一贵扰、實(shí)現(xiàn)基于MYSQL驗(yàn)證的vsftpd虛擬用戶訪問
主機(jī):兩臺(tái)仇穗,一臺(tái)為FTP服務(wù)器,一臺(tái)為MySQL服務(wù)器
1戚绕、配置MySQL服務(wù)纹坐,并創(chuàng)建相應(yīng)庫與表,并創(chuàng)建授權(quán)用戶
[root@mysql ~]# yum install -y mariadb-server #安裝數(shù)據(jù)庫服務(wù)
[root@mysql ~]# systemctl start mariadb
[root@mysql ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database vsftpd; #創(chuàng)建庫
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> use vsftpd;
MariaDB [vsftpd]> CREATE TABLE users ( #創(chuàng)建用戶表舞丛,用于保存用戶信息
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL);
Query OK, 0 rows affected (0.02 sec)
MariaDB [vsftpd]> insert into users (name,password) value('ftpuser1',password('centos')); #添加FTP用戶
Query OK, 1 row affected (0.00 sec)
MariaDB [vsftpd]> insert into users (name,password) value('ftpuser2',password('linux')); #添加FTP用戶
Query OK, 1 row affected (0.01 sec)
MariaDB [vsftpd]> grant select on vsftpd.* to vsftpd@'192.168.27.%' identified by 'centos'; #創(chuàng)建授權(quán)用戶
Query OK, 0 rows affected (0.00 sec)
2恰画、在FTP服務(wù)器上安裝FTP服務(wù),并編譯安裝pam_mysql模塊
[root@ftpserver ~]# yum install -y vsftpd #安裝FTP服務(wù)
[root@ftpserver ~]# ll pam_mysql-0.7RC1.tar.gz #準(zhǔn)備pam_mysql安裝包
-rw-r--r-- 1 root root 335240 Jan 9 2006 pam_mysql-0.7RC1.tar.gz
[root@ftpserver ~]# tar -xf pam_mysql-0.7RC1.tar.gz
[root@ftpserver ~]# cd pam_mysql-0.7RC1/
[root@ftpserver ~]# yum install -y gcc gcc-c++ pam-devel mariadb-devel #先安裝相關(guān)依賴包
[root@ftpserver pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security/ #編譯安裝pam_mysql模塊
[root@ftpserver pam_mysql-0.7RC1]# make && make install
3瓷马、創(chuàng)建pam認(rèn)證文件
[root@ftpserver ~]# vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=centos host=192.168.27.37 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=192.168.27.37 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
4拴还、創(chuàng)建FTP虛擬用戶與共享目錄,并修改 /etc/vsftpd/vsftpd.conf
[root@ftpserver ~]# useradd -d /data/ftproot -s /sbin/nologin vuser #創(chuàng)建虛擬用戶
[root@ftpserver ~]# chmod 555 /data/ftproot #設(shè)置FTP目錄權(quán)限
[root@ftpserver ~]# mkdir /data/ftproot/upload #創(chuàng)建FTP上傳目錄
[root@ftpserver ~]# setfacl -m u:vuser:rwx /data/ftproot/upload #設(shè)置上傳目錄權(quán)限
[root@ftpserver ~]# vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql #修改此項(xiàng)
#添加以下三項(xiàng)
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers.d/ #獨(dú)立用戶配置目錄
5欧聘、啟動(dòng)FTP服務(wù)片林,用數(shù)據(jù)庫中的用戶測(cè)試
[root@ftpserver ftproot]# systemctl start vsftpd
[root@ftpserver ftproot]# ftp 192.168.27.27
Connected to 192.168.27.27 (192.168.27.27).
(vsFTPd 3.0.2)
Name (192.168.27.27:root): ftpuser1
Please specify the password.
Password:
Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
Entering Passive Mode (192,168,27,27,164,138).
