第十八周


1、实现基于MySQL的虚拟用户FTP服务

1.1 创建数据库

[root@centos7 ~]# yum -y install mariadb-server
[root@centos7 ~]# systemctl start mariadb
[root@centos7 ~]# mysql
MariaDB [(none)]> 
create database ftp;
create table users ( id int auto_increment not null primary key,name char(50) binary not null,password char(50) binary not null);
insert into users (name,password) value ('user1',password('123456'));
insert into users (name,password) value ('user2',password('123456'));
grant select on ftp.users to ftpuser@'localhost' identified by '123456';

1.2 安装pam_mysql

下载地址:http://pam-mysql.sourceforge.net/

[root@centos7 ~]# yum install gcc gcc-c++ pam-devel mariadb-devel
[root@centos7 ~]# tar xvf pam_mysql-0.7RC1.tar.gz  
[root@centos7 ~]# cd pam_mysql-0.7RC1/
[root@centos7 pam_mysql-0.7RC1]# ./configure  --with-pam-mods-dir=/lib64/security/
[root@centos7 pam_mysql-0.7RC1]# make && make install

1.3 添加用户配置pam

[root@centos7 ~]# useradd -d /data/ftproot -s /sbin/nologin vuser
[root@centos7 ~]# mkdir -pv /data/ftproot
[root@centos7 ~]# chmod 555 /data/ftproot
[root@centos7 ~]# mkdir /data/ftproot/user{1,2}/upload
[root@centos7 ~]# setfacl -m u:vuser:rwx /data/ftproot/user1/upload
[root@centos7 ~]# setfacl -m u:vuser:rwx /data/ftproot/user2/upload
[root@centos7 ~]# vi /etc/pam.d/vsftpd.mysql
#添加
auth required pam_mysql.so user=ftpuser passwd=123456 host=localhost db=ftp table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=ftpuser passwd=123456 host=localhost db=ftp table=users usercolumn=name passwdcolumn=password crypt=2

1.4 安装vsftpd

[root@centos7 ~]# yum -y install vsftpd

vi /etc/vsftpd/vsftpd.conf
#修改
pam_service_name=vsftpd.mysql
#添加
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers.d/

[root@centos7 ~]# mkdir /etc/vsftpd/vusers.d/

vi /etc/vsftpd/vusers.d/user1
#添加
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/data/ftproot/user1

vi /etc/vsftpd/vusers.d/user2
#添加
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/data/ftproot/user2

2、通过NFS实现服务器/www共享访问

准备两台主机:192.168.175.10,192.168.175.11

192.168.175.10做nfs共享服务器

192.168.175.11做http服务器

2.1 安装nfs(两台机器都安装)

[root@localhost ~]# yum -y install nfs-utils
#启动
[root@localhost ~]# systemctl start nfs
#查看进程
[root@localhost ~]# systemctl status nfs rpcbind

2.2 修改配置文件

[root@localhost ~]# vi /etc/exports
#添加
/data/nfs 192.168.175.0/24(rw,all_squash,anonuid=48,anongid=48)
#我设的是apache用户,这里可以根据需求自己修改
[root@localhost ~]# getent passwd|grep apache
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
#重启
[root@localhost ~]# systemctl restart nfs
#查看
[root@localhost ~]# exportfs -v
/data/nfs     	192.168.175.0/24(sync,wdelay,hide,no_subtree_check,anonuid=48,anongid=48,sec=sys,rw,secure,root_squash,all_squash)

2.3 挂载

#查看
[root@centos7 ~]# showmount -e 192.168.175.11
Export list for 192.168.175.11:
/data/nfs 192.168.175.0/24
#挂载
[root@centos7 ~]# mount 192.168.175.11:/data/nfs /var/www/html
#查看
[root@centos7 ~]# df -h
192.168.175.11:/data/nfs   17G  2.2G   15G  13% /var/www/html

3、配置samba共享,实现/www目录共享

3.1 安装samba服务

[root@centos7 ~]# yum -y install samba

3.2 添加用户

[root@centos7 ~]# useradd -s /sbin/nologin smbuser1
[root@centos7 ~]# smbpasswd -a smbuser1
#查看
pdbedit -L
#赋权限
setfacl -m u:smbuser1:rwx /www

3.3 修改配置文件

[root@centos7 ~]# vi /etc/samba/smb.conf
#添加
[share]
       path=/data/smb
       valid users=smbuser1
       writeable=yes

3.4 挂载机配置

#安装包
[root@centos7 ~]# yum -y install cifs-utils
#挂载
[root@centos7 ~]# mount -o user=smbuser1,password=123456 //192.168.175.11/share /www
#查看
[root@centos7 ~]# df -h

4、使用rsync+inotify实现/www目录实时同步

rsync同步,inotify监控数据变化

rsyncserver:192.168.214.21

rsyncclient+inotify-tools:192.168.214.20

4.1 rsyncserver端配置

4.1.1 修改配置文件

[root@rsyncserver ~]# vi /etc/rsyncd.conf
#添加
uid=root
gid=root
use chroot=no
max connections=0
ignore errors
exclude=lost+found/
log file=/var/log/rsyncd.log
pid file=/var/run/rsyncd.pid
lock file=/var/run/rsyncd.lock
reverse lookup=no
hosts allow=192.168.214.0/24
#被同步的目录
[www]
path=/var/www/html
comment=www
read only=no
auth users=rsyncuser
secrets file=/etc/rsync.pass

4.1.2 添加用户

#添加用户
[root@rsyncserver ~]# echo "rsyncuser:123456" > /etc/rsync.pass
[root@rsyncserver ~]# chmod 600 /etc/rsync.pass

4.1.3 启动服务

[root@rsyncserver ~]# systemctl start rsyncd

4.2 rsyncclient+inotify-tools配置

4.2.1 安装inotify-tools

[root@rsyncclient ~]# yum -y install epel-release
[root@rsyncclient ~]# yum -y install inotify-tools

4.2.2 添加用户密码

[root@rsyncclient ~]# echo '123456' > /etc/rsync.pass
[root@rsyncclient ~]# chmod 600 /etc/rsync.pass

4.2.3 编写同步脚本

[root@rsyncclient ~]# vi inotify_rsync.sh
#添加
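#!/bin/bash
# inotify_rsync.sh - push every change under the web root to the rsync daemon.
#
# Long-running: inotifywait -m never returns, so start this with nohup or a
# service unit and stop it with SIGTERM.  Every filesystem event triggers one
# full rsync of $src to $dest.  Because --delete is used, files that vanish
# under $src are also removed on the server: $src is the authoritative copy.
# Requires: inotify-tools, rsync, and $pass_file readable only by root (0600),
# otherwise rsync refuses to use the password file.
set -uo pipefail

# Trailing slash: rsync copies the *contents* of the directory, not the
# directory itself.
readonly src='/var/www/html/'
# rsync daemon target in user@host::module form.  The user matches
# "auth users=rsyncuser" in rsyncd.conf and the host is the rsyncserver
# address used in this write-up.
readonly dest='rsyncuser@192.168.214.21::www'
readonly pass_file='/etc/rsync.pass'
readonly changelog='/var/log/changelist.log'

# %T expands to "YYYY-mm-dd HH:MM" (two words because --timefmt has a space);
# %w%f is the full path of the changed file.  Keeping the path as the last
# field lets "read -r" absorb any spaces in the file name.
inotifywait -qmr --timefmt '%Y-%m-%d %H:%M' --format '%T %w%f' \
  -e create,delete,moved_to,close_write,attrib "$src" \
  | while IFS=' ' read -r ev_date ev_time filepath; do
      rv=0
      rsync -az --delete --password-file="$pass_file" "$src" "$dest" || rv=$?
      if (( rv == 0 )); then
        printf 'at %s on %s,file %s was rsync\n' "$ev_time" "$ev_date" "$filepath" >> "$changelog"
      else
        # Keep watching on a transient failure (network, daemon restart);
        # just record it so the gap in the changelist can be explained.
        printf 'at %s on %s,rsync for %s FAILED (exit %d)\n' "$ev_time" "$ev_date" "$filepath" "$rv" >&2
      fi
    done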

5、使用iptable实现: 放行telnet, ftp, web服务,放行samba服务,其他端口服务全部拒绝

添加自动补全包

[root@centos7 ~]# yum -y install bash-completion #重新打开会话

ssh :22
ftp tcp:20、21
telnet tcp:23
web tcp:80、443
samba udp:137、138
         tcp:139、445

#允许本机访问ssh端口
[root@centos7 ~]# iptables -I INPUT -s 192.168.175.11 -p tcp --dport 22 -j ACCEPT
#保持后续连接
[root@centos7 ~]# iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#放行端口
[root@centos7 ~]# iptables -A INPUT -p tcp -m multiport --dports 20,21,23,80,443,139,445 -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
#拒绝连接
[root@centos7 ~]# iptables -A INPUT -j REJECT

显示

[root@centos7 ~]# iptables -vnL --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      146  9864 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     tcp  --  *      *       192.168.175.11       0.0.0.0/0            tcp dpt:22
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 20,21,23,80,443,139,445
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:138
5        4   352 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 34 packets, 3156 bytes)
num   pkts bytes target     prot opt in     out     source               destination
