This tutorial shows you how to install and configure the ISPConfig control panel on Ubuntu 18.04 and CentOS 7.
Here are the steps you need to follow to install ISPConfig 3:
- Introduction to the ISPConfig
- Prerequisite
- Setup the FQDN (Fully Qualified Domain Name)
- Install and configure required apps and scripts, such as web server, php, mail server, database etc
Introduction to ISPConfig
ISPConfig is a web-based hosting control panel that is fast, secure and has all the features needed to manage every aspect of web hosting. It is licensed under the BSD license and developed by the company ISPConfig UG.
ISPConfig is not fully open source and free. You need to pay to use a few of its modules, such as the customer billing system, the malware scanner module and the migration toolkit.
The rest of ISPConfig's services can be used without paying anything. With the customer billing system, you can run your own reseller business at little cost compared with paid options like cPanel.
ISPConfig offers plenty of features that you may not find in any other web-based hosting control panel. With ISPConfig you can manage a single server or multiple servers, with three different access levels: administrator, reseller and client.
ISPConfig does not install services such as Apache, Postfix, an IMAP/POP3 server, MySQL or BIND for you. It is designed to manage these services easily through its web interface.
Therefore, you need to install these services before installing ISPConfig on your server.
Let's get started by installing all the services and prerequisites before installing ISPConfig 3 on Ubuntu 18.04 and CentOS 7.
- You have a freshly installed Ubuntu 18.04 (or CentOS 7) system that you can connect to through SSH as root or as a sudo-enabled user. If you haven't installed SSH, follow these steps to install SSH in Ubuntu.
The process of configuring the FQDN is the same on CentOS 7 and Ubuntu 18.04. To configure it on either system, first set the hostname using hostnamectl.
# hostnamectl set-hostname panel
Next, edit /etc/hosts and add a line in the following format towards the end of the file.
Format: IP_ADDRESS hostname.yourdomain.com HOSTNAME
# vi /etc/hosts
...
...
123.456.78.9 panel.yourdomain.com panel
...
...
Save and close the file. To verify the FQDN of your system, type the following command in the terminal:
# hostname -f
panel.yourdomain.com
Note: If you host your server with a cloud service provider such as AWS or Linode, you may also need to edit /etc/cloud/cloud.cfg and change the value of the parameter preserve_hostname to true so that the hostname persists after your server reboots.
Edit source list and update package list
Edit the main sources list on your Ubuntu 18.04 (or CentOS 7) system. First comment out the installation CD entry in the file, then make sure the universe and multiverse repositories are enabled. All the packages needed by ISPConfig are found in the default repositories, so there is no need to add any third-party repositories.
Once updated, the sources list should contain only the following lines.
# vi /etc/apt/sources.list
deb http://mirrors.linode.com/ubuntu/ bionic main restricted
deb http://mirrors.linode.com/ubuntu/ bionic-updates main restricted
deb http://mirrors.linode.com/ubuntu/ bionic universe
deb http://mirrors.linode.com/ubuntu/ bionic-updates universe
deb http://mirrors.linode.com/ubuntu/ bionic multiverse
deb http://mirrors.linode.com/ubuntu/ bionic-updates multiverse
deb http://mirrors.linode.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
Now update and upgrade the system, then reboot it. A reboot is needed in case a new kernel is installed during the update.
# apt update && apt upgrade
# reboot
Edit default shell
ISPConfig needs /bin/bash as the default shell. The default shell may be something other than /bin/bash, such as /bin/dash. To make /bin/bash the default shell on your system, use the following chsh command:
# chsh
Changing the login shell for root
Enter the new value, or press ENTER for the default
Login Shell [/bin/bash]: /bin/bash
ISPConfig can be configured to use either Apache or NGINX. In this tutorial, we will use Apache as the web server for ISPConfig. To install Apache on your server, use the following apt command in the terminal:
# apt install apache2 apache2-utils
Once Apache is installed, make sure the following modules are enabled.
# a2enmod suexec rewrite ssl actions include cgi dav_fs dav auth_digest headers
To protect your server against the HTTPOXY attack, strip the Proxy request header in Apache; CGI applications would otherwise see it as the HTTP_PROXY environment variable.
To do so, create a new Apache configuration file with your favorite text editor and paste the following.
# vi /etc/apache2/conf-available/httpoxy.conf
<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>
Further, if you plan to run Ruby files on the websites that will be created through ISPConfig at a later stage, you must add application/x-ruby rb to the MIME types for Apache:
# vi /etc/mime.types
...
...
application/x-ruby rb
...
...
To apply the new settings for Apache, reload it.
# a2enconf httpoxy
# systemctl reload apache2
To install MariaDB, just use the following command from the terminal:
# apt install mariadb-client mariadb-server
Once the MariaDB server is installed, run the following script to secure MariaDB by providing a strong root password. Further, answer yes to remove anonymous users, disallow remote root login, remove the test database and reload the privilege tables.
# mysql_secure_installation
To manage and administer the MariaDB database from a remote system using a GUI-based tool like phpMyAdmin, set the password authentication method to native. To do that, open the MariaDB root shell by providing the password.
# mysql -u root -p
Enter password:
Now change to the mysql database and run the following SQL query.
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> update mysql.user set plugin = 'mysql_native_password' where user="root";
Query OK, 0 rows affected (0.00 sec)
Rows matched: 1 Changed: 0 Warnings: 0
Next, enable the MariaDB server to listen on all interfaces, not just localhost.
To do that, edit the following MariaDB configuration file and comment out the following line.
# vi /etc/mysql/mariadb.conf.d/50-server.cnf
...
...
# bind-address = 127.0.0.1
...
...
Finally, restart the MariaDB server:
# systemctl restart mariadb
ISPConfig is written in PHP, so to install and use the ISPConfig control panel you need to install PHP and its various modules beforehand. To do that, run the following apt command in the terminal:
# apt install libapache2-mod-php php7.2 php7.2-common php7.2-gd php7.2-mysql php7.2-imap php7.2-cli php7.2-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear mcrypt imagemagick libruby libapache2-mod-python php7.2-curl php7.2-intl php7.2-pspell php7.2-recode php7.2-sqlite3 php7.2-tidy php7.2-xmlrpc php7.2-xsl memcached php-memcache php-imagick php-gettext php7.2-zip php7.2-mbstring php-soap php7.2-soap php7.2-fpm
Make sure to enable the FastCGI modules along with the PHP-FPM configuration file, then restart Apache:
# a2enconf php7.2-fpm
# a2enmod actions proxy_fcgi alias setenvif
# systemctl restart apache2
For easy management and administration of the MariaDB database, install phpMyAdmin with the following apt command:
# apt install phpmyadmin
Select Apache as the web server when the installer prompts you to choose a web server. Also choose ‘No’ when asked to configure the database for phpMyAdmin with dbconfig-common. Access the phpMyAdmin page through http://server_ip_address/phpmyadmin
We are using Postfix, as it is a free and open source mail transfer agent (MTA) responsible for delivering and receiving emails on a mail server. To install it, run the following command in the terminal:
# apt install postfix postfix-mysql
The installer will prompt you to choose the configuration for Postfix.
- Choose ‘Internet site’ for mail configuration type.
- For System Mail Name, choose the FQDN of the server that you want to use to send and receive mail.
- Provide an email address to which mail sent to root@ and postmaster@ will be forwarded.
Postfix needs a few configuration tweaks in order to work with Dovecot. To start, take a backup of the Postfix main configuration file.
# mv /etc/postfix/main.cf /etc/postfix/main.cf.bk
Then create a new configuration file and paste the following contents into it. Make sure to adjust the domain name to your own.
# vi /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
smtp_use_tls=yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file=/etc/letsencrypt/live/website.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/website.com/privkey.pem
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains
myhostname = website.com
myorigin = /etc/mailname
mydestination = localhost.$mydomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
Create a virtual mailbox domain, since Postfix was configured above to use one. Edit the virtual mailbox domains file and add the following entry to it.
# vi /etc/postfix/virtual_mailbox_domains
website.com #domain
You need to run the following command whenever you edit the virtual mailbox domains file.
# postmap /etc/postfix/virtual_mailbox_domains
Finally, edit Postfix's master configuration file and uncomment the following line:
# vi /etc/postfix/master.cf
...
...
submission inet n - y - - smtpd
...
...
Restart Postfix and test it with the telnet command:
# systemctl restart postfix
# telnet website.com 25
Trying 127.0.0.1...
Connected to website.com
Escape character is '^]'.
Connection closed by foreign host.
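As an added example (not part of the original tutorial or of Postfix), the following POSIX shell script parses a main.cf like the one above and reports three conditions worth reviewing: an explicit relay policy without reject_unauth_destination, SASL AUTH offered without requiring TLS (smtpd_tls_auth_only is a real Postfix parameter that the configuration above leaves at its default of no), and trusted networks beyond loopback. The function names, finding labels and embedded excerpt are constructed for illustration.

```shell
# Constructed excerpt of the main.cf above (only the keys examined here).
sample_main_cf() {
cat <<'EOF'
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
EOF
}

# cf_get KEY: print the value of KEY from a main.cf read on stdin. Accepts
# "key=value" and "key = value", skips comments and joins continuation
# lines (lines that start with whitespace); the last assignment wins.
cf_get() {
  awk -v key="$1" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]/ { if (cur == key) val = val " " $0; next }
    {
      eq = index($0, "=")
      if (eq == 0) { cur = ""; next }
      cur = substr($0, 1, eq - 1)
      gsub(/[ \t]/, "", cur)
      if (cur == key) val = substr($0, eq + 1)
    }
    END {
      gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
      print val
    }'
}

# audit_main_cf: read a main.cf on stdin, print space-separated findings.
audit_main_cf() {
  cfg=$(cat)
  get() { printf '%s\n' "$cfg" | cf_get "$1"; }
  findings=""
  # An explicit relay policy needs reject/defer_unauth_destination, either
  # here or in smtpd_recipient_restrictions.
  relay=$(get smtpd_relay_restrictions)
  rules=" $(printf '%s %s' "$relay" "$(get smtpd_recipient_restrictions)" | tr ',' ' ') "
  case "$rules" in
    *" reject_unauth_destination "*|*" defer_unauth_destination "*) ;;
    *) if [ -n "$relay" ]; then findings="$findings relay-rule-missing"; fi ;;
  esac
  # SASL is on, STARTTLS is optional and AUTH is not limited to TLS
  # sessions: clients may send credentials in cleartext.
  if [ "$(get smtpd_sasl_auth_enable)" = "yes" ] &&
     [ "$(get smtpd_tls_security_level)" != "encrypt" ] &&
     [ "$(get smtpd_tls_auth_only)" != "yes" ]; then
    findings="$findings auth-without-tls"
  fi
  # Anything in mynetworks beyond loopback may relay without authenticating.
  set -f   # keep "[::1]/128" from being treated as a glob pattern
  for net in $(get mynetworks | tr ',' ' '); do
    case "$net" in
      127.*|"[::1]"*|"[::ffff:127."*) ;;
      *) findings="$findings trusted-network:$net" ;;
    esac
  done
  set +f
  printf '%s\n' "${findings# }"
}

sample_main_cf | audit_main_cf
```

On a live server, `postconf -n | audit_main_cf` feeds the same checks with the settings Postfix actually loaded.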
Install Dovecot
Dovecot is a mail delivery agent that delivers emails from/to the mail server using the IMAP, POP and LMTP protocols.
Run the following command to install Dovecot along with all its dependencies.
# apt install dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql
Test the Dovecot service with the following commands:
# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready.
# doveconf protocols listen
protocols = imap lmtp pop3
listen = *, ::
You may need to configure a few other settings, such as the user authentication mechanism and SSL for Dovecot, as per your requirements. But the default Dovecot settings are enough to run ISPConfig on your server.
Install Roundcube
Download the latest Roundcube and extract it to a suitable location. Also change the ownership of the Roundcube folder to the www-data user.
# mkdir -p /var/www/webmail
# cd /var/www/webmail
# wget https://github.com/roundcube/roundcubemail/releases/download/1.3.9/roundcubemail-1.3.9-complete.tar.gz
# tar xf roundcubemail-1.3.9-complete.tar.gz
# mv roundcubemail-1.3.9/* .
# rm -rf roundcubemail-1.3.9
# chown -R www-data:www-data /var/www/webmail/
Create a database and a user for Roundcube:
MariaDB [(none)]> create database roundcubedb;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON roundcubedb.* TO roundcube@localhost IDENTIFIED BY 'Passw0rd!';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> exit;
Next, import the Roundcube table layout into the empty database:
# mysql -u roundcube -p roundcubedb < /var/www/webmail/SQL/mysql.initial.sql
To configure Apache for Roundcube, create a configuration file for it, enable it and then reload Apache:
# vi /etc/apache2/sites-available/roundcube.conf
Alias /roundcube /var/www/webmail
<Directory /var/www/webmail>
    Options -Indexes
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>
# a2ensite roundcube
# systemctl reload apache2
Copy the sample Roundcube configuration file to a new file named config.inc.php:
# cd /var/www/webmail/config
# cp config.inc.php.sample config.inc.php
Edit the database information in the file by providing the database name, username and password.
# vi /var/www/webmail/config/config.inc.php
...
...
$config['db_dsnw'] = 'mysql://roundcube:Passw0rd!@localhost/roundcubedb';
$config['mail_domain'] = '%n';
...
...
Finally, remove the sample configuration file:
# rm config.inc.php.sample
Access Roundcube by pointing your browser to http://server_ip/roundcube
Install Rootkit Hunter
RootKit Hunter is a shell script that scans the file system for rootkits, backdoors and other local exploits, and also monitors executed commands, startup files and network interfaces on your server.
Install it by using the following command in the terminal:
# apt install rkhunter
Install Amavisd-new, SpamAssassin and Clamav
Amavisd-new is an interface between MTAs such as Postfix and content checkers such as virus scanners, whereas SpamAssassin is a tool for filtering unsolicited emails from telemarketers and hackers.
To install these packages, run the following apt command in the terminal:
# apt install amavisd-new spamassassin
# systemctl restart spamassassin
The above apt command also installs ClamAV, which is built to detect viruses, Trojans, malware and other threats on your server. Stop the freshclam service, update the virus database with the following set of commands, and then restart the ClamAV daemon:
# systemctl stop clamav-freshclam.service
# freshclam
# systemctl restart clamav-daemon
The amavisd-new package in Ubuntu 18.04 has a bug where emails get signed with DKIM incorrectly. To correct this, patch the amavisd-new package using the following procedure in the terminal:
# cd /tmp
# wget https://git.ispconfig.org/ispconfig/ispconfig3/raw/stable-3.1/helper_scripts/ubuntu-amavisd-new-2.11.patch
# cd /usr/sbin
# cp -pf amavisd-new amavisd-new_bak
# patch < /tmp/ubuntu-amavisd-new-2.11.patch
Hunk #2 succeeded at 34363 (offset 1 line)
ISPConfig supports the free SSL certificate authority Let's Encrypt, and with it you can fetch SSL certificates for the domains hosted in ISPConfig. Install certbot, a free, open source tool that automatically uses Let's Encrypt certificates on websites to enable HTTPS.
Install it with the following command:
# apt install certbot
To enable users to upload and download files using FTP, install an FTP server such as PureFTPd with TLS encryption, and also install quota to manage the disk space assigned to users. To do that, run the following command in the terminal.
# apt install pure-ftpd-common pure-ftpd-mysql quota quotatool
Configure the PureFTPd server to run standalone and restrict users to their home directories by setting the virtual chroot option to true.
# vi /etc/default/pure-ftpd-common
...
...
STANDALONE_OR_INETD=standalone
VIRTUALCHROOT=true
...
...
Allow FTP sessions over TLS only. PureFTPd's TLS setting accepts both plaintext and TLS sessions at 1 and refuses sessions that do not use TLS at 2.
# echo 2 > /etc/pure-ftpd/conf/TLS
Generate an SSL certificate so that the PureFTPd server can use TLS.
# mkdir -p /etc/ssl/private/
# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Assign the correct permissions to the TLS certificate and restart PureFTPd:
# chmod 600 /etc/ssl/private/pure-ftpd.pem
# systemctl restart pure-ftpd-mysql
To enable quota limits, mount the root partition with the quota options through /etc/fstab. This makes sure that the file system knows it needs to check quotas while allocating disk space to each user:
# vi /etc/fstab
...
...
/dev/sda1 / ext4 usrquota,grpquota,errors=remount-ro 0 1
...
...
Make sure to replace the file system, /dev/sda1 in the above /etc/fstab entry, with your own. Save the file and run the following set of commands to enable quota for each user:
# apt install quota
# touch /quota.user /quota.group
# chmod 600 /quota.user /quota.group
# mount -o remount /
# quotacheck -avugm
quotacheck: Scanning /dev/sda [/] done
quotacheck: Checked 28152 directories and 142292 files
# quotaon -avug
/dev/sda [/]: group quotas turned on
/dev/sda [/]: user quotas turned on
Install the BIND DNS server to run your own nameserver. Using ISPConfig you can interact with the nameserver to create, update and delete DNS entries very easily.
# apt install bind9 dnsutils
Restart the BIND service:
# systemctl restart bind9.service
# systemctl status bind9.service
Install AWStats
AWStats, the Apache log analyzer, is a handy tool that can generate advanced graphs and statistics by analyzing log files from Apache, FTP or mail servers.
# apt install awstats
Next, create an Apache configuration for AWStats. To do that, edit the following file using any text editor:
# vi /etc/apache2/conf-available/awstats.conf
ScriptAlias /awstats/ /usr/lib/cgi-bin/
Alias /awstats-icon/ /usr/share/awstats/icon/
Alias /awstatsclasses/ /usr/share/java/awstats/
<Directory "/usr/lib/cgi-bin/">
    Options None
    AllowOverride None
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require ip 192.168.0.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Allow from 192.168.0.0/24
        Allow from ::1
    </IfModule>
</Directory>
Enable the CGI module and the AWStats Apache configuration:
# a2enmod cgi
# a2enconf awstats
# systemctl restart apache2
Next, create a configuration file for your chosen domain by copying the default configuration file to a separate file.
# cp /etc/awstats/awstats.conf /etc/awstats/awstats.website.com.conf
Edit the following parameters in the configuration file:
# vi /etc/awstats/awstats.website.com.conf
...
...
LogFile="/var/log/apache2/website.com-access_log"
SiteDomain="website.com"
...
...
Run the following command to update records from the Apache log file:
# /usr/lib/cgi-bin/awstats.pl -config=website.com -update
To access AWStats, point your browser to the URL http://server_ip/awstats/awstats.pl?config=website.com. Make sure you have appended your domain name at the end of the URL.
Install fail2ban
Fail2ban is an application that monitors system logs (/var/log) for failed login attempts or automated attacks on your server. When a compromise is found after analyzing the log files, fail2ban blocks the IP address, temporarily or permanently, from gaining access to the server.
Install fail2ban by using the following apt command in the terminal:
# apt install fail2ban
Fail2ban reads the .conf file first, followed by the .local file. Therefore it is recommended to save custom configuration in the .local file and leave the .conf file unchanged.
Copy the default .conf file to a .local file:
# cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
You can now edit the local configuration to monitor the specific services you need. To start with, add the FTP, Dovecot and Postfix blocks to the jail.local configuration file.
# vi /etc/fail2ban/jail.local
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
Finally, restart fail2ban:
# systemctl restart fail2ban
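To show what the maxretry values in these jails mean in practice, here is an added example (not part of the original tutorial and not fail2ban's own code) that counts authentication failures per source address in mail.log and lists the addresses that reach a jail's threshold. The log lines are constructed, the patterns are a simplified approximation of fail2ban's filters, and fail2ban's time window (findtime) is not modelled.

```shell
# Constructed /var/log/mail.log lines (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@website.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jan 10 10:00:04 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@website.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jan 10 10:00:07 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@website.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jan 10 10:00:10 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@website.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jan 10 10:00:13 panel dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales@website.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jan 10 10:01:00 panel dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<info@website.com>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Jan 10 10:01:30 panel dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<info@website.com>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Jan 10 10:02:00 panel dovecot: imap-login: Login: user=<info@website.com>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, mpid=4242, TLS
Jan 10 10:03:01 panel postfix/smtpd[2211]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan 10 10:03:05 panel postfix/smtpd[2211]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan 10 10:03:09 panel postfix/smtpd[2214]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan 10 10:04:00 panel postfix/smtpd[2230]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
EOF
}

# would_ban SERVICE MAXRETRY: read mail.log lines on stdin and print, sorted,
# every source address with at least MAXRETRY failed logins for SERVICE
# ("dovecot" or "postfix").
would_ban() {
  awk -v svc="$1" -v max="$2" '
    # Dovecot reports the client address as rip=<address>.
    svc == "dovecot" && /dovecot: .*auth failed/ && match($0, /rip=[0-9a-fA-F.:]+/) {
      fails[substr($0, RSTART + 4, RLENGTH - 4)]++
    }
    # Postfix reports it as host[address]; anchoring on "]: SASL" keeps the
    # smtpd[PID] field earlier in the line from being mistaken for it.
    svc == "postfix" && /postfix\/smtpd.*SASL [A-Z0-9-]+ authentication failed/ &&
        match($0, /\[[0-9a-fA-F.:]+\]: SASL/) {
      fails[substr($0, RSTART + 1, RLENGTH - 8)]++
    }
    END { for (ip in fails) if (fails[ip] >= max) print ip }
  ' | sort
}

# Thresholds taken from the [dovecot] and [postfix] jails above.
echo "dovecot: $(sample_log | would_ban dovecot 5)"
echo "postfix: $(sample_log | would_ban postfix 3)"
```

Running it against the real /var/log/mail.log before enabling the jails gives a quick view of which addresses the chosen thresholds would block.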
Configure UFW
UFW is installed and enabled by default in Ubuntu 18.04. If that is not the case, you can install and enable UFW with the following commands:
# apt install ufw
# ufw enable
In general, the following TCP/UDP ports are used by ISPConfig. Among these services, a few, such as the web interface (8080), SSH (22) and HTTP (80), need to be opened in UFW for outside access.
TCP ports
20 - FTP Data
21 - FTP Command
22 - SSH
25 - Email
53 - DNS
80 - HTTP (Webserver)
110 - POP3 (Email)
143 - IMAP (Email)
443 - HTTPS (Secure web server)
993 - IMAPS (Secure IMAP)
995 - POP3S (Secure POP3)
3306 - MySQL Database server
8080 - ISPConfig web interface
8081 - ISPConfig apps vhost
UDP ports
53 - DNS
3306 - MySQL
Use the following ufw commands to open the ports used by ISPConfig:
# ufw allow 22/tcp
# ufw allow 80/tcp
# ufw allow 8080/tcp
# ufw reload
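Several services configured earlier (MariaDB with bind-address commented out, Postfix with inet_interfaces = all, Dovecot listening on *, ::) now accept connections on every interface, so the firewall is the only thing limiting access to them. The following added example (not part of the original tutorial) compares the TCP sockets listening on non-loopback addresses with the ports this section says should be reachable (22, 80, 8080); the `ss -H -tln` sample and the function names are constructed for illustration.

```shell
# Constructed sample of `ss -H -tln` output on a server set up as in this
# tutorial (not captured from a real host).
sample_ss() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:953 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:8080 *:*
LISTEN 0 100 [::]:143 [::]:*
LISTEN 0 128 [::1]:953 [::]:*
EOF
}

# exposed_ports: read `ss -H -tln` lines on stdin and print the sorted,
# unique ports bound to anything other than a loopback address.
exposed_ports() {
  awk '{
    addr = $4                          # local address:port column
    n = split(addr, parts, ":")
    port = parts[n]                    # port follows the last colon
    host = substr(addr, 1, length(addr) - length(port) - 1)
    if (host ~ /^127\./ || host == "[::1]") next
    print port
  }' | sort -n -u
}

# unexpected_ports ALLOWED: filter ports on stdin (one per line), keeping
# those missing from the space-separated ALLOWED list.
unexpected_ports() {
  allowed=" $1 "
  while read -r port; do
    case "$allowed" in
      *" $port "*) ;;
      *) printf '%s\n' "$port" ;;
    esac
  done
}

# audit_exposure ALLOWED: one line listing the ports that listen on all
# interfaces but are not meant to be reachable from outside.
audit_exposure() {
  exposed_ports | unexpected_ports "$1" | paste -s -d ' ' -
}

# Allow-list from this section: SSH, HTTP and the ISPConfig web interface.
echo "listening beyond the allow-list: $(sample_ss | audit_exposure "22 80 8080")"
```

On a live server, run `ss -H -tln | audit_exposure "22 80 8080"` and confirm with `ufw status` that each reported port is either blocked or intentionally opened.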
Install ISPConfig 3.1
Download the latest ISPConfig and extract it to a suitable location. Navigate to the folder containing the install script and run it with the php command. The installer will prompt for several parameters, such as the installation language, FQDN, MySQL password and a few others. Answer them according to your settings.
# wget https://ispconfig.org/downloads/ISPConfig-3.1.14p1.tar.gz
# tar xfz ISPConfig-3.1.14p1.tar.gz
# cd ispconfig3*/install/
# php -q install.php
Once the installation is complete, point your browser to http://SERVER_IP:8080 and log in with the username ‘admin’ and the configured password.
To fetch a Let's Encrypt certificate for your domain, use the following certbot command, specifying a few other parameters.
# certbot certonly --agree-tos --email @email --webroot --webroot-path /usr/local/ispconfig/interface/acme -d domain.tld
Conclusion
That’s it! You now have an ISPConfig control panel installed and running in your environment.
Using ISPConfig you can now manage domains, DNS, email and more with ease through its web interface. For more about using ISPConfig, consider buying the user manual from here.