Week 18 Homework (虚怀若谷)
I. Implementing vsftpd virtual-user access with MySQL-based authentication
Hosts: two, one FTP server and one MySQL server
1. Configure the MySQL service, create the database and table, and create the authorized user
[root@mysql ~]# yum install -y mariadb-server    # install the database service
[root@mysql ~]# systemctl start mariadb
[root@mysql ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database vsftpd;    # create the database
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> use vsftpd;
MariaDB [vsftpd]> CREATE TABLE users (    # user table holding the FTP account information
    ->   id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
    ->   name CHAR(50) BINARY NOT NULL,
    ->   password CHAR(48) BINARY NOT NULL);
Query OK, 0 rows affected (0.02 sec)

MariaDB [vsftpd]> insert into users (name,password) value('ftpuser1',password('centos'));    # add an FTP user
Query OK, 1 row affected (0.00 sec)

MariaDB [vsftpd]> insert into users (name,password) value('ftpuser2',password('linux'));    # add an FTP user
Query OK, 1 row affected (0.01 sec)

MariaDB [vsftpd]> grant select on vsftpd.* to vsftpd@'192.168.27.%' identified by 'centos';    # create the authorized user (SELECT only)
Query OK, 0 rows affected (0.00 sec)
2. Install the FTP service on the FTP server, and compile and install the pam_mysql module
[root@ftpserver ~]# yum install -y vsftpd    # install the FTP service
[root@ftpserver ~]# ll pam_mysql-0.7RC1.tar.gz    # the pam_mysql source tarball, downloaded in advance
-rw-r--r-- 1 root root 335240 Jan  9  2006 pam_mysql-0.7RC1.tar.gz
[root@ftpserver ~]# tar -xf pam_mysql-0.7RC1.tar.gz
[root@ftpserver ~]# cd pam_mysql-0.7RC1/
[root@ftpserver ~]# yum install -y gcc gcc-c++ pam-devel mariadb-devel    # install the build dependencies first
[root@ftpserver pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security/    # build and install the pam_mysql module
[root@ftpserver pam_mysql-0.7RC1]# make && make install
3. Create the PAM authentication file
[root@ftpserver ~]# vim /etc/pam.d/vsftpd.mysql
auth    required pam_mysql.so user=vsftpd passwd=centos host=192.168.27.37 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=192.168.27.37 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
4. Create the FTP virtual user and the shared directory, and modify /etc/vsftpd/vsftpd.conf
[root@ftpserver ~]# useradd -d /data/ftproot -s /sbin/nologin vuser    # create the system account that virtual users are mapped to
[root@ftpserver ~]# chmod 555 /data/ftproot    # set the FTP root directory permissions
[root@ftpserver ~]# mkdir /data/ftproot/upload    # create the FTP upload directory
[root@ftpserver ~]# setfacl -m u:vuser:rwx /data/ftproot/upload    # set the upload directory permissions
[root@ftpserver ~]# vim /etc/vsftpd/vsftpd.conf
# change this line (vsftpd.conf does not allow trailing comments on a value line)
pam_service_name=vsftpd.mysql
# add the following three lines
guest_enable=YES
guest_username=vuser
# directory for per-user configuration files
user_config_dir=/etc/vsftpd/vusers.d/
5. Start the FTP service and test with a user from the database
[root@ftpserver ftproot]# systemctl start vsftpd
[root@ftpserver ftproot]# ftp 192.168.27.27
Connected to 192.168.27.27 (192.168.27.27).
220 (vsFTPd 3.0.2)
Name (192.168.27.27:root): ftpuser1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,27,27,164,138).
150 Here comes the directory listing.
drwxrwxr-x    2 0        0               6 Mar 09 08:57 upload
226 Directory send OK.
II. Sharing the server's /www directory via NFS
Hosts: two, one NFS server and one client
1. Configure the NFS server
[root@NFSserver ~]# mkdir /www    # create the directory to export
[root@NFSserver ~]# vim /etc/exports
# export the directory to the local subnet
/www 192.168.27.0/24(rw,root_squash)
[root@NFSserver ~]# systemctl start nfs-server    # start the NFS service
[root@NFSserver ~]# exportfs -v    # list this host's NFS exports
/www            192.168.27.0/24(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
[root@NFSserver ~]# touch /www/f1.txt    # create a test file
2. Mount the NFS directory on the client
[root@Client ~]# showmount -e 192.168.27.27    # list the host's exports
Export list for 192.168.27.27:
/www 192.168.27.0/24
# mount manually
[root@Client ~]# mount -o rw,nosuid,fg,hard,intr 192.168.27.27:/www /data/
[root@Client ~]# cd /data
[root@Client data]# ls -l    # the files on the export are visible
total 0
-rw-r--r-- 1 root root 0 Mar  9 17:48 f1.txt
# to mount at boot, add the following line to /etc/fstab
192.168.27.27:/www /data nfs defaults 0 0
III. Configuring a Samba share for the /www directory
Hosts: one server (192.168.27.27) and one client (192.168.27.37)
Software: samba (server), cifs-utils (client), installation-disc yum repository
1. Install the samba package on the server
[root@server ~]# yum install -y samba
2. Create the Samba users and group, and create the Samba shared directory
[root@server ~]# groupadd -r smbgroup    # create the smbgroup group
[root@server ~]# useradd -s /sbin/nologin -G smbgroup smbuser1    # create smbuser1 and add it to smbgroup
[root@server ~]# id smbuser1
uid=1001(smbuser1) gid=1001(smbuser1) groups=1001(smbuser1),981(smbgroup)
[root@server ~]# smbpasswd -a smbuser1    # add the Samba user
New SMB password:    # password: centos
Retype new SMB password:
Added user smbuser1.
[root@server ~]# useradd -s /sbin/nologin smbuser2
[root@server ~]# smbpasswd -a smbuser2
New SMB password:    # password: linux
Retype new SMB password:
Added user smbuser2.
[root@server ~]# mkdir /www    # create the shared directory
[root@server ~]# chgrp smbgroup /www    # change the directory's group
[root@server ~]# chmod 2775 /www
[root@server ~]# ls -ld /www
drwxr-xr-x 2 root smbgroup 6 Mar  9 19:05 /www
3. Modify the Samba configuration file /etc/samba/smb.conf
[root@server ~]# vim /etc/samba/smb.conf
# append the following custom share definition at the end of the file
[smbshare]
path = /www
writeable = no
# with writeable = no, only users in the smbgroup group (the write list) can write
write list = @smbgroup
4. Start the Samba services
[root@server ~]# systemctl start smb nmb
5. Install the cifs-utils package on the client and mount the share
[root@client ~]# yum install -y cifs-utils
[root@client ~]# mkdir /data/smbuser1    # create the mount point
[root@client ~]# mkdir /data/smbuser2    # create the mount point
# mount manually as smbuser1
[root@client ~]# mount -o username=smbuser1,password=centos //192.168.27.27/smbshare /data/smbuser1
# mount manually as smbuser2, entering the password at the prompt so it does not appear on the command line
[root@client ~]# mount -o username=smbuser2 //192.168.27.27/smbshare /data/smbuser2
Password for smbuser2@//192.168.2.27/smbshare:  *****
6. Test on the client: with the configuration above, smbuser1 has write permission and smbuser2 does not
[root@client ~]# cd /data/smbuser1
[root@client smbuser1]# touch f1.txt    # smbuser1 can create files
[root@client smbuser1]# cd /data/smbuser2
[root@client smbuser2]# touch f2.txt    # smbuser2 cannot create files
touch: cannot touch ‘f2.txt’: Permission denied
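As an added example that is not part of the original post, the script below encodes the Samba access rule that step 6 exercises (write list overrides read list, which overrides writeable), using a constructed share definition and a constructed group table in place of smb.conf and /etc/group:

```shell
#!/bin/bash
# Constructed share definition and account data mirroring the lab above:
# the [smbshare] section of smb.conf and the "useradd -G smbgroup smbuser1" step.
SHARE_WRITEABLE=no
SHARE_WRITE_LIST='@smbgroup'
SHARE_READ_LIST=''

# groups_of USER: group memberships from step 2 (constructed lookup table, not /etc/group)
groups_of() {
  case $1 in
    smbuser1) echo 'smbuser1 smbgroup' ;;
    smbuser2) echo 'smbuser2' ;;
    *)        echo "$1" ;;
  esac
}

# in_list USER LIST: succeeds if USER, or a group USER belongs to (@group or +group
# syntax), appears in the comma- or space-separated LIST
in_list() {
  local user=$1 entry g
  local IFS=', '
  for entry in $2; do
    case $entry in
      @*|+*) for g in $(groups_of "$user"); do [ "$g" = "${entry#?}" ] && return 0; done ;;
      *)     [ "$entry" = "$user" ] && return 0 ;;
    esac
  done
  return 1
}

# share_access USER: prints "write" or "read-only" following Samba's precedence:
# "write list" overrides "read list", which overrides the share's writeable setting.
share_access() {
  if in_list "$1" "$SHARE_WRITE_LIST"; then echo write
  elif in_list "$1" "$SHARE_READ_LIST"; then echo read-only
  elif [ "$SHARE_WRITEABLE" = yes ]; then echo write
  else echo read-only
  fi
}

share_access smbuser1    # write: member of smbgroup, which is on the write list
share_access smbuser2    # read-only: not on the write list and writeable = no
```

The share-level decision is only half of it: smbuser1 can actually create f1.txt because /www is group-owned by smbgroup with mode 2775, so the filesystem permits the write as well.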
IV. Real-time synchronization of the /www directory with rsync + inotify
Hosts: one server (192.168.27.27) and one client (192.168.27.37)
1. On the server, install the inotify-tools package (EPEL repository) and the rsync package (installation-disc yum repository)
[root@server ~]# yum install -y inotify-tools rsync
2. Generate the authentication file on the server
[root@server ~]# echo "rsyncuser:centos" > /etc/rsync.pass
[root@server ~]# chmod 600 /etc/rsync.pass
3. Prepare the directory to back up on the server
[root@server ~]# mkdir /data
4. Modify the rsync configuration file on the server
[root@server ~]# vim /etc/rsyncd.conf
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.27.0/24
[backup]
path = /data/
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
5. Start the rsync service on the server
[root@server ~]# systemctl start rsyncd
6. Configure the password file on the client
[root@client ~]# echo "centos" > /etc/rsync.pass
[root@client ~]# chmod 600 /etc/rsync.pass
7. Test synchronizing data from the client: rsync -avz --password-file=/etc/rsync.pass /data/ rsyncuser@<rsync-server-IP>::backup
[root@client ~]# cd /data
[root@client data]# touch f1.txt    # create a file in the client directory
[root@client data]# ll
total 0
-rw-r--r-- 1 root root 0 Mar  9 20:03 f1.txt
[root@server ~]# ll /data/    # the server's backup directory is still empty at this point
total 0
[root@client data]# rsync -avz --password-file=/etc/rsync.pass /data/ rsyncuser@192.168.27.27::backup    # synchronize with rsync
sending incremental file list
./
f1.txt

sent 104 bytes  received 38 bytes  284.00 bytes/sec
total size is 0  speedup is 0.00
# back on the server
[root@server ~]# ll /data/    # the file has been synchronized
total 0
-rw-r--r-- 1 root root 0 Mar  9 20:03 f1.txt
8. The synchronization above is a one-off; for real-time synchronization, use a script such as the one below and run it in the background
[root@client ~]# cat inotify_rsync.sh
#!/bin/bash
SRC='/data/'                                # local directory to watch
DEST='rsyncuser@192.168.27.27::backup'      # rsyncuser@<rsync-server-IP>::backup
LOG='/var/log/changelist.log'               # log output
# -m: monitor continuously, -r: recursive, -q: quiet; each event is printed as "DATE TIME DIR FILE"
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' -e create,delete,moved_to,close_write,attrib ${SRC} | while read DATE TIME DIR FILE; do
    FILEPATH=${DIR}${FILE}
    rsync -az --delete --password-file=/etc/rsync.pass $SRC $DEST && echo "At ${TIME} on ${DATE}, file $FILEPATH was backed up via rsync" >> ${LOG}
done
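Steps 2 and 6 both rely on the password file being unreadable by other users, because rsync's default strict modes reject an other-accessible secrets file on the daemon side and an other-accessible --password-file on the client. As an added example that is not part of the original post, the check below validates both file layouts; it uses constructed sample files in a temporary directory, not the real /etc/rsync.pass, and assumes GNU stat.

```shell
#!/bin/bash
# check_secrets_file FILE [USER]: succeeds only if FILE can serve as an rsync
# password file. With USER it is checked as the daemon's "secrets file" from
# step 2 (needs a "USER:password" line); without USER as the client's
# --password-file from step 6 (first line is the password). In both cases the
# file must not be readable by group or others, or rsync refuses it under its
# default "strict modes". Ownership (root or the daemon uid) is not checked here.
check_secrets_file() {
  local file=$1 user=$2 mode
  [ -f "$file" ] || { echo "$file: missing"; return 1; }
  mode=$(stat -c '%a' "$file")          # GNU stat: octal permission bits
  case $mode in
    600|400) ;;
    *) echo "$file: mode $mode is group/other accessible"; return 1 ;;
  esac
  if [ -n "$user" ]; then
    grep -q "^${user}:" "$file" || { echo "$file: no entry for $user"; return 1; }
  else
    [ -n "$(head -n 1 "$file")" ] || { echo "$file: empty password"; return 1; }
  fi
}

# Constructed sample files in a temporary directory (not the real /etc/rsync.pass).
TMP=$(mktemp -d)
printf 'rsyncuser:centos\n' > "$TMP/server.pass";  chmod 600 "$TMP/server.pass"
printf 'rsyncuser:centos\n' > "$TMP/world.pass";   chmod 644 "$TMP/world.pass"
printf 'otheruser:x\n'      > "$TMP/nouser.pass";  chmod 600 "$TMP/nouser.pass"
printf 'centos\n'           > "$TMP/client.pass";  chmod 600 "$TMP/client.pass"

for f in server world nouser; do
  if check_secrets_file "$TMP/$f.pass" rsyncuser; then echo "$f.pass: ok"; fi
done
if check_secrets_file "$TMP/client.pass"; then echo "client.pass: ok"; fi
```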
V. Using iptables to allow the telnet, FTP, web and Samba services and reject every other port and service
[root@server ~]# iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@server ~]# iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
[root@server ~]# iptables -A INPUT -p tcp -m multiport --dports 20:23,80,139,445 -m state --state NEW -j ACCEPT
[root@server ~]# iptables -A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
[root@server ~]# iptables -A INPUT -j DROP
[root@server ~]# iptables -A OUTPUT -j DROP
[root@server ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  939 63260 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 20:23,80,139,445 state NEW
    9   702 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 137,138 state NEW
   46  7085 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  391 36508 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
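As an added example that is not part of the original post, here is a small first-match evaluator over the six rules above written in `iptables -S` form, so the effect of the rule order can be checked for any packet without touching a live host. It assumes the chain policies are ACCEPT, as the listing shows, and that the state match is given as the packet's conntrack state.

```shell
#!/bin/bash
# Constructed rule list in `iptables -S` form, mirroring the rules added above
# (chain policies are ACCEPT, as in the listing).
RULES='-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20:23,80,139,445 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP'

# port_in_list PORT LIST: succeeds if PORT falls inside a multiport list such as 20:23,80,139
port_in_list() {
  local port=$1 item lo hi
  local IFS=,
  for item in $2; do
    lo=${item%%:*}; hi=${item##*:}      # a single port is its own range
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
  done
  return 1
}

# verdict CHAIN PROTO PORT STATE: prints the target of the first matching rule in CHAIN,
# or the chain policy (ACCEPT) when no rule matches; first match wins, as in netfilter.
verdict() {
  local chain=$1 proto=$2 port=$3 state=$4 line rproto rports rstates target
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    set -- $line                        # re-split the rule into its options
    rproto=any rports='' rstates=any target=''
    while [ $# -gt 0 ]; do
      case $1 in
        -p)       rproto=$2;  shift ;;
        --dports) rports=$2;  shift ;;
        --state)  rstates=$2; shift ;;
        -j)       target=$2;  shift ;;
      esac
      shift
    done
    [ "$rproto" = any ] || [ "$rproto" = "$proto" ] || continue
    [ -z "$rports" ] || port_in_list "$port" "$rports" || continue
    case ",$rstates," in ",any,"|*",$state,"*) ;; *) continue ;; esac
    printf '%s\n' "$target"; return 0
  done <<EOF
$(printf '%s\n' "$RULES" | grep "^-A $chain ")
EOF
  printf 'ACCEPT\n'                     # chain policy
}

verdict INPUT tcp 21 NEW      # ACCEPT: the FTP control port is inside 20:23
verdict INPUT tcp 3306 NEW    # DROP: caught by the final catch-all rule
verdict OUTPUT udp 137 NEW    # DROP: OUTPUT only accepts tcp, so NetBIOS replies never leave
```

Running it shows the OUTPUT chain dropping all UDP, so the server's own NetBIOS traffic on 137/138 and its DNS lookups are blocked, and nothing exempts the loopback interface. Passive-mode FTP data connections only count as RELATED when the nf_conntrack_ftp helper is loaded.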