1.实现基于mysql验证的vsftpd虚拟用户访问

本场景使用两台服务器实现,一台ftp服务器,一台数据库服务器

1.1 安装数据库

[root@c5 ~]#yum -y install mariadb-server
[root@c5 ~]#systemctl start mariadb.service
[root@c5 ~]#systemctl enable mariadb

1.2 在FTP服务器上安装vsftpd,mariadb-devel,pam-devel和pam_mysql包(pam_mysql需要编译安装)

[root@c5 ~]# yum install vsftpd mariadb-devel pam-devel -y
[root@c5 ~]# yum -y groupinstall "Development Tools"
[root@c5 src]# tar xvf pam_mysql-0.7RC1.tar.gz
[root@c5 pam_mysql-0.7RC1]# cd pam_mysql-0.7RC1/
[root@c5 pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
[root@c5 pam_mysql-0.7RC1]# make -j 4 && make install

1.3 在数据库服务器上创建虚拟用户账号

1.3.1 建立存储虚拟用户数据库和连接的数据库用户

MariaDB [(none)]> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |          
| mysql              |
| performance_schema |
| test               |
| vsftpd             |           
+--------------------+
7 rows in set (0.00 sec)

MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO vsftpd@'%' IDENTIFIED BY 'centos';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

1.3.2 准备存储用户的表

MariaDB [(none)]> USE vsftpd;
Database changed
MariaDB [vsftpd]> SHOW TABLES;
Empty set (0.01 sec)

MariaDB [vsftpd]> CREATE TABLE users (
    -> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
    -> name CHAR(50) BINARY NOT NULL,
    -> password CHAR(48) BINARY NOT NULL
    -> );
Query OK, 0 rows affected (0.06 sec)

MariaDB [vsftpd]> DESC users;
+----------+----------+------+-----+---------+----------------+
| Field    | Type     | Null | Key | Default | Extra          |
+----------+----------+------+-----+---------+----------------+
| id       | int(11)  | NO   | PRI | NULL    | auto_increment |
| name     | char(50) | NO   |     | NULL    |                |
| password | char(48) | NO   |     | NULL    |                |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

1.3.3 测试连接

[root@c5 ~]# yum install mariadb -y
[root@c5 ~]# mysql -uvsftpd -pcentos -h 10.0.1.244 -e "show databases;"
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
| vsftpd             |
+--------------------+

1.3.4 添加虚拟用户

MariaDB [(none)]> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [vsftpd]> INSERT INTO users(name,password) values('test1',password('centos'));
Query OK, 1 row affected (0.01 sec)

MariaDB [vsftpd]> INSERT INTO users(name,password) values('test2',password('centos'));
Query OK, 1 row affected (0.01 sec)

MariaDB [vsftpd]> SELECT * FROM users;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  1 | test1 | *128977E278358FF80A246B5046F51043A2B1FCED |
|  2 | test2 | *128977E278358FF80A246B5046F51043A2B1FCED |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)

1.4 在FTP服务器上配置vsftpd服务

1.4.1 在FTP服务器上建立pam认证所需文件

[root@c5 ~]# cat /etc/pam.d/vsftpd.mysql ###添加如下两行
auth required pam_mysql.so user=vsftpd passwd=centos host=10.0.1.244 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=10.0.1.244 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

• auth 表示认证
• account 验证账号密码正常使用
• required 表示认证要通过
• pam_mysql.so模块是默认的相对路径,是相对/lib64/security/路径而言,也可以写绝对路径;后面为给此模块传递的参数
• user=vsftpd为登录mysql的用户
• passwd=centos 登录mysql的密码
• host=mysqlserver mysql服务器的主机名或ip地址
• db=vsftpd 指定连接mysql的数据库名称
• table=users 指定连接数据库中的表名
• usercolumn=name 当做用户名的字段
• passwdcolumn=password 当做密码的字段
• crypt=2 密码的加密方式为mysql password()函数加密

1.4.2 建立虚拟用户映射的系统用户及对应的目录

[root@c5 ~]# useradd -s /sbin/nologin -d /var/ftproot vuser
[root@c5 ~]# chmod 555 /var/ftproot
[root@c5 ~]# mkdir /var/ftproot/test{1,2}
[root@c5 ~]# setfacl -m u:vuser:rwx /var/ftproot/test*

1.4.3 修改vsftpd的配置文件

[root@c5 ~]# cat /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql  ###需修改
guest_enable=YES   ###新添加以下两项
guest_username=vuser
allow_writeable_chroot=YES
user_config_dir=/etc/vsftpd/vusers_config  ###指定虚拟用户配置文件的路径

1.4.4 为虚拟用户定制配置文件

[root@c4 vusers_config]# pwd
/etc/vsftpd/vusers_config
[root@c4 vusers_config]# cat test1 
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/var/ftproot/test1/
[root@c4 vusers_config]# cat test2
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/var/ftproot/test2/

1.5 测试

1.5.1 启动vsftpd服务

[root@c5 ~]# systemctl start vsftpd

1.5.2 利用FTP客户端工具,以虚拟用户登录验证结果

[root@c1 ~]# yum install ftp -y
[root@c1 ~]# ftp c5
Connected to c5 (10.0.1.246).
220 (vsFTPd 3.0.2)
Name (c5:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,0,1,245,188,109).
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls
227 Entering Passive Mode (10,0,1,245,104,198).
150 Here comes the directory listing.
226 Directory send OK.
ftp> put t1
local: t1 remote: t1
227 Entering Passive Mode (10,0,1,245,117,202).
150 Ok to send data.
226 Transfer complete.
ftp> ls
227 Entering Passive Mode (10,0,1,245,88,231).
150 Here comes the directory listing.
-rw-------    1 1002     1002            0 Jun 07 12:25 t1
226 Directory send OK.
ftp> mkdir test
257 "/test" created
ftp> ls
227 Entering Passive Mode (10,0,1,245,154,236).
150 Here comes the directory listing.
-rw-------    1 1002     1002            0 Jun 07 12:25 t1
drwx------    2 1002     1002            6 Jun 07 12:25 test
226 Directory send OK.
ftp> delete t1
250 Delete operation successful.

2.通过NFS实现服务器/www共享访问

2.1 nfs属于内核模块,所以直接启动nfs服务

[root@c1 ~]# systemctl start nfs-server
[root@c1 ~]# yum install nfs-utils -y    ###没有nfs时用此命令安装

2.2 创建共享目录

[root@c1 ~]# mkdir /www
[root@c1 ~]# chown nfsnobody /www

2.3 添加配置

[root@c1 ~]# cat /etc/exports
/www *(rw)

2.4 测试

2.4.1 查看本机所有共享

[root@c1 ~]# exportfs -v
/www   (sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)

2.4.2 远程挂载

[root@centos7 ~]# mount 10.0.1.242:/www /mnt/nfsshare/
[root@centos7 ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root   60G   21G   40G  35% /
devtmpfs                 983M     0  983M   0% /dev
tmpfs                   1000M     0 1000M   0% /dev/shm
tmpfs                   1000M   98M  902M  10% /run
tmpfs                   1000M     0 1000M   0% /sys/fs/cgroup
/dev/sda1               1014M  166M  849M  17% /boot
tmpfs                    200M   44K  200M   1% /run/user/0
/dev/sr0                 3.8G  3.8G     0 100% /run/media/root/CentOS_6.10_Final
/dev/sr1                  11G   11G     0 100% /run/media/root/CentOS 7 x86_64
10.0.1.242:/www           42G  1.3G   41G   4% /mnt/nfsshare
[root@centos7 ~]# touch /mnt/nfsshare/test.txt
[root@centos7 ~]# cd /mnt/nfsshare/
[root@centos7 nfsshare]# ls
test.txt
[root@centos7 nfsshare]# cat test.txt 
[root@centos7 nfsshare]# echo 123 > test.txt
[root@centos7 nfsshare]# cat test.txt 
123
[root@c1 ~]# ll /www/
total 0
-rw-r--r-- 1 nfsnobody nfsnobody 0 May 19 10:06 test.txt
[root@c1 ~]# cat /www/test.txt 
123

2.5 配置开机自动挂载

[root@centos7 nfsshare]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sat Jan  4 01:52:46 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=24b6bae0-d077-4259-8529-f778c9c120ce /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
10.0.1.242:/www                  /mnt/nfsshare/ nfs     defaults        0 0

3.配置Samba共享,实现/www目录共享

3.1 在samba服务器上安装samba包

[root@c4 ~]# yum -y install samba

3.2 创建samba用户和组

[root@c4 ~]# groupadd -r admins
[root@c4 ~]# useradd -s /sbin/nologin -G admins rick
[root@c4 ~]# smbpasswd -a rick
New SMB password:
Retype new SMB password:
Added user rick.
[root@c4 ~]# useradd -s /sbin/nologin mage
[root@c4 ~]# smbpasswd -a mage
New SMB password:
Retype new SMB password:
Added user mage.
[root@c4 ~]#

3.3 创建samba共享目录

[root@c4 ~]# mkdir -p /testdir/smbshare
[root@c4 ~]# chgrp admins /testdir/smbshare
[root@c4 ~]# chmod 2775 /testdir/smbshare

3.4 samba服务器配置

vim /etc/samba/smb.conf    ###增加如下两行
[share]
path = /testdir/smbshare
write list = @admins
[root@c4 ~]# systemctl start smb nmb

3.5 samba客户端访问

3.5.1 安装客户端

[root@c5 ~]# yum -y install cifs-utils

3.5.2 用rick用户挂载smb共享并访问

[root@c5 ~]# mkdir /mnt/rick
[root@c5 ~]# mount -o username=rick //10.0.1.245/share /mnt/rick/
Password for rick@//10.0.1.245/share:  ******
[root@c5 ~]# df -h
Filesystem          Size  Used Avail Use% Mounted on
/dev/sda2            42G  1.7G   40G   5% /
devtmpfs            909M     0  909M   0% /dev
tmpfs               920M     0  920M   0% /dev/shm
tmpfs               920M   17M  903M   2% /run
tmpfs               920M     0  920M   0% /sys/fs/cgroup
/dev/sda1           497M  130M  367M  27% /boot
tmpfs               184M     0  184M   0% /run/user/0
//10.0.1.245/share   42G  1.3G   41G   3% /mnt/rick
[root@c5 ~]# echo "Hello rick." > /mnt/rick/rick.txt
[root@c4 ~]# ls /testdir/smbshare/ -l
total 4
-rwxr--r-- 1 rick admins 12 May 19 15:41 rick.txt
[root@c4 ~]# ll /testdir/smbshare/
total 4
-rwxr--r-- 1 rick admins 12 May 19 15:41 rick.txt
[root@c4 ~]# cat /testdir/smbshare/rick.txt 
Hello rick.

3.5.3 用mage用户挂载smb共享并访问

[root@c5 ~]# mkdir /mnt/mage
[root@c5 ~]# mount -o username=mage //10.0.1.245/share /mnt/mage/
Password for mage@//10.0.1.245/share:  ******
[root@c5 ~]# df -h
Filesystem          Size  Used Avail Use% Mounted on
/dev/sda2            42G  1.7G   40G   5% /
devtmpfs            909M     0  909M   0% /dev
tmpfs               920M     0  920M   0% /dev/shm
tmpfs               920M   17M  903M   2% /run
tmpfs               920M     0  920M   0% /sys/fs/cgroup
/dev/sda1           497M  130M  367M  27% /boot
tmpfs               184M     0  184M   0% /run/user/0
//10.0.1.245/share   42G  1.3G   41G   3% /mnt/rick
//10.0.1.245/share   42G  1.3G   41G   3% /mnt/mage
[root@c5 ~]# mount -o username=mage //10.0.1.245/share /mnt/mage/
Password for mage@//10.0.1.245/share:  ******
[root@c5 ~]# df -h
Filesystem          Size  Used Avail Use% Mounted on
/dev/sda2            42G  1.7G   40G   5% /
devtmpfs            909M     0  909M   0% /dev
tmpfs               920M     0  920M   0% /dev/shm
tmpfs               920M   17M  903M   2% /run
tmpfs               920M     0  920M   0% /sys/fs/cgroup
/dev/sda1           497M  130M  367M  27% /boot
tmpfs               184M     0  184M   0% /run/user/0
//10.0.1.245/share   42G  1.3G   41G   3% /mnt/rick
//10.0.1.245/share   42G  1.3G   41G   3% /mnt/mage
[root@c5 ~]# touch /mnt/mage/magefile.txt
touch: cannot touch ‘/mnt/mage/magefile.txt’: Permission denied
###注:因为mage用户不属于admins组,所以没有写权限

4.使用rsync+inotify实现/www目录实时同步

4.1 实现实时同步

1.要利用监控服务(inotify),监控同步数据服务器目录中信息的变化
2.发现目录中数据产生变化,就利用rsync服务推送到备份服务器上
3.利用脚本进行结合

4.2 查看服务器内核是否支持inotify

[root@c5 ~]# ll /proc/sys/fs/inotify #列出下面的文件,说明服务器内核支持inotify
total 0
-rw-r--r-- 1 root root 0 May 19 15:57 max_queued_events
-rw-r--r-- 1 root root 0 May 19 15:57 max_user_instances
-rw-r--r-- 1 root root 0 May 19 15:57 max_user_watches

4.3 安装inotify

4.3.1 安装epel源

[root@c5 ~]# yum install epel-release.noarch -y

4.3.2 安装inotify软件

[root@c5 ~]# yum install inotify-tools -y

4.3.3 配置 rsync 服务器端的配置文件

[root@c4 ~]# cat /etc/rsyncd.conf
# /etc/rsyncd: configuration file for rsync daemon mode

# See rsyncd.conf man page for more options.

# configuration example:

uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 10.0.1.0/24

[backup]
path = /backup
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass

4.3.4 服务器端生成验证文件,准备目录并启动rsync服务

[root@c4 ~]# echo "centos" > /etc/rsync.pass
[root@c4 ~]# chmod 600 /etc/rsync.pass
[root@c4 ~]# mkdir /backup
[root@c4 ~]# systemctl start rsyncd

4.3.5 客户端配置密码文件和创建要同步的目录

[root@c5 ~]# echo "rsyncuser:centos" > /etc/rsync.pass
[root@c5 ~]# chmod 600 /etc/rsync.pass
[root@c5 ~]# mkdir /data
[root@c5 ~]# touch /data/123.txt

4.4 客户端测试同步数据

[root@c5 ~]# rsync -avz --password-file=/etc/rsync.pass /data/ rsyncuser@10.0.1.245::backup
sending incremental file list
./
123.txt

sent 105 bytes  received 38 bytes  286.00 bytes/sec
total size is 0  speedup is 0.00
[root@c4 ~]# ls /backup/
123.txt

4.5 客户端创建inotify_rsync.sh脚本实现实时同步

4.5.1 创建脚本

[root@c5 ~]# cat inotify_rsync.sh 
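#!/bin/bash
# Watch SRC with inotifywait and push the whole tree to the rsync daemon
# module DEST after every change; one line per event is appended to LOG.
# Started as: nohup sh inotify_rsync.sh &  -- so the script stays POSIX sh
# compatible on purpose (no bash-only constructs).
set -u

SRC='/data/'
# rsync daemon target in user@host::module form; the user must match
# "auth users" in the server's rsyncd.conf.
# NOTE(review): the host part was garbled in the original listing and is
# reconstructed from the c4 address used elsewhere in these notes - confirm.
DEST='rsyncuser@10.0.1.245::backup'
PASSFILE='/etc/rsync.pass'          # client-side "password" file, mode 600
LOG='/var/log/changelist.log'

# %T = timestamp (date and time, two fields), %w = watched dir, %f = file.
# read -r keeps backslashes in names intact; FILE is the last variable so a
# file name containing spaces is kept whole (a DIR with spaces would still
# be split - SRC here is /data/, which has none).
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' \
  -e create,delete,moved_to,close_write,attrib "$SRC" |
while read -r DATE TIME DIR FILE; do
  FILEPATH="${DIR}${FILE}"
  # --delete mirrors removals to the backup; the log line is written only
  # when rsync succeeded, a failure is reported on stderr (nohup.out).
  if rsync -az --delete --password-file="$PASSFILE" "$SRC" "$DEST"; then
    printf '%s\n' "At ${TIME} on ${DATE}, file ${FILEPATH} was backuped up via rsync" >> "$LOG"
  else
    printf 'rsync to %s failed for %s\n' "$DEST" "$FILEPATH" >&2
  fi
done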

4.5.2 后台运行脚本进行测试

[root@c5 ~]# nohup sh inotify_rsync.sh &
[1] 24745
[root@c5 ~]# nohup: ignoring input and appending output to ‘nohup.out’
[root@c5 ~]# touch /data/test1.txt
[root@c5 ~]# echo hello > /data/test1.txt
[root@c5 ~]# tailf /var/log/changelist.log 
At 22:32 on 2020-05-19, file /data/123.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
###服务器端
[root@c4 backup]# pwd
/backup
[root@c4 backup]# ll
total 4
-rw-r--r-- 1 root root 6 May 19 22:40 test1.txt
[root@c4 backup]# cat test1.txt 
hello

5.使用iptables实现:放行Telnet,ftp,web服务器,放行samba服务,其他端口服务全部拒绝

[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 80 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 21 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 23 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 139 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 445 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -j DROP
[root@centos6 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   39  4962 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:22 
    6   394 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:23 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:445 
   81  8786 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 49 packets, 5983 bytes)
 pkts bytes target     prot opt in     out     source               destination    
###测试
[root@centos6 ~]# yum install httpd -y
[root@centos6 ~]# ls /var/www/html/
[root@centos6 ~]# echo this is for iptables > /var/www/html/index.html
[root@centos6 ~]# cat /var/www/html/index.html
this is for iptables
[root@centos6 ~]# service httpd start

[root@c5 ~]# curl 10.1.1.110
this is for iptables