Here comes the directory listing.
drwxrwxr-x 2 0 0 6 Mar 09 08:57 upload
Directory send OK
二、通過NFS實(shí)現(xiàn)服務(wù)器/www共享訪問
主機(jī):兩臺(tái)怀骤,一臺(tái)為NFS服務(wù)器费封,一臺(tái)為客戶端
1、配置NFS服務(wù)器
[root@NFSserver ~]# mkdir /www #新建掛載目錄
[root@NFSserver ~]# vim /etc/exports
/www 192.168.27.0/24(rw,root_squash) #配置掛載目錄
[root@NFSserver ~]# systemctl start nfs-server #啟動(dòng)NFS服務(wù)
[root@NFSserver ~]# exportfs -v #查看本機(jī)的NFS共享
/www 192.168.27.0/24(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
[root@NFSserver ~]# touch /www/f1.txt #創(chuàng)建一個(gè)文件
2蒋伦、客戶端掛載NFS目錄
[root@Client ~]# showmount -e 192.168.27.27 #查看主機(jī)的共享信息
Export list for 192.168.27.27:
/www 192.168.27.0/24
#開始手動(dòng)掛載
[root@Client ~]# mount -o rw,nosuid,fg,hard,intr 192.168.27.27:/www /data/
[root@Client ~]# cd /data
[root@Client data]# ls -l #可以掛載中的文件
total 0
-rw-r--r-- 1 root root 0 Mar 9 17:48 f1.txt
#如要實(shí)現(xiàn)開機(jī)掛載弓摘,則在 /etc/fstab 文件中添加一行
192.168.27.27:/www /data nfs defaults 0 0
三、配置samba共享痕届,實(shí)現(xiàn)/www目錄共享
主機(jī):一臺(tái)服務(wù)器端(192.168.27.27)韧献,一臺(tái)客戶端(192.168.27.37);軟件:samba (服務(wù)器端),cifs-utils (客戶端)研叫,光盤yum源
1锤窑、服務(wù)器端安裝安裝samba包
[root@server ~]# yum install -y samba
2、創(chuàng)建samba用戶和組嚷炉,并創(chuàng)建samba共享目錄
[root@server ~]# groupadd -r smbgroup #新建smbgroup組
[root@server ~]# useradd -s /sbin/nologin -G smbgroup smbuser1 #新建smbuser1用戶渊啰,并加入smbgroup組中
[root@server ~]# id smbuser1
uid=1001(smbuser1) gid=1001(smbuser1) groups=1001(smbuser1),981(smbgroup)
[root@server ~]# smbpasswd -a smbuser1 #添加samba用戶
New SMB password: #密碼 centos
Retype new SMB password:
Added user smbuser1.
[root@server ~]# useradd -s /sbin/nologin smbuser2
[root@server ~]# smbpasswd -a smbuser2
New SMB password: #密碼 linux
Retype new SMB password:
Added user smbuser2.
[root@server ~]# mkdir /www #新建共享目錄
[root@server ~]# chgrp smbgroup /www #修改目錄所屬組
[root@server ~]# chmod 2775 /www
[root@server ~]# ls -ld /www
drwxr-xr-x 2 root smbgroup 6 Mar 9 19:05 /www
3、修改samba配置文件 /etc/samba/smb.conf
[root@server ~]# vim /etc/samba/smb.conf
#在結(jié)尾處添加以下自定義設(shè)置
[smbshare]
path = /www
writeable = no
write list = @smbgroup #writeable = no時(shí)只有smbgroup組的用戶才有寫權(quán)限
4、啟動(dòng)samba服務(wù)
[root@server ~]# systemctl start smb nmb
5绘证、 客戶端安裝cifs-utils包隧膏,并掛載
[root@client ~]# yum install -y cifs-utils
[root@client ~]# mkdir /data/smbuser1 #創(chuàng)建掛載目錄
[root@client ~]# mkdir /data/smbuser2 #創(chuàng)建掛載目錄
#手動(dòng)掛載,smbuser1 用戶
[root@client ~]# mount -o username=smbuser1,password=centos //192.168.27.27/smbshare /data/smbuser1
#手動(dòng)掛載嚷那,smbuser2 用戶胞枕,使用隱藏密碼的方式
[root@client ~]# mount -o username=smbuser2 //192.168.27.27/smbshare /data/smbuser2
Password for smbuser2@//192.168.2.27/smbshare: *****
6、在客戶端上測(cè)試车酣,根據(jù)上面配置,smbuser1是有寫權(quán)限的索绪,smbuser2沒有寫權(quán)限
[root@client ~]# cd /data/smbuser1
[root@client smbuser1]# touch f1.txt #smbuser1可以新建文件
[root@client smbuser1]# cd /data/smbuser2
[root@client smbuser2]# touch f2.txt #smbuser2不可以新建文件
