1、实现基于MYSQL验证的vsftpd虚拟用户访问
1.1 安装mysql数据库
[root@localhost ~]# yum -y install mariadb-server.x86_64
[root@localhost ~]# systemctl enable --now mariadb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
1.2 在数据库服务上配置数据库支持vsftpd服务
[root@localhost ~]# mysql
MariaDB [(none)]> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> use vsftpd;
Database changed
MariaDB [vsftpd]> CREATE TABLE users (id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,name CHAR(50) BINARY NOT NULL,password CHAR(48) BINARY NOT NULL);
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ye',password('123456'));
Query OK, 1 row affected (0.01 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('test',password('123456'));
Query OK, 1 row affected (0.00 sec)
MariaDB [vsftpd]> GRANT SELECT ON vsftpd.* TO vsftpd@'192.168.2.%' IDENTIFIED BY 'Jhd2021!';
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
1.3 安装vsftpd 和 pam_mysql包
[root@localhost ~]# yum -y install vsftpd
# 编译安装pam_mysql
[root@localhost ~]# yum -y install vsftpd gcc gcc-c++ make mariadb-devel pam-devel
# 下载pam_mysql
[root@localhost ~]# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
[root@localhost ~]# tar zxvf pam_mysql-0.7RC1.tar.gz
[root@localhost ~]# cd pam_mysql-0.7RC1/
[root@localhost pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security
[root@localhost pam_mysql-0.7RC1]# make install
[root@localhost pam_mysql-0.7RC1]# ll /lib64/security/pam_mysql*
-rwxr-xr-x 1 root root 882 6月 22 09:10 /lib64/security/pam_mysql.la
-rwxr-xr-x 1 root root 141768 6月 22 09:10 /lib64/security/pam_mysql.so
1.4 建立pam认证所需文件
[root@localhost ~]# vi /etc/pam.d/vsftpd.mysql
#添加如下两行（注意 host= 要与上面 GRANT 授权的来源保持一致：上面授权的是 vsftpd@'192.168.2.%'，而这里写的是 host=127.0.0.1，经回环/本机连接时 MariaDB 识别到的来源是 localhost，并不匹配该授权；另外此文件以明文保存了数据库密码，应限制其读取权限）
auth required pam_mysql.so user=vsftpd passwd=Jhd2021! host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=Jhd2021! host=127.0.0.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
1.5 建立相应用户和修改vsftpd配置文件
[root@localhost ~]# useradd -s /sbin/nologin -d /data/ftproot -r vuser
[root@localhost ~]# mkdir -pv /data/ftproot/upload
[root@localhost ~]# setfacl -m u:vuser:rwx /data/ftproot/upload
[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
#添加下面两项
guest_enable=YES
guest_username=vuser
#修改下面一项,原系统用户无法登录
pam_service_name=vsftpd.mysql
#启动vsftpd服务
[root@localhost ~]# systemctl enable --now vsftpd
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
1.6 配置虚拟用户具有不同的访问权限
[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf
#添加如下选项
user_config_dir=/etc/vsftpd/conf.d/
[root@localhost ~]# mkdir /etc/vsftpd/conf.d/
[root@localhost ~]# vim /etc/vsftpd/conf.d/test
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
#登录目录改变至指定的目录
local_root=/data/ftproot2
# 创建登录目录
[root@localhost ~]# mkdir /data/ftproot2
2、通过NFS实现服务器/www共享访问。
# 在共享服务器10.0.0.7上安装并设置
[root@centos7 ~]# yum -y install nfs-utils autofs
[root@centos7 ~]# systemctl enable --now nfs-server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.
[root@centos7 ~]# mkdir -pv /data/www
mkdir: created directory ‘/data’
mkdir: created directory ‘/data/www’
[root@centos7 www]# useradd -d /data/www/user1 -u 2000 user1
[root@centos7 www]# vim /etc/exports.d/test.exports
/data/www *(rw)
[root@centos7 www]# exportfs -r
#在NFS客户端主机10.0.0.17上实现相对路径法的autofs
[root@centos17 ~]# useradd -M -u 2000 user1
[root@centos17 ~]# vim /etc/auto.master
/home /etc/auto.home
[root@centos17 ~]# vim /etc/auto.home
* -fstype=nfs,vers=3 10.0.0.7:/data/www/&
[root@centos17 ~]# systemctl restart autofs.service
[root@centos17 ~]# su - user1
[user1@centos17 ~]$ ls
[user1@centos17 ~]$ pwd
/home/user1
[user1@centos17 ~]$ df /home/user1/
Filesystem 1K-blocks Used Available Use% Mounted on
10.0.0.7:/data/www/user1 38770304 1557888 37212416 5% /home/user1
3、配置samba共享,实现/www目录共享
# 安装samba包
[root@localhost ~]# yum -y install samba
# 创建samba用户和组
[root@localhost ~]# groupadd -r test
[root@localhost ~]# useradd -s /sbin/nologin -G test user
[root@localhost ~]# smbpasswd -a user
New SMB password:
Retype new SMB password:
Added user user.
#创建samba共享目录,并设置SElinux
[root@localhost ~]# mkdir /data/www -p
[root@localhost ~]# chgrp test /data/www
[root@localhost ~]# chmod 2775 /data/www
[root@localhost ~]# vim /etc/selinux/config
...
SELINUX=disabled
...
# samba服务配置
[root@localhost ~]# vim /etc/samba/smb.conf
# 在后面添加如下内容
[www]
path = /data/www
write list = @test
# 启动samba服务
[root@localhost ~]# systemctl enable --now smb nmb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/nmb.service to /usr/lib/systemd/system/nmb.service.
# 通过客户端访问
[root@localhost ~]# yum -y install samba-client
4、使用rsync+inotify实现/www目录实时同步
# 服务器配置rsync
vi /etc/rsyncd.conf
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
# 允许访问的ip段（rsyncd.conf 只支持整行注释，注释不能写在参数值后面）
hosts allow = 10.0.0.0/24
[backup]
path = /data/www/
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
# 生成验证文件
[root@centos7 ~]# echo "rsyncuser:rsyncuser" > /etc/rsync.pass
[root@centos7 ~]# chmod 600 /etc/rsync.pass
# 创建目录
[root@centos7 ~]# mkdir /data/www -p
[root@centos7 ~]# systemctl restart rsyncd.service
# 客户端配置
[root@centos17 ~]# yum -y install inotify-tools
[root@centos17 ~]# echo "rsyncuser" > /etc/rsyncd.pass
[root@centos17 ~]# chmod 600 /etc/rsyncd.pass
# 用测试命令连接同步
[root@centos17 ~]# rsync -avz --password-file=/etc/rsyncd.pass /www/ [email protected]::backup
sending incremental file list
./
sent 47 bytes received 19 bytes 132.00 bytes/sec
total size is 0 speedup is 0.00
# 客户端创建脚本
[root@centos17 ~]# vim inotify_rsync.sh
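#!/bin/bash
# Watch SRC with inotifywait and push every change to the rsync daemon
# module in DEST; each successful sync is appended to LOG.
# Requires inotify-tools and the client-side password file created above
# (/etc/rsyncd.pass, mode 600, containing only the password).
set -uo pipefail

readonly SRC='/www/'
readonly DEST='[email protected]::backup'
# Must be the client password file used by the manual test above; the
# server-side /etc/rsync.pass (user:password) does not exist on the client.
readonly PASS_FILE='/etc/rsyncd.pass'
readonly LOG='/var/log/changelist.log'

# %w%f is emitted as a single field so a path containing spaces is kept
# intact: it is the last field and read assigns it the rest of the line.
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w%f' \
  -e create,delete,moved_to,close_write,attrib "$SRC" \
  | while read -r DATE TIME FILEPATH; do
      # Only log when the sync actually succeeded.
      if rsync -az --delete --password-file="$PASS_FILE" "$SRC" "$DEST"; then
        printf 'At %s on %s, file %s was backuped up via rsync\n' \
          "$TIME" "$DATE" "$FILEPATH" >> "$LOG"
      fi
    done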
5、使用iptables实现: 放行telnet, ftp, web服务,放行samba服务,其他端口服务全部拒绝（注意：-I 插入的 multiport 规则排在原有 RELATED,ESTABLISHED 规则之前；-A 追加的 REJECT 排在原有的 REJECT(icmp-host-prohibited) 之后，从下方 -vnL 输出可见它实际不会被匹配到）
[root@localhost ~]# iptables -I INPUT -p tcp -m multiport --dports 21,23,80,139,445 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -j REJECT
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,23,80,139,445
49 6276 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1916 bytes)
pkts bytes target prot opt in out source destination