马哥Linux第十八周

Q1、实现基于MySQL验证的vsftpd虚拟用户访问

1、安装ftp、mysql
[root@centos7 ~]# yum install vsftpd mariadb-server gcc gcc-c++ pam-devel mariadb-devel -y

2、mysql创建数据库,表及授权用户
[root@centos7 ~]# systemctl start mariadb
[root@centos7 ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.65-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> use vsftpd
Database changed
MariaDB [vsftpd]> CREATE TABLE users (
    -> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
    -> name CHAR(50) BINARY NOT NULL,
    -> password CHAR(48) BINARY NOT NULL
    -> );
Query OK, 0 rows affected (0.00 sec)

MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftpuser1',password('centos'));
Query OK, 1 row affected (0.00 sec)

MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftpuser2',password('magedu'));
Query OK, 1 row affected (0.00 sec)

MariaDB [vsftpd]> grant select on vsftpd.users to vsftpd@'192.168.37.%' identified by 'centos';
Query OK, 0 rows affected (0.00 sec)

MariaDB [vsftpd]> flush privileges;
Query OK, 0 rows affected (0.01 sec)

3、编译pam_mysql模块,Centos7没有对应的pam_mysql模块,需要编译
[root@centos7 ~]# cd /usr/local/src/
[root@centos7 src]# tar -xf pam_mysql-0.7RC1.tar.gz 
[root@centos7 src]# cd pam_mysql-0.7RC1/
[root@Centos7 pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security
[root@Centos7 pam_mysql-0.7RC1]# make && make install

4、vsftpd添加pam配置文件
[root@centos7 ~]# vim /etc/pam.d/vsftpd.mysql
# pam_mysql checks FTP virtual users against vsftpd.users; crypt=2 means the stored
# value was produced by MySQL PASSWORD(), matching the INSERT statements in step 2.
# This file carries the database password in cleartext (passwd=...): keep it readable
# by root only (mode 600) and leave the DB account with SELECT only, as the GRANT does.
auth required pam_mysql.so user=vsftpd passwd=centos host=192.168.37.37 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=192.168.37.37 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2 

5、创建用户与目录
[root@centos7 ~]# useradd -d /data/ftproot -s /sbin/nologin vuser
[root@centos7 ~]# chmod 555 /data/ftproot
[root@centos7 ~]# mkdir -p /data/ftproot/upload
[root@centos7 ~]# setfacl -Rm u:vuser:rwx /data/ftproot/
[root@centos7 ~]# mkdir -p /data/ftproot2/upload
[root@centos7 ~]# chmod 555 /data/ftproot2
[root@centos7 ~]# setfacl -Rm u:vuser:rwx /data/ftproot2/

6、配置vsftpd文件
[root@centos7 ~]# vim /etc/vsftpd/vsftpd.conf
# Anonymous logins stay enabled although this setup only needs the MySQL-backed
# virtual users; if anonymous access is not a requirement, NO is the safer value.
anonymous_enable=YES
# Required for guest (virtual user) sessions even though no real local account logs in.
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES

userlist_enable=YES
tcp_wrappers=YES

# Per-user overrides live in /etc/vsftpd/vusers.d/<login name> (ftpuser1/ftpuser2 below).
user_config_dir=/etc/vsftpd/vusers.d/
# Every PAM-authenticated virtual user is mapped onto the single system account vuser.
guest_enable=yes
guest_username=vuser
# PAM stack used for authentication: /etc/pam.d/vsftpd.mysql from step 4.
pam_service_name=vsftpd.mysql
# Confine each session to its local_root. The roots are mode 555 in step 5 so vsftpd
# does not refuse a writable chroot root; uploads go to the upload/ subdirectory via ACL.
chroot_local_user=YES

[root@centos7 ~]# mkdir /etc/vsftpd/vusers.d
[root@centos7 ~]# vim /etc/vsftpd/vusers.d/ftpuser1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/data/ftproot

[root@centos7 ~]# vim /etc/vsftpd/vusers.d/ftpuser2
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/data/ftproot2

7、启动服务
[root@centos7 ~]# systemctl restart vsftpd

#测试
[root@centos6 ~]$ ftp 192.168.37.37
Connected to 192.168.37.37 (192.168.37.37).
220 (vsFTPd 3.0.2)
Name (192.168.37.37:root): ftpuser1             #ftpuser1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,37,37,190,215).
150 Here comes the directory listing.
drwxrwxr-x    2 0        0               6 Jun 20 16:26 upload
226 Directory send OK.
ftp> exit
221 Goodbye.

[root@centos6 ~]$ ftp 192.168.37.37
Connected to 192.168.37.37 (192.168.37.37).
220 (vsFTPd 3.0.2)
Name (192.168.37.37:root): ftpuser2             #ftpuser2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,37,37,149,241).
150 Here comes the directory listing.
drwxrwxr-x    2 1001     1001           29 Jun 20 17:35 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> put anaconda-ks.cfg                        #上传测试
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (192,168,37,37,190,213).
150 Ok to send data.
226 Transfer complete.
1536 bytes sent in 0.000178 secs (8629.21 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,37,37,204,220).
150 Here comes the directory listing.
-rw-------    1 1001     1001         1536 Jun 20 17:36 anaconda-ks.cfg
226 Directory send OK.
ftp> rm anaconda-ks.cfg                         #删除测试
550 Remove directory operation failed.          #删除失败(服务端回复的是 RMD 删目录失败,说明此 ftp 客户端的 rm 发送的是 RMD;删除文件应使用 delete)
ftp> ls
227 Entering Passive Mode (192,168,37,37,222,109).
150 Here comes the directory listing.
-rw-------    1 1001     1001         1536 Jun 20 17:36 anaconda-ks.cfg
226 Directory send OK.
ftp> exit
221 Goodbye.

Q2、通过NFS实现服务器/www共享访问

#server端
[root@centos7 ~]# mkdir /www
[root@centos7 ~]# vim /etc/exports.d/www.exports
/www 192.168.37.0/24(rw,all_squash)
[root@centos7 ~]# systemctl start nfs-server
[root@centos7 ~]# exportfs -v
/www            192.168.37.0/24(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,all_squash)
[root@centos7 ~]# echo welcome > /www/test.txt


#client端
[root@centos6 ~]$ showmount -e 192.168.37.37
Export list for 192.168.37.37:
/www 192.168.37.0/24
[root@centos6 ~]$ mount 192.168.37.37:/www /mnt
[root@centos6 ~]$ ls /mnt
test.txt

#autofs挂载
[root@centos6 ~]$ umount /mnt
[root@centos6 ~]$ ls /net/192.168.37.37/www/
test.txt
#绝对路径挂载
[root@centos6 ~]$ vim /etc/auto.master
/- /etc/auto.nfs
[root@centos6 ~]$ vim /etc/auto.nfs
/misc/www -fstype=nfs,rw 192.168.37.37:/www
[root@centos6 ~]$ service autofs restart
Stopping automount:                                        [  OK  ]
Starting automount:                                        [  OK  ]
[root@centos6 ~]$ ls /misc/www/
test.txt

Q3、配置samba共享,实现/www目录共享

#服务端
[root@centos7 ~]# yum install samba -y
[root@centos7 ~]# useradd -s /sbin/nologin smbuser1
[root@centos7 ~]# smbpasswd -a smbuser1
New SMB password:
Retype new SMB password:
Added user smbuser1.

vim /etc/samba/smb.conf
[global]
        workgroup = WORKGROUP
        security = user
        netbios_name = centos7

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

        log file = /var/log/samba/log.%m                
        log level = 2

[www]
path=/www
valid users=smbuser1
write list=smbuser1
browseable=yes

[root@centos7 ~]# setfacl -Rm u:smbuser1:rwx /www
[root@centos7 ~]# systemctl start smb nmb

#客户端
[root@centos6 ~]$ smbclient -L 192.168.37.37 -U smbuser1%centos
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.10.4]

    Sharename       Type      Comment
    ---------       ----      -------
    www             Disk      
    IPC$            IPC       IPC Service (Samba 4.10.4)
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.10.4]

    Server               Comment
    ---------            -------
    CENTOS7              Samba 4.10.4

    Workgroup            Master
    ---------            -------
    WORKGROUP
    
[root@centos6 ~]$ smbclient  //192.168.37.37/www -U smbuser1%centos
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.10.4]
smb: \> ls
  .                                   D        0  Sun Jun 21 16:54:12 2020
  ..                                  D        0  Sun Jun 21 15:58:15 2020
  test.txt                                     8  Sun Jun 21 16:08:19 2020
  win                                 D        0  Sun Jun 21 16:54:03 2020

        51175 blocks of size 2097152. 48677 blocks available
smb: \> mkdir linux
smb: \> ls
  .                                   D        0  Sun Jun 21 16:59:01 2020
  ..                                  D        0  Sun Jun 21 15:58:15 2020
  test.txt                                     8  Sun Jun 21 16:08:19 2020
  win                                 D        0  Sun Jun 21 16:54:03 2020
  linux                               D        0  Sun Jun 21 16:59:01 2020

        51175 blocks of size 2097152. 48677 blocks available
smb: \>

Q4、使用rsync+inotify实现/www目录实时同步

1、配置server端
[root@centos7 ~]# vim /etc/rsyncd.conf 
# The daemon runs as root and without chroot: uid = root lets pushed files keep
# arbitrary owners and modes (rsync -a), and use chroot = no drops the filesystem
# confinement a chroot would add. With read only = no below, whoever holds the module
# secret can write into the module, so the secret and hosts allow are the access control.
uid = root
gid = root
use chroot = no
# 0 means no limit on simultaneous client connections.
max connections = 0
ignore errors
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
# Only the lab subnet may connect at all.
hosts allow = 192.168.37.0/24

[backup]
        path = /data/www/
        comment = backup
        read only = no
        # Only this daemon-level user may use the module; the secrets file holds
        # "user:password" lines and must not be group/world readable (chmod 600 below).
        auth users = rsyncuser
        secrets file = /etc/rsync.pass

[root@centos7 ~]# echo "rsyncuser:magedu" > /etc/rsync.pass
[root@centos7 ~]# chmod 600 /etc/rsync.pass
[root@centos7 ~]# mkdir /data/www
[root@centos7 ~]# systemctl start rsyncd

2、配置client
[root@centos6 ~]$ echo "magedu" > /etc/rsync.pass
[root@centos6 ~]$ chmod 600 /etc/rsync.pass
[root@centos6 ~]$ mkdir /www
[root@centos6 ~]$ echo test > /www/index.html
[root@centos6 ~]$ service xinetd start      #centos7:systemctl start rsyncd

#一次性测试(client)
[root@centos6 ~]$ rsync -avz --password-file=/etc/rsync.pass /www/ rsyncuser@192.168.37.37::backup
sending incremental file list
./
index.html

sent 89 bytes  received 30 bytes  238.00 bytes/sec
total size is 5  speedup is 0.04

#server
[root@centos7 ~]# ls /data/www/
index.html

3、利用inotify监控同步到服务端
[root@centos6 ~]$ yum install inotify-tools -y
[root@centos6 ~]$ vim inotify_rsync.sh 
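#!/bin/bash
# Watch SRC with inotify and push every change to the rsync daemon module DEST.
# Runs until killed. Credentials come from PASS_FILE, which rsync requires to be
# unreadable by others (mode 600); each successful sync is appended to LOG_FILE.
set -u

readonly SRC='/www/'
readonly DEST='rsyncuser@192.168.37.37::backup'
readonly PASS_FILE='/etc/rsync.pass'
readonly LOG_FILE='/var/log/changelist.log'

for tool in inotifywait rsync; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf 'inotify_rsync: required tool not found: %s\n' "$tool" >&2
    exit 1
  fi
done

# '%w%f' is emitted as the last field so a filename containing spaces is not split
# across variables; 'read -r' keeps backslashes in names intact.
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w%f' \
    -e create,delete,moved_to,close_write,attrib "$SRC" \
  | while read -r date time path; do
      # --delete mirrors removals too, so DEST is an exact copy of SRC after each run.
      # stdin is redirected from /dev/null so rsync can never consume inotifywait's output.
      if rsync -az --delete --password-file="$PASS_FILE" "$SRC" "$DEST" </dev/null; then
        printf 'At %s on %s, file %s was backuped up via rsync\n' "$time" "$date" "$path" >> "$LOG_FILE"
      else
        rc=$?
        printf 'inotify_rsync: rsync for %s failed (exit %d)\n' "$path" "$rc" >&2
      fi
    done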

4、测试脚本
#client端
[root@centos6 ~]$ bash inotify_rsync.sh
[root@centos6 ~]$ dd if=/dev/zero of=/www/block bs=1 count=2
2+0 records in
2+0 records out
2 bytes (2 B) copied, 0.000360658 s, 5.5 kB/s

[root@centos6 ~]$ dd if=/dev/zero of=/www/test bs=1 count=20
20+0 records in
20+0 records out
20 bytes (20 B) copied, 0.0004456 s, 44.9 kB/s

#server端
[root@centos7 ~]# ls /data/www/         #打开脚本前
index.html
[root@centos7 ~]# ls /data/www/
block  index.html
[root@centos7 ~]# ls /data/www/
block  index.html  test

Q5、使用iptables实现: 放行telnet, ftp, web服务,放行samba服务,其他端口服务全部拒绝

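# telnet: TCP/23 only (telnet has no UDP transport, so the former udp/23 rule was dead).
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 23 -j ACCEPT
# web: HTTP and HTTPS
[root@centos7 ~]# iptables -A INPUT -m multiport -p tcp --dport 80,443 -j ACCEPT
# samba: SMB over TCP 139/445, NetBIOS name and datagram services over UDP 137-138
[root@centos7 ~]# iptables -A INPUT -m multiport -p tcp --dport 139,445 -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
# ftp: the control channel is TCP/21 (the previous rule matched udp/21, which FTP
# never uses, so new control connections fell through to the final REJECT).
# Data connections are tracked by nf_conntrack_ftp and admitted by the RELATED match.
[root@centos7 ~]# modprobe nf_conntrack_ftp
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# reject everything else. Nothing above admits loopback (-i lo) or SSH (TCP/22), so
# new SSH sessions and local services that talk over 127.0.0.1 are rejected as well;
# apply this from the console unless that is the intended policy.
[root@centos7 ~]# iptables -A INPUT -j REJECT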