Q1、实现基于MYSQL验证的vsftpd虚拟用户访问
1、安装ftp、mysql
[root@centos7 ~]# yum install vsftpd mariadb-server gcc gcc-c++ pam-devel mariadb-devel -y
2、mysql创建数据库,表及授权用户
[root@centos7 ~]# systemctl start mariadb
[root@centos7 ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.65-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> use vsftpd
Database changed
MariaDB [vsftpd]> CREATE TABLE users (
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> );
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftpuser1',password('centos'));
Query OK, 1 row affected (0.00 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftpuser2',password('magedu'));
Query OK, 1 row affected (0.00 sec)
#注意：MySQL 的 PASSWORD() 生成的是无盐的 SHA1(SHA1(pw)) 哈希（对应下文 pam_mysql 的 crypt=2），库一旦泄露可被离线暴力破解。按 pam_mysql 文档，crypt=1 表示 crypt(3)，可配合加盐哈希存储；另外这里的示例口令(centos/magedu)只适合实验环境，不要与系统账号共用。
MariaDB [vsftpd]> grant select on vsftpd.users to vsftpd@'192.168.37.%' identified by 'centos';
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> flush privileges;
Query OK, 0 rows affected (0.01 sec)
3、编译pam_mysql模块,Centos7没有对应的pam_mysql模块,需要编译
[root@centos7 ~]# cd /usr/local/src/
[root@centos7 src]# tar -xf pam_mysql-0.7RC1.tar.gz #pam_mysql 0.7RC1 上游已多年没有新版本，源码包应从可信来源获取并校验哈希/签名后再编译——该模块会被装入 /lib64/security，以 root 身份参与认证
[root@centos7 src]# cd pam_mysql-0.7RC1/
[root@Centos7 pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security
[root@Centos7 pam_mysql-0.7RC1]# make && make install
4、vsftpd添加pam配置文件
[root@centos7 ~]# vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=centos host=192.168.37.37 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=192.168.37.37 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
[root@centos7 ~]# chmod 600 /etc/pam.d/vsftpd.mysql #文件中含数据库明文口令(passwd=centos)，默认 644 对本机所有用户可读；vsftpd 的 PAM 认证在其 root 特权进程中完成，收紧为 600 后应不影响登录，改完后重新测试确认
5、创建用户与目录
[root@centos7 ~]# useradd -d /data/ftproot -s /sbin/nologin vuser
[root@centos7 ~]# chmod 555 /data/ftproot
[root@centos7 ~]# mkdir -p /data/ftproot/upload
[root@centos7 ~]# setfacl -Rm u:vuser:rwx /data/ftproot/
[root@centos7 ~]# mkdir -p /data/ftproot2/upload
[root@centos7 ~]# chmod 555 /data/ftproot2
[root@centos7 ~]# setfacl -Rm u:vuser:rwx /data/ftproot2/
6、配置vsftpd文件
[root@centos7 ~]# vim /etc/vsftpd/vsftpd.conf
#虚拟用户场景不需要匿名登录，关闭以缩小暴露面（原文为 YES；下文测试均使用虚拟用户，不受影响。vsftpd.conf 不支持行尾注释，注释必须单独成行）
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
userlist_enable=YES
tcp_wrappers=YES
user_config_dir=/etc/vsftpd/vusers.d/
guest_enable=yes
guest_username=vuser
pam_service_name=vsftpd.mysql
chroot_local_user=YES
#以上配置的 FTP 是明文协议：用户名、口令和传输的文件内容在网络上都可被窃听。对外提供服务时应增加 ssl_enable=YES 及证书相关配置启用 TLS，或只在受信内网使用
[root@centos7 ~]# mkdir /etc/vsftpd/vusers.d
[root@centos7 ~]# vim /etc/vsftpd/vusers.d/ftpuser1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/data/ftproot
[root@centos7 ~]# vim /etc/vsftpd/vusers.d/ftpuser2
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/data/ftproot2
7、启动服务
[root@centos7 ~]# systemctl restart vsftpd
#测试
[root@centos6 ~]$ ftp 192.168.37.37
Connected to 192.168.37.37 (192.168.37.37).
220 (vsFTPd 3.0.2)
Name (192.168.37.37:root): ftpuser1 #ftpuser1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,37,37,190,215).
150 Here comes the directory listing.
drwxrwxr-x 2 0 0 6 Jun 20 16:26 upload
226 Directory send OK.
ftp> exit
221 Goodbye.
[root@centos6 ~]$ ftp 192.168.37.37
Connected to 192.168.37.37 (192.168.37.37).
220 (vsFTPd 3.0.2)
Name (192.168.37.37:root): ftpuser2 #ftpuser2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,37,37,149,241).
150 Here comes the directory listing.
drwxrwxr-x 2 1001 1001 29 Jun 20 17:35 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> put anaconda-ks.cfg #上传测试
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (192,168,37,37,190,213).
150 Ok to send data.
226 Transfer complete.
1536 bytes sent in 0.000178 secs (8629.21 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,37,37,204,220).
150 Here comes the directory listing.
-rw------- 1 1001 1001 1536 Jun 20 17:36 anaconda-ks.cfg #虚拟用户上传的文件权限为 600，来自 vsftpd 对 guest 用户默认的 anon_umask=077；若需其他用户可读，可在 vusers.d 的用户配置中加 anon_umask=022
226 Directory send OK.
ftp> rm anaconda-ks.cfg #删除测试
550 Remove directory operation failed. #删除失败的原因是命令用错了：ftp 客户端里 rm 是 rmdir 的别名（所以服务端提示 Remove directory），对普通文件会失败；删除文件应使用 delete anaconda-ks.cfg。anon_other_write_enable=YES 已授予删除权限，这里并非权限问题
ftp> ls
227 Entering Passive Mode (192,168,37,37,222,109).
150 Here comes the directory listing.
-rw------- 1 1001 1001 1536 Jun 20 17:36 anaconda-ks.cfg
226 Directory send OK.
ftp> exit
221 Goodbye.
Q2、通过NFS实现服务器/www共享访问
#server端
[root@centos7 ~]# mkdir /www
[root@centos7 ~]# vim /etc/exports.d/www.exports
#仅按客户端 IP 段做访问控制（sec=sys 不做身份认证），该网段内任何主机都可以挂载；all_squash 把所有访问映射为 nfsnobody。/www 目前是 root 所有的 755 目录，客户端虽为 rw 实际只能读，若需要写入要 chown nfsnobody /www 或放开目录权限
/www 192.168.37.0/24(rw,all_squash)
[root@centos7 ~]# systemctl start nfs-server
[root@centos7 ~]# exportfs -v
/www 192.168.37.0/24(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,all_squash)
[root@centos7 ~]# echo welcome > /www/test.txt
#client端
[root@centos6 ~]$ showmount -e 192.168.37.37
Export list for 192.168.37.37:
/www 192.168.37.0/24
[root@centos6 ~]$ mount 192.168.37.37:/www /mnt
[root@centos6 ~]$ ls /mnt
test.txt
#autofs挂载
[root@centos6 ~]$ umount /mnt
[root@centos6 ~]$ ls /net/192.168.37.37/www/
test.txt
#绝对路径挂载
[root@centos6 ~]$ vim /etc/auto.master
/- /etc/auto.nfs
[root@centos6 ~]$ vim /etc/auto.nfs
/misc/www -fstype=nfs,rw 192.168.37.37:/www
[root@centos6 ~]$ service autofs restart
Stopping automount: [ OK ]
Starting automount: [ OK ]
[root@centos6 ~]$ ls /misc/www/
test.txt
Q3、配置samba共享,实现/www目录共享
#服务端
[root@centos7 ~]# yum install samba -y
[root@centos7 ~]# useradd -s /sbin/nologin smbuser1
[root@centos7 ~]# smbpasswd -a smbuser1
New SMB password:
Retype new SMB password:
Added user smbuser1.
vim /etc/samba/smb.conf
[global]
workgroup = WORKGROUP
security = user
netbios_name = centos7
passdb backend = tdbsam
#不提供打印共享时可删除下面四行打印相关配置（或设 load printers = no），减少无关的 cups 暴露面
printing = cups
printcap name = cups
load printers = yes
cups options = raw
log file = /var/log/samba/log.%m
log level = 2
[www]
path=/www
valid users=smbuser1
write list=smbuser1
browseable=yes
#/www 同时经 NFS(all_squash -> nfsnobody) 和 Samba(smbuser1) 对外共享，两种协议的写入身份不同，目录权限/ACL 需同时兼顾；不需要的那一种共享应关闭
[root@centos7 ~]# setfacl -Rm u:smbuser1:rwx /www
[root@centos7 ~]# systemctl start smb nmb
#客户端
[root@centos6 ~]$ smbclient -L 192.168.37.37 -U smbuser1%centos #口令直接写在命令行会留在 shell 历史中，且同机其他用户可通过 ps 看到；建议改为 -U smbuser1 交互输入，或用 -A 指向一个 600 权限的认证文件
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.10.4]
Sharename Type Comment
--------- ---- -------
www Disk
IPC$ IPC IPC Service (Samba 4.10.4)
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.10.4]
Server Comment
--------- -------
CENTOS7 Samba 4.10.4
Workgroup Master
--------- -------
WORKGROUP
[root@centos6 ~]$ smbclient //192.168.37.37/www -U smbuser1%centos
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.10.4]
smb: \> ls
. D 0 Sun Jun 21 16:54:12 2020
.. D 0 Sun Jun 21 15:58:15 2020
test.txt 8 Sun Jun 21 16:08:19 2020
win D 0 Sun Jun 21 16:54:03 2020
51175 blocks of size 2097152. 48677 blocks available
smb: \> mkdir linux
smb: \> ls
. D 0 Sun Jun 21 16:59:01 2020
.. D 0 Sun Jun 21 15:58:15 2020
test.txt 8 Sun Jun 21 16:08:19 2020
win D 0 Sun Jun 21 16:54:03 2020
linux D 0 Sun Jun 21 16:59:01 2020
51175 blocks of size 2097152. 48677 blocks available
smb: \>
image.png
Q4、使用rsync+inotify实现/www目录实时同步
1、配置server端
[root@centos7 ~]# vim /etc/rsyncd.conf
#下面以 root 运行、关闭 chroot 且 read only = no：任何持有 rsyncuser 口令（该口令由网段内所有客户端共用）的主机都能以 root 身份写入并通过 --delete 删除 /data/www 的内容；建议改为专用低权限用户（如 uid = rsync / gid = rsync，并把模块目录 chown 给它）
uid = root
gid = root
#rsyncd 以 root 启动时可改为 use chroot = yes：先 chroot 到模块 path 再降权，比关闭 chroot 后只靠路径清理更稳妥
use chroot = no
max connections = 0
#ignore errors 会让 --delete 在守护进程端出现 I/O 错误时仍执行删除阶段，误删风险更高，没有明确需要时应去掉
ignore errors
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.37.0/24
[backup]
path = /data/www/
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
[root@centos7 ~]# (umask 077; echo "rsyncuser:magedu" > /etc/rsync.pass) #用子 shell 收紧 umask 后再写入，避免文件在 chmod 之前以 644 短暂存在
[root@centos7 ~]# chmod 600 /etc/rsync.pass #rsyncd 默认 strict modes = true，secrets file 若可被其他用户读取会拒绝认证
[root@centos7 ~]# mkdir /data/www
[root@centos7 ~]# systemctl start rsyncd
2、配置client
[root@centos6 ~]$ (umask 077; echo "magedu" > /etc/rsync.pass) #同样先收紧 umask；客户端的 --password-file 也要求文件不可被其他用户读取
[root@centos6 ~]$ chmod 600 /etc/rsync.pass
[root@centos6 ~]$ mkdir /www
[root@centos6 ~]$ echo test > /www/index.html
[root@centos6 ~]$ service xinetd start #centos7:systemctl start rsyncd —— 实际上推送方不需要守护进程，只有被连接的服务端需要 rsyncd，这一步可以省略
#一次性测试(client)。rsync daemon 协议(873/tcp)的口令以挑战应答方式验证、不会明文传输，但同步的数据本身不加密，跨不可信网络应改用 rsync over ssh
[root@centos6 ~]$ rsync -avz --password-file=/etc/rsync.pass /www/ rsyncuser@192.168.37.37::backup
sending incremental file list
./
index.html
sent 89 bytes received 30 bytes 238.00 bytes/sec
total size is 5 speedup is 0.04
#server
[root@centos7 ~]# ls /data/www/
index.html
3、利用inotify监控同步到服务端
[root@centos6 ~]$ yum install inotify-tools -y
[root@centos6 ~]$ vim inotify_rsync.sh
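#!/bin/bash
# Push /www/ to the rsync daemon module after every filesystem change.
#
# inotifywait -m never exits, so this script runs until killed: start it in
# the background (or under a supervisor), not in the interactive shell.
# Each event triggers a full rsync of SRC with --delete, so removals on the
# client are mirrored on the server.
#
# Requires: inotify-tools, rsync, and the module password in /etc/rsync.pass
# (mode 600; rsync refuses a password file readable by other users).
set -u

readonly SRC='/www/'                              # trailing slash: sync the contents, not the directory itself
readonly DEST='rsyncuser@192.168.37.37::backup'
readonly PASS_FILE='/etc/rsync.pass'
readonly LOG='/var/log/changelist.log'

# --format '%T %w %f' yields "<date> <time> <watched dir> <name>"; read -r
# keeps backslashes, and the last variable absorbs the rest of the line so a
# name containing spaces is not truncated.
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' \
  -e create,delete,moved_to,close_write,attrib "${SRC}" \
  | while read -r DATE TIME DIR FILE; do
      FILEPATH="${DIR}${FILE}"
      if rsync -az --delete --password-file="${PASS_FILE}" "${SRC}" "${DEST}"; then
        printf 'At %s on %s, file %s was backed up via rsync\n' \
          "${TIME}" "${DATE}" "${FILEPATH}" >> "${LOG}"
      else
        # A failed sync used to be silently dropped; record it so gaps are visible.
        printf 'At %s on %s, rsync for %s FAILED (exit %s)\n' \
          "${TIME}" "${DATE}" "${FILEPATH}" "$?" >> "${LOG}"
      fi
    done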
4、测试脚本
#client端
[root@centos6 ~]$ bash inotify_rsync.sh & #脚本内的 inotifywait -m 不会退出，需要放到后台（或另开一个终端）才能继续执行下面的命令
[root@centos6 ~]$ dd if=/dev/zero of=/www/block bs=1 count=2
2+0 records in
2+0 records out
2 bytes (2 B) copied, 0.000360658 s, 5.5 kB/s
[root@centos6 ~]$ dd if=/dev/zero of=/www/test bs=1 count=20
20+0 records in
20+0 records out
20 bytes (20 B) copied, 0.0004456 s, 44.9 kB/s
#server端
[root@centos7 ~]# ls /data/www/ #打开脚本前
index.html
[root@centos7 ~]# ls /data/www/
block index.html
[root@centos7 ~]# ls /data/www/
block index.html test
Q5、使用iptable实现: 放行telnet, ftp, web服务,放行samba服务,其他端口服务全部拒绝
#telnet（明文协议，题目要求放行；生产环境应以 ssh 替代）
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 23 -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -p udp --dport 23 -j ACCEPT #telnet 只使用 TCP，这条 udp/23 规则不起作用，可以删除
#web
[root@centos7 ~]# iptables -A INPUT -m multiport -p tcp --dport 80,443 -j ACCEPT
#samba
[root@centos7 ~]# iptables -A INPUT -m multiport -p tcp --dport 139,445 -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
#ftp（控制连接是 tcp/21；原文写成 -p udp，结果 21/tcp 的新连接会落到最后的 REJECT，FTP 根本连不上）
[root@centos7 ~]# modprobe nf_conntrack_ftp #被动模式的数据连接靠 ftp 连接跟踪 helper 标记为 RELATED 放行；若内核关闭了 helper 自动分配（net.netfilter.nf_conntrack_helper=0），需在 raw 表用 -j CT --helper ftp 显式绑定
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #这条通常放在链首（-I INPUT），已建立连接的包就不必逐条匹配前面的规则
#拒绝所有。注意两点：1) 没有放行 lo 接口，而 Q1 的 pam_mysql 以 host=192.168.37.37 经 TCP 连接本机 MariaDB(3306)，该连接从回环进入 INPUT 链会被这条 REJECT 拒绝，导致 FTP 登录失败，应先执行 iptables -I INPUT -i lo -j ACCEPT；2) ssh(22) 同样未放行，远程操作会把自己锁在外面，需按实际情况放行或在控制台操作。另外这些规则只在内存中，重启即失效，需 iptables-save > /etc/sysconfig/iptables（配合 iptables-services）持久化
[root@centos7 ~]# iptables -A INPUT -j REJECT