Tecnologias da Informação
The Perfect Server – Debian 11 + ISPConfig

The Perfect Server – Debian 11 + ISPConfig

This tutorial shows how to install a Debian 11 – ….. – minimal server in detail with many screenshots. The purpose of this guide is to provide a minimal setup that can be used as the basis for our other Debian 10 tutorials here at howtoforge.com.

1 Requirements

To install a Debian 11 server system you will need the following:

The Debian Download links change regularly. If the above links do not work anymore, then go here to fetch the latest Debian netinst image: https://www.debian.org/distrib/netinst or from https://cdimage.debian.org/mirror/cdimage/

3 The Debian Base System

Login with username “root” and the root password that you have chosen during installation. When you log in by SSH, then use the username “administrator” as the root user is disabled for remote logins. Then run the command “su -“:

su -

To become root user.

4 Install The SSH Server (Optional)

If you did not install the OpenSSH server during the system installation, you could do it now:

apt-get -y install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian server and follow the remaining steps from this tutorial.

5 Configure The Network

You can get your current IP address with the command:

ip addr

By default, some network tools are not available. Install the package with:

apt-get install net-tools

Because the Debian installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100) (please note that I replace allow-hotplug ens33 with auto ens33; otherwise restarting the network doesn’t work, and we’d have to reboot the whole system):

nano /etc/network/interfaces

The interfaces file with DHCP enabled as created by the apt installer:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens33
iface ens33 inet dhcp
# This is an autoconfigured IPv6 interface
iface ens33 inet6 auto

And here the edited interfaces file with the static IP 192.168.0.100 configured.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens33
iface ens33 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

# This is an autoconfigured IPv6 interface
iface ens33 inet6 auto

Then restart your network:

systemctl restart networking

Then edit /etc/hosts. Make it look like this:

nano /etc/hosts
127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now edit the hostname in case you did not select the final hostname in the installer

nano /etc/hostname

The /etc/hostname file contains the hostname without the domain part, so in our case just “server1”.

Then reboot the server to apply the hostname change:

systemctl reboot

After you logged in again, run:

hostname
hostname -f

To verify that the new hostname is set correctly. The output should be:

root@server1:/home/administrator# hostname
server1
root@server1:/home/administrator# hostname -f
server1.example.com
root@server1:/home/administrator#

6 Update Your Debian Installation

First, make sure that your /etc/apt/sources.list contains the buster/updates repository (this makes sure you always get the newest updates), and that the contrib and non-free repositories are enabled.

nano /etc/apt/sources.list
deb http://deb.debian.org/debian/ buster main contrib non-free
deb-src http://deb.debian.org/debian/ buster main contrib non-free

deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb-src http://security.debian.org/debian-security buster/updates main contrib non-free

Run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any).

7. Run the autoinstaller

We can now run the auto-installer. The basic setup contains the following software packages (plus their dependencies of course): Apache2, PHP (versions 5.6 – 8.0), MariaDB, Postfix, Dovecot, Rspamd, BIND, Jailkit, Roundcube, PHPMyAdmin, Mailman, Webalizer, AWStats and GoAccess. You can easily choose not to use certain functions or install extra services by passing arguments to the installer. You can view all arguments with:

wget -O - https://get.ispconfig.org | sh -s -- --help

You can now run the script with arguments. For example, if you want a normal install with a port range for Passive FTP + unattended-upgrades, run:

wget -O - https://get.ispconfig.org | sh -s -- --use-ftp-ports=40110-40210 --unattended-upgrades

After some time, you will see:

WARNING! This script will reconfigure your complete server!
It should be run on a freshly installed server and all current configuration that you have done will most likely be lost!
Type 'yes' if you really want to continue:

Answer “yes” and hit enter. The installer will now start.

When the installer is finished it will show you the ISPConfig admin and MySQL root password like this:

[INFO] Your ISPConfig admin password is: 5GvfSSSYsdfdYC
[INFO] Your MySQL root password is: kkAkft82d!kafMwqxdtYs

Make sure you write this information down, as you will need them later.

8. Setting up the firewall

The last thing to do is to set up our firewall.

Log in to the ISPConfig UI, and go to System -> Firewall. Then click “Add new firewall record”.