touch: cannot touch ‘f2.txt’: Permission denied
四湖员、使用rsync+inotify實(shí)現(xiàn)/www目錄實(shí)時(shí)同步
主機(jī):一臺(tái)服務(wù)器端(192.168.27.27),一臺(tái)客戶端(192.168.27.37)
1瑞驱、服務(wù)器端安裝inotify-tools軟件包(epel源)和 rsync包(光盤yum源)
[root@server ~]# yum install -y inotify-tools rsync
2娘摔、服務(wù)器端生成驗(yàn)證文件
[root@server ~]# echo "rsyncuser:centos" > /etc/rsync.pass
[root@server ~]# chmod 600 /etc/rsync.pass
3.、服務(wù)器端準(zhǔn)備要備份的目錄
[root@server ~]# mkdir /data
4唤反、 服務(wù)器端修改rsync的配置文件
[root@server ~]# vim /etc/rsyncd.conf
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.27.0/24
[backup]
path = /data/
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
5凳寺、服務(wù)器端啟動(dòng)rsync服務(wù)
[root@server ~]# systemctl start rsyncd
6、客戶端配置密碼文件
[root@client ~]# echo "centos" > /etc/rsync.pass
[root@client ~]# chmod 600 /etc/rsync.pass
7彤侍、客戶端測(cè)試同步數(shù)據(jù) rsync -avz --password-file=/etc/rsync.pass /data/ rsyncuser@rsync服務(wù)器IP::/data
[root@client ~]# cd /data
[root@client data]# touch f1.txt #在客戶端目錄新建一個(gè)文件
[root@client data]# ll
total 0
-rw-r--r-- 1 root root 0 Mar 9 20:03 f1.txt
[root@server ~]# ll /data/ #此時(shí)服務(wù)器端備份目錄還沒有文件
total 0
[root@client data]# rsync -avz --password-file=/etc/rsync.pass /data/ rsyncuser@192.168.27.27::backup #使用rsync進(jìn)行同步
sending incremental file list
./
f1.txt
sent 104 bytes received 38 bytes 284.00 bytes/sec
total size is 0 speedup is 0.00
#返回服務(wù)器端查看
[root@server ~]# ll /data/ #文件已同步過來
total 0
-rw-r--r-- 1 root root 0 Mar 9 20:03 f1.txt
8肠缨、上面的同步是一次性的,要實(shí)現(xiàn)實(shí)時(shí)同步盏阶,可用腳本實(shí)現(xiàn)晒奕,后臺(tái)運(yùn)行即可,腳本如下
[root@client ~]# cat inotify_rsync.sh
#!/bin/bash
SRC='/data/' #本地文件夾
DEST='rsyncuser@192.168.27.27::backup' # rsyncuser@rsync服務(wù)器IP::backup'
LOG='/var/log/changelist.log' #日志輸出
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' -e create,delete,moved_to,close_write,attrib ${SRC} | while read DATE TIME DIR FILE;do
FILEPATH=${DIR}${FILE}
rsync -az --delete --password-file=/etc/rsync.pass $SRC $DEST && echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> ${LOG}
done
五名斟、使用iptable實(shí)現(xiàn):放行telnet脑慧,ftp,web服務(wù)砰盐,放行samba服務(wù)闷袒,其他端口服務(wù)全部拒絕
[root@server ~]# iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@server ~]# iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
[root@server ~]# iptables -A INPUT -p tcp -m multiport --dports 20:23,80,139,445 -m state --state NEW -j ACCEPT
[root@server ~]# iptables -A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
[root@server ~]# iptables -A INPUT -j DROP
[root@server ~]# iptables -A OUTPUT -j DROP
[root@server ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
63260 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 20:23,80,139,445 state NEW
702 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,138 state NEW
7085 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
36508 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
