Linux + Xen + Webmin: A Cheaper Way To Go VPS: Author: Tony Wang 04/2007
As many websites have outgrown the shared-hosting stage, webmasters want to seek
more advanced hosting services. As dedicated servers are very expensive (the cost
ranges from $80 - $200 USD per month), virtual private servers (VPS's) are a more
economical way to meet their needs for advanced hosting services.
In computing, virtual private servers are a means of splitting a single physical server into multiple virtual servers. Virtual private servers are sometimes called virtual dedicated servers. The practice of partitioning a single server so that it appears as multiple servers was common in the days of mainframe computers, but has seen a resurgence lately with the development of software such as User-mode Linux and Xen.
As you can see from the above definition, a VPS functions just like a dedicated server at a much lower cost. You can also say a VPS is like shared hosting, because a single physical server (real machine) is split into several VPS's.
Linux
Again, based on the definition found on Google, Linux is a free open-source operating system based on Unix. Linux was originally created by Linus Torvalds with the assistance of developers from around the globe. At present, Linux has quite a few different distributions such as Fedora Core/Red Hat, Debian, CentOS and so on. Most of these distributions are freely licensed, which is an important reason why it is cheaper to use Linux compared to Windows. PHP, as a scripting language for dynamic web pages, has an enormous support community and many extensions. MySQL is an open-source, freely available yet full-featured relational database. Running PHP and MySQL on Linux is very cost-efficient, which is why this combination is so popular nowadays.
This tutorial assumes your VPS is pre-installed with a Linux OS by your service provider, so I will not cover how to install Linux on your server. You can always google what you want to know. ;)
Xen
The introduction to Xen below was adapted from a Xen Wikipedia article:
[Copyrights Reserved] Tony Wang http://www.shdol.com/
Xen is a free virtual machine monitor for IA-32, x86-64, IA-64 and PowerPC
architectures. It is software that runs on a host operating system and allows one to run
several guest operating systems on top of the host on the same computer hardware at
the same time. Modified versions of Linux and NetBSD can be used as hosts. Several
modified Unix-like systems may be employed as guest systems; since Xen version 3.0
unmodified versions of Windows and other systems can also be used as guests on
certain hardware.
Xen originated as a research project at the University of Cambridge, led by Ian Pratt,
senior lecturer at Cambridge and founder of XenSource, Inc. This company now
supports the development of the open source project and also sells enterprise versions
of the software. The first public release of Xen was made available in 2003.
Suppose you have a server that runs a Linux operating system and you would like several people to share it as if everyone had a physical server machine. In this situation, you need to virtualize the hardware of your real physical server so that everyone hosted can manage "their own" server. With Xen, you can have multiple operating systems and services running simultaneously. This is how Xen makes VPS possible.
In addition to Xen, Virtuozzo Power Panel (VZPP) and VMware can also virtualize servers. Because of their good support for commercial use, VZPP and VMware are more widely used. However, Xen is licensed under the GPL, which means it is free to use. So why pay for virtualization when there is free software available out there?
Before we talk about Webmin, we would like you to set up some basic things in your Linux (Fedora Core 6 in this example):
1. Install some necessary software packages through YUM that are needed later on:
Log in to your remote server through SSH (PuTTY client) and run these yum lines:
• yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++
• yum install quota
Then create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:
In PuTTY, type:
/etc/init.d/mysqld restart
Then set the password for the MySQL root user; otherwise anybody can access your MySQL database server:
Alternatively, you can wait to install the MySQL database until you have Webmin installed. We will cover this in the Webmin section.
yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel
vi /etc/httpd/conf/httpd.conf
After that, press the Esc key on your keyboard and type ":wq" (without the quotes) in your PuTTY window to save the file and quit.
Start Apache:
/etc/init.d/httpd start
Up to this point, your web server is set up and ready to run PHP + MySQL applications. However, you need something like Webmin to make administering it easier in future.
Webmin
Webmin is a web-based interface for system administration on Unix-like systems (Linux). With Webmin, you can set up system user accounts, the Apache web server, the BIND DNS server, an FTP server, the SSH server, etc. Webmin simplifies system administration for Unix/Linux administrators; otherwise you would have to type command lines to configure Unix/Linux, which is obviously not user-friendly. You can also access your Linux server through SSH/Telnet. PuTTY, an open-source SSH client, can be used to access your remote Linux server from your local computer. PuTTY can be downloaded here.
totally changed at least twice. And more operating systems are supported; the original
was only for Solaris and Linux.
If you have ever used the cPanel or DirectAdmin control panels, you will find Webmin not as straightforward as its counterparts. However, Webmin is the lightest of these three applications.
Webmin - Installation:
1. Log in to your remote VPS (or dedicated server) through SSH as root.
5. Type: cd webmin-1.330
If you did not install MySQL and/or the Apache web server, you can install them very easily by going to Webmin --> Servers. Click the MySQL database or Apache webserver icon, and you will be prompted with a message like this:
The *** server /path/to/the/server could not be found on your system. Maybe it is not installed, or your *** module configuration is incorrect.
All you need to do is click the 'Click here' link to have the particular server installed by YUM. It is just that simple! After installing the server, you can configure it by clicking the server's module icon again. This time you should reach the server configuration page instead of being told that the server is not installed yet. For the Apache and MySQL database servers, there isn't much that needs to be configured as long as the installation is successful. However, when we configure some other Webmin modules (e.g. the Postfix mail server, virtual servers, etc.), we will need to come back and do some configuration in Apache/MySQL. But don't worry about that now; let's keep moving.
Sendmail and Postfix are both message transfer agents (MTAs). An MTA is a program responsible for receiving, routing and delivering e-mail. MTAs receive e-mail messages and recipient addresses from local users and remote hosts; perform alias creation and forwarding functions; and deliver messages to their destinations. The most obvious difference between these two MTAs is the architecture of their design. Postfix uses a modular approach and is composed of multiple independent executables. Sendmail has a more monolithic design utilizing a single always-running daemon. Sendmail and Postfix each have large installed bases and perform well for businesses of many sizes. They are direct replacements for each other. Some will claim that one or the other is more secure, faster or easier to administer. There is a wealth of good information available online to enable you to dig deeper into these claims.
Although there is a pre-built Sendmail module in Webmin, we won't use Sendmail as our mail server but Postfix instead. Why are we doing this? There is really no reason for that, just personal preference ;). In addition to Postfix, we will choose Dovecot as our POP3/IMAP server. Next, we will talk about how to install and configure Postfix & Dovecot. You will need to open your PuTTY SSH/Telnet client again and connect to your remote server.
Install Postfix:
Run the following command line to install Postfix, Dovecot and peripheral applications:
To store your mail account information, you need to set up a corresponding database for Postfix. Run the following command line in your PuTTY window to create a database called 'mail':
On the MySQL shell, we create the user mail_admin with the password admin@ (replace it with your own password), who has SELECT, INSERT, UPDATE and DELETE privileges on the mail database. This user will be used by Postfix and Dovecot to connect to the mail database:
FLUSH PRIVILEGES;
Staying on the MySQL shell, we create the database tables that both Postfix and Dovecot use. Run the commands below:
USE mail;
quit;
Configure Postfix:
So far, Postfix has been installed successfully. However, we need to tell Postfix where it can find all the information in the database. Therefore we have to create six text files, in which I will tell Postfix to connect to MySQL on the IP address 127.0.0.1 instead of localhost. This is because Postfix is running in a chroot jail and does not have access to the MySQL socket, which it would try to connect to if I told Postfix to use localhost. If I use 127.0.0.1, Postfix uses TCP networking to connect to MySQL, which is no problem even in a chroot jail (the alternative would be to move the MySQL socket into the chroot jail, which causes some other problems).
vi /etc/postfix/mysql-virtual_domains.cf
user = mail_admin
password = admin@
dbname = mail
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = 127.0.0.1
vi /etc/postfix/mysql-virtual_forwardings.cf
user = mail_admin
password = admin@
dbname = mail
query = SELECT destination FROM forwardings WHERE source='%s'
hosts = 127.0.0.1
vi /etc/postfix/mysql-virtual_mailboxes.cf
user = mail_admin
password = admin@
dbname = mail
query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'
hosts = 127.0.0.1
vi /etc/postfix/mysql-virtual_email2email.cf
user = mail_admin
password = admin@
dbname = mail
query = SELECT email FROM users WHERE email='%s'
hosts = 127.0.0.1
vi /etc/postfix/mysql-virtual_transports.cf
user = mail_admin
password = admin@
dbname = mail
query = SELECT transport FROM transport WHERE domain='%s'
hosts = 127.0.0.1
vi /etc/postfix/mysql-virtual_mailbox_limit_maps.cf
user = mail_admin
password = admin@
dbname = mail
query = SELECT quota FROM users WHERE email='%s'
hosts = 127.0.0.1
chmod o= /etc/postfix/mysql-virtual_*.cf
chgrp postfix /etc/postfix/mysql-virtual_*.cf
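The six map files above share one format and two pitfalls: they hold the MySQL password, so they must not be world-readable, and they must reach MySQL over TCP (127.0.0.1) from inside the chroot. The following script is an added example, not part of the tutorial, that parses that format and flags both mistakes; the sample files, file names and the demo() helper are constructed here.

```python
# Audit Postfix mysql: lookup-table files such as mysql-virtual_*.cf. Added
# example, not from the tutorial; the sample files below are constructed.
import pathlib
import stat
import tempfile
REQUIRED_KEYS = ("user", "password", "dbname", "query", "hosts")

def parse_cf(text):
    """Parse Postfix 'key = value' table lines into a dict, ignoring comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        cfg[key.strip()] = value.strip()
    return cfg

def check_cf(text, mode=None):
    """Return a list of problems; an empty list means the file looks right."""
    cfg = parse_cf(text)
    problems = ["missing key: " + k for k in REQUIRED_KEYS if k not in cfg]
    hosts = cfg.get("hosts", "")
    # smtpd runs in a chroot jail: 'localhost' makes the MySQL client use the
    # UNIX socket, which lives outside the jail, so the tutorial uses 127.0.0.1.
    if hosts in ("", "localhost") or hosts.startswith("unix:"):
        problems.append("hosts=%r would use the MySQL socket; use 127.0.0.1" % hosts)
    if "%s" not in cfg.get("query", ""):
        problems.append("query lacks the %s placeholder for the looked-up key")
    # The files carry the database password: 'chmod o=' clears the other bits.
    if mode is not None and mode & stat.S_IRWXO:
        problems.append("world-accessible (mode %o); run chmod o= on it" % (mode & 0o777))
    return problems

def audit_file(path):
    """Read a .cf file from disk and check its content and permission bits."""
    path = pathlib.Path(path)
    return check_cf(path.read_text(), path.stat().st_mode)

# Constructed samples: GOOD_CF mirrors mysql-virtual_domains.cf from the text,
# BAD_CF shows the two mistakes the text warns against.
GOOD_CF = """user = mail_admin
password = admin@
dbname = mail
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = 127.0.0.1
"""
BAD_CF = """user = mail_admin
password = admin@
dbname = mail
query = SELECT domain AS virtual FROM domains
hosts = localhost
"""

def demo():
    """Write both samples with the modes the tutorial does and does not set."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = pathlib.Path(tmp, "good.cf"), pathlib.Path(tmp, "bad.cf")
        for path, text, mode in ((good, GOOD_CF, 0o640), (bad, BAD_CF, 0o644)):
            path.write_text(text)
            path.chmod(mode)
        return audit_file(good), audit_file(bad)
```

Running audit_file over /etc/postfix/mysql-virtual_*.cf after the chmod/chgrp step above should return an empty list for every file.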
Now we create a user and group called vmail with the home directory /home/vmail. This is where all mailboxes will be stored.
<-- Enter your Country Name (e.g., "DE").
<-- Enter your State or Province Name.
<-- Enter your City.
<-- Enter your Organization Name (e.g., the name of your company).
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, your name or your server's hostname) []:server1.test.com
<-- Enter your Email Address.
Then change the permissions of the smtpd.key:
chmod o= /etc/postfix/smtpd.key
Test Postfix:
ehlo localhost
250-server1.test.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
ctrl+]
That's pretty much about Postfix configuration. If you encounter any problem, you can
google it. Good luck!
We will move on to the ProFTPd server. With a ProFTPd server, you can connect to your virtual server with any FTP client (e.g. CuteFTP Pro) and upload your website files/directories.
To install the ProFTPd server, type the following command in your PuTTY window after you log in to the server as root:
To make the ProFTPd server start automatically when you reboot the server, type the following command in PuTTY:
Alternatively, you can click the 'ProFTPd' server icon in Webmin if you don't want to install it from the command line; Webmin will offer to install it for you, which is more straightforward and easier.
BIND (Berkeley Internet Name Domain, previously: Berkeley Internet Name Daemon) is the most commonly used DNS server on the Internet, especially on Linux/Unix systems. If you want to know more about BIND DNS, I suggest you go here http://www.swelltech.com/support/webminguide-1.0/ch08.html to read more about it. The BIND DNS server installation is very easy: just click the 'BIND DNS' icon in your Webmin and you will be given a guide to install it.
Once you create a virtual server in your Virtualmin, a master zone with the same name as your domain will be created automatically in your BIND DNS server. If you want to customize and use your own nameservers (i.e. ns1.yourdomain.com and ns2.yourdomain.com), you will need to click the automatically created master zone and add 'A' address records, 'NS' name server records, 'CNAME' name alias records and 'MX' mail server records.
Create an 'A' record (this sets the IP address for a domain). E.g. enter a 'Name' of "yourdomain.com." (include the trailing period, without the quotes) and set your IP address.
Create an 'NS' record; this will be the name server for the domain. E.g. enter a "Zone Name" of "yourdomain.com." (include the trailing period, without the quotes) and set the "Name Server", for example to "ns1.yourdomain.com.". Add another record for ns2.yourdomain.com. You will need to define ns1.yourdomain.com and ns2.yourdomain.com (via CNAME or 'A' address records).
Create a name alias ('CNAME' record). This creates a "Name" that resolves to a different domain. For example, enter a "Name" of "www" (or "www.yourdomain.com.") and a "Real Name" like "yourdomain.com."
First, create a mail.yourdomain.com 'A' address record. Then create a mail server ('MX') record. Use a "Name" of "yourdomain.com." and set the 'Mail Server' field to mail.yourdomain.com. Set a priority; 1 will do. (If you have multiple mail servers, the available mail server with the lowest priority value is used.)
Congratulations, your VPS is set up and ready for use now. If you want to secure and optimize it, I suggest you read this thread on Webhostingtalk.com:
http://www.webhostingtalk.com/showthread.php?t=468168
Here's a quick abstract for securing your VPS, if you don't have time to read that long thread:
Want to harden the security on your server? The first thing you should do is shut down
any public services that you don't need.
To see the ports on which you are accepting connections (sshd, http, ftp, etc) , run
"netstat -l" (-l for ports that are listening).
You should be interested in both which ports are open and on which addresses your server is listening. E.g. listening on the localhost address is usually pretty harmless, but you'd want to make sure that anything listening on a public (or *) IP address is supposed to be publicly accessible.
If you see a port number that you don't recognise, run lsof | grep theportnumber. This will tell you the process listening on this port.
The xinetd daemon controls a number of services (like FTP, POP3, et al.). If you don't want them running, a) shut down xinetd or b) disable that service by editing the appropriate file in /etc/xinetd.d/ and setting "disable = yes".
Tip: To quickly find enabled services, run: grep -i disable /etc/xinetd.d/* | grep -i no
NMap
Securing Your Server: Setting up a Linux Firewall Using IPTables and Webmin
A firewall prevents all network access to your server (with certain exceptions that you will
specify).
You can configure a firewall on your VPS using the Webmin control panel. The iptables
command will actually implement the firewall rules.
Before you decide to set up a firewall, please consider... 1) Misconfiguring a firewall can
prevent you from accessing your own server. 2) The best way to prevent someone from
accessing services on your VPS is to simply not run those services. 3) Firewalls don't
protect you from insecure services. So keep your server up to date with the latest
security patches. For example, using apt-get update; apt-get upgrade.
Note: A few people with multiple IPs have reported that this HOWTO does not work for them, so we recommend following this HOWTO on servers with a single IP only.
Discouraged yet? If you still want to proceed setting up a firewall, here goes...
Go to your Webmin control panel. Select Networking | Linux Firewall. Webmin will offer
to create default rules for you. Select the "Block all except SSH, IDENT, ping and high
ports on interface" option. You don't need to enter anything in the input to the right of the
"eth0" combo.
On the resulting page there will be an option "If protocol is TCP and destination port is
ssh". Select that option. On the Edit Rule page, go down to the "Destination TCP or UDP
port" option. Change the option from equalling "ssh" to equalling
"ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000". Add in whatever other ports you
need, or remove ports you want to exclude. Hit Save.
Click 'Add Rule'. For Rule Comment set "Allow traceroutes". Action to Take is 'Accept'.
Set Network Protocol 'Equals' 'UDP'. Set Destination TCP or UDP port 'Equals' 'Port
Range' '33434' to '33523'.
On your VPS you should now be able to run iptables --list and get a list of all your iptable
rules. You can remove all the rules by stopping iptables: /etc/init.d/iptables stop. You can
also stop the iptables service from running at startup by running chkconfig --del iptables.
Or you can remove the iptables rules by running echo "" > /etc/sysconfig/iptables
When you're done, you will have an /etc/sysconfig/iptables file like this:
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*mangle
:PREROUTING ACCEPT [353:47034]
:INPUT ACCEPT [353:47034]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [323:141426]
:POSTROUTING ACCEPT [323:141426]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Protect our NFS server
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
# Protect our X11 display server
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
# Protect our X font server
Be careful when configuring the Linux firewall, as a misconfigured firewall can block all traffic and prevent you from accessing the server. In case you are locked out by the Linux firewall, you can ask your system administrator to reset the firewall for you. Once, I misconfigured the firewall, which stopped my name servers working. The protocol for a nameserver is UDP, not TCP, and nameservers use the default port 53. To prevent malicious connections to your SSH server, I suggest you change the default port 22 to some unused port number like 4545 or anything you please.
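To see why a ruleset like the one above silently breaks a nameserver before you lock yourself out, this added example (not part of the tutorial or the thread it quotes) parses an iptables-save filter table and predicts the INPUT chain's verdict for the first packet of a new inbound connection. RULESET is constructed from the table shown above, trimmed to its TCP/UDP rules, and the service-name-to-port table is an assumption standing in for /etc/services.

```python
# Predict the INPUT verdict for a new inbound packet. Added example, not from
# the tutorial; RULESET is constructed from the filter table shown above.
import shlex
SERVICES = {"ssh": 22, "smtp": 25, "www": 80, "auth": 113, "pop3": 110,
            "imap": 143, "https": 443, "imaps": 993, "pop3s": 995}
RULESET = """*filter
:INPUT DROP [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
COMMIT
"""

def port_matches(spec, port):
    """spec is a port, a service name, a range 'lo:hi' or a multiport list."""
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo = int(SERVICES.get(lo, lo))
        hi = int(SERVICES.get(hi, hi)) if hi else lo
        if lo <= port <= hi:
            return True
    return False

def parse_filter(text):
    """Return the INPUT policy and the INPUT rules of the *filter table."""
    policy, rules, in_filter = "ACCEPT", [], False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":INPUT"):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A INPUT"):
            rules.append(shlex.split(line)[2:])
    return policy, rules

def rule_matches(tokens, proto, dport, iface, sport):
    """Does one rule match the first packet of a new inbound connection?"""
    i = 0
    while i < len(tokens):
        opt, arg = tokens[i], tokens[i + 1]
        if opt == "!":                       # only '! -i IFACE' occurs above
            if tokens[i + 2] == iface:
                return False
            i += 3
            continue
        ok = ((opt != "-p" or arg == proto)
              and (opt not in ("--dport", "--dports") or port_matches(arg, dport))
              and (opt != "--sport" or (sport is not None and port_matches(arg, sport)))
              and opt not in ("--state", "--tcp-flags"))  # never fit a new flow
        if not ok:
            return False
        i += 2
    return True

def verdict(text, proto, dport, iface="eth0", sport=None):
    """First matching rule wins; otherwise the chain policy applies."""
    policy, rules = parse_filter(text)
    for tokens in rules:
        if rule_matches(tokens, proto, dport, iface, sport):
            return tokens[tokens.index("-j") + 1]
    return policy
```

verdict(RULESET, "udp", 53) returns DROP: an inbound DNS query matches no ACCEPT rule and falls through to the chain policy, which is exactly the nameserver failure described above, while verdict(RULESET, "tcp", 22) returns ACCEPT via the multiport rule.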
Disclaimer:
This tutorial is aimed to help you get an idea about how to set up a VPS and is not 100%
accurate. I take no responsibility for any misconfiguration, loss or damage of your server.
I wish you best of luck!!!