ISPConfig secure Multisite/Cluster

Discussion in 'General' started by jpcyrenne, May 23, 2017.

  1. jpcyrenne

    jpcyrenne Member HowtoForge Supporter

    Good day,

    I'm about to download the latest documentation of ISPConfig and I'd like to know if I'm dreaming or I could set up a small ISP multiserver environment with a cluster for Mail/DNS and Web/DB with a few dedicated servers.

    GOAL : I want it all secure and not spend all my days figuring out email issues from 'shared hosting' point of view (SSL only connections to send - never from local web servers).

    Server 1 and 2 with bigger SATA drives : email, DNS (local MySQL needs).
    Server 3 and 4 with smaller SSD drives : Nginx, MySQL.

    Eventually adding 5 and 6 as other Web/MySQL server pairs and so on. Always using servers 1 and 2 for SSL mail access (and maybe server management).

    - Could I install Policyd on 1 and 2 for rate limiting ?
    - With this setup, can we configure MX 1 and MX 5 for example (I would say yes)?
    - Is replication only 1 way with emails (Dovecot 2) ?
    - Can I install a MySQL DB on the mail servers for ISPConfig/DNS/Dovecot needs and then some stand alone Web/MySQL servers (as pairs) ?

    - Is replication only 1 way with Unison for web (/var/www/) ? (people always write on 3 and replicates to 4 for example)
    - Could I install HAproxy on the web server pairs (I have a failover IP block) ? I'm not sure how ISPConfig deals load balancing ? If it's a nginx config it could also be good (upstream backend).

    - Does ISPConfig check/validate the MySQL, Web and email replications? Alert if issue? (or good old Nagios will be needed?)

    - Is ISPConfig compatible with Linux Malware Detect (LMD)? (i know it is with chkrootkit, Lynis (formerly rkhunter) and ISPProtect $ from a howtoforge post). Would you see an issue using malware signature databases like SaneSecurity, ScamNailer, ExtremeShock on the same server ?

    - Would CSF (ConfigServer Security & Firewall) be overkill with fail2ban? It would add IDS and more? I could use iptables alone to block all non necessary ports (including port 25 since the web servers will only communicate with the Master Mail server through SSL / blocking anything that's not absolutely necessary).

    I the best approach:
    1- To install a multi environment and then add an 'ISPConfig/Mail/DNS/MySQL cluster' and a 'web clusters' ?
    2- Or build a full '2 machine' cluster on SATA and add some 'Web cluster pairs' to it to manage them ?
    (I like #2 for my needs, specially if I can Scale the Web server pairs)

    - check reputation of our IP address
    - setup SPF, DKIM,SPF, DKIM, DMARC, returnDNS/PTR - obviously
    - ALL outgoing mail must be authenticated / No open anonymous senders or open relay

    Any other measures you would consider useful to secure my ISPConfig nodes and avoid blacklisting ?

    Thanks ahead everyone,


Share This Page