Postfix on bare CentOS install

Starting from scratch with a new CentOS 7 Linode, I found that iptables is set by default to block (although not reject) packets to the IMAP and POP3 services.

Rackspace has a good primer on setting up Dovecot that includes these instructions, but here's the short answer:

sudo iptables -I INPUT 2 -p tcp --dport 587 -j ACCEPT
sudo iptables -I INPUT 3 -p tcp --dport 110 -j ACCEPT
sudo iptables -I INPUT 4 -p tcp --dport 143 -j ACCEPT
sudo iptables -I INPUT 5 -p tcp --dport 993 -j ACCEPT
sudo iptables -I INPUT 6 -p tcp --dport 995 -j ACCEPT
sudo /etc/init.d/iptables save
sudo /etc/init.d/iptables restart

That adds a rule to accept the IMAP and POP ports, both the regular and SSL versions. Then we save the chain table and restart iptables. Now you should be able to get in:

$ telnet myhost.wlindley.com imap
Trying myhost.wlindley.com...
Connected to myhost.wlindley.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
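The commands above use -I with an index rather than appending because iptables stops at the first matching rule, so an ACCEPT placed after the chain's catch-all REJECT never fires. The following check is an added example, not part of the original post; the helper name first_verdict and the sample rule listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of "iptables -S INPUT" output (not from a real host).
# 587, 110 and 143 were inserted near the top; 993 was appended with -A.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT'

# first_verdict RULES PORT (hypothetical helper)
# Walks the INPUT rules in order and prints the target of the first rule
# that decides a new TCP connection to PORT: either an explicit rule for
# that port or a catch-all rule with no match conditions. Falls back to
# the chain policy. Simplified: ignores source, interface and multiport
# matches.
first_verdict() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            dport = ""; target = ""; tcp = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") { target = $(i + 1); break }
            }
            catchall = ($3 == "-j")   # no conditions before the target
            if ((catchall || (tcp && dport == port)) &&
                target ~ /^(ACCEPT|DROP|REJECT)$/) {
                print target; found = 1; exit
            }
        }
        END { if (!found) print "POLICY:" policy }'
}

# Report each port opened in the post against the sample listing.
for p in 587 110 143 993 995; do
    printf '%s -> %s\n' "$p" "$(first_verdict "$SAMPLE_RULES" "$p")"
done
```

On a live host, feed it the real listing with first_verdict "$(sudo iptables -S INPUT)" 993.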

Setting up Asterisk VOIP on a Linode with Debian

Asterisk is an open-source telephone solution that runs over the internet instead of running through copper lines. It offers a variety of features such as voicemail and conference calling, much like a land line telephone can.

For this guide we will install Asterisk from source rather than from Ubuntu's repositories. The newer version offers several additional features, including the ability to integrate a Google Voice account as a trunk. We will use FreePBX as a web interface for our Asterisk configuration.

Read the rest of the story on Linode's site

I used Debian 7.5 instead of Ubuntu. When I got to the section where it said to:

apt-get install linux-virtual

I actually had to follow the instructions here to get the local kernel matching the dahdi_dummy kernel module.

I also had to install the correct kernel source, from the hint here, before the make commands would work:

apt-get install linux-headers-`uname -r`

The php5-suhosin package does not exist in the stable repository, so I had to omit that from the php apt-get line.

By default, Debian has the Apache document root at /var/www; we want to change that to /var/www/html. The VirtualHost directive is in file /etc/apache2/sites-available/default − change the appropriate lines:

…
        DocumentRoot /var/www/html
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/html/>
…

To be able to install the Google Voice module, I had to:

# su - asterisk 
$ cd /var/www/html/admin/modules/
$ mkdir _cache

Virtualmin and Quotas

Loaded Virtualmin onto a Linode running CentOS 6. Ran into some errors when trying to add a domain:

Failed to create virtual server :
setquota: Cannot stat() mounted device /dev/root: No such file or directory
setquota: Mountpoint (or device) / not found or has no quota enabled.
setquota: Not all specified mountpoints are using quota.

And indeed, from a root prompt:

# quotaon -p -a
quotaon: Cannot stat() mounted device /dev/root: No such file or directory
group quota on /home (/dev/xvdc) is off
user quota on /home (/dev/xvdc) is off

Hmm, yep, that's the same error. This thread on Virtualmin's forum was a big clue, here's the first step to resolution:

# mount
...
/dev/xvda on / type ext3 (rw,noatime,grpquota,errors=remount-ro,usrquota)
...

Right, so our root / partition is indeed on /dev/xvda so we can create the missing symbolic link:

# ln -s /dev/xvda /dev/root
# quotaon -a
quotaon: cannot find /home/aquota.group on /dev/xvdc [/home]
quotaon: cannot find /home/aquota.user on /dev/xvdc [/home]
#

Good, no error message. But things are still not working yet:

# quotaon /home
quotaon: cannot find /home/aquota.group on /dev/xvdc [/home]
quotaon: cannot find /home/aquota.user on /dev/xvdc [/home]

Before proceeding, in /etc/fstab please be sure "usrquota" and "grpquota" are in the options line:

/dev/xvdc  /home  ext3  grpquota,errors=remount-ro,usrquota,grpquota,noatime,rw  0  1

Now, instead of going through a dozen cryptic commands, go back to Webmin (if Virtualmin is up, click Webmin on the top line). Open the System tab and then Disk Quotas. You should see the /home partition listed, and it probably says that quotas are not active. Simply hit "Enable Quotas" and the display should change to:

| Filesystem | Type | Mounted From | Status | Action |
|---|---|---|---|---|
| /home (users) /home (groups) | Linux Native Filesystem | Xen device C | User and Group Quotas Active | Disable Quotas |

...Done!

Virtualmin Configuration and Tuning

Upon first installing Virtualmin, you will need to set a few configuration parameters:

We will be disabling root login to webmin / virtualmin. Start by creating an administration group:

The default should be to use Unix authentication for the Webmin users. That means, resetting your Unix password will update your Webmin login as well.

Log out of Webmin and then back in with your username. Go back to Webmin Users and click on the 'root' user in the list of users. Set the password to "No password accepted" and voilà, your Webmin is now a little more secure.

Disabling Unused Cronjobs

CentOS in particular puts unwanted tasks in the cron entries. They do not appear in the 'crontab' proper but in /etc/cron.daily and /etc/cron.hourly. Rename these files to be their hidden dotfile equivalents:

cron.daily/.00webalizer
cron.daily/.freshclam
cron.daily/.makewhatis.cron
cron.hourly/.awstats

Otherwise, awstats will run every hour for every domain, regardless of the settings you make in Virtualmin. I also disabled 'makewhatis', 'webalizer' and 'freshclam', as I am not using them.

Virtualmin and Centos 6 on a Linode

Ready to move your hosted websites to a new Virtualmin + LAMP (Linux/Apache/MySQL/Perl-PHP) server on a Linode? Here are the steps to get everything working smoothly with a minimum of hassle:

Initial Preparation

First, starting with a freshly provisioned CentOS install, ssh into the root account. Let's see what we actually have for a distribution:

$ cat /etc/issue
CentOS Linux release 6.0 (Final)
Kernel \r on an \m

Next, create regular user accounts for the administrators, and disable direct root login. We will place these administrators into the 'wheel' group so they can sudo, and also create a developer group:

# groupadd devel
# useradd -c "Winston Smith" -g devel --groups wheel -m -s /bin/bash wsmith

Use the visudo command to edit the /etc/sudoers file, removing the leading # to un-comment this line:

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

Now, set a password for yourself:

# passwd wsmith

Then log out, and ssh back in as wsmith.

If you haven't read the Linode Security Basics article, now's a good time. At the very least, disable root logins by editing the /etc/ssh/sshd_config file to modify the PermitRootLogin option as follows:

PermitRootLogin no

Then restart ssh:

$ sudo service sshd restart
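When making the PermitRootLogin edit above, note that sshd uses the first value it finds for each keyword, so appending "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing, and a Match block can still set its own value. The following check is an added example, not part of the original article; the helper name permit_root_login and the three sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Constructed sshd_config samples (not from a real host).
APPENDED='Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no'

EDITED='Port 22
PermitRootLogin no
PasswordAuthentication yes'

WITH_MATCH='PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin yes'

# permit_root_login CONFIG_TEXT (hypothetical helper)
# Prints the first global PermitRootLogin value (the one sshd applies)
# and the first value set inside any Match block, which overrides the
# global value for matching connections. Keywords are case-insensitive;
# keyword and value may be separated by whitespace or "=".
permit_root_login() {
    printf '%s\n' "$1" | awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            split($0, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") { in_match = 1; next }
            if (key != "permitrootlogin") next
            if (in_match) { if (override == "") override = f[2] }
            else if (global == "") global = f[2]
        }
        END {
            printf "global=%s match=%s\n",
                (global == "" ? "unset" : global),
                (override == "" ? "none" : override)
        }'
}

permit_root_login "$APPENDED"     # the appended "no" is ignored
permit_root_login "$EDITED"
permit_root_login "$WITH_MATCH"
```

On the live host, sudo sshd -t validates the file before the restart, which avoids locking yourself out with a syntax error.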

I also recommend fail2ban, which should reduce the clutter and risk of repeated ssh attacks:

$ sudo yum install fail2ban
$ sudo chkconfig --level 23 fail2ban on
$ sudo service fail2ban start

Next, edit /etc/sysconfig/network and change the hostname. If there is no HOSTNAME line, add one with your desired machine name in your domain; it should look like:

HOSTNAME=linode1.example.com

That file is read at boot, so you might also want to set the hostname for the current session:

$ sudo hostname linode1.example.com

Be sure that your DNS server has an A Record with that exact name, pointing to your new server.

Install Updates before Virtualmin

Now we will update the base system:

$ sudo yum update

We haven't installed PHP and MySQL yet, but let's see what versions will be installed from our currently selected repositories:

$ yum search php
Loaded plugins: fastestmirror
============================================ Matched: php ============================================
php.i686 : PHP scripting language for creating dynamic web sites
php-bcmath.i686 : A module for PHP applications for using the bcmath library
php-cli.i686 : Command-line interface for PHP
php-common.i686 : Common files for PHP
...
$ yum list php mysql
Loaded plugins: fastestmirror
Available Packages
mysql.i686             5.1.52-1.el6_0.1    updates
php.i686               5.3.2-6.el6_0.1     updates

OK, well that's not the latest, but CentOS assures us (as of mid-October 2011) that CentOS 6.1 will have updates. In the meantime, the folks at CentOS recommend the use of the Continuous Release (CR) repository; see this article.

$ sudo yum install centos-release-cr
$ sudo yum update

That installed, on my system, 144 new and updated packages. Now let's see what that will do for us in terms of PHP and MySQL:

$ yum list php mysql
Loaded plugins: fastestmirror
...
Available Packages
mysql.i686              5.1.52-1.el6_0.1   updates
php.i686                5.3.3-3.el6        cr

Ah, a nice fresh version of PHP. Before going much further, I find it convenient to also install the console version of emacs for editing, and the 'screen' package for multi-virtual-screen remote administration:

$ sudo yum install emacs-nox screen

Load Virtualmin

Download the install.sh script from http://www.virtualmin.com/download.html into /usr/src ... and then execute it:

$ sudo bash
# cd /usr/src
# wget http://software.virtualmin.com/gpl/scripts/install.sh
# sh install.sh

That may take some time indeed! Eventually you should see:

INFO - Updating SpamAssassin rules...
INFO - Rule updates done
[root@linode1 src]#

Once it completes, log in, as root, to your new Virtualmin configuration at your Linode's address, https://linode1.example.com:10000, and then read the next part of this article.

Useful Tools

sudo yum install emacs-nox screen

For PHP with Graphics support

sudo yum install gd php-gd ImageMagick ImageMagick-devel php-devel httpd-devel
sudo pecl install imagick
(and, as root) echo "extension=imagick.so" > /etc/php.d/imagick.ini
sudo apachectl graceful

The php-devel module is required for loading ImageMagick into PHP; without it, you will get phpize: command not found. Note that the pecl command above actually compiles some code, so you need the gcc compilers and the various development modules.

Webmin and fail2ban

If you ever use Webmin to edit your firewall rules, you should be sure to do this last step. It's also handy if you lock yourself out of your secure shell, to be able to do a one-time reset of fail2ban's rules from the webmin interface.

Log in to Webmin. Under Networking, on the “Linux Firewall” main page, click Module Config in the upper-left of the pane. On the configuration page, in the “Configurable options” section, look for the line “Command to run after applying configuration.” Click the button next to the text box on that line, enter “service fail2ban restart” in the text box, and then click the Save button at the bottom of the page. Now, whenever you click “Apply Configuration” on the Firewall rule page, it will automatically restart fail2ban.