How to Install ISPConfig 3 in Ubuntu 18.04 & CentOS 7

This tutorial will show you how to install and configure the ISPConfig control panel on Ubuntu 18.04 and CentOS 7.

Here are the steps you need to follow to install the ISPConfig 3:

  • Introduction to the ISPConfig
  • Prerequisite
  • Setup the FQDN (Fully Qualified Domain Name)
  • Install and configure required apps and scripts, such as web server, php, mail server, database etc

Introduction to ISPConfig

ISPConfig is a web-based hosting control panel that is fast, secure and has all the features needed for managing all aspects of web hosting. It is licensed under BSD and developed by the company ISPConfig UG.

ISPConfig is not fully open source and free. You need to pay to use a few of its modules, such as the customer billing system, the malware scanner module and the migration toolkit.

But you can use the rest of ISPConfig's services without paying anything. Using the customer billing system, you can run your own reseller business at little cost compared with other paid options like cPanel.

ISPConfig offers plenty of features which you may not find in any other web-based hosting control panel. Using ISPConfig you can manage single or multiple servers, with three different access levels: administrators, resellers and clients.

ISPConfig does not install any services like Apache, Postfix, IMAP/POP3 server, MySQL, BIND and other services for you. It is designed to manage these services with ease through its web interface.

Therefore, before installing ISPConfig on your server, you need to install these services.

Let’s get started with installing all the services and prerequisites before proceeding with installing ISPConfig 3 in Ubuntu 18.04 and CentOS 7.

  • You have a freshly installed Ubuntu 18.04 (or CentOS 7) system that you can connect to through SSH as root or a sudo-enabled user. If you haven’t installed SSH, follow these steps to install SSH in Ubuntu.

The process of configuring the FQDN is the same on CentOS 7 and Ubuntu 18.04. On either system, first set the hostname using hostnamectl.

# hostnamectl set-hostname panel

Next, edit /etc/hosts and add a line in the following format towards the end of the file.

Format: IP_ADDRESS hostname.yourdomain.com HOSTNAME

# vi /etc/hosts
...
...
123.456.78.9 panel.yourdomain.com panel
...
...

Save and close the file. To verify the FQDN of your system, type the following command in the terminal:

# hostname -f
panel.yourdomain.com 

Note: If you are hosting your server with a cloud service provider like AWS or Linode, you may also need to edit /etc/cloud/cloud.cfg and change the value of the preserve_hostname parameter to true so that the hostname persists after a reboot.

Edit source list and update package list

Edit the main sources list in your Ubuntu 18.04 (or CentOS7) system. First comment out the installation CD entry in the file and then make sure the universe and multiverse repositories are enabled. All the packages needed by ISPConfig are found in the default repositories, so there is no need to add any third-party repositories.

Once you have updated it, the sources list should contain only the following lines.

# vi /etc/apt/sources.list
deb http://mirrors.linode.com/ubuntu/ bionic main restricted
deb http://mirrors.linode.com/ubuntu/ bionic-updates main restricted
deb http://mirrors.linode.com/ubuntu/ bionic universe
deb http://mirrors.linode.com/ubuntu/ bionic-updates universe
deb http://mirrors.linode.com/ubuntu/ bionic multiverse
deb http://mirrors.linode.com/ubuntu/ bionic-updates multiverse
deb http://mirrors.linode.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse

Now update and upgrade the system and reboot it. A reboot is needed in case a new kernel gets installed during the update.

# apt update && apt upgrade
# reboot

Edit default shell

ISPConfig needs /bin/bash as the default shell. The default shell may be something other than /bin/bash, such as /bin/dash. To make /bin/bash the default shell on your system, use the following chsh command:

# chsh

Changing the login shell for root

Enter the new value, or press ENTER for the default

Login Shell [/bin/bash]: /bin/bash

ISPConfig can be configured to use either Apache or NGINX. In this tutorial, we will use Apache to act as a web server for ISPConfig. To proceed with installing Apache in your server use the following apt command in the terminal:

# apt install apache2  apache2-utils

Once Apache is installed, make sure you have enabled the following modules of it.

# a2enmod suexec rewrite ssl actions include cgi dav_fs dav auth_digest headers

To protect your server against the HTTPOXY attack, unset the Proxy request header in Apache so that CGI applications never receive it as the HTTP_PROXY environment variable.

To do so, create a new Apache configuration file with your favorite text editor and paste the following.

# vi /etc/apache2/conf-available/httpoxy.conf
  <IfModule mod_headers.c>
     RequestHeader unset Proxy early
  </IfModule>

Further, if you are planning to run Ruby files on the websites that will be created through ISPConfig at a later stage, you must add application/x-ruby rb to the MIME types for Apache:

# vi /etc/mime.types
...
...
application/x-ruby rb
...
...

To apply new settings for Apache, reload it.

# a2enconf httpoxy
# systemctl reload apache2

To install MariaDB, just use the following command from the terminal:

# apt install mariadb-client mariadb-server

Once the MariaDB server is installed, run the following script to secure MariaDB by setting a strong root password. Answer yes to remove anonymous users, disallow remote root login, remove the test database and reload the privilege tables.

# mysql_secure_installation

To manage and administer the MariaDB database from a remote system using a GUI tool like phpMyAdmin, set the password authentication method to native. To do that, open the MariaDB root shell by providing the password.

# mysql -u root -p
Enter password:

Now change to the mysql database and run the following SQL query.

MariaDB [(none)]> use mysql;

Reading table information for completion of table and column names.
You can turn off this feature to get a quicker startup with -A
Database changed

MariaDB [mysql]> update mysql.user set plugin = 'mysql_native_password' where user="root";
Query OK, 0 rows affected (0.00 sec)
Rows matched: 1  Changed: 0  Warnings: 0

Next, enable the MariaDB server to listen on all interfaces, not just localhost.

To do that, edit the following MariaDB configuration file and comment out the following line.

# vi /etc/mysql/mariadb.conf.d/50-server.cnf
...
...
# bind-address = 127.0.0.1
...
...

Finally restart MariaDB server:

# systemctl restart mariadb 

ISPConfig is written in PHP, therefore to install and use the ISPConfig control panel you need to install PHP and its various modules beforehand. To do that, run the following apt command in the terminal:

# apt install libapache2-mod-php php7.2 php7.2-common php7.2-gd php7.2-mysql php7.2-imap php7.2-cli php7.2-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear mcrypt  imagemagick libruby libapache2-mod-python php7.2-curl php7.2-intl php7.2-pspell php7.2-recode php7.2-sqlite3 php7.2-tidy php7.2-xmlrpc php7.2-xsl memcached php-memcache php-imagick php-gettext php7.2-zip php7.2-mbstring php-soap php7.2-soap php7.2-fpm

Make sure to enable the fast CGI module of PHP along with FPM configuration file and restart Apache:

# a2enconf php7.2-fpm
# a2enmod actions proxy_fcgi alias setenvif
# systemctl restart apache2

For easy management and administration of the MariaDB database, install phpMyAdmin with the following apt command:

# apt install phpmyadmin

Select Apache as the web server when the installer prompts you to choose one. Also choose ‘No’ when asked to configure the database for phpMyAdmin with dbconfig-common. Access the phpMyAdmin page at http://server_ip_address/phpmyadmin

We are using Postfix as it's a free and open source mail transfer agent (MTA) responsible for delivering and receiving emails in a mail server. To install it, run the following command from the terminal:

# apt install postfix postfix-mysql

The installer will prompt you to choose the configuration for postfix.

  • Choose ‘Internet site’ for mail configuration type.
  • For System Mail Name, choose FQDN of the server that you want to use to send and receive mails.
  • Provide an email address to which mail sent to root@ and postmaster@ will be forwarded.

Postfix needs a few configuration tweaks in order to work with Dovecot. To start with, take a backup of the Postfix main configuration file.

# mv /etc/postfix/main.cf /etc/postfix/main.cf.bk

Then create a new configuration file and paste the following contents into it. Make sure to replace the domain name with your own.

# vi /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
smtp_use_tls=yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file=/etc/letsencrypt/live/website.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/website.com/privkey.pem
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains
myhostname = website.com
myorigin = /etc/mailname
mydestination =  localhost.$mydomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
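
With smtpd_sasl_auth_enable = yes and smtpd_tls_security_level = may, Postfix offers AUTH on sessions that never negotiated TLS unless smtpd_tls_auth_only = yes is also set. The check below is an added example, not part of the original tutorial; cf_get and auth_exposure are hypothetical helper names, and both main.cf excerpts are constructed from the file above.

```sh
#!/bin/sh
# Added example: can clients send AUTH before STARTTLS with this main.cf?

# Constructed excerpt of the main.cf shown in this tutorial.
TUTORIAL_CF='smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot'

# Same excerpt plus one standard Postfix parameter that forces TLS before AUTH.
HARDENED_CF="$TUTORIAL_CF
smtpd_tls_auth_only = yes"

# cf_get NAME: read main.cf text on stdin, print the last value assigned to NAME.
# Lines that start with whitespace continue the previous parameter in Postfix;
# this check skips them instead of joining them.
cf_get() {
    awk -v name="$1" '
        /^[ \t]/ || /^#/ || /^$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == name) last = val    # the last assignment wins
        }
        END { print last }'
}

# $1 = main.cf text. Prints "cleartext-auth" when SASL is enabled and nothing
# forces TLS before AUTH, otherwise "ok".
auth_exposure() {
    sasl=$(printf '%s\n' "$1" | cf_get smtpd_sasl_auth_enable)
    level=$(printf '%s\n' "$1" | cf_get smtpd_tls_security_level)
    only=$(printf '%s\n' "$1" | cf_get smtpd_tls_auth_only)
    if [ "$sasl" = yes ] && [ "$only" != yes ] && [ "$level" != encrypt ]; then
        echo cleartext-auth
    else
        echo ok
    fi
}

# On a live host: auth_exposure "$(cat /etc/postfix/main.cf)"
auth_exposure "$TUTORIAL_CF"
auth_exposure "$HARDENED_CF"
```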

Create a virtual mailbox domain, since Postfix was configured above to use one. Edit the virtual mailbox domains file and add the following entry to it.

# vi /etc/postfix/virtual_mailbox_domains
website.com #domain

You need to run the following command whenever you edit the virtual mailbox file.

# postmap /etc/postfix/virtual_mailbox_domains

Finally edit the Postfix’s master configuration file and uncomment the following line:

# vi /etc/postfix/master.cf
...
...
submission inet n - y - - smtpd
...
...

Restart postfix agent and test it with telnet command:

# systemctl restart postfix
# telnet website.com 25
Trying 127.0.0.1...
Connected to website.com
Escape character is '^]'.

Connection closed by foreign host.

Install Dovecot

Dovecot is a mail delivery agent that delivers emails from/to the mail server over the IMAP, POP and LMTP protocols.

Run the following command to install dovecot along with all other dependencies.

# apt install dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql

Test the dovecot service with following commands:

# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready.
# doveconf protocols listen
protocols =  imap lmtp pop3
listen = *, ::

You may need to configure a few other settings, such as the user authentication mechanism and SSL for Dovecot, as per your requirements. But Dovecot's default settings are enough to run ISPConfig on your server.

Install Roundcube

Download the latest Roundcube and extract it to a suitable location. Also change the ownership of the Roundcube folder to the www-data user.

# mkdir -p /var/www/webmail
# cd /var/www/webmail
# wget https://github.com/roundcube/roundcubemail/releases/download/1.3.9/roundcubemail-1.3.9-complete.tar.gz
# tar xf roundcubemail-1.3.9-complete.tar.gz
# mv roundcubemail-1.3.9/* .
# rm -rf roundcubemail-1.3.9
# chown -R www-data:www-data /var/www/webmail/

Create a database and a user for roundcube:

MariaDB [(none)]> create database roundcubedb;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON roundcubedb.* TO roundcube@localhost IDENTIFIED BY 'Passw0rd!';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> exit;

Next import Roundcube table layout into the empty database:

#  mysql -u roundcube -p roundcubedb < /var/www/webmail/SQL/mysql.initial.sql

To configure Apache for Roundcube, create a configuration file for it and once done, restart apache:

# vi /etc/apache2/sites-available/roundcube.conf
Alias /roundcube /var/www/webmail
<Directory /var/www/webmail>
Options -Indexes
AllowOverride All
Order allow,deny
allow from all
</Directory>
# systemctl reload apache2

Copy the sample roundcube configuration file to a new file by the name config.inc.php:

# cd /var/www/webmail/config
# cp config.inc.php.sample config.inc.php

Edit the database information in the file by providing database name, username and password.

# vi /var/www/webmail/config/config.inc.php
...
...
$config['db_dsnw'] = 'mysql://roundcube:Passw0rd!@localhost/roundcubedb';
$config['mail_domain'] = '%n';
...
...

Finally remove the sample configuration file:

# rm config.inc.php.sample

Access roundcube by pointing your browser to http://server_ip/roundcube

Install Rootkit Hunter

RootKit Hunter is a shell script that can scan the file system for rootkits, back-doors and other local exploits, and can also monitor executed commands, startup files and network interfaces on your server.

Install it by using the following command in the terminal:

# apt install rkhunter

Install Amavisd-new, SpamAssassin and Clamav

Amavisd-new is an interface between MTAs such as Postfix and content checkers such as virus scanners, whereas SpamAssassin is a tool for filtering unsolicited emails from telemarketers and hackers.

To install these packages, run the following apt command in the terminal:

# apt install amavisd-new spamassassin
# systemctl restart spamassassin

The above apt command will also install ClamAV, which is built to detect viruses, Trojans, malware and other threats on your server. Stop the freshclam service, update the virus database with the following commands and then restart the ClamAV daemon:

# systemctl stop clamav-freshclam.service
# freshclam
# systemctl restart clamav-daemon

The amavisd-new package in Ubuntu 18.04 has a bug where emails get signed with DKIM incorrectly. To correct this anomaly patch the amavisd-new package by using the following procedure in the terminal:

# cd /tmp
# wget https://git.ispconfig.org/ispconfig/ispconfig3/raw/stable-3.1/helper_scripts/ubuntu-amavisd-new-2.11.patch
# cd /usr/sbin
# cp -pf amavisd-new amavisd-new_bak
# patch < /tmp/ubuntu-amavisd-new-2.11.patch
Hunk #2 succeeded at 34363 (offset 1 line)

ISPConfig supports the free SSL certificate authority LetsEncrypt, and with it you can fetch SSL certificates for the domains that are hosted in ISPConfig. Install certbot, a free, open source tool that automatically uses LetsEncrypt certificates on websites to enable HTTPS.

Install it with the following command:

# apt install certbot

To enable users to upload and download files using FTP, install an FTP server like PureFTPd with TLS encryption and also install quota for efficient management of assigning disk space to users. To do that run the following command from the terminal.

# apt install pure-ftpd-common pure-ftpd-mysql quota quotatool

Configure the PureFTPd server to run as a standalone and allow users to see their home directories only by changing chroot environment to true.

# vi /etc/default/pure-ftpd-common
...
...
STANDALONE_OR_INETD=standalone
VIRTUALCHROOT=true
...
...

Allow FTP sessions through TLS only.

# echo 2 > /etc/pure-ftpd/conf/TLS

Generate an SSL certificate so that the PureFTPd server can use TLS.

# mkdir -p /etc/ssl/private/
# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Assign correct permission to TLS certificate and restart PureFTPd:

# chmod 600 /etc/ssl/private/pure-ftpd.pem
# systemctl restart pure-ftpd-mysql

To enable quota limits, mount the root partition with the quota options through /etc/fstab. This makes sure that the file system knows it needs to check quotas while allocating disk space to each user:

#  vi /etc/fstab
...
...
/dev/sda1 / ext4     usrquota,grpquota,errors=remount-ro     0       1
...
...

Make sure to replace /dev/sda1 in the above /etc/fstab entry with your own file system. Save the file and run the following set of commands to enable quota for each user:

# apt install quota
# touch /quota.user /quota.group
# chmod 600 /quota.user /quota.group
# mount -o remount /
# quotacheck -avugm
quotacheck: Scanning /dev/sda [/] done
quotacheck: Checked 28152 directories and 142292 files
# quotaon -avug
/dev/sda [/]: group quotas turned on
/dev/sda [/]: user quotas turned on 

Install BIND DNS Server to have your own nameserver. Using ISPConfig you can interact with the nameserver to create, update and delete DNS entries very easily.

# apt install bind9 dnsutils

Restart BIND service:

# systemctl restart bind9.service
# systemctl status bind9.service

Install AWStats

AWStats, a log analyzer for Apache, is a handy tool that can generate advanced graphs and statistics by analyzing log files from Apache, FTP or mail servers.

# apt install awstats

Next create an Apache configuration for AWstats. To do that, edit the following file using any text editor:

# vi /etc/apache2/conf-available/awstats.conf
ScriptAlias /awstats/ /usr/lib/cgi-bin/
Alias /awstats-icon/ /usr/share/awstats/icon/
Alias /awstatsclasses/ /usr/share/java/awstats/
<Directory "/usr/lib/cgi-bin/">
    Options None
    AllowOverride None
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require ip 192.168.0.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Allow from 192.168.0.0/24
        Allow from ::1
    </IfModule>
</Directory>

Enable the CGI module and also enable Awstats apache configuration:

# a2enmod cgi
# a2enconf awstats
# systemctl restart apache2

Next create a configuration file for your chosen domain by copying the default configuration file in a separate file.

# cp /etc/awstats/awstats.conf /etc/awstats/awstats.website.com.conf

Edit the following parameters in the configuration file:

# vi /etc/awstats/awstats.website.com.conf
...
...
LogFile="/var/log/apache2/website.com-access_log"
SiteDomain="website.com"
...
...

Run the following command to update records from Apache log file:

# /usr/lib/cgi-bin/awstats.pl -config=website.com -update

To access awstats point your browser to the URL http://server_ip/awstats/awstats.pl?config=website.com. Make sure you have appended your domain name at the end of the URL.

Install fail2ban

Fail2ban is an application that monitors system logs (/var/log) for failed login attempts or automated attacks on your server. When it finds such activity in a log file, fail2ban blocks the IP address, temporarily or permanently, from accessing the server.

Install fail2ban by using following apt command in the terminal:

# apt install fail2ban

Fail2ban reads the .conf file first and the .local file after it. It is therefore recommended to keep custom configuration in the .local file and leave the .conf file unchanged.

Copy the default .conf file to a .local file:

# cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

You can now edit the local configuration to monitor the specific services you need with fail2ban. To start with, add the pure-ftpd, dovecot and postfix blocks to the jail.local configuration file.

# vi /etc/fail2ban/jail.local
[pure-ftpd]
enabled  = true
port     = ftp
filter   = pure-ftpd
logpath  = /var/log/syslog
maxretry = 3
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5
[postfix]
enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 3

Finally restart fail2ban

# systemctl restart fail2ban
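
How maxretry turns log lines into a ban, shown as an added example rather than fail2ban's own code: a simplified model that counts dovecot authentication failures per source address inside a time window. The log lines are constructed, would_ban is a hypothetical name, the pattern is a stand-in for fail2ban's dovecot filter, and the 600-second window is an assumption because the jail above does not set findtime.

```sh
#!/bin/sh
# Added example: simplified model of a jail decision (not fail2ban code).

# Constructed mail.log lines; addresses come from documentation ranges.
SAMPLE_LOG='Jan 10 09:00:00 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, rip=198.51.100.4, lip=192.0.2.10
Jan 10 09:20:00 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, rip=198.51.100.4, lip=192.0.2.10
Jan 10 09:40:00 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, rip=198.51.100.4, lip=192.0.2.10
Jan 10 10:00:01 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, rip=203.0.113.7, lip=192.0.2.10
Jan 10 10:00:11 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, rip=203.0.113.7, lip=192.0.2.10
Jan 10 10:00:21 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, rip=203.0.113.7, lip=192.0.2.10
Jan 10 10:00:31 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, rip=203.0.113.7, lip=192.0.2.10
Jan 10 10:00:41 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, rip=203.0.113.7, lip=192.0.2.10
Jan 10 10:01:00 panel dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.10'

# $1 = log text, $2 = maxretry, $3 = findtime in seconds.
# Prints each source address once, when it reaches maxretry failures inside
# the window. Assumes every line falls on the same day.
would_ban() {
    printf '%s\n' "$1" | awk -v maxretry="$2" -v findtime="$3" '
        /dovecot: .*auth failed/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^rip=/) { ip = $i; gsub(/^rip=|,$/, "", ip) }
            if (ip == "" || (ip in banned)) next
            split($3, hms, ":")
            now = hms[1] * 3600 + hms[2] * 60 + hms[3]
            seen[ip, ++count[ip]] = now
            hits = 0
            for (j = 1; j <= count[ip]; j++) if (now - seen[ip, j] < findtime + 0) hits++
            if (hits >= maxretry + 0) { banned[ip] = 1; print ip }
        }'
}

# The [dovecot] jail above uses maxretry = 5.
would_ban "$SAMPLE_LOG" 5 600
```

The three failures spread over 40 minutes never reach the threshold inside the window, while the five failures within one minute do.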

Configure UFW

UFW is installed and enabled by default in Ubuntu 18.04. However, if that is not the case, you can install and enable UFW with the following commands:

# apt install ufw
# ufw enable

In general, ISPConfig uses the following TCP/UDP ports. Of these services, a few such as the web interface (8080), SSH (22) and HTTP (80) need to be opened in UFW for outside access.

TCP ports
20 - FTP Data
21 - FTP Command
22 - SSH
25 - Email
53 - DNS
80 - HTTP (Webserver)
110 - POP3 (Email)
143 - IMAP (Email)
443 - HTTPS (Secure web server)
993 - IMAPS (Secure Imap)
995 - POP3S (Secure POP3)
3306 - MySQL Database server
8080 - ISPConfig web interface
8081 - ISPConfig apps vhost
UDP ports
53 - DNS
3306 - MySQL

Use the following ufw commands to open the ports used by ISPConfig:

# ufw allow 80/tcp
# ufw allow 8080/tcp
# ufw reload
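
The audit below compares listening sockets with the two ports opened above; it is an added example, not part of the original tutorial, with constructed `ss -Htln` output and hypothetical function names. Each port it prints listens on every interface but has no allow rule: 3306 (once bind-address is commented out) is shielded by UFW alone, and 22 and 25 stay unreachable from outside until they are allowed.

```sh
#!/bin/sh
# Added example: list services bound to every interface with no UFW allow rule.

# Constructed `ss -Htln` output for a host built as in this tutorial.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 10 127.0.0.1:953 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 511 *:8080 *:*
LISTEN 0 128 [::]:22 [::]:*'

# Ports this tutorial opens with "ufw allow".
UFW_ALLOWED='80 8080'

# Read ss lines on stdin and print each port bound to a wildcard address once.
wildcard_ports() {
    awk '{
        pos = match($4, /:[0-9]+$/)    # the last colon separates address and port
        if (pos == 0) next
        addr = substr($4, 1, pos - 1)
        port = substr($4, pos + 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") print port
    }' | sort -un
}

# $1 = ss output, $2 = space-separated ports allowed in UFW.
# Prints the wildcard listeners that have no matching allow rule.
unlisted_listeners() {
    printf '%s\n' "$1" | wildcard_ports | while read -r port; do
        case " $2 " in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# On a live host: unlisted_listeners "$(ss -Htln)" "80 8080"
unlisted_listeners "$SAMPLE_SS" "$UFW_ALLOWED"
```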

Install ISPConfig 3.1

Download the latest ISPConfig and extract it to a suitable location. Navigate to the folder containing the install script and run it with the php command. The installer will prompt for several parameters such as the installation language, FQDN, MySQL password and a few others. Answer them according to your setup.

# wget https://ispconfig.org/downloads/ISPConfig-3.1.14p1.tar.gz
# tar xfz ISPConfig-3.1.14p1.tar.gz
# cd ispconfig3*/install/
# php -q install.php

Once the installation process is complete, point your browser to http://SERVER_IP:8080 and log in with the username ‘admin’ and the password you configured.

To fetch a LetsEncrypt certificate for your domain, use the following certbot command with a few additional parameters.

# certbot certonly --agree-tos --email @email --webroot --webroot-path /usr/local/ispconfig/interface/acme -d domain.tld

Conclusion

That’s it! You will now have an ISPConfig control panel installed and running in your environment.

Using ISPConfig you can now manage domains, DNS, email and more with ease through its web interface. For more about using ISPConfig, consider buying the user manual.