实现基于MySQL认证的vsftpd虚拟用户
mariadb-server
#安裝mariadb數(shù)據(jù)庫(kù)
[root@mariadb ~]# yum -y install mariadb-server
#单元名是 mariadb.service（原文的 mariadb.server 不存在）。安装后建议先执行 mysql_secure_installation 为 root 设置口令并删除匿名账户，下面直接 mysql 免密进入只是实验环境的做法
[root@mariadb ~]# systemctl enable --now mariadb.service
#建立存儲(chǔ)虛擬用戶數(shù)據(jù)庫(kù)和表
[root@mariadb ~]# mysql
MariaDB [(none)]> CREATE DATABASE vsftpd;
MariaDB [(none)]> USE vsftpd;
MariaDB [vsftpd]> CREATE TABLE users (
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> );
#添加虚拟用户。PASSWORD() 生成的是无盐的 SHA1(SHA1(pw)) 散列（对应下文 pam_mysql 的 crypt=2），离线爆破成本很低，且该函数已在 MySQL 8 中移除、在 MariaDB 中标记为过时；注意表名是 users 而不是 user
MariaDB [vsftpd]> INSERT INTO users(name,password) VALUES('ftp_ddq',PASSWORD('ddq.com'));
MariaDB [vsftpd]> select * from users;
+----+---------+-------------------------------------------+
| id | name | password |
+----+---------+-------------------------------------------+
| 1 | ftp_ddq | *35BAA7E3B0A28A8A75DAF9E0A8376E20DD18C71E |
+----+---------+-------------------------------------------+
1 row in set (0.00 sec)
#创建并授权供 pam_mysql 连接的数据库用户：只需要 users 表的 SELECT 权限（最小权限），不要授予整个库或任何写权限；来源限定在 FTP 服务器所在网段而不是 '%'
MariaDB [vsftpd]> GRANT SELECT ON vsftpd.users TO vsftpd@'192.168.100.%' IDENTIFIED BY 'ddq.com';
vsftpd-server
1.安裝vsftpd和pam_mysql相關(guān)包
[root@vsftp ~]# yum -y install vsftpd gcc gcc-c++ make mariadb-devel pam-devel
#下载 pam_mysql 源码编译安装。注意：原文通过明文 HTTP 从镜像站下载且没有任何完整性校验，属于软件供应链风险；应使用 HTTPS，并核对项目发布页给出的校验和/签名后再编译。0.7RC1 是多年前的候选版本，已无维护
[root@vsftp ~]# wget https://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
[root@vsftp ~]# tar zxf pam_mysql-0.7RC1.tar.gz
[root@vsftp ~]# cd pam_mysql-0.7RC1/
[root@vsftp pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security
[root@vsftp pam_mysql-0.7RC1]# make install
[root@vsftp pam_mysql-0.7RC1]# ll /lib64/security/pam_mysql*
-rwxr-xr-x 1 root root 882 Aug 21 22:31 /lib64/security/pam_mysql.la
-rwxr-xr-x 1 root root 141712 Aug 21 22:31 /lib64/security/pam_mysql.so
2.在FTP服務(wù)器上建立pam認(rèn)證所需文件
[root@vsftp ~]# vi /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=ddq.com host=mysqlserver db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=ddq.com host=mysqlserver db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
#该文件含数据库口令明文，应只允许 root 读取（PAM 认证由 vsftpd 的特权进程以 root 完成，600 不影响功能）；另外 pam_mysql 到数据库的查询默认未加密，数据库只应在受信网段提供服务
[root@vsftp ~]# chmod 600 /etc/pam.d/vsftpd.mysql
[root@vsftp ~]# echo 192.168.100.17 mysqlserver >> /etc/hosts
3.建立相應(yīng)用戶和修改vsftpd配置文件
#建立虛擬用戶映射的系統(tǒng)用戶及對(duì)應(yīng)的目錄
[root@vsftp ~]# useradd -s /sbin/nologin -d /data/ftproot -r vuser
#CentOS 7 的 vsftpd 拒绝以可写的 chroot 根目录运行（报 "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"），所以 /data/ftproot 本身必须不可被 vuser 写入：由 root 执行 mkdir -p 创建的 755 目录即满足要求，写权限只通过 ACL 授予 upload 子目录
[root@vsftp ~]# mkdir -p /data/ftproot/upload
[root@vsftp ~]# setfacl -m u:vuser:rwx /data/ftproot/upload/
#确保 /etc/vsftpd/vsftpd.conf 中有以下设置。虚拟用户登录由 guest_enable 控制，并不依赖匿名登录；除非确实需要匿名 FTP，否则应关闭，以免在虚拟用户之外再开放一个无需凭据的入口
[root@vsftp ~]# vi /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
#添加下面兩項(xiàng)
guest_enable=YES
guest_username=vuser
#修改下面一项后，原来的系统用户将无法登录（认证改走 vsftpd.mysql 这套 PAM 栈，只认数据库中的虚拟用户）
pam_service_name=vsftpd.mysql
#啟動(dòng)vsftpd服務(wù)
[root@vsftp ~]# systemctl enable --now vsftpd
4.在FTP服務(wù)器上配置虛擬用戶具有不同的訪問(wèn)權(quán)限
vsftpd可以在配置文件目錄中為每個(gè)用戶提供單獨(dú)的配置文件以定義其ftp服務(wù)訪問(wèn)權(quán)限删咱,每個(gè)虛擬用戶
的配置文件名同虛擬用戶的用戶名。配置文件目錄可以是任意未使用目錄,只需要在vsftpd.conf指定其
路徑及名稱即可
#配置vsftpd為虛擬用戶使用配置文件目錄
[root@vsftp ~]# vi /etc/vsftpd/vsftpd.conf
#添加如下選項(xiàng)
user_config_dir=/etc/vsftpd/conf.d/
#創(chuàng)建所需要目錄鸠窗,并為虛擬用戶提供配置文件
[root@vsftp ~]# mkdir /etc/vsftpd/conf.d/
#虚拟用户对 vsftpd 的访问权限通过匿名用户相关指令控制。如要让用户 ftp_ddq 具有上传权限，在 /etc/vsftpd/conf.d/ftp_ddq（目录即上面 user_config_dir 指定的目录，文件名必须与虚拟用户名一致）中添加如下选项并设为 YES，只读则设为 NO。注意 anon_other_write_enable=YES 同时允许删除、改名和覆盖已有文件，只需要上传时不要开启
#注意：需确保对应的映射用户对文件系统有写权限
[root@vsftp ~]# vi /etc/vsftpd/conf.d/ftp_ddq
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/data/ftproot1
#上面把 ftp_ddq 的根目录改成了 /data/ftproot1，ACL 必须授予新目录下的 upload，而不是原文写的 /data/ftproot/upload；/data/ftproot1 本身同样不能对 vuser 可写
[root@vsftp ~]# mkdir -p /data/ftproot1/upload
[root@vsftp ~]# setfacl -m u:vuser:rwx /data/ftproot1/upload/
[root@vsftp ~]# systemctl restart vsftpd
通過(guò)NFS實(shí)現(xiàn)服務(wù)器/www共享訪問(wèn)
軟件包:nfs-utils(包括服務(wù)器和客戶端相關(guān)工具)
server端安裝啟動(dòng)nfs服務(wù)
[root@nfs-server ~]# yum -y install nfs-utils
[root@nfs-server ~]# systemctl enable --now nfs-server
[root@nfs-server ~]# vi /etc/exports
# 注意：'*' 允许任何能到达本机的主机挂载；no_root_squash 使客户端 root 等同于服务器 root（例如可在 /www 中放置 setuid 文件）；async 在服务器掉电时可能丢失已应答的写入。
# 生产环境应限定网段并使用 root_squash 与 sync，例如：/www 192.168.100.0/24(rw,sync)
# （启用 root_squash 后客户端 root 被映射为 nfsnobody，下面以 root 向 /www 写文件的演示需要先给 nfsnobody 写权限）。本例为演示保留原配置：
/www *(rw,no_root_squash,async)
[root@nfs-server ~]# mkdir /www
[root@nfs-server ~]# echo this is nfs-server >> /www/test.txt
[root@nfs-server ~]# exportfs -r
[root@nfs-server ~]# showmount -e
Export list for nfs-server:
/www *
client安裝nfs客戶端
[root@client ~]# yum -y install nfs-utils
[root@client ~]# showmount -e 192.168.100.17
Export list for 192.168.100.17:
/www *
[root@client ~]# mkdir /www
[root@client ~]# ls /www/
[root@client ~]# mount 192.168.100.17:/www /www
[root@client ~]# cat /www/test.txt
this is nfs-server
[root@client ~]# echo this is from client >> /www/client.txt
#在server上查看
[root@nfs-server ~]# cat /www/client.txt
this is from client
配置samba共享,實(shí)現(xiàn)/www目錄共享
在server端安裝配置samba服務(wù)
[root@samba-server ~]# yum -y install samba
[root@samba-server ~]# vi /etc/samba/smb.conf
#添加以下內(nèi)容
[www]
path = /www
write list = root
force group = root
create mask = 0664
directory mask = 0775
#啟動(dòng)samba服務(wù)
[root@samba-server ~]# systemctl enable --now smb.service
[root@samba-server ~]# echo this samba server >> /www/server.txt
#添加 samba 用户。注意：上面的 [www] 把 root 放进 write list/force group，这里又直接给 root 设置 Samba 口令，意味着所有写入都以 root 落盘；并且默认的 [homes] 会把 /root 作为 root 的家目录共享出去（见下文列表中的 "root Disk Home Directories"），Samba 口令泄露即可读写 /root。实际部署应创建专用系统用户，并在 [www] 中用 valid users 限制访问
[root@samba-server ~]# smbpasswd -a root
[root@samba-server ~]# pdbedit -L -v root
Unix username: root
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3772874179-422699461-2662641436-1000
Primary Group SID: S-1-5-21-3772874179-422699461-2662641436-513
Full Name: root
Home Directory: \\samba-server\root
HomeDir Drive:
Logon Script:
Profile Path: \\samba-server\root\profile
Domain: SAMBA-SERVER
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 23:06:39 CST
Kickoff time: Wed, 06 Feb 2036 23:06:39 CST
Password last set: Sun, 22 Aug 2021 22:44:42 CST
Password can change: Sun, 22 Aug 2021 22:44:42 CST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
client端安裝使用samba-client工具
[root@client ~]# yum -y install samba-client
#不要把口令写在命令行上（会进入 shell 历史和 ps 输出）；只给 -U root 会交互式提示输入口令
[root@client ~]# smbclient -L 192.168.100.17 -U root
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
www Disk
IPC$ IPC IPC Service (Samba 4.10.16)
root Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@client ~]# yum -y install cifs-utils
[root@client ~]# ls /www
#同样不要把口令放在 mount 命令行上，改用仅 root 可读的凭据文件；若两端都支持，可再加 vers=3.0 选项避免协商到 SMB1
[root@client ~]# vi /root/.smbcred
username=root
password=ddq.com
[root@client ~]# chmod 600 /root/.smbcred
[root@client ~]# mount -o credentials=/root/.smbcred //192.168.100.17/www /www
[root@client ~]# cat /www/server.txt
this samba server
使用rsync+inotify實(shí)現(xiàn)/www目錄實(shí)時(shí)同步
[root@data-server ~]# ls -l /proc/sys/fs/inotify/
total 0
-rw-r--r-- 1 root root 0 Aug 22 22:59 max_queued_events
-rw-r--r-- 1 root root 0 Aug 22 22:59 max_user_instances
-rw-r--r-- 1 root root 0 Aug 22 22:59 max_user_watches
**源數(shù)據(jù)服務(wù)器端安裝inotify-tools:基于epel源 **
[root@data-server ~]# yum -y install inotify-tools rsync
#后臺(tái)監(jiān)控目錄
#--timefmt 中秒应为 %S，原文的 %s 是 Unix 时间戳，会让时间字段变成一长串数字
[root@data-server ~]# inotifywait -o /root/inotify.log -drq /www --timefmt "%Y-%m-%d %H:%M:%S" --format "%T %w%f event: %e"
#以下两步只有 rsync over SSH 时才需要；本例使用 rsync 守护进程模式（::backup），可以省略，避免无必要地把 root 的 SSH 密钥分发到备份服务器
[root@data-server ~]# ssh-keygen
[root@data-server ~]# ssh-copy-id 192.168.100.27
備份服務(wù)器使用rsync服務(wù)
[root@backup-server ~]# yum -y install rsync
[root@backup-server ~]# vi /etc/rsyncd.conf
#添加以下内容。注意：uid/gid = root 让守护进程以 root 写入 /www，并原样保留客户端推送过来的属主与权限位（包括 setuid）；最小权限做法是删掉这两行使用默认的 nobody，并像下文那样给 nobody 授权目录
uid = root
gid = root
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
[backup]
path = /www
comment = --- backup dir ---
read only = no
auth users = rsyncuser
secrets file = /etc/rsyncd.pas
[root@backup-server ~]# echo "rsyncuser:ddq.com" > /etc/rsyncd.pas
[root@backup-server ~]# chmod 600 /etc/rsyncd.pas
[root@backup-server ~]# systemctl enable --now rsyncd
#给 nobody 授予目录权限：只有在 rsyncd.conf 未设置 uid/gid（默认 nobody）时才有意义；按上面 uid = root 的配置此步实际不起作用，两种做法二选一
[root@backup-server ~]# setfacl -m u:nobody:rwx /www
#數(shù)據(jù)服務(wù)器上查看rsync服務(wù)器的備份目錄
[root@data-server ~]# rsync 192.168.100.27::
backup --- backup dir ---
[root@data-server ~]# echo ddq.com >/etc/rsync.pas
#口令文件必须只对属主可读，否则 rsync 报 "password file must not be other-accessible" 并拒绝使用（默认 umask 下 echo 生成的是 644）
[root@data-server ~]# chmod 600 /etc/rsync.pas
#注意 rsync 守护进程协议只对认证做挑战-应答，数据本身明文传输；跨不可信网络时应改走 SSH
[root@data-server ~]# rsync -avz --delete --password-file=/etc/rsync.pas /www/ rsyncuser@192.168.100.27::backup
shell腳本實(shí)現(xiàn)實(shí)時(shí)數(shù)據(jù)同步
[root@data-server ~]#vim inotify_rsync.sh
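#!/bin/bash
# inotify_rsync.sh — watch SRC with inotifywait and push the whole tree to the
# rsync daemon module DEST after every change event.
#
# Requirements: inotify-tools and rsync installed; PASSFILE holds the rsync
# daemon password for DEST and must be mode 600, or rsync refuses to use it.
# Each successful sync appends one line to LOG.
#
# Note: every event triggers a full `rsync --delete` of SRC; a burst of
# events means a burst of rsync runs (no coalescing), same as before.
SRC='/www/'
DEST='rsyncuser@192.168.100.27::backup'
PASSFILE='/etc/rsync.pas'
LOG='/var/log/changelist.log'

# Install rsync if it is missing (RPM-based hosts only).
rpm -q rsync &> /dev/null || yum -y install rsync

# -m: keep watching; -r: recursive; -q: quiet.
# `read -r` keeps backslashes in names intact. Names containing whitespace
# are still split on IFS (as in the original); that only affects the log
# line, since rsync always syncs all of SRC rather than the single file.
inotifywait -mrq --exclude=".*\.swp" \
  --timefmt '%Y-%m-%d %H:%M:%S' --format '%T %w %f' \
  -e create,delete,moved_to,close_write,attrib "${SRC}" |
while read -r DATE TIME DIR FILE; do
  FILEPATH="${DIR}${FILE}"
  # --delete mirrors removals to the backup module as well; all expansions
  # are quoted so paths with spaces or globs cannot alter the command line.
  rsync -az --delete --password-file="${PASSFILE}" "${SRC}" "${DEST}" \
    && echo "At ${TIME} on ${DATE}, file ${FILEPATH} was backuped up via rsync" >> "${LOG}"
done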
#添加脚本到 /etc/rc.local 开机启动。脚本里的 inotifywait -m 会一直运行，必须以 & 放到后台，否则 rc.local 无法返回
[root@data-server ~]# chmod +x /root/inotify_rsync.sh
[root@data-server ~]# chmod +x /etc/rc.d/rc.local
[root@data-server ~]# echo '/root/inotify_rsync.sh &' >> /etc/rc.local
#查看文件傳輸日志
[root@data-server ~]# ./inotify_rsync.sh &
[root@data-server ~]# tail -f /var/log/changelist.log
使用iptables实现：放行telnet、ftp、web、samba服务，其他端口服务全部拒绝
#原文只有"放行五个端口 + 全部拒绝"两条规则，会把回环流量、已建立连接的回包以及 FTP 数据连接一并拒绝（主动模式的数据连接回包到达服务器 20 端口、被动模式的数据连接到随机高端口，都不在放行列表里），所以要先放行 lo 与 ESTABLISHED,RELATED，并加载 FTP 连接跟踪模块，被动模式的数据连接才能作为 RELATED 通过：
[root@localhost ~]# modprobe nf_conntrack_ftp
[root@localhost ~]# iptables -I INPUT -i lo -j ACCEPT
[root@localhost ~]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp -m multiport --dport 21,23,80,139,445 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -j REJECT
#敲完全部拒绝的命令后，当前 SSH 会话（22 端口不在放行列表）会断开，需从其他客户端用 telnet 重新登录；telnet 是明文协议，且 root 默认不能经 telnet 直接登录，这里用普通用户登录后再 sudo。以上规则只在内存中，重启即丢失（持久化需 iptables-services 的 service iptables save）；较新内核默认不再自动给连接绑定 conntrack helper，需另加 CT 规则或打开 nf_conntrack_helper。下面 iptables -vnL 的输出对应最初只有两条规则时的情况
[root@client ~]# telnet 192.168.100.37
Trying 192.168.100.37...
Connected to 192.168.100.37.
Escape character is '^]'.
Kernel 3.10.0-1160.36.2.el7.x86_64 on an x86_64
localhost login: wx562635
Password:
Last login: Tue Aug 24 14:45:27 from ::ffff:192.168.100.1
[wx562635@localhost ~]$ sudo -i
[sudo] password for wx562635:
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
295 15897 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,23,80,139,445
35 4388 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 253 packets, 27467 bytes)
pkts bytes target prot opt in out source destination