For a normal setup, it would look like this:

TCP:

20,21,22,25,80,443,40110:40210,110,143,465,587,993,995,53,8080,8081

UDP:

53

The necessary ports for every service are:

Web: 20, 21, 22, 80, 443 and 40110:40210 (All TCP, no UDP)

Mail: 25, 110, 143, 465, 587, 993, and 995 (All TCP, no UDP)

DNS: 53 (TCP and UDP)

Panel: 8080 and 8081 (All TCP, no UDP)

Your server is now set up and ready for use. You can log in at https://server1.example.com:8080

9. Advanced Options

The auto-installer has various command-line options to fine-tune the setup. You can e.g. choose between Apache and Nginx webserver and which services shall be installed on the system. The command-line arguments are:

Usage: ispc3-ai.sh [] [...]

This script automatically installs all needed packages for an ISPConfig 3 setup using the guidelines from the "Perfect Server Setup" howtos on www.howtoforge.com.

Possible arguments are:
    --help          Show this help page
    --debug         Enable verbose logging (logs each command with the exit code)
    --channel       Choose the channel to use for ISPConfig. --channel=<stable|dev>
                    "stable" is the latest ISPConfig release available on www.ispconfig.org
                    "dev" is the latest stable-branch from the ISPConfig git repository: https://git.ispconfig.org/ispconfig/ispconfig3/tree/stable-3.1
                    -> The dev channel might contain bugs and less-tested features and should only be used in production by very experienced users.
    --lang          Use language for ISPConfig installation. Specify with --lang=en|de (only en (English) and de (German) supported currently).
    --interactive   Don't install ISPConfig in non-interactive mode. This is needed if you want to use expert mode, e. g. to install a slave server that shall be integrated into an existing
                    multiserver setup.
    --use-nginx     Use nginx webserver instead of apache2
    --use-amavis    Use amavis instead of rspamd for mail filtering
    --use-unbound   Use unbound instead of bind9 for local resolving. Only allowed if --no-dns is set.
    --use-php       Use specific PHP versions, comma separated, instead of installing multiple PHP, e.g. --use-php=7.4,8.0 (5.6, 7.0, 7.1, 7.2, 7.3, 7.4 and 8.0 available).
                    --use-php=system disables the sury repository and just installs the system's default PHP version.
                    ommiting the argument (use all versions)
    --use-ftp-ports This option sets the passive port range for pure-ftpd. You have to specify the port range separated by hyphen, e. g. --use-ftp-ports=40110-40210.
                    If not provided the passive port range will not be configured.
    --use-certbot   Use Certbot instead of acme.sh for issuing Let's Encrypt certificates. Not adviced unless you are migrating from a old server that uses Certbot.
    --no-web        Do not use ISPConfig on this server to manage webserver setting and don't install nginx/apache or pureftpd. This will also prevent installing an ISPConfig UI and implies
                    --no-roundcube as well as --no-pma
    --no-mail       Do not use ISPConfig on this server to manage mailserver settings. This will install postfix for sending system mails, but not dovecot and not configure any settings for
                    ISPConfig mail. It implies --no-mailman.
    --no-dns        Do not use ISPConfig on this server to manage DNS entries. Bind will be installed for local DNS caching / resolving only.
    --no-local-dns  Do not install local DNS caching / resolving via bind.
    --no-firewall   Do not install ufw and tell ISPConfig to not manage firewall settings on this server.
    --no-roundcube  Do not install roundcube webmail.
    --roundcube     Install Roundcube even when --no-mail is used. Manual configuration of Roundcube config is needed.
    --no-pma        Do not install PHPMyAdmin on this server.
    --no-mailman    Do not install Mailman mailing list manager.
    --no-quota      Disable file system quota
    --no-ntp        Disable NTP setup
    --unattended-upgrades
                    Install UnattendedUpgrades. You can add extra arguments for automatic cleanup and automatic reboots when necessary with --unattended-upgrades=autoclean,reboot (or only
                    one of them).
    --i-know-what-i-am-doing
                    Prevent the autoinstaller to ask for confirmation before continuing to reconfigure the server.

For example, to install a ‘Perfect Server’ like setup with Nginx instead of Apache, use this command:

wget -O - https://get.ispconfig.org | sh -s -- --use-nginx --use-ftp-ports=40110-40210 --unattended-upgrades

Or to install an Nginx web server without Email and DNS services:

wget -O - https://get.ispconfig.org | sh -s -- --use-nginx --no-dns --no-mail --use-ftp-ports=40110-40210 --unattended-upgrades

10. Finalizing

Your setup is now done!

You can support ISPConfig by purchasing our manual: https://www.ispconfig.org/documentation/

The followings links are some useful tutorials/pointers for further setup: