open by the UFW firewall.

$ sudo ufw allow "Nginx Full"

After adding the firewall rules, check which rules have been added or updated using the status command.

$ sudo ufw status

The above command shows the given sample output.

Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     LIMIT       Anywhere
Nginx Full                 ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
22/tcp (v6)                LIMIT       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

The above output shows that you have successfully added the firewall rules, and you are ready to move forward to configure the NGINX web server as described in the next step.

Step-4: Understanding the Configuration File of NGINX Web Server Compared to Apache Web Server

The configuration of NGINX is almost the same as that of the Apache web server, but the structure and syntax of the configuration files are different. This difference can be understood from the given sample configuration files of Apache and NGINX.

Sample Apache Configuration file is located at /etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html/

    <Directory /var/www/html/>
        Require all granted
        AllowOverride None
    </Directory>
</VirtualHost>

Sample NGINX Configuration file is located at /etc/nginx/sites-available/example.com.conf

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/html;

    location / {
        try_files $uri $uri/ =404;
    }
}

If you look carefully at both configuration files, you will find that the Apache configuration file is expressed as a virtual host and the NGINX configuration file is expressed as a server block. Having understood the difference between the configuration files of Apache and NGINX, you are ready to configure the rest of the NGINX configuration files as described in the next step.

Step-5: Configure NGINX Web Server

NGINX has the same capabilities as the Apache web server but it has faster support for concurrent connections. The configuration file of NGINX uses server blocks. You have to configure it with the same document root location, where all your static web assets like HTML, CSS, JavaScript and images are stored.

Note: Throughout this guide we assume that your document root is /var/www/html and the default domain name is example.com

In Ubuntu, the NGINX server blocks are located in the sites-available and sites-enabled directories inside the NGINX configuration directory. You will edit the server block files located in /etc/nginx/sites-available/ and create one to enable the server block for your domain. This method is highly recommended because it allows you to host more than one website, at different domains and file locations, on your Ubuntu server.

$ sudo nano /etc/nginx/sites-available/example.com.conf

Add the given lines and don’t forget to replace example.com and www.example.com with your base domain name and subdomain to enable server blocks for NGINX.

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/html;

    location / {
        try_files $uri $uri/ =404;
    }
}

When you have added all of these lines, hit Ctrl + O to save and Ctrl + X to exit from the nano text editor.

For the NGINX server block configuration files, you will create a symbolic link (soft link) between the sites-available and sites-enabled directories. With a soft link, whenever you make changes to the server block configuration file located in the sites-available directory, they are immediately reflected in the sites-enabled directory.

$ sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/example.com.conf

Next, check the NGINX configuration files for correct syntax. This command will also tell you where any errors are present.

$ sudo nginx -t

When all syntax is correct, it will show you Syntax OK as output. If anything goes wrong, please re-check the NGINX server block files. When all steps are completed, restart the service to put the changes into effect.

$ sudo systemctl restart nginx

When everything is ready, change the ownership of the default web root directory to the default NGINX user www-data so that it has read, write and execute permissions there.

$ sudo chown www-data:www-data /var/www/html

To verify that the www-data user and group own the default web root directory, run the given long listing command:

$ ll /var/www/html

After running this command, the output shows that the default web root directory /var/www/html is owned by the www-data user and group. This means the default NGINX user www-data will be able to read, write and execute in the default web root directory.

Conclusion

Lastly, you have successfully replaced Apache with NGINX. Now you are ready to use NGINX for your web property to enable fast access to web assets and a low memory footprint. In the end, NGINX can be used for various purposes and it can be used for both static and dynamic websites. For more information regarding NGINX, refer to the man pages available in Ubuntu.

The post How to Replace Apache with NGINX on Ubuntu 18.04 appeared first on Low End Box.

How to Secure Apache with Let’s Encrypt Ubuntu 16.04

In this tutorial, we will examine how to secure Apache with Let’s Encrypt for the Ubuntu 16.04 operating system. We will first examine an overview of Let’s Encrypt and certificate authorities, then dive into a step by step guide to install & configure Let’s Encrypt on your Ubuntu 16.04 VPS servers, and then review how to automatically renew SSL certificates.

What is Let’s Encrypt?

Let’s Encrypt is a free, automated, and open Certificate Authority (CA), that provides the ability to secure a website. Let’s Encrypt also provides automation and tools to reduce setup and maintenance challenges needed to secure web servers using HTTPS (SSL/TLS).


Why use Let’s Encrypt as your Certificate Authority?

Let’s Encrypt is free, easy to create, configure, and renew certificates on web servers (like Apache).

Most administrators who host web servers have a goal of attracting new visitors along with retaining end-user attention – as this often translates into profits or a growing website community. People hosting web servers also want to reduce maintenance and cost.

End users, on the other hand, are motivated to visit websites that are safe and do not compromise their security.

To satisfy both administrators and end users, a Certificate Authority is used to validate the authenticity of the web server’s domain name.

Traditional CA (Certificate Authority) solutions like Verisign required domain owners to pay a fee to use the CA services; this is no longer required when using Let’s Encrypt. The Let’s Encrypt service is funded by sponsors and donors.


How Certificate Authority works

  1. The web server admin creates a private and public key pair. Using the public key the website admin will create a CSR (certificate signing request) and then send the CSR to a Certificate Authority.
  2. The Certificate Authority signs the CSR and returns a final certificate that the web server admin will install on their web server.
  3. The final certificate is signed by the Certificate Authority’s private key and holds metadata about the admin’s web server.
  4. When a website visitor goes to the web page, the visitor’s browser will download the final certificate from the web server. The visitor’s browser will contact the Certificate Authority to make sure that the certificate downloaded from the website is valid.
  5. If the Certificate authority confirms that the certificate is authentic/valid, the website visitor will receive a green padlock in their browser in the URL address box. This will notify the end user that the website is safe to visit.


Prerequisites to installing Let’s Encrypt on Ubuntu

  1. You must be an administrator of the domain name you want to secure; for this tutorial, we will be using the DNS hostname “LetsEncryptTutorial.ddns.net”.
  2. You need to have your public IP address.
  3. You must install Apache web server if it’s not already installed.


Install Apache

  1. Update the Ubuntu apt repository package definitions. Open a command line terminal and type “apt update” or if you are logged in as a non-root user, type “sudo apt update”.

  2. To install Apache: “apt install apache2 -y” or “sudo apt install apache2 -y”

  3. Change into the directory called /var/www/html and ensure an index.html file exists in the directory.

  4. Optional but recommended: Edit the default index.html title to be unique (example: Let’s Encrypt tutorial website) by adding “Let’s Encrypt tutorial” to the body. NOTE: This is simply to help you confirm the server is resolving and you are not accessing cached pages.

  5. If using systemd for startup, restart Apache with “systemctl restart apache2”, or “sudo systemctl restart apache2” if using a non-root user. If using init, run “service apache2 restart”

  6. Confirm Apache is running properly on your system. If using systemd use “systemctl status apache2” and if using init use “service apache2 status”

  7. Confirm that the modified default Apache website is now available via a web browser

First, confirm that port 80 is open and working by going to the following URL,
http://:80 (you should see your edited webpage)

Next, confirm that the web server SSL port 443 is also open and working by going to the following,
https://:443

NOTE: When the server resolves in a browser using port 443 you will get a “Not Encrypted” or “Not Secure” error in the address bar. That’s ok.

Caution: Do not proceed to the following steps if you are not able to successfully reach your Apache server on both ports 80 and 443. If the server does not resolve to either port contact your network admins to ensure that both ports are configured to allow web traffic.

Once we know Apache is resolving correctly, we can move on to the next section of this tutorial.


How to set up Let’s Encrypt on Apache

  1. Install common tools “apt-get install software-properties-common -y” if logged in as root user

  2. Add the apt component for installing new repositories, by running: “add-apt-repository universe”

  3. Add certbot to the list of apt repositories “add-apt-repository ppa:certbot/certbot”

  4. Update apt to detect the newly added repositories: “apt update”

  5. Install certbot to create and renew certificates using Let’s Encrypt: “apt-get install certbot python-certbot-apache -y”

  6. Run the certbot command to create SSL for your domain.

  7. Now visit https:// to verify that your new certificate works properly and your website has a valid certificate. You will notice a green lock icon confirming a secured connection is established with your Apache server. Click the green lock to get details about the SSL certificate.


How to automate the renewal of Let’s Encrypt

It is highly recommended to automate the renewal of your certificate to avoid http traffic interruption due to an expired SSL certificate. For example, on the Apache server you can create a cron job to renew the certificate every month on the 10th at 6:04 am by typing “sudo crontab -e”, adding the following line at the bottom, and then saving and exiting.

4 6 10 * * certbot --apache --force-renewal renew --quiet
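Because the job above runs quietly, a failed renewal produces no output, so it helps to check the expiry date independently. The following Python check is an added example, not part of the original tutorial or of certbot; the function names and the 30-day alert threshold are assumptions of this example.

```python
"""Report how long a server certificate has left before it expires."""
import socket
import ssl
import sys
import time

ALERT_BELOW_DAYS = 30  # assumption of this example: warn when under 30 days


def days_left(not_after, now=None):
    """Days until expiry for a notAfter string like 'Jan  5 09:34:43 2018 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after, now=None, threshold=ALERT_BELOW_DAYS):
    """Return 'expired', 'renew-now' or 'ok' for one notAfter value."""
    remaining = days_left(not_after, now)
    if remaining <= 0:
        return "expired"
    if remaining < threshold:
        return "renew-now"
    return "ok"


def fetch_not_after(host, port=443, timeout=10):
    """Fetch the notAfter field of the certificate a live server presents."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host, port=443):
    """Return (status, detail) for a host, including handshake failures."""
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLCertVerificationError as error:
        # An expired or untrusted certificate fails verification before
        # notAfter can be read, so report the verifier's message instead.
        return "invalid", error.verify_message
    except OSError as error:
        return "unreachable", str(error)
    return classify(not_after), f"{days_left(not_after):.0f} days left"


if __name__ == "__main__":
    # Usage: python3 cert_check.py your.domain.example
    status, detail = check_host(sys.argv[1])
    print(f"{sys.argv[1]}: {status} ({detail})")
    sys.exit(0 if status == "ok" else 1)
```

The script exits non-zero for anything other than "ok", so it can itself be scheduled from cron and report through MAILTO.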


EOF

The post How to Secure Apache with Let’s Encrypt Ubuntu 16.04 appeared first on Low End Box.

How to Setup & Configure VestaCP on Ubuntu 16.04

VestaCP is a versatile open-source control panel for Linux machines. It provides a point & click, clutter-free interface, simplifying server administration tasks at the same time.   In this tutorial we will walk you through the process of installation, configuration, and first time usage of this free and open-source web hosting control panel.

As a part of the installation, VestaCP will install and configure the following for you:

  • Apache web server with Nginx as the frontend. Nginx will serve static files (such as images and CSS), while Apache will render PHP and HTML files.
  • vsftpd, an FTP server
  • Exim and Dovecot, so you can create and use email accounts
  • MySQL database
  • Softaculous, an application auto-installer

It requires 512MB RAM, 1Ghz CPU, and 20Gb disk space.

In this article, you will install VestaCP on your VPS. Then, you’ll setup a new site in VestaCP, along with an email address (at your domain).

Prerequisites

  • A clean VPS running Ubuntu 16.04 with at least 512MB RAM, 1GHz CPU and 20Gb disk space.
  • A domain name for hosting VestaCP and your sites, pointed to your machine’s IP address at your DNS provider. We will use panel.example.com for Vesta, and test.example.com for the website throughout the tutorial.
  • If you wish to set up email accounts, you’ll need to have PTR records correctly set for your server. This can be done only by your hosting provider.

Step 1 – Installing VestaCP

First, login to your VPS as root via SSH. After logging in, navigate to the /tmp directory by running the following command:

cd /tmp

Then, download VestaCP installation script by running:

curl -O http://vestacp.com/pub/vst-install.sh

Run it with:

bash vst-install.sh --force

The --force parameter overrides Vesta’s warnings such as Apache already being installed, the admin group already being present in the system and so on. The warning may look like this:

With the --force option you go directly to the installation prompt:

Answer with y. You will be asked to provide your email address and a FQDN hostname. Enter an email where you would like to receive messages from Vesta, and for the hostname, enter your domain name, which you have set up in the prerequisites.

Vesta will then start the installation, and it will take about 15 minutes to complete. You won’t need to enter anything else. When it finishes, you will see a message that looks like this:

Note the username (admin) and the generated password – you’ll need them to log in to Vesta.

Step 2 – Logging in to Vesta

Navigate to the domain shown in the message in your web browser. Note the :8083 at the end of the address – that is the default port for accessing Vesta.

During the installation, Vesta created a self-signed certificate to enable HTTPS access. That is why your browser may show a warning  about TLS certificates being self-signed — here is what it would look like in case of Mozilla Firefox:

In case of Chrome, the message will be:

In spite of the warnings, proceed to the advanced section and create an exception for your browser.

You will be asked to log in:

Enter the credentials you noted previously and press the Login button. You will see Vesta control panel:

Notice the columns in the center upper part of the screen. They allow access to the core of Vesta’s functionality – managing users, their websites, DNS records, email addresses, databases and backups.

Step 3 – Creating a New User

After the installation of Vesta, there will be exactly one user, called admin, as shown in the image above. Adding a new user is a frequent task when setting up Vesta, as you’ll need one new user for each new site that you are creating.

When you want to create a new resource in Vesta (be it a user, a domain, or whatever else), you’ll need to click the green plus button, which will expand with additional text when you hover mouse cursor over it.

So, to add a new user, press the green plus button on the Users page. You’ll see the following form:

Fill in the username and password with your desired credentials, the first and last name with your name, and type in your email. When you’re done, scroll down and press Add.

Vesta will then show the same page you were on before, with a message informing you that the user has been successfully created. For a user named example-user, here’s what the message will look like:

For each available user, you have the options such as Logout, Edit, Suspend, and Delete. They will unintuitively appear only when you hover your mouse cursor over the row, and they look like this:

Step 4 – Create a New Web Site

Click the link shown to log in as the newly created user, and when you become logged in, click the Web column. Press the green plus button to create a new web site.

Enter the domain name (ours is test.example.com). As noted in the prerequisites, you’ll need to point the domain name to the IP address of your server beforehand. For instructions on how to achieve this, consult your DNS provider.

FTP access

To be able to access files in your site, you will need to create a FTP user for it. To do so, press on Advanced Options and check the additional FTP option. Then, enter username for the new FTP user (maximum safe length is 8 characters), and a password. You can press on Generate to let Vesta create one for you. Note it down for future reference, because that is how you will be accessing your website’s files from now on. If you want to create an additional FTP user, press Add One More FTP Account and repeat the process.

Enabling HTTPS

If you want to have HTTPS enabled for your site (and you most certainly do), check the SSL Support option.

Then, you’ll have to fill in the required fields with the data you got from your certificate issuer, or automate the whole process for free by checking Lets Encrypt Support. Let’s Encrypt is a fully trusted certificate authority which issues completely free certificates, which last 90 days. You can check this option provided you have certbot (the program which actually requests the certificates) installed on your system, and Vesta will create and renew them for you. Keep in mind that if you do select this option, Vesta will take a longer time to add the new website, so don’t press the Add button twice.

Tracking Site Statistics

VestaCP also allows you to set up either webalizer or awstats web statistics software. Without delving deeply into which one of them is better, note that Webalizer does not differentiate between human visitors and bots in its reports, while awstats tries to.

When you are done, click on Add to create the website in Vesta. When the page loads, you’ll see the new website in the list. If you navigate to your domain in your browser, you’ll see a placeholder page created by Vesta that shows the domain name.

Step 5 – Create an Email Account

Click on the Mail column in the center. To create an email address, you’ll first have to add an email domain in Vesta, after which you will be able to create unlimited amounts of email addresses. As in the previous steps, start adding an email domain by clicking the green plus button.

You’ll only need to enter a domain name. Leave the AntiSpam and AntiVirus options checked, which will increase security at no additional expense. When you are finished, press the Add button.

As in the case of Users, additional options will show up when you hover your mouse cursor over it. To list the existing email accounts for that domain, click the List Account button. Otherwise, to add a new email address (account), click Add Account.

Type in your desired email address (without the @domain part) in the Account field. Next, enter your desired password, or let Vesta create one for you by pressing on Generate. You can see how the final configuration will look like in the box shown on the right.

If you wish to set a storage quota or set up email forwarding, press on Advanced Options and type in the relevant information. When you are done, press Add.

You’ll be returned to the listing. Vesta will show you a success message that looks like this:

You can press the Open Webmail link, which will open Roundcube. Roundcube is a mature open source web mail software used by many. It will ask you to log in – enter the full email address you just created as the username as well as your password, then click on Login. Once in Roundcube, you’ll be able to read and write email as you normally would.

Dusko Savic is a technical writer and Flutter programmer.
duskosavic.com

The post How to Setup & Configure VestaCP on Ubuntu 16.04 appeared first on Low End Box.

Install and Secure phpMyAdmin on Ubuntu 16.04 VPS

With this tutorial, you will be able to install and secure phpMyAdmin, the most popular program for accessing MySQL and MariaDB databases on Internet servers.

What We Are Going To Cover

  • Installing the LAMP stack (Linux, Apache, MySQL, PHP)
  • Adding PHP extensions to run phpMyAdmin
  • How to install phpMyAdmin itself

To secure phpMyAdmin, we are going to:

  • Install Let’s Encrypt
  • Edit php.ini to eliminate showing of PHP errors
  • Restrict access to folders templates and libraries
  • Prevent robots from accessing phpMyAdmin
  • Hide phpMyAdmin behind an authentication proxy
  • Change the URL of phpMyAdmin

Prerequisites

We will install and deploy phpMyAdmin on:

  • a clean installation of Ubuntu 16.04,
  • with at least 512 MB of RAM available on the server and
  • at least 15 GB free disk space.
  • You will need root user access.

To install Let’s Encrypt certificates

  • You must have DNS records for your domain already set up to point to your VPS.

Step 1: Install Apache

First, update your package manager’s cache:

sudo apt update -y

Install the Apache web server:

sudo apt install apache2 -y

Enable its service to make it run on every system boot:

sudo systemctl enable apache2

Finally, start it:

sudo systemctl start apache2

To verify that Apache was installed successfully, access it from your local browser by navigating to http://YOUR_DOMAIN/. If that does not work, try adding :80 at the end, like this:

http://YOUR_DOMAIN:80

You should see a welcome page for Apache, which means that you now have Apache running.

Step 2: Install PHP 7.3

At the time of this writing, phpMyAdmin requires a version of PHP 7.1.0 or newer to be installed. We shall install PHP 7.3. First, install the prerequisite packages:

sudo apt install software-properties-common python-software-properties

Then, add the ondrej PPA:

sudo add-apt-repository -y ppa:ondrej/php

and update your sources by running:

sudo apt update

Install PHP 7.3 using the following command:

sudo apt install php7.3 php7.3-cli php7.3-common

Step 3: Install Required PHP Extensions

The PHP extensions that phpMyAdmin requires are:

  • session support, the Standard PHP Library (SPL) extension, hash, ctype, and JSON support
  • mbstring, zip, gd, openssl, libxml, curl

Install them:

sudo apt install php7.3-curl php7.3-gd php7.3-json  php7.3-mbstring php7.3-intl php7.3-mysql php7.3-xml php7.3-zip

Restart Apache to activate:

sudo systemctl restart apache2

Step 4: Install MariaDB

Install MariaDB database with the following command:

sudo apt install mysql-server -y

This will install MariaDB database server (an enhanced fork of MySQL). You will be asked to enter password for the MySQL root user. (Use Tab key from the keyboard to switch to the OK button and press Enter on the keyboard.)

Then, secure MySQL installation by running:

sudo /usr/bin/mysql_secure_installation

Press 2 to select the highest level of password complexity. Answer y to every prompt you get afterwards.

So you enter one password first, to enable access to MySQL, then enter another password to secure the installation. Store that second password as you will need it in Step 5 of this article.

To make it run on every system boot, enable it via systemctl:

sudo systemctl enable mysql

Step 5: Install phpMyAdmin From Ubuntu Repository

It is possible to install phpMyAdmin via Composer and Git, but the easiest way is to pull it from the Ubuntu repository:

sudo apt install phpmyadmin php-mbstring php-gettext

You will see this window:

Press space on the keyboard, otherwise the Apache option will NOT be checked. Then, press Tab and Enter to finish data entry in this window.

Press Enter in the next window to let the installer configure a suitable database for phpMyAdmin for you.

In the next screen, enter a password with which phpMyAdmin will connect to the database. That will be the second password from Step 4:

The installation process created the file phpmyadmin.conf in the directory /etc/apache2/conf-enabled/. Apache will automatically read in all files in that directory.

Execute the following command to see the new file:

ls /etc/apache2/conf-enabled/

Finally, restart Apache so that all these changes take effect:

sudo systemctl restart apache2

Step 6: Securing Your Site To Serve Only HTTPS

If you have a domain name and DNS records properly set up to point to your VPS, you can use certbot to generate Let’s Encrypt certificates. This means that you will always access phpMyAdmin (and the rest of YOUR_DOMAIN) via HTTPS.

We will follow the original documentation to install Let’s Encrypt. Choose Apache for software and Ubuntu 16.04 (xenial) for System. It should look like this:

The site will then generate the following commands for you to enter into the command prompt of your VPS:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-apache 
sudo certbot --apache

You will be asked for the DNS name of your site and whether you want to route all traffic from HTTP to HTTPS. Choose this option, as that is the sole reason for installing Let’s Encrypt in the first place.

Now that the access to site is secure behind HTTPS, we can access phpMyAdmin for the first time, without fear that someone could sniff our database user name and password.

Go to this address in your browser:

http://YOUR_DOMAIN/phpmyadmin

Note that this address started with HTTP, but it will end up as HTTPS.

You should see the familiar interface of phpMyAdmin:

Step 7: Securing the Instance of phpMyAdmin

There are several ways to secure the instance of phpMyAdmin. We will show only those that do not require access to phpMyAdmin source code.

Edit php.ini To Eliminate Showing of PHP Errors

Open the config file for PHP and eliminate showing of the errors for all PHP apps:

sudo nano /etc/php/7.3/apache2/php.ini

With Ctrl-W search for “Error handling and logging”. You’ll see something like this:

You will want to change the so-called production values in that document.

We want to turn off any errors that PHP might return. Find the row that starts with error_reporting and set it to off or to this:

error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

(Optional) Restrict Access to Folders templates and libraries

Folders templates and libraries in your phpMyAdmin installation must not be accessed by non-authorized visitors. This kind of protection should be installed right from the start, but if that is not the case, here is how we can allow only, say, the root user to access these folders:

sudo chown -R root:root /usr/share/phpmyadmin/templates
sudo chmod 0750 /usr/share/phpmyadmin/templates
sudo chown -R root:root /usr/share/phpmyadmin/libraries
sudo chmod 0750 /usr/share/phpmyadmin/libraries

Prevent Robots From Accessing phpMyAdmin

To prevent robots from accessing your phpMyAdmin installation, create a .htaccess file:

sudo nano /usr/share/phpmyadmin/.htaccess

then enter the following text into it:

RewriteEngine on

RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|wkito|pikto|scan|acunetix).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^.*(AdsBot-Google|ia_archiver|Scooter|Ask.Jeeves|Baiduspider|Exabot|FAST.Enterprise.Crawler|FAST-WebCrawler|www.neomo.de|Gigabot|Mediapartners-Google|Google.Desktop|Feedfetcher-Google|Googlebot|heise-IT-Markt-Crawler|heritrix|ibm.comcs/crawler|ICCrawler|ichiro|MJ12bot|MetagerBot|msnbot-NewsBlogs|msnbot|msnbot-media|NG-Search|lucene.apache.org|NutchCVS|OmniExplorer_Bot|online.link.validator|psbot0|Seekbot|Sensis.Web.Crawler|SEO.search.Crawler|Seoma.[SEO.Crawler]|SEOsearch|Snappy|www.urltrends.com|www.tkl.iis.u-tokyo.ac.jp/~crawler|SynooBot|crawleradmin.t-info@telekom.de|TurnitinBot|voyager|W3.SiteSearch.Crawler|W3C-checklink|W3C_Validator|www.WISEnutbot.com|yacybot|Yahoo-MMCrawler|Yahoo!.DE.Slurp|Yahoo!.Slurp|YahooSeeker).* [NC]
RewriteRule .* - [F]

This may be just a beginning in your battle against the robots, but the code above is a good start.

Hiding phpMyAdmin Behind an Authentication Proxy

You can force your users to enter login details before accessing phpMyAdmin. To that end, configure your web server to request HTTP authentication. Open the phpmyadmin.conf file for editing:

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

Find the following line in the nano editor: “<Directory /usr/share/phpmyadmin>”. Add the line “AllowOverride All”, then save and close the file.

This is what it will look like in the editor:

Restart Apache for these changes to take effect:

sudo systemctl restart apache2

Now Apache can read .htaccess file for phpmyadmin folder, but we haven’t created that file as yet. Create it by running:

sudo nano /usr/share/phpmyadmin/.htaccess

Enter the following text:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

Save and close the file.

Here is what the commands in this file do:

  • AuthType defines what kind of authentication will be used. “Basic” means it will ask for a password.
  • AuthName is the name of the rule applied for authentication. In our case, that is a string that will appear in the dialogue when asking user for login details.
  • AuthUserFile – where will the password file reside? We are going to create this file outside of the usual paths for files.
  • Require – Who will have access to the main site? In this case, only valid users will have it, while none of the others will be let in.

Now, create a password file with the following command:

sudo htpasswd -c /etc/phpmyadmin/.htpasswd username

Executing it will define a user called username in the password file, and will ask for a password. Store that password in a secure place as you will need it as soon as you visit the address

http://YOUR_DOMAIN/phpmyadmin

You will see a form prompting you to enter a username and password:

Once you enter it successfully, you will be redirected to another form asking for login details.

Into that second form, enter login credentials for the database. You can log in as root using the password you set up previously, in Step 4.

Changing the URL of phpMyAdmin

Instead of using a very obvious name of /phpmyadmin, you can use something else. Access the configuration file like this:

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

Put phpmyadmin234 instead of phpmyadmin. Here is how the relevant part in the editor may look:

Use this address in your browser to access phpmyadmin:

http://YOUR_DOMAIN/phpmyadmin234

Restart Apache to activate:

sudo systemctl restart apache2

This is a “security through obscurity” approach at work. Most bots won’t try other paths except the default one anyways.
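
Neither the Basic-auth prompt nor the renamed URL tells you when someone is guessing passwords or scanning for the default path, so the access log is worth checking. The script below is an added example, not part of the original article: it assumes Apache's combined log format, the function names are hypothetical, and the log lines are constructed, using documentation-range IP addresses.

```sh
#!/bin/sh
# Added example: triage an Apache access log for activity against a
# phpMyAdmin instance behind HTTP Basic auth on a renamed alias.

# Constructed sample log lines (combined log format).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2019:10:00:01 +0000] "GET /phpmyadmin234/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - username [10/Mar/2019:10:00:09 +0000] "GET /phpmyadmin234/ HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.23 - root [10/Mar/2019:10:02:11 +0000] "GET /phpmyadmin234/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.23 - admin [10/Mar/2019:10:02:12 +0000] "GET /phpmyadmin234/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.23 - test [10/Mar/2019:10:02:13 +0000] "POST /phpmyadmin234/index.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2019:10:05:40 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 276 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2019:10:05:41 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 276 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2019:10:06:00 +0000] "-" 408 0 "-" "-"
EOF
}

# auth_failures [threshold] [alias] < access.log
# Prints "IP count" for clients with at least <threshold> 401 responses under
# the alias. A normal browser login produces one 401 (the challenge) before
# the credentials are sent, so the threshold should be above 1.
auth_failures() (
    threshold=${1:-3}
    alias_path=${2:-/phpmyadmin}
    awk -F'"' -v min="$threshold" -v prefix="$alias_path" '
        {
            split($1, pre, " ")       # pre[1] = client IP
            n = split($2, req, " ")   # req[2] = requested path
            split($3, res, " ")       # res[1] = status code
            if (n < 2) next           # empty or malformed request line
            if (res[1] == "401" && index(req[2], prefix) == 1) fails[pre[1]]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
    ' | LC_ALL=C sort
)

# default_path_probes [alias] < access.log
# Prints "IP count" for clients asking for /phpmyadmin (any letter case)
# when the instance actually lives under a different alias.
default_path_probes() (
    alias_path=${1:-/phpmyadmin234}
    awk -F'"' -v alias="$alias_path" '
        {
            split($1, pre, " ")
            n = split($2, req, " ")
            if (n < 2) next
            path = tolower(req[2])
            if (path ~ /^\/phpmyadmin/ && index(path, tolower(alias)) != 1)
                seen[pre[1]]++
        }
        END { for (ip in seen) print ip, seen[ip] }
    ' | LC_ALL=C sort
)

echo "Repeated Basic-auth failures (IP count):"
sample_log | auth_failures 3 /phpmyadmin234
echo "Requests for the default path (IP count):"
sample_log | default_path_probes /phpmyadmin234
```

On the server, feed it the real log instead of the sample, for example auth_failures 5 /phpmyadmin234 < /var/log/apache2/access.log.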

Dusko Savic is a technical writer and Flutter programmer.

duskosavic.com

The post Install and Secure phpMyAdmin on Ubuntu 16.04 VPS appeared first on Low End Box.

How To Install And Configure Postfix on Ubuntu 16.04

With this tutorial, you will learn how to install and use Postfix, an open-source mail transfer agent. With Postfix, you will be able to send and receive e-mail, and also send them through third party SMTP servers, such as gmail.com.

What We Are Going To Cover

  • Creating a user which will send and receive mail
  • Interactive installation of Postfix
  • Configuring Postfix through file main.cf
  • Setting up mailbox for Postfix
  • Setting up the virtual maps file
  • Adding firewall rule to enable Postfix
  • Mail location (in which folder to hold mail files)
  • Checking Postfix status
  • Using Postfix via TELNET
  • Installing a mail client
  • Working with the mail client

Prerequisites

We will install and configure Postfix on Ubuntu 16.04:

  • Starting with a clean VPS with
  • At least 512 MB of RAM and
  • 15 GB of free disk space.
  • You will need root user access and
  • DNS records for your domain must be already in place, especially PTR and MX.

Step 1: Creating a Non Root User

Once you are logged in as root, you can create a new user account that will receive and send mail to and from Postfix. To create a user called postfixuser, run the following command:

adduser postfixuser

Then, add it to the sudo group, so that you can run commands as sudo:

usermod -aG sudo postfixuser

Step 2: Interactive Installation of Postfix

Postfix is quite easy to install. First, update the system cache and dive into the installation right away.

sudo apt update
sudo apt install postfix

You will be guided by a series of three screens, to define basic parameters for Postfix. Press Tab key on the keyboard to move cursor to the button Ok and then press Enter.

The first screen explains the choices you have, but you get to actually select them on the next screen.

Select option Internet site.

For the screen above (the mail name), enter the proper name of your domain, the one you have previously set up with your DNS registrar.

Step 2A (optional): Full Interactive Installation of Postfix

There is another command to install Postfix:

sudo dpkg-reconfigure postfix

It will offer the same first three screens and will then continue with the following screens, for more granular control:

Here enter the name of the user that will receive mail for the system administrator.

On this screen, you define the final destination of the email. Select Ok as the choices offered are good enough.

Select No on this screen, as you are using a journaled system for data.

Choose Ok to accept the default values in above screen.

Again, select Ok to choose 0 for limit on Postfix files.

You can select the character that will define local address extensions – just press on Ok.

Use vertical cursor keys to select one of the three values. Select All.

That was the last screen in interactive Postfix installation.

Step 3: Configuring Postfix Through Configuration File main.cf

The main configuration file for Postfix is located at /etc/postfix/main.cf. Open it for editing with this command:

sudo nano /etc/postfix/main.cf

and you’ll see this:

You will recognize values that we have entered in the manual installation procedure.

If you change something in this file, execute this command:

/etc/init.d/postfix reload

for the new values to take effect.

Load new aliases and then enable and restart the Postfix service so that it is always available:

sudo newaliases
sudo systemctl enable postfix
sudo systemctl restart postfix

Step 4: Set Up Mailbox for Postfix

When the mail messages start arriving, we can keep them as separate files or in one large file. The former possibility is known as Maildir format, while the latter is known as mbox format. To denote that we shall use the Maildir format, we have to change the value of the parameter home_mailbox in the main.cf file.

One way to do it is via nano editor and the other is by using the following command:

sudo postconf -e 'home_mailbox= Maildir/'

postconf is a program that changes main.cf “from the outside”, parameter by parameter.

Step 5: Setting Up the Virtual Maps File

We will now connect email addresses with users on your VPS. We have already created a user called postfixuser, so let’s now connect them to two email addresses: info@example.com and office@example.com. (Change this generic name example.com to your actual domain name.)

Postfix holds connections in the file /etc/postfix/virtual and there is a parameter virtual_alias_maps in the config file to change. Taken together:

sudo postconf -e 'virtual_alias_maps= hash:/etc/postfix/virtual'

Then, open this file in nano:

sudo nano /etc/postfix/virtual

Add the following lines to configure the addresses:

postfixuser@example.com postfixuser
office@example.com postfixuser

To inform Postfix about these changes, restart its process again:

sudo postmap /etc/postfix/virtual
sudo systemctl restart postfix

Step 6: Change Firewall Rules to Enable Postfix

If you are using a firewall, you’ll need to configure it to allow Postfix and email. The firewall called ufw (Uncomplicated Firewall) should already be installed on Ubuntu, so you can add Postfix with one line only:

sudo ufw allow Postfix

If ufw is not there, first install it with these two commands:

sudo apt install ufw

sudo ufw enable

After installation you would have to denote ALL ports that you want to be operational, like this:

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow Postfix
sudo ufw enable

WARNING: If you omit the lines with ssh, http, https and so on, you will NOT be able to log into your VPS server! You are strongly advised to study the ports that your hosting provider counts on to exist and include them in the above list.

Step 6: Mail Location

Mail location should be updated so that all users know about it. There are two places in which we need to add the new location: /etc/bash.bashrc and /etc/profile.d/mail.sh.

You can change both files with the following command:

echo 'export MAIL=~/Maildir' | sudo tee -a /etc/bash.bashrc | sudo tee -a /etc/profile.d/mail.sh

It will add export MAIL=~/Maildir to these files at the very end of each.

To see the result, execute

sudo cat /etc/bash.bashrc

and see export MAIL=~/Maildir as the last statement in the file:

Ditto for /etc/profile.d/mail.sh:

sudo cat /etc/profile.d/mail.sh

When starting, Ubuntu will read and execute all files ending with .sh in the folder /etc/profile.d/. Instead of restarting your VPS, execute

source /etc/profile.d/mail.sh

to reload mail.sh into the current session.

Step 7: Switch To a Particular User

This is a simple command but will save you many hours of debugging. We switch to, then send and receive mails as one particular user. If you try to proceed as root you will most likely get this error:

Can't canonicalize "/root/Maildir"

The way out is switching to a non root user, like this:

su postfixuser

Step 8: Checking Postfix Status

Running the command

sudo postfix status

will inform us whether Postfix is running or not. A typical output would be:

In case it is not running, start it again:

sudo postfix start

Step 9: Using Postfix Via TELNET

We have installed and configured Postfix, but is it working properly?

Assuming port 25 on your VPS is open, we can test Postfix by using a service called TELNET.

telnet localhost 25

Here is a typical output that you will see:

The line starting with 500 is an error, because I have intentionally pressed Enter. Telnet is expecting you to enter an email, line by line:

ehlo localhost
mail from: root@localhost
rcpt to: fmaster@localhost
data
Subject: My first mail on Postfix

Hi there,
How is your day today?
Hope all is well!

Admin
.
quit

A dot in the end signals the end of input and quit in the last line takes us back to the terminal command line.

With each quit, your message will be queued, that is, will be sent as an email.

Step 10: Installing a Mail Client

In order to see emails and do something with them, we have to install an email client. There are several applications to consider, the most popular are s-nail and mailutils. They all lead to the same virtual package mailx, and all are activated by command mail in the command line.

The command

sudo apt install mailutils

will give us a command-line mail utility program.

Another contender, s-nail, can be installed by running this command:

sudo apt install s-nail

Open its configuration file s-nail.rc:

sudo nano /etc/s-nail.rc

then add the following lines at the end of the file:

set emptystart
set folder=~/Maildir
set record=+sent

Step 11: Working With the Mail Client

Let’s send our first email via the mail command:

echo 'init' | mail -s 'init' -Snorecord postfixuser

From this image

we see that first we had four messages (sent via telnet in my case) and that after executing the above command, we have five messages in the folder. It means Postfix and the mail program are working correctly.

The question mark in the beginning of the line means that we can enter commands to the mail client, for instance:

  • enter – show the message,
  • h – go back one message,
  • d – delete current message,
  • file +sent – messages that were sent,
  • q – quit the terminal.

It is also possible to send messages with mail, like this:

echo "Beginning" | mail -s 'Great News Ahead' example@example.com

The message will be sent out, but you will, most probably, first notice that you have received new messages, like this:

When you open the message, it will explain what went wrong. Number 550 for error may mean something like

  • Verification failed
  • Unrouteable address
  • Sender verify failed

The incoming server tried to see who is sending email and – finding no additional information – refused to accept it. This is to be expected in the era of spam all across the globe.

What To Do Next

You now have Postfix running and one or two email clients as well. They are all command line based, and are good for administrators only. Your users will need to have a graphical interface to email and for that, we need not only Postfix, but some additional programs as well. One such program for SMTP transfer is Dovecot, or you may connect Postfix with a service such as gmail.com, to send an email from a proxy address.

Dusko Savic is a technical writer and Flutter programmer.

duskosavic.com

The post How To Install And Configure Postfix on Ubuntu 16.04 appeared first on Low End Box.

Set Up And Configure Postfix E-Mail Server with Dovecot On Ubuntu 16.04

With this tutorial, we assume that you have already installed Postfix, an open-source mail transfer agent. After that, we install and configure Dovecot, an open source IMAP and POP3 email server for Linux/UNIX-like systems.

Finally, we shall install SquirrelMail, a mail user interface, to show that Postfix and Dovecot really work.

What We Are Going To Cover

  • How to install Apache and PHP 7.3
  • Install Postfix mail server
  • Installing Dovecot as a mail client
  • Install and configure SquirrelMail
  • Annulling errors in SquirrelMail installation
  • Creating a user which will send and receive mail
  • Send mail from SquirrelMail

Prerequisites

We use Ubuntu 16.04:

  • Starting with a clean VPS with
  • At least 512 MB of RAM and
  • 15 GB of free disk space.
  • You will need root user access and
  • DNS records for your domain must be already in place, especially PTR and MX.
  • In this post we assume that you have worked through “How To Install And Configure Postfix“, and that you have Postfix up and running as instructed.

We start from scratch and install all that we need to finish up with a running SquirrelMail.

Step 1: Install Apache

First, update your package manager’s cache:

sudo apt update -y

Install the Apache web server:

sudo apt install apache2 -y

Enable its service to make it run on every system boot:

sudo systemctl enable apache2

Finally, start it:

sudo systemctl start apache2

To verify that Apache was installed successfully, access it from your local browser by navigating to http://YOUR_DOMAIN/. If that does not work, try adding :80 at the end, like this:

http://YOUR_DOMAIN:80

You should see a welcome page for Apache, which means that you now have Apache running.

Step 2: Install PHP 7.3

First, install the prerequisite packages:

sudo apt install software-properties-common python-software-properties

Then, add the ondrej PPA:

sudo add-apt-repository -y ppa:ondrej/php

and update your sources by running:

sudo apt update

Install PHP 7.3 using the following command:

sudo apt install php7.3 php7.3-cli php7.3-common

Step 3: Install PHP Extensions

These are the usual extensions that many programs expect to be there:

  • session support, the Standard PHP Library (SPL) extension, hash, ctype, and JSON support
  • mbstring, zip, gd, openssl, libxml, curl

Install them:

sudo apt install php7.3-curl php7.3-gd php7.3-json  php7.3-mbstring php7.3-intl php7.3-mysql php7.3-xml php7.3-zip

Restart Apache to activate:

sudo systemctl restart apache2

Step 4: Install Postfix Mail Server

We have gone over the installation of Postfix at some length in the article “How To Install And Configure Postfix“. Here we only repeat the commands:

sudo apt-get install postfix

Select Internet site, and enter FQDN site name, for instance, aleksasavic.com. Next restart Postfix:

sudo service postfix restart

Step 5: Install Dovecot

Postfix is the mail server while Dovecot is a mail delivery agent (MDA). They cooperate as Dovecot delivers the emails from/to Postfix.

Dovecot is a secure IMAP server. It silently indexes email messages in the background, and will replace most other IMAP clients. Besides Postfix, it works with Exim as well, and will even offer workarounds for some bugs present in other IMAP and POP3 clients.

For the basic installation of Dovecot, only two commands are needed:

sudo apt-get install dovecot-imapd dovecot-pop3d
sudo service dovecot restart

Step 6: Install SquirrelMail

SquirrelMail is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has few requirements and is easy to configure and install. SquirrelMail also supports MIME, address books, and folder manipulation.

Here is how to install it:

sudo apt-get install squirrelmail
sudo squirrelmail-configure

Step 7: Configuring SquirrelMail

Now we need to configure SquirrelMail, through a special command:

sudo squirrelmail-configure

We are met with a series of textual menus.

Enter 2 for server settings and another menu:

Now select 1 to change domain name to your domain name.

To go back, enter R and press Enter on the keyboard.

Next to change is option 4 for General Options.

We go after option “Allow server-side sorting”; enter “11” and change it from “false” to “true” by entering “y”. Press Enter on the keyboard, and enter the “S” key to save the configuration file.

Finally, Q to quit.

Now we copy squirrel configuration files to apache:

sudo cp /etc/squirrelmail/apache.conf /etc/apache2/sites-available/squirrelmail.conf
sudo a2ensite squirrelmail.conf && sudo service apache2 reload

Restart Apache to activate:

sudo systemctl restart apache2

We have installed Postfix, Dovecot, and SquirrelMail. Now we should be able to see SquirrelMail in action, by navigating to

aleksasavic.com/squirrelmail

in the browser.

Step 8: Create Email User

Let us now define a user which will have access to the mail:

sudo useradd squser
sudo passwd squser
sudo mkdir -p /var/www/html/squser

We also have to state permissions for the squser:

sudo chown -R squser:squser /var/www/html/squser

Log in to your mail again. If there are directories without permissions, execute these commands:

sudo chmod 777 /var/mail
sudo chmod 777 /var/www
sudo chmod 777 /home

Step 9: Resolving Errors

If there are errors, have a look at the error log:

sudo nano /var/log/mail.err

and find what the complaint is about. In this case:

mkdir(/home/squser/mail) failed: Permission denied (
euid=1002(squser) egid=1002(squser) missing +w perm: /home,

so we need to give write permission to the /home folder:

sudo chmod 777 /home

Execute the command

/etc/init.d/postfix reload

to activate the changes we have just created. Restart Postfix:

sudo service postfix restart
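
The error in Step 9 is Dovecot failing to create /home/squser/mail, which can be resolved by creating that one directory for squser instead of leaving /home, /var/www and /var/mail world-writable. The following is an added example, not part of the original article: it lists directories left in the chmod 777 state and creates the mail directory with mode 700. The function names world_writable_dirs and make_mail_home are hypothetical, and the modes in the closing comment assume stock Ubuntu defaults.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# Print every directory argument that is world-writable WITHOUT the sticky bit,
# i.e. the state "chmod 777" leaves behind. Mode 1777 (like /tmp) is not reported.
# Paths that do not exist are skipped silently.
world_writable_dirs() {
    for d in "$@"; do
        find "$d" -maxdepth 0 -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
    done
    return 0
}

# Create <base>/<user>/mail with mode 700, the directory Dovecot failed to mkdir.
# Only the user's own tree changes; <base> (normally /home) keeps its mode.
make_mail_home() {
    base=$1
    user=$2
    ( umask 022 && mkdir -p "$base/$user/mail" ) || return 1
    chmod 700 "$base/$user" "$base/$user/mail" || return 1
    # Handing the tree to the account needs root and an existing user;
    # on a scratch directory this step is skipped.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$user" "$base/$user" || return 1
    fi
    return 0
}

# Read-only check of the three directories the guide changes.
world_writable_dirs /var/mail /var/www /home

# On the mail server, as root:
#   make_mail_home /home squser
#   chmod 755 /home /var/www     # assumption: stock Ubuntu modes
#   chmod 2775 /var/mail         # assumption: stock Ubuntu mode (root:mail)
```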

Step 10: Encrypt Mail with Standard TLS

Email started out as sending plain text from sender to recipient. That is not safe, so the messages should be encrypted — protected while in transfer. Only the intended recipient should be able to read them.

We shall now protect the transfer with the standard STARTTLS protocol:

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo service postfix restart

Step 11: Send Email From SquirrelMail

Let us return to the browser, where we should enter the user name and password. The user name is the name of the user that we created, such as squser, and the password is its password from Ubuntu.

Enter SquirrelMail. If everything goes well, we shall see good old SquirrelMail on the screen. You should be able to send messages immediately, while to receive them, you would have to set up an MX record at your registrar’s site. You might also need to configure Postfix a bit more, which is out of scope of this article.

What To Do Next

SquirrelMail is a mature application and its development stopped five years ago. You can still run it in a production environment and it won’t fail you. You may also want to install another email client such as RoundCube, which is much harder to install but is well maintained and more powerful compared to SquirrelMail.

Dusko Savic is a technical writer and Flutter programmer.

duskosavic.com

The post Set Up And Configure Postfix E-Mail Server with Dovecot On Ubuntu 16.04 appeared first on Low End Box.