实现基于MYSQL验证的vsftpd虚拟用户
mariadb-server
#安装mariadb数据库
[root@mariadb ~]# yum -y install mariadb-server
[root@mariadb ~]# systemctl enable --now mariadb.service
#建立存储虚拟用户数据库和表
[root@mariadb ~]# mysql
MariaDB [(none)]> CREATE DATABASE vsftpd;
MariaDB [(none)]> USE vsftpd;
MariaDB [vsftpd]> CREATE TABLE users (
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> );
#添加虚拟用户,使用PASSWORD函数对密码做哈希(与后面pam_mysql配置中的crypt=2对应)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftp_ddq',password('ddq.com'));
MariaDB [vsftpd]> select * from users;
+----+---------+-------------------------------------------+
| id | name | password |
+----+---------+-------------------------------------------+
| 1 | ftp_ddq | *35BAA7E3B0A28A8A75DAF9E0A8376E20DD18C71E |
+----+---------+-------------------------------------------+
1 row in set (0.00 sec)
#创建并授权连接的数据库用户
MariaDB [vsftpd]> GRANT SELECT ON vsftpd.* TO vsftpd@'192.168.100.%' IDENTIFIED BY 'ddq.com';
vsftpd-server
1.安装vsftpd和pam_mysql相关包
[root@vsftp ~]# yum -y install vsftpd gcc gcc-c++ make mariadb-devel pam-devel
#下载pam_mysql源码进行编译安装
[root@vsftp ~]# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
[root@vsftp ~]# tar zxf pam_mysql-0.7RC1.tar.gz
[root@vsftp ~]# cd pam_mysql-0.7RC1/
[root@vsftp pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security
[root@vsftp pam_mysql-0.7RC1]# make install
[root@vsftp pam_mysql-0.7RC1]# ll /lib64/security/pam_mysql*
-rwxr-xr-x 1 root root 882 Aug 21 22:31 /lib64/security/pam_mysql.la
-rwxr-xr-x 1 root root 141712 Aug 21 22:31 /lib64/security/pam_mysql.so
2.在FTP服务器上建立pam认证所需文件
[root@vsftp ~]# vi /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=ddq.com host=mysqlserver db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=ddq.com host=mysqlserver db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
[root@vsftp ~]# echo 192.168.100.17 mysqlserver >> /etc/hosts
3.建立相应用户和修改vsftpd配置文件
#建立虚拟用户映射的系统用户及对应的目录
[root@vsftp ~]# useradd -s /sbin/nologin -d /data/ftproot -r vuser
#centos7 下 vsftpd 要求 ftp 根目录(/data/ftproot)对登录用户不可写,因此只对 upload 子目录授予写权限
[root@vsftp ~]# mkdir -p /data/ftproot/upload
[root@vsftp ~]# setfacl -m u:vuser:rwx /data/ftproot/upload/
#确保/etc/vsftpd/vsftpd.conf中已经启用了以下选项
[root@vsftp ~]# vi /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
#添加下面两项
guest_enable=YES
guest_username=vuser
#修改下面一项,改为vsftpd.mysql后原有系统用户将无法再登录ftp
pam_service_name=vsftpd.mysql
#启动vsftpd服务
[root@vsftp ~]# systemctl enable --now vsftpd
4.在FTP服务器上配置虚拟用户具有不同的访问权限
vsftpd可以在配置文件目录中为每个用户提供单独的配置文件以定义其ftp服务访问权限,每个虚拟用户
的配置文件名同虚拟用户的用户名。配置文件目录可以是任意未使用目录,只需要在vsftpd.conf指定其
路径及名称即可
#配置vsftpd为虚拟用户使用配置文件目录
[root@vsftp ~]# vi /etc/vsftpd/vsftpd.conf
#添加如下选项
user_config_dir=/etc/vsftpd/conf.d/
#创建所需要目录,并为虚拟用户提供配置文件
[root@vsftp ~]# mkdir /etc/vsftpd/conf.d/
#虚拟用户对vsftpd服务的访问权限是通过匿名用户的相关指令控制的。如要让用户ftp_ddq具有上传文件的权限,可修改/etc/vsftpd/conf.d/ftp_ddq文件,在里面添加如下选项并设置为YES即可,只读则设为NO
#注意:需确保对应的映射用户对于文件系统有写权限
[root@vsftp ~]# vi /etc/vsftpd/conf.d/ftp_ddq
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/data/ftproot1
[root@vsftp ~]# mkdir -p /data/ftproot1/upload
[root@vsftp ~]# setfacl -m u:vuser:rwx /data/ftproot1/upload/
[root@vsftp ~]# systemctl restart vsftpd
通过NFS实现服务器/www共享访问
软件包:nfs-utils(包括服务器和客户端相关工具)
server端安装启动nfs服务
[root@nfs-server ~]# yum -y install nfs-utils
[root@nfs-server ~]# systemctl enable --now nfs-server
[root@nfs-server ~]# vi /etc/exports
/www *(rw,no_root_squash,async)
[root@nfs-server ~]# mkdir /www
[root@nfs-server ~]# echo this is nfs-server >> /www/test.txt
[root@nfs-server ~]# exportfs -r
[root@nfs-server ~]# showmount -e
Export list for nfs-server:
/www *
client安装nfs客户端
[root@client ~]# yum -y install nfs-utils
[root@client ~]# showmount -e 192.168.100.17
Export list for 192.168.100.17:
/www *
[root@client ~]# mkdir /www
[root@client ~]# ls /www/
[root@client ~]# mount 192.168.100.17:/www /www
[root@client ~]# cat /www/test.txt
this is nfs-server
[root@client ~]# echo this is from client >> /www/client.txt
#在server上查看
[root@nfs-server ~]# cat /www/client.txt
this is from client
配置samba共享,实现/www目录共享
在server端安装配置samba服务
[root@samba-server ~]# yum -y install samba
[root@samba-server ~]# vi /etc/samba/smb.conf
#添加以下内容
[www]
path = /www
write list = root
force group = root
create mask = 0664
directory mask = 0775
#启动samba服务
[root@samba-server ~]# systemctl enable --now smb.service
[root@samba-server ~]# echo this samba server >> /www/server.txt
#添加samba用户
[root@samba-server ~]# smbpasswd -a root
[root@samba-server ~]# pdbedit -L -v root
Unix username: root
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3772874179-422699461-2662641436-1000
Primary Group SID: S-1-5-21-3772874179-422699461-2662641436-513
Full Name: root
Home Directory: \\samba-server\root
HomeDir Drive:
Logon Script:
Profile Path: \\samba-server\root\profile
Domain: SAMBA-SERVER
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 23:06:39 CST
Kickoff time: Wed, 06 Feb 2036 23:06:39 CST
Password last set: Sun, 22 Aug 2021 22:44:42 CST
Password can change: Sun, 22 Aug 2021 22:44:42 CST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
client端安装使用samba-client工具
[root@client ~]# yum -y install samba-client
[root@client ~]# smbclient -L 192.168.100.17 -U root%ddq.com
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
www Disk
IPC$ IPC IPC Service (Samba 4.10.16)
root Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@client ~]# yum -y install cifs-utils
[root@client ~]# ls /www
[root@client ~]# mount -o user=root,password=ddq.com //192.168.100.17/www /www
[root@client ~]# cat /www/server.txt
this samba server
使用rsync+inotify实现/www目录实时同步
[root@data-server ~]# ls -l /proc/sys/fs/inotify/
total 0
-rw-r--r-- 1 root root 0 Aug 22 22:59 max_queued_events
-rw-r--r-- 1 root root 0 Aug 22 22:59 max_user_instances
-rw-r--r-- 1 root root 0 Aug 22 22:59 max_user_watches
**源数据服务器端安装inotify-tools(基于epel源)**
[root@data-server ~]# yum -y install inotify-tools rsync
#后台监控目录
[root@data-server ~]# inotifywait -o /root/inotify.log -drq /www --timefmt "%Y-%m-%d %H:%M:%S" --format "%T %w%f event: %e"
[root@data-server ~]# ssh-keygen
[root@data-server ~]# ssh-copy-id 192.168.100.27
备份服务器使用rsync服务
[root@backup-server ~]# yum -y install rsync
[root@backup-server ~]# vi /etc/rsyncd.conf
#添加以下内容
uid = root
gid = root
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
[backup]
path = /www
comment = --- backup dir ---
read only = no
auth users = rsyncuser
secrets file = /etc/rsyncd.pas
[root@backup-server ~]# echo "rsyncuser:ddq.com" > /etc/rsyncd.pas
[root@backup-server ~]# chmod 600 /etc/rsyncd.pas
[root@backup-server ~]# systemctl enable --now rsyncd
#rsyncd默认以nobody身份访问模块目录,因此给nobody授权;本例rsyncd.conf已设置uid = root,此步可省略
[root@backup-server ~]# setfacl -m u:nobody:rwx /www
#数据服务器上查看rsync服务器的备份目录
[root@data-server ~]# rsync 192.168.100.27::
backup --- backup dir ---
[root@data-server ~]# echo ddq.com >/etc/rsync.pas
[root@data-server ~]# rsync -avz --delete --password-file=/etc/rsync.pas /www/ rsyncuser@192.168.100.27::backup
shell脚本实现实时数据同步
[root@data-server ~]# vim inotify_rsync.sh
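#!/bin/bash
# inotify_rsync.sh - push every change under SRC to the rsync daemon module DEST.
#
# inotifywait -m keeps streaming events for the whole tree, so this script runs
# until it is killed (start it in the background). Each event triggers a full
# "rsync --delete" of SRC and, only when that rsync succeeds, one log line.
# Requires inotify-tools and rsync, plus the password file PASSFILE; rsync only
# accepts a password file that is not readable by other users (chmod 600).
SRC='/www/'
DEST='rsyncuser@192.168.100.27::backup'
PASSFILE='/etc/rsync.pas'
LOGFILE='/var/log/changelist.log'

rpm -q rsync &> /dev/null || yum -y install rsync
if ! command -v inotifywait &> /dev/null; then
  echo "inotifywait not found, install inotify-tools first" >&2
  exit 1
fi

# Event line layout is fixed by --format: "<date> <time> <dir> <name>".
# read -r keeps backslashes in names literal; FILE receives the remainder of
# the line, so a file name containing spaces arrives intact (a directory path
# containing spaces would still be split between DIR and FILE).
inotifywait -mrq --exclude=".*\.swp" --timefmt '%Y-%m-%d %H:%M:%S' \
  --format '%T %w %f' -e create,delete,moved_to,close_write,attrib "$SRC" \
  | while read -r DATE TIME DIR FILE; do
      FILEPATH="${DIR}${FILE}"
      if rsync -az --delete --password-file="$PASSFILE" "$SRC" "$DEST"; then
        echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> "$LOGFILE"
      fi
    done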
#添加脚本到/etc/rc.local开机启动(脚本会一直在前台运行,写入rc.local时宜在命令末尾加上 & 放入后台)
[root@data-server ~]# chmod +x /root/inotify_rsync.sh
[root@data-server ~]# chmod +x /etc/rc.d/rc.local
[root@data-server ~]# echo /root/inotify_rsync.sh >> /etc/rc.local
#查看文件传输日志
[root@data-server ~]# ./inotify_rsync.sh &
[root@data-server ~]# tail -f /var/log/changelist.log
使用iptables实现:放行telnet、ftp、web、samba服务,其他端口服务全部拒绝
[root@localhost ~]# iptables -I INPUT -p tcp -m multiport --dport 21,23,80,139,445 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -j REJECT
#执行全部拒绝的命令后当前ssh连接会立即中断(REJECT之前没有放行已建立连接的规则),需从其他客户端用telnet重新登录,telnet需要使用普通用户登录
[root@client ~]# telnet 192.168.100.37
Trying 192.168.100.37...
Connected to 192.168.100.37.
Escape character is '^]'.
Kernel 3.10.0-1160.36.2.el7.x86_64 on an x86_64
localhost login: wx562635
Password:
Last login: Tue Aug 24 14:45:27 from ::ffff:192.168.100.1
[wx562635@localhost ~]$ sudo -i
[sudo] password for wx562635:
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
295 15897 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,23,80,139,445
35 4388 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 253 packets, 27467 bytes)
pkts bytes target prot opt in out source destination