Suggestions on moving to a new server

#1 Tue, 06/16/2009 - 15:40
marciano

Hello. Because of your and others' suggestions I am planning to move to a new server (security issues). I mean a new software installation; it is a remote dedicated server, so I do not need to update the hardware. I'm far from a master on these issues, which is why I am asking for some help. I think I would ask them to install the OS (they install CentOS; I have always used Fedora), Tripwire (free version), apf and php-mysql. I also have to install postfix-clamAV-spamassassin and cron updates for them, squirrelmail, bind, SFTPD, phpMyAdmin and others. When should I install Webmin/Virtualmin? I can install the mail server programs from Webmin. I suppose the more I install from Webmin, the better control I would have from its control panel, wouldn't I? Tripwire is for tracking system changes, so I suppose it should be installed on a fresh installation. Do you have any suggestions? Thank you.

Tue, 06/16/2009 - 15:46
andreychek

What I would recommend is installing Webmin/Virtualmin as the first thing you do once you receive your newly setup CentOS system (if you want to install tripwire before Virtualmin, that's fine).

CentOS is a good server distro -- and what I would do is use the Virtualmin installer, the install.sh.

It will pull in all the dependencies needed for Apache, MySQL, BIND, Postfix, SpamAssassin, Clam, and so forth -- and it'll set it all up for you.

At that point, you can just install whatever it is you need on top of that. -Eric

Tue, 06/16/2009 - 15:56
marciano

Hi Eric, So you say to install CentOS, Tripwire, Webmin/Virtualmin in that order, then run install.sh to install Apache, php-mysql and the other stuff? Thank you.

Tue, 06/16/2009 - 15:58
andreychek

Well, the steps would be:

  1. Install CentOS

  2. Install Tripwire

  3. Run install.sh

Step #3 handles installing the full "Virtualmin stack" as they call it -- including Webmin, Virtualmin, Apache, Postfix, and all the other goodies. -Eric

Tue, 06/16/2009 - 20:42
Joe

I would probably install tripwire after Virtualmin. You're going to have to regenerate the tripwire database after installing Virtualmin anyway.

--

Check out the forum guidelines!
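Joe's point above is that a Tripwire database taken before install.sh is stale the moment the installer finishes, so the baseline has to be regenerated afterwards. The following is an added example (not from this thread and not Tripwire's own code): a minimal file-integrity baseline in the same spirit, using sha256 hashes, so the baseline/verify/re-baseline cycle can be seen on a scratch directory. The directory and file names in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Tripwire: a minimal
# file-integrity baseline to show why the database is regenerated after
# install.sh. Paths in comments are illustrative assumptions.

# Use sha256sum (coreutils) where present, otherwise shasum (macOS/Perl).
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# baseline DIR > MANIFEST : one "hash  ./path" line per regular file, sorted.
# (Paths containing spaces would need a stricter format than this demo uses.)
baseline() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do hash_cmd "$f"; done )
}

# verify DIR MANIFEST : prints ADDED / REMOVED / CHANGED lines, one per file,
# and returns 1 if anything differs from the manifest; returns 0 and prints
# nothing when the tree still matches.
verify() {
    cur=$(mktemp) || return 1
    baseline "$1" > "$cur"
    diffs=$(awk '
        NR == FNR { old[$2] = $1; next }      # first file: the saved manifest
        { new[$2] = $1 }                       # second file: current hashes
        END {
            for (p in new) if (!(p in old)) print "ADDED " p
            for (p in old) if (!(p in new)) print "REMOVED " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "CHANGED " p
        }
    ' "$2" "$cur" | sort)
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Intended cycle (assumed paths):
#   baseline /etc > /var/lib/integrity/etc.manifest   # after install.sh, not before
#   verify   /etc   /var/lib/integrity/etc.manifest   # from cron, e.g. twice a day
#   baseline /etc > /var/lib/integrity/etc.manifest   # again after every planned change
```

Tripwire does the same job with a signed database and a policy file; the sequence is what matters: take the baseline on the finished system, verify on a schedule, and re-baseline only after changes you made yourself.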

Wed, 06/17/2009 - 15:36
marciano

Today no one can trust being online for even a minute without a firewall. I use and like apf and bfd. bfd detects and bounces at least two brute force SSH attacks a day. Can I install them from install.sh? Can I choose sFTP instead of ProFTP and the other software installed by default?

Wed, 06/17/2009 - 16:00 (Reply to #6)
Joe

Can I install them from install.sh?

No.

You can use the Webmin firewall module to build a firewall, though, if you like. It's how I always build my firewalls. I'm unfamiliar with apf and bfd, but I believe a couple of Virtualmin users are using them with Virtualmin. But Virtualmin and Webmin don't have any relation to them or any awareness of them. If they use standard iptables save files, they'll be usable alongside the Webmin firewall module... but if they don't use standard save files, then you'll have to choose one or the other.

Can I choose sFTP instead proFTP and other software installed by default?

No. install.sh is an exceedingly stupid script designed to get a working system and nothing more. Once Webmin is installed and working, you can then use the capabilities it provides (including a GUI for the native package manager, like yum or apt-get) to help out with things like installing additional software and such. You can't do anything with install.sh, beyond installing Virtualmin and related software.

The FTP servers that Virtualmin supports are ProFTPd and vsftpd. ProFTPd is the default, and is configured for use. If you want to switch to vsftpd, you'll need to make a few changes in your configuration.

I've never heard of sFTP, so I don't know if you'd be able to use it in a Virtualmin deployment easily.

--

Check out the forum guidelines!

Wed, 06/17/2009 - 17:19
marciano

I am currently using apf and bfd without problems so I suppose they will be okay in the new server. Just FYI Linux Firewall module displays:

Webmin has detected 2 IPtables firewall rules currently in use, which are not recorded in the save file /etc/sysconfig/iptables. These rules were probably setup from a script, which this module does not know how to read and edit.

If you want to use this module to manage your IPtables firewall, click the button below to convert the existing rules to a save file, and then disable your existing firewall script.

I made a mistake, I meant VSFTP. I mentioned it because I found a bug with Fedora 8 and ProFTP that shifts log times by three hours (!). I suppose that it won't happen on the new server. The default ProFTP will be fine for me.

I hope that virtual servers will be exported okay. I made a moving process in the past.

Now, the main question. I need to keep all virtual servers on the 'old' disk online while building and debugging the new one. Is it possible? Can I handle it in Webmin/Virtualmin? Two disks, one master, one slave, two different OSs? One IP pointing to one system and another IP pointing to the other? My ignorance on these issues is shameful! Thanks Joe.

Wed, 06/17/2009 - 18:42 (Reply to #8)
andreychek

Now, the main question. I need to keep all virtual servers on the 'old' disk online while building and debugging the new one. Is it possible? Can I handle it in Webmin/Virtualmin? Two disks, one master, one slave, two different OSs? One IP pointing to one system and another IP pointing to the other?

Well, ignoring for a moment the possibility of setting up a virtualized server, which really just makes this far more complex than it needs to be -- no, there's no good way to do that :-)

In general, you can boot one OS/distro at a time. If you need to setup a second OS/distro on a new hard drive for your server, the options are generally one of:

  1. Reboot the server, and boot into the new OS

  2. Setup the hard drive on another computer, then once it's working as you want, move the hard drive into your current server

I would suggest option #2. If you can dig up even some low-powered computer that you can use temporarily to setup your hard drive -- you can use that to get things working perfectly -- then just move the hard drive into your server when everything is working correctly. -Eric

Fri, 06/19/2009 - 12:02
marciano

Hello all! I rent a dedicated server. I am about to rent a new one with only CentOS installed. I will have the present server for a couple of weeks, so I will keep the 'old' server online while building the new system. My aim is to control as much as possible with Webmin/Virtualmin. The main use of this server is Apache services. To plan the moving process I will post some questions here. First one: I remember that new servers were built using server and host names something like CK-03Y.gyservice.com. Can I change them from Webmin? Thank you.

Fri, 06/19/2009 - 12:29
ronald

Can I change them from webmin?

Yes you can, through the Networking module under Webmin - Network Configuration.

Fri, 06/19/2009 - 19:11
marciano

From http://www.webmin.com/vinstall.html
and after run ./install.sh

Because it downloads numerous packages from the Virtualmin website and your Linux distribution's repository, it may take up to 30 minutes for the install to complete. Once it is done, you can login to Webmin at https://yourserver:10000/ to see the Virtualmin user interface.

I don't understand how I could log in to Webmin if it is an empty server and no 'yourserver' is created.

Fri, 06/19/2009 - 19:12 (Reply to #12)
Joe

I don't understand how I could log in to Webmin if it is an empty server and no 'yourserver' is created.

"yourserver" means "whatever the name or address of your server is". Get it? "your server"? ;-)

--

Check out the forum guidelines!

Fri, 06/19/2009 - 19:25
marciano

Ha ha, yes I got it. I've just found in my notes what you mean. Thanks!

Fri, 06/19/2009 - 19:36
marciano

I am using apf and bfd, one as a firewall and the other to bounce and add to the deny_hosts.rules file those IPs that make more than 12 attempts to get access to the server (brute force attacks). Is it possible to do this from Webmin modules? Of course I mean a substitute for bfd. Is 'Linux Firewall' as good as apf? Thanks!

Sat, 06/20/2009 - 09:23
marciano

I am trying to plan an order of installations and data import.
1) Are there important differences between CentOS and Fedora I will have to care about?
I'm not an intensive linux user, just basic stuff and Apache environment.

Please correct me if I'm wrong.
I am looking my notes from my last move (external dedicated servers)

After installing W/V (Apache php-MySQL)

"Webmin-System-Software Packages-Upgrade All Install Packages from yum"

2) Is it worth changing the regular SMTP, FTP and SSH ports?

3)
Change hostname to my own
Install bind, innotop
Make some changes in Network settings (dns, hostname)
Enable suexec Apache module
From file sys, enable disk quotas
Install postfix-dovecot-clamAV-spamassassin-squirrelmail (uninstall sendmail program, I had problems with postfix and sendmail installed)
Install phpMyAdmin
Install tripwire
Install ImageMagick, linx, jhead, exiftool and other minor programs
Adjust setting from the old server (php, etc)

4) Should I first import 'human' user/groups or are they created when importing virtual hosts?

Sat, 06/20/2009 - 09:29
ronald

I'm not familiar with Fedora, except that it and Centos are basically RedHat while Fedora has bleeding edge stuff in it and Centos is the stable one.

I don't think it is worth running services on different ports. I tried ssh once on a different port, but explaining that to clients... and getting more support tickets is not worth the fake feeling of security. There are portscanners... they will find you ;)

It is worth, though, having complicated passwords and perhaps a good ruleset in the firewall.

I think you can just import the virtual hosts and it will create the users/groups. You may want to test that by importing 1 virtual domain first.

Mon, 06/22/2009 - 17:01
marciano

Hello Ronald!
I don't know very much about these issues; I did suspect that they would find each port.

I have a pending question
I am using apf and bfd, one as a firewall and the other to bounce and add to the deny_hosts.rules file those IPs that make more than 12 attempts to get access to the server (brute force attacks). Is it possible to do this from Webmin modules? Of course I mean a substitute for bfd. Is 'Linux Firewall' as good as apf?

Thank you.

Mon, 06/22/2009 - 18:01
ronald

In the old forum there was a long thread about this. Someone had posted a way to configure Linux Firewall on port 22 to block those scripted brute force attempts. Alas, I cannot find it anymore; it might be in the queue to be migrated over to this new site. Perhaps it will show up, or I'm just blind.
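The thread mentioned above (rate-limiting port 22 from the Linux Firewall module) is not reproduced here, but the two pieces of a bfd-style defence are short enough to show. This is an added example, not code from the thread, from rfxn's tools or from Webmin: the first function emits port-22 rate-limit rules in iptables-save format, which is the file format the Webmin Linux Firewall module reads (/etc/sysconfig/iptables on CentOS, as the warning quoted earlier in the thread says); the second scans sshd log lines offline and lists the sources that exceeded the 12-attempt threshold named in the question. sshd on port 22, CentOS-style "Failed password" lines and the sample log are assumptions; the sample addresses are from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not from the Virtualmin forum, Webmin or bfd): a bfd-style
# SSH brute-force defence in plain iptables and awk.
# Assumptions: sshd on port 22, CentOS-style sshd log lines, and the
# 12-attempt threshold mentioned in the thread.

THRESHOLD=12

# 1. Rules in iptables-save format. Written into /etc/sysconfig/iptables they
#    survive a reboot and are visible to the Webmin "Linux Firewall" module.
#    The "recent" match records each new SSH connection per source address;
#    a source that opens a 5th connection within 60 seconds is dropped.
ssh_ratelimit_rules() {
    cat <<'EOF'
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
EOF
}

# 2. Offline scan of sshd log lines (stdin): print every source address with
#    more than THRESHOLD "Failed password" events, one per line, sorted.
#    The output is what bfd would append to its deny list.
failed_ssh_sources() {
    awk -v limit="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] > limit) print ip }
    ' | sort
}

# Constructed sample log (not a real capture): 13 failures from 203.0.113.7,
# 2 from 198.51.100.9, one successful key login from 192.0.2.10.
sample_log() {
    i=0
    while [ "$i" -lt 13 ]; do
        printf 'Jun 25 03:00:%02d host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4%d ssh2\n' "$i" "$i"
        i=$((i + 1))
    done
    echo "Jun 25 03:01:00 host sshd[1235]: Failed password for root from 198.51.100.9 port 5001 ssh2"
    echo "Jun 25 03:01:01 host sshd[1235]: Failed password for root from 198.51.100.9 port 5002 ssh2"
    echo "Jun 25 03:01:02 host sshd[1236]: Accepted publickey for marciano from 192.0.2.10 port 6000 ssh2"
}

# Typical use on the server (assumed log path):
#   failed_ssh_sources < /var/log/secure
#   ssh_ratelimit_rules    # paste into the INPUT chain of /etc/sysconfig/iptables
```

The rate-limit rules stop the fast, scripted attempts; the log scan catches slow ones that stay under the per-minute hit count. Either way, key-only authentication for the accounts that matter is what actually removes the risk that a guessed password gets in.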

Thu, 06/25/2009 - 10:23
marciano

Hello, here I come... ./install.sh

/tmp directory is mounted noexec. Installation cannot continue.

Thu, 06/25/2009 - 10:33 (Reply to #20)
andreychek

Howdy,

Sounds like /tmp is mounted with "noexec", which is preventing the installation from continuing ;-)

Setting the tmp partition to use the "noexec" option is not a default for any distro I'm familiar with, so that was likely added in manually. You'll need to remove that option in order for Virtualmin to install.

-Eric

Thu, 06/25/2009 - 10:38
marciano

Hello Eric,

This is my new Centos installation (external rented dedicated server). I don't know if this is by default or if it has been modified. How can I fix this please?

Thu, 06/25/2009 - 10:48 (Reply to #22)
andreychek

Yeah, CentOS doesn't add that in -- your provider may have though.

To disable it, you'll need to do two things:

  1. Edit /etc/fstab, and remove the noexec option from the line that sets up /tmp. That'll make sure the mount options are correct next time you reboot.

  2. To change the current options /tmp is mounted with, you can type: mount -o remount,exec /tmp

You'll want to do both of those steps -- one fixes things now, the other makes sure they stay fixed later :-)

-Eric

Thu, 06/25/2009 - 11:09
marciano

Ah, okay, I understand, thank you.

Should I remount it as noexec after the installation?

I track /tmp updates twice a day in my present server (the old one). Below is a typical report. Thank you,

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/acl [Inodes: 426007 - 393239, Sizes: 7685 - 8122, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/apache
[Inodes: 425986 - 393218, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/at
[Inodes: 425997 - 393229, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/bind8
[Inodes: 425987 - 393219, Sizes: 1462 - 1494, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/cron
[Inodes: 425998 - 393230, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/logrotate
[Inodes: 425989 - 393221, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/mailcap
[Inodes: 425990 - 393222, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/mount
[Inodes: 425988 - 393220, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/net
[Inodes: 425991 - 393223, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/pam
[Inodes: 425992 - 393224, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/postfix
[Inodes: 425993 - 393225, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/procmail
[Inodes: 425995 - 393227, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/proftpd
[Inodes: 425994 - 393226, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/spam
[Inodes: 425999 - 393231, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/sshd
[Inodes: 425996 - 393228, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/status
[Inodes: 426002 - 393234, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/syslog
[Inodes: 426000 - 393232, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/time
[Inodes: 426001 - 393233, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/useradmin
[Inodes: 426003 - 393235, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/virtual-server
[Inodes: 426004 - 393236, Sizes: 2373 - 2424, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/webalizer
[Inodes: 426005 - 393237, Sizes: 3880 - 3991, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

WARNING: ["MyDomain.com"] /tmp/backup-config-manifests/webmin
[Inodes: 426006 - 393238, Times: Jun 24 03:00 2009 - Jun 25 03:00 2009]

Thu, 06/25/2009 - 11:35
andreychek

Howdy,

Whether or not you re-set the "noexec" option is up to you -- it's an option a few people set for additional security, but as you're seeing, it can interfere with things. I don't have it set on my system :-)

As for the report you're seeing -- I don't personally track updates in /tmp.

It's pretty common for apps, including Webmin/Virtualmin, to modify files in /tmp, so I'd imagine those are all harmless.

-Eric

Thu, 06/25/2009 - 13:59
marciano

LABEL=/tmp1 /tmp ext3 defaults,nosuid,noexec,nodev 1 2

changed to

LABEL=/tmp1 /tmp ext3 defaults,nosuid,nodev 1 2

mount -o remount,exec /tmp

./install.sh is working hard now!
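Eric's two steps (edit /etc/fstab, then remount) and the fstab line quoted just above are the whole procedure, but editing the options field by hand is where mistakes happen, and the noexec option was there for a reason: a world-writable /tmp that can execute files is a common first stop for web-application exploits. The following is an added example (not from the thread, Virtualmin or CentOS) that switches one option on the /tmp entry of an fstab-style file without touching any other line, so noexec can be dropped for the duration of install.sh and put back afterwards. The file path in the comments is /etc/fstab as in the thread; the sample file in the test is constructed from the quoted line.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Virtualmin): toggle one
# option on a mount point's fstab entry, so "noexec" on /tmp can be removed
# for install.sh and restored afterwards. Operates on any fstab-style file.

# set_mount_option FILE MOUNTPOINT OPTION on|off
# Rewrites FILE in place. Only the 4th (options) field of the line whose 2nd
# field is MOUNTPOINT changes; comments and other entries are left as they are.
set_mount_option() {
    file=$1; mnt=$2; opt=$3; mode=$4
    tmp=$(mktemp) || return 1
    awk -v mnt="$mnt" -v opt="$opt" -v mode="$mode" '
        /^[[:space:]]*#/ || NF < 4 || $2 != mnt { print; next }
        {
            n = split($4, parts, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (parts[i] == opt) continue              # drop any existing copy
                out = out (out == "" ? "" : ",") parts[i]
            }
            if (mode == "on") out = (out == "" ? opt : out "," opt)   # append when enabling
            $4 = out
            print
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps FILE's inode and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# mount_options FILE MOUNTPOINT : the options field currently recorded for MOUNTPOINT.
mount_options() {
    awk -v mnt="$2" '!/^[[:space:]]*#/ && NF >= 4 && $2 == mnt { print $4 }' "$1"
}

# Intended use around the installer (the remount applies the change now,
# the fstab edit keeps it across reboots, as Eric explained):
#   set_mount_option /etc/fstab /tmp noexec off && mount -o remount,exec /tmp
#   ./install.sh
#   set_mount_option /etc/fstab /tmp noexec on  && mount -o remount,noexec /tmp
```

Restoring noexec afterwards is the step most people forget; nosuid and nodev are never touched by the function because the installer only objected to noexec.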

Thu, 06/25/2009 - 16:51
marciano

ps aux is displaying tasks that I guess are from qmail, while it is not running (by Virtualmin default):
/usr/bin/python /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
Is it safe to uninstall qmail? I will not use it. Postfix (your default starting mail server) is OK.
I remember some mail problems with qmail installed even though it was not started.

I have installed apf and bfd for the firewall from www.rfxn.com
This is what I am using in my old server. Here, if I enter in Linux Firewall I see

Webmin has detected 2 IPtables firewall rules currently in use, which are not recorded in the save file /etc/sysconfig/iptables. These rules were probably setup from a script, which this module does not know how to read and edit.
If you want to use this module to manage your IPtables firewall, click the button below to convert the existing rules to a save file, and then disable your existing firewall script.

but I don't see such warning in the new server.
Is there something I have to check or to care about?
Thank you!

Thu, 06/25/2009 - 17:12
andreychek

The processes you're seeing there are actually part of the mailman mailing list software, rather than qmail.

As far as the firewall stuff goes -- I'm not sure I'd worry about it. It's probably not all that important that rules added by apf and bfd get saved so that they survive a reboot. But that's all personal preference ;-)

-Eric

Fri, 06/26/2009 - 13:46
marciano

Good morning all!

I've been comparing network settings and they seem to be okay.
On my registrar I've set ns1.AAAA.com and ns2.AAAA.com nameservers pointing to two IP for this purpose.

At new server I only have Root Zone in Bind while at the old server there are also
Zone 0 (/var/named/named.empty)
$TTL 3H
@ IN SOA @ mail.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @

Zone 0000::1 (/var/named/named.loopback)
$TTL 1D
@ IN SOA @ mail.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
PTR localhost.

and
127.0.0.1 (/var/named/named.loopback)
$TTL 1D
@ IN SOA @ mail.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
PTR localhost.

From Virtualmin I have created the virtual host AAAA.com
and changed/added
AAAA. IN SOA ns.AAAA.com. mail.com. (
ns IN A xxx.81
ns1 IN A xxx.81
ns2 IN A xxx.82

By default this record: @ IN NS AAAA.com.

I've added
AAAA. IN NS ns1.AAAA.com.
AAAA. IN NS ns2.AAAA.com.

I don't know much about networks, I am just copying some previous named files.
I get some errors from intoDNS.com checking AAAA.com

Can you help me please?
Thanks!

Fri, 06/26/2009 - 14:18 (Reply to #29)
andreychek

For future reference, you should probably start a new thread :-)

However, let's see here...

The domain aaaa.com has two nameservers listed at the registrar:

ns1.anything.com ns2.anything.com

Now, using "dig" to resolve that domain name, I see:

dig @ns1.anything.com ns1.anything.com

;; AUTHORITY SECTION:
anything.com.       21600   IN  NS  a.ns.anything.com.
anything.com.       21600   IN  NS  b.ns.anything.com.
anything.com.       21600   IN  NS  ns1.anything.com.
anything.com.       21600   IN  NS  ns2.anything.com.
 
;; ADDITIONAL SECTION:
a.ns.anything.com.  3600    IN  A   66.114.124.147
b.ns.anything.com.  3600    IN  A   66.114.124.148
ns2.anything.com.   21600   IN  A   204.228.229.165

So, it looks like you have a.ns.anything.com and b.ns.anything.com setup as NS records, in addition to ns1.anything.com and ns2.anything.com.

While I don't have a good understanding of your setup there, I'm not sure why you'd need those other two names (the a. and b. addresses) -- you may be able to remove them.

-Eric
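Eric's dig output shows the check worth automating before trusting an intoDNS report: every name the zone lists in NS records that lives inside the zone itself needs an address record, otherwise nothing can reach that nameserver. The block below is an added example (not from the thread, Webmin or BIND); it reads dig-style output and lists NS targets from the AUTHORITY section that have no A or AAAA record in the ADDITIONAL section. The sample output is constructed to have the same shape as the one quoted above, with example.com and RFC 5737 addresses instead of the real names; in it, ns1 has no address while a.ns, b.ns and ns2 do.

```shell
#!/bin/sh
# Added example (not from the forum thread, Webmin or BIND): find nameservers
# that a zone delegates to but provides no address for, from dig output.

# ns_without_glue : reads dig output on stdin. Collects NS targets from the
# AUTHORITY section and A/AAAA owner names from the ADDITIONAL section, then
# prints each NS target that never appeared with an address, sorted.
ns_without_glue() {
    awk '
        /^;; AUTHORITY SECTION:/  { sec = "auth"; next }
        /^;; ADDITIONAL SECTION:/ { sec = "add";  next }
        /^;;/ || NF == 0          { sec = "";     next }     # any other header or blank line
        sec == "auth" && $4 == "NS"                   { ns[$5] = 1 }
        sec == "add"  && ($4 == "A" || $4 == "AAAA")  { glue[$1] = 1 }
        END { for (n in ns) if (!(n in glue)) print n }
    ' | sort
}

# Constructed sample, same layout as a dig answer; not a real capture.
sample_dig() {
    cat <<'EOF'
;; AUTHORITY SECTION:
example.com.        21600   IN  NS  a.ns.example.com.
example.com.        21600   IN  NS  b.ns.example.com.
example.com.        21600   IN  NS  ns1.example.com.
example.com.        21600   IN  NS  ns2.example.com.

;; ADDITIONAL SECTION:
a.ns.example.com.   3600    IN  A   192.0.2.1
b.ns.example.com.   3600    IN  A   192.0.2.2
ns2.example.com.    21600   IN  A   198.51.100.5
EOF
}

# Live use (assumed names):  dig @ns2.example.com example.com NS | ns_without_glue
```

A name printed by this check is only a lead, not a verdict: a server configured for minimal responses can omit ADDITIONAL records it does hold, so confirm with a direct query (dig A ns1.example.com @ns2.example.com) before editing the zone. If that query also comes back empty, the fix is an A record for the nameserver in the zone plus matching glue at the registrar.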

Fri, 06/26/2009 - 14:27 (Reply to #30)
marciano

Okay, let's start a new thread.

Fri, 06/26/2009 - 19:48 (Reply to #31)
marciano

:-)

I was racking my brain trying to understand your post. Sorry, I put AAAA just to hide the real domain name. How can I send you the real name?

What about those three zones? I believe they were created by Virtualmin.

Fri, 06/26/2009 - 21:11 (Reply to #32)
andreychek

Heh, amusingly, I thought that at first... but just to be sure, I went to intodns.com and entered aaaa.com -- and it listed a series of issues that sounded like what you were describing.

So I thought "wow, he's got a short domain name", and started tossing out answers :-)

I guess what that means is that whoever owns aaaa.com should post here so we can fix their DNS issues too!

Anyhow, I'll follow up in the other thread.

-Eric
