1.实现基于mysql验证的vsftpd虚拟用户访问
本场景使用两台服务器实现：一台 FTP 服务器（c5，10.0.1.246），一台数据库服务器（10.0.1.244）。下文部分命令的提示符仍显示为 c5，请以命令中的 IP 地址判断在哪台机器上执行。
1.1 安装数据库
[root@c5 ~]#yum -y install mariadb-server
[root@c5 ~]#systemctl start mariadb.service
[root@c5 ~]#systemctl enable mariadb
1.2 在FTP服务器上安装vsftpd,mariadb-devel,pam-devel和pam_mysql包(pam_mysql需要编译安装)
[root@c5 ~]# yum install vsftpd mariadb-devel pam-devel -y
[root@c5 ~]# yum -y groupinstall "Development Tools"
[root@c5 src]# tar xvf pam_mysql-0.7RC1.tar.gz
[root@c5 pam_mysql-0.7RC1]# cd pam_mysql-0.7RC1/
[root@c5 pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
[root@c5 pam_mysql-0.7RC1]# make -j 4 && make install
1.3 在数据库服务器上创建虚拟用户账号
1.3.1 建立存储虚拟用户的数据库和用于连接的数据库用户（下面把账号授权为 `vsftpd@'%'`，即允许从任意主机连接；生产环境应只允许 FTP 服务器的地址，如 `vsftpd@'10.0.1.246'`，并且只授予 SELECT 权限，密码也不要再使用 centos 这类弱口令）
MariaDB [(none)]> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
| vsftpd |
+--------------------+
7 rows in set (0.00 sec)
MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO vsftpd@'%' IDENTIFIED BY 'centos';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
1.3.2 准备存储用户的表
MariaDB [(none)]> USE vsftpd;
Database changed
MariaDB [vsftpd]> SHOW TABLES;
Empty set (0.01 sec)
MariaDB [vsftpd]> CREATE TABLE users (
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> );
Query OK, 0 rows affected (0.06 sec)
MariaDB [vsftpd]> DESC users;
+----------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | char(50) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
1.3.3 在 FTP 服务器上测试连接（注意 `-pcentos` 把密码直接写在命令行，会留在 shell 历史并能被 `ps` 看到；只写 `-p` 让 mysql 交互式提示输入密码更安全）
[root@c5 ~]# yum install mariadb -y
[root@c5 ~]# mysql -uvsftpd -pcentos -h 10.0.1.244 -e "show databases;"
+--------------------+
| Database |
+--------------------+
| information_schema |
| test |
| vsftpd |
+--------------------+
1.3.4 添加虚拟用户（注意 MySQL 的 PASSWORD() 函数不加盐，下面 test1 和 test2 口令相同，得到的哈希也完全相同，一个泄露即可推出另一个；相同弱口令仅用于实验环境）
MariaDB [(none)]> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [vsftpd]> INSERT INTO users(name,password) values('test1',password('centos'));
Query OK, 1 row affected (0.01 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('test2',password('centos'));
Query OK, 1 row affected (0.01 sec)
MariaDB [vsftpd]> SELECT * FROM users;
+----+-------+-------------------------------------------+
| id | name | password |
+----+-------+-------------------------------------------+
| 1 | test1 | *128977E278358FF80A246B5046F51043A2B1FCED |
| 2 | test2 | *128977E278358FF80A246B5046F51043A2B1FCED |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)
1.4 在FTP服务器上配置vsftpd服务
1.4.1 在FTP服务器上建立pam认证所需文件
[root@c5 ~]# cat /etc/pam.d/vsftpd.mysql ###添加如下两行
auth required pam_mysql.so user=vsftpd passwd=centos host=10.0.1.244 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=10.0.1.244 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
• auth 表示认证（校验用户名和口令）
• account 表示账号有效性检查（这里同样交给 pam_mysql 完成）
• required 表示该模块必须通过；它失败时 PAM 仍会执行栈中其余模块，但最终结果为失败
• pam_mysql.so模块是默认的相对路径,是相对/lib64/security/路径而言,也可以写绝
对路径;后面为给此模块传递的参数
• user=vsftpd 为登录mysql的用户（与 1.3.1 中授权的账号一致）
• passwd=centos 登录mysql的密码（与上面两行配置一致；该密码以明文写在此文件中，建议 `chmod 600 /etc/pam.d/vsftpd.mysql`，只让 root 可读，验证由 vsftpd 的特权进程完成，一般不受影响）
• host=10.0.1.244 mysql服务器的主机名或ip地址
• db=vsftpd 指定连接mysql的数据库名称
• table=users 指定连接数据库中的表名
• usercolumn=name 当做用户名的字段
• passwdcolumn=password 存放该用户密码哈希的字段
• crypt=2 表示密码字段存储的是 mysql PASSWORD() 函数的结果（无盐哈希，相同口令得到相同哈希）
1.4.2 建立虚拟用户映射的系统用户及对应的目录
[root@c5 ~]# useradd -s /sbin/nologin -d /var/ftproot vuser
[root@c5 ~]# chmod 555 /var/ftproot
[root@c5 ~]# mkdir /var/ftproot/test{1,2}
[root@c5 ~]# setfacl -m u:vuser:rwx /var/ftproot/test*
1.4.3 修改vsftpd的配置文件
[root@c5 ~]# cat /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql ###需修改
guest_enable=YES ###新添加以下几项（guest_enable 把所有非匿名登录映射为 guest_username 指定的系统用户）
guest_username=vuser
allow_writeable_chroot=YES ###local_root 所指目录已通过 setfacl 对 vuser 可写，而 vsftpd 3.x 默认拒绝在可写的 chroot 根目录下运行，故需打开；这同时放弃了该项保护，应确保每个虚拟用户只能写到自己的 local_root
user_config_dir=/etc/vsftpd/vusers_config ###指定虚拟用户配置文件的路径
1.4.4 为虚拟用户定制配置文件（anon_other_write_enable 同时允许删除和改名；上传文件的权限由 anon_umask 决定，默认 077，所以后面测试中看到上传的文件是 -rw-------；文件名必须与数据库中的虚拟用户名一致）
[root@c4 vusers_config]# pwd
/etc/vsftpd/vusers_config
[root@c4 vusers_config]# cat test1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/var/ftproot/test1/
[root@c4 vusers_config]# cat test2
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/var/ftproot/test2/
1.5 测试
1.5.1 启动vsftpd服务
[root@c5 ~]# systemctl start vsftpd
1.5.2 利用FTP客户端工具,以虚拟用户登录验证结果
[root@c1 ~]# yum install ftp -y
[root@c1 ~]# ftp c5
Connected to c5 (10.0.1.246).
220 (vsFTPd 3.0.2)
Name (c5:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,0,1,245,188,109).
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls
227 Entering Passive Mode (10,0,1,245,104,198).
150 Here comes the directory listing.
226 Directory send OK.
ftp> put t1
local: t1 remote: t1
227 Entering Passive Mode (10,0,1,245,117,202).
150 Ok to send data.
226 Transfer complete.
ftp> ls
227 Entering Passive Mode (10,0,1,245,88,231).
150 Here comes the directory listing.
-rw------- 1 1002 1002 0 Jun 07 12:25 t1
226 Directory send OK.
ftp> mkdir test
257 "/test" created
ftp> ls
227 Entering Passive Mode (10,0,1,245,154,236).
150 Here comes the directory listing.
-rw------- 1 1002 1002 0 Jun 07 12:25 t1
drwx------ 2 1002 1002 6 Jun 07 12:25 test
226 Directory send OK.
ftp> delete t1
250 Delete operation successful.
2.通过NFS实现服务器/www共享访问
2.1 NFS 服务端由内核模块和 nfs-utils 用户态工具（rpc.nfsd、exportfs 等）组成；若尚未安装 nfs-utils，先执行下面第二条安装命令，再启动 nfs-server
[root@c1 ~]# systemctl start nfs-server
[root@c1 ~]# yum install nfs-utils -y ###没有nfs时用此命令安装
2.2 创建共享目录
[root@c1 ~]# mkdir /www
[root@c1 ~]# chown nfsnobody /www
2.3 添加配置（`/www *(rw)` 把目录以读写方式导出给所有主机，生产环境应限定为具体网段，如 `/www 10.0.1.0/24(rw)`；下面 exportfs 输出中的 root_squash 是默认值，应保留，这样客户端 root 会被映射为 nfsnobody，与 2.2 中 chown 的属主一致）
[root@c1 ~]# cat /etc/exports
/www *(rw)
2.4 测试
2.4.1 查看本机所有共享
[root@c1 ~]# exportfs -v
/www (sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
2.4.2 远程挂载
[root@centos7 ~]# mount 10.0.1.242:/www /mnt/nfsshare/
[root@centos7 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos-root 60G 21G 40G 35% /
devtmpfs 983M 0 983M 0% /dev
tmpfs 1000M 0 1000M 0% /dev/shm
tmpfs 1000M 98M 902M 10% /run
tmpfs 1000M 0 1000M 0% /sys/fs/cgroup
/dev/sda1 1014M 166M 849M 17% /boot
tmpfs 200M 44K 200M 1% /run/user/0
/dev/sr0 3.8G 3.8G 0 100% /run/media/root/CentOS_6.10_Final
/dev/sr1 11G 11G 0 100% /run/media/root/CentOS 7 x86_64
10.0.1.242:/www 42G 1.3G 41G 4% /mnt/nfsshare
[root@centos7 ~]# touch /mnt/nfsshare/test.txt
[root@centos7 ~]# cd /mnt/nfsshare/
[root@centos7 nfsshare]# ls
test.txt
[root@centos7 nfsshare]# cat test.txt
[root@centos7 nfsshare]# echo 123 > test.txt
[root@centos7 nfsshare]# cat test.txt
123
[root@c1 ~]# ll /www/
total 0
-rw-r--r-- 1 nfsnobody nfsnobody 0 May 19 10:06 test.txt
[root@c1 ~]# cat /www/test.txt
123
2.5 配置开机自动挂载（NFS 挂载依赖网络，fstab 中建议用 `_netdev` 而不是单纯的 `defaults`，否则网络未就绪或服务器不可达时可能阻塞开机）
[root@centos7 nfsshare]# cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Sat Jan 4 01:52:46 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 0 0
UUID=24b6bae0-d077-4259-8529-f778c9c120ce /boot xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults 0 0
10.0.1.242:/www /mnt/nfsshare/ nfs defaults 0 0
3.配置Samba共享,实现/www目录共享
3.1 在samba服务器上安装samba包
[root@c4 ~]# yum -y install samba
3.2 创建samba用户和组
[root@c4 ~]# groupadd -r admins
[root@c4 ~]# useradd -s /sbin/nologin -G admins rick
[root@c4 ~]# smbpasswd -a rick
New SMB password:
Retype new SMB password:
Added user rick.
[root@c4 ~]# useradd -s /sbin/nologin mage
[root@c4 ~]# smbpasswd -a mage
New SMB password:
Retype new SMB password:
Added user mage.
[root@c4 ~]#
3.3 创建samba共享目录
[root@c4 ~]# mkdir -p /testdir/smbshare
[root@c4 ~]# chgrp admins /testdir/smbshare
[root@c4 ~]# chmod 2775 /testdir/smbshare
3.4 samba服务器配置
vim /etc/samba/smb.conf ###增加如下一节（共三行）：该共享默认对所有已用 smbpasswd 添加的 samba 用户可读，只有 write list 中的 @admins 组成员可写
[share]
path = /testdir/smbshare
write list = @admins
[root@c4 ~]# systemctl start smb nmb
3.5 samba客户端访问
3.5.1 安装客户端
[root@c5 ~]# yum -y install cifs-utils
3.5.2 用rick用户挂载smb共享并访问
[root@c5 ~]# mkdir /mnt/rick
[root@c5 ~]# mount -o username=rick //10.0.1.245/share /mnt/rick/
Password for rick@//10.0.1.245/share: ******
[root@c5 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 42G 1.7G 40G 5% /
devtmpfs 909M 0 909M 0% /dev
tmpfs 920M 0 920M 0% /dev/shm
tmpfs 920M 17M 903M 2% /run
tmpfs 920M 0 920M 0% /sys/fs/cgroup
/dev/sda1 497M 130M 367M 27% /boot
tmpfs 184M 0 184M 0% /run/user/0
//10.0.1.245/share 42G 1.3G 41G 3% /mnt/rick
[root@c5 ~]# echo "Hello rick." > /mnt/rick/rick.txt
[root@c4 ~]# ls /testdir/smbshare/ -l
total 4
-rwxr--r-- 1 rick admins 12 May 19 15:41 rick.txt
[root@c4 ~]# ll /testdir/smbshare/
total 4
-rwxr--r-- 1 rick admins 12 May 19 15:41 rick.txt
[root@c4 ~]# cat /testdir/smbshare/rick.txt
Hello rick.
3.5.3 用mage用户挂载smb共享并访问
[root@c5 ~]# mkdir /mnt/mage
[root@c5 ~]# mount -o username=mage //10.0.1.245/share /mnt/mage/
Password for mage@//10.0.1.245/share: ******
[root@c5 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 42G 1.7G 40G 5% /
devtmpfs 909M 0 909M 0% /dev
tmpfs 920M 0 920M 0% /dev/shm
tmpfs 920M 17M 903M 2% /run
tmpfs 920M 0 920M 0% /sys/fs/cgroup
/dev/sda1 497M 130M 367M 27% /boot
tmpfs 184M 0 184M 0% /run/user/0
//10.0.1.245/share 42G 1.3G 41G 3% /mnt/rick
//10.0.1.245/share 42G 1.3G 41G 3% /mnt/mage
[root@c5 ~]# mount -o username=mage //10.0.1.245/share /mnt/mage/
Password for mage@//10.0.1.245/share: ******
[root@c5 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 42G 1.7G 40G 5% /
devtmpfs 909M 0 909M 0% /dev
tmpfs 920M 0 920M 0% /dev/shm
tmpfs 920M 17M 903M 2% /run
tmpfs 920M 0 920M 0% /sys/fs/cgroup
/dev/sda1 497M 130M 367M 27% /boot
tmpfs 184M 0 184M 0% /run/user/0
//10.0.1.245/share 42G 1.3G 41G 3% /mnt/rick
//10.0.1.245/share 42G 1.3G 41G 3% /mnt/mage
[root@c5 ~]# touch /mnt/mage/magefile.txt
touch: cannot touch ‘/mnt/mage/magefile.txt’: Permission denied
###注:因为mage用户不属于admins组(write list = @admins),所以只有读权限没有写权限
4.使用rsync+inotify实现/www目录实时同步
4.1 实现实时同步
1.要利用监控服务(inotify),监控同步数据服务器目录中信息的变化
2.发现目录中数据产生变化,就利用rsync服务推送到备份服务器上
3.利用脚本进行结合
4.2 查看服务器内核是否支持inotify
[root@c5 ~]# ll /proc/sys/fs/inotify #列出下面的文件,说明服务器内核支持inotify
total 0
-rw-r--r-- 1 root root 0 May 19 15:57 max_queued_events
-rw-r--r-- 1 root root 0 May 19 15:57 max_user_instances
-rw-r--r-- 1 root root 0 May 19 15:57 max_user_watches
4.3 安装inotify
4.3.1 安装epel源
[root@c5 ~]# yum install epel-release.noarch -y
4.3.2 安装inotify软件
[root@c5 ~]# yum install inotify-tools -y
4.3.3 配置 rsync 服务器端的配置文件（注意 `uid = root`、`gid = root` 且 `use chroot = no`：守护进程以 root 身份写入 /backup，持有密码的客户端推送的任何文件都会以 root 属主落盘（见后面 ll /backup 的输出）；更稳妥的做法是使用专用的低权限账号并打开 `use chroot = yes`。`hosts allow = 10.0.1.0/24` 限制了来源网段，应保留）
[root@c4 ~]# cat /etc/rsyncd.conf
# /etc/rsyncd: configuration file for rsync daemon mode
# See rsyncd.conf man page for more options.
# configuration example:
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 10.0.1.0/24
[backup]
path = /backup
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
4.3.4 服务器端生成验证文件,准备目录并启动rsync服务（服务端 secrets file 的格式是每行一个 `用户名:密码`，用户名必须与 auth users 中的一致；文件权限必须为 600，否则 rsync 默认的 strict modes 会拒绝使用）
[root@c4 ~]# echo "rsyncuser:centos" > /etc/rsync.pass
[root@c4 ~]# chmod 600 /etc/rsync.pass
[root@c4 ~]# mkdir /backup
[root@c4 ~]# systemctl start rsyncd
4.3.5 客户端配置密码文件和创建要同步的目录（客户端 `--password-file` 指向的文件只写密码本身，不带用户名；用户名由目标地址 `rsyncuser@...` 提供；同样必须 chmod 600）
[root@c5 ~]# echo "centos" > /etc/rsync.pass
[root@c5 ~]# chmod 600 /etc/rsync.pass
[root@c5 ~]# mkdir /data
[root@c5 ~]# touch /data/123.txt
4.4 客户端测试同步数据
[root@c5 ~]# rsync -avz --password-file=/etc/rsync.pass /data/ [email protected]::backup
sending incremental file list
./
123.txt
sent 105 bytes received 38 bytes 286.00 bytes/sec
total size is 0 speedup is 0.00
[root@c4 ~]# ls /backup/
123.txt
4.5 客户端创建inotify_rsync.sh脚本实现实时同步
4.5.1 创建脚本
[root@c5 ~]# cat inotify_rsync.sh
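#!/bin/bash
# Watch SRC with inotify and push the whole tree to the rsync daemon module
# DEST after every change.  Each successful push appends one line to
# LOG_FILE; a failed push is reported on stderr and the loop keeps running.
#
# Security / operational notes:
#  - PASS_FILE holds only the rsync password (no "user:" prefix; the user
#    name comes from DEST) and must be mode 0600 or rsync refuses to use it.
#  - --delete mirrors local deletions to the backup, so the backup is a
#    replica, not an archive: a mistaken rm in SRC is propagated on the next
#    event.  Drop --delete if the backup must survive local deletes.
#  - Every event triggers a full rsync of SRC; a burst of writes causes a
#    burst of syncs (harmless, but noisy in the log).
set -uo pipefail

readonly SRC='/data/'
readonly DEST='[email protected]::backup'
readonly PASS_FILE='/etc/rsync.pass'
readonly LOG_FILE='/var/log/changelist.log'

# Fail fast with a clear message rather than looping forever on a broken setup.
command -v inotifywait >/dev/null 2>&1 || { printf 'inotifywait not installed\n' >&2; exit 1; }
[[ -d "$SRC" ]] || { printf 'source directory %s missing\n' "$SRC" >&2; exit 1; }
[[ -r "$PASS_FILE" ]] || { printf 'password file %s not readable\n' "$PASS_FILE" >&2; exit 1; }

# Tab-separated fields: the original "%T %w %f" format split a path that
# contains spaces across the read variables.  %T itself contains a space
# (date, time), so it is read as one field and split afterwards.
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format $'%T\t%w\t%f' \
  -e create,delete,moved_to,close_write,attrib "$SRC" |
while IFS=$'\t' read -r stamp dir file; do
  ev_date=${stamp% *}
  ev_time=${stamp#* }
  filepath="${dir}${file}"
  # </dev/null keeps rsync from consuming the event stream on the loop's stdin.
  if rsync -az --delete --password-file="$PASS_FILE" "$SRC" "$DEST" </dev/null; then
    printf 'At %s on %s, file %s was backuped up via rsync\n' \
      "$ev_time" "$ev_date" "$filepath" >> "$LOG_FILE"
  else
    rc=$?
    printf 'rsync %s -> %s failed (exit %d); will retry on next event\n' \
      "$SRC" "$DEST" "$rc" >&2
  fi
done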
4.5.2 后台运行脚本进行测试（脚本首行已指定 /bin/bash，建议 `chmod +x` 后直接执行或用 `bash inotify_rsync.sh` 运行；每个 inotify 事件都会触发一次完整 rsync，下面日志中同一文件出现多次就是这个原因；生产环境建议改用 systemd 服务管理，`tailf` 已废弃，可用 `tail -f` 代替）
[root@c5 ~]# nohup sh inotify_rsync.sh &
[1] 24745
[root@c5 ~]# nohup: ignoring input and appending output to ‘nohup.out’
[root@c5 ~]# touch /data/test1.txt
[root@c5 ~]# echo hello > /data/test1.txt
[root@c5 ~]# tailf /var/log/changelist.log
At 22:32 on 2020-05-19, file /data/123.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
###服务器端
[root@c4 backup]# pwd
/backup
[root@c4 backup]# ll
total 4
-rw-r--r-- 1 root root 6 May 19 22:40 test1.txt
[root@c4 backup]# cat test1.txt
hello
5.使用iptables实现:放行Telnet,ftp,web服务器,放行samba服务,其他端口服务全部拒绝（注意：下面的规则集缺少 `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` 和 `-A INPUT -i lo -j ACCEPT`，本机主动发起的连接（如后面的 yum install）的回包若在加规则之后执行会被末尾的 DROP 丢掉；FTP 被动模式的数据连接需要加载 nf_conntrack_ftp 并配合 RELATED 放行，仅开 21 端口不够；`iptables -vnL` 输出中的 22 端口规则不在本节命令里，是之前已存在的，否则 SSH 会话会被切断。Telnet 和 FTP 均为明文协议，这里仅为练习放行）
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 80 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 21 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 23 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 139 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 445 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -j DROP
[root@centos6 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
39 4962 ACCEPT tcp -- * * 0.0.0.0/0 10.1.1.110 tcp dpt:22
6 394 ACCEPT tcp -- * * 0.0.0.0/0 10.1.1.110 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.1.1.110 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.1.1.110 tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.1.1.110 tcp dpt:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.1.1.110 tcp dpt:445
81 8786 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 49 packets, 5983 bytes)
pkts bytes target prot opt in out source destination
###测试
[root@centos6 ~]# yum install httpd -y
[root@centos6 ~]# ls /var/www/html/
[root@centos6 ~]# echo this is for iptables > /var/www/html/index.html
[root@centos6 ~]# cat /var/www/html/index.html
this is for iptables
[root@centos6 ~]# service httpd start
[root@c5 ~]# curl 10.1.1.110
this is for iptables