[root@centos7_2 ~]# yum install mariadb-server -y
[root@centos7_2 ~]# systemctl start mariadb
## 1.1创建数据库
[root@centos7_2 ~]# mysql
MariaDB [(none)]> create database vsftpd;
## 1.2创建表
MariaDB [(none)]> use vsftpd
CREATE TABLE users (
id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
name CHAR(50) BINARY NOT NULL,
password CHAR(48) BINARY NOT NULL
);
### 插入虚拟用户数据(password() 生成的是不加盐的 MySQL 哈希,与后文 pam_mysql 配置中的 crypt=2 对应)
INSERT INTO users(name,password) values('user1',password('pass1'));
INSERT INTO users(name,password) values('user2',password('pass2'));
## 1.3创建用户
GRANT SELECT ON vsftpd.users TO vsftpd@'192.168.47.%' IDENTIFIED BY 'centos';
[root @ centos7 data]#yum install gcc gcc-c++ pam-devel mariadb-devel -y
centos7:无对应rpm包,需手动编译安装
## 2.1 手动编译安装pam_mysql
[root @ centos7 data]#ls
pam_mysql-0.7RC1.tar.gz
[root @ centos7 data]#tar xvf pam_mysql-0.7RC1.tar.gz
[root @ centos7 data]#ls
pam_mysql-0.7RC1 pam_mysql-0.7RC1.tar.gz
[root @ centos7 data]#cd pam_mysql-0.7RC1/
[root @ centos7 pam_mysql-0.7RC1]#./configure --with-pam-mods-dir=/lib64/security/
[root @ centos7 pam_mysql-0.7RC1]#make && make install
## 2.2 建立pam认证所需文件(文件中含数据库口令明文,应限制为仅 root 可读,如 chmod 600)
[root @ centos7 pam_mysql-0.7RC1]#cd /etc/pam.d/
[root @ centos7 pam.d]#vim vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=centos host=192.168.47.101 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=192.168.47.101 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
## 2.3 安装vsftpd
[root @ centos7 pam.d]#yum install vsftpd -y
### 2.3.1 修改配置文件
[root @ centos7 pam.d]#vim /etc/vsftpd/vsftpd.conf
#### (1)pam_service_name=vsftpd.mysql
#### (2)虚拟账号映射成vuser
guest_enable=YES
guest_username=vuser
#### (3)允许虚拟账号登录(注意:anonymous_enable=YES 开启的是匿名登录;虚拟账号登录依赖 guest_enable=YES 和 local_enable=YES,不需要匿名访问时应设为 NO)
anonymous_enable=YES
#### (4)设置每个虚拟账号独立的配置
user_config_dir=/etc/vsftpd/vusers.d/
### 2.3.2 创建一个系统账户,用于虚拟账户的映射
#### (1)[root @ centos7 pam.d]#useradd -d /data/ftproot -s /sbin/nologin vuser
[root @ centos7 pam.d]#cd /data/
[root @ centos7 data]#ls
ftproot pam_mysql-0.7RC1 pam_mysql-0.7RC1.tar.gz
[root @ centos7 data]#ll
total 332
drwx------ 3 vuser vuser 78 Dec 14 22:50 ftproot
drwxrwxrwx 3 tao tao 4096 Dec 14 22:37 pam_mysql-0.7RC1
-rw-r--r-- 1 root root 335240 Jun 7 2020 pam_mysql-0.7RC1.tar.gz
#### (2)[root @ centos7 data]#chmod 555 ftproot/ #修改文件权限,不能有写的权限
[root @ centos7 data]#ll
total 332
dr-xr-xr-x 3 vuser vuser 78 Dec 14 22:50 ftproot
drwxrwxrwx 3 tao tao 4096 Dec 14 22:37 pam_mysql-0.7RC1
-rw-r--r-- 1 root root 335240 Jun 7 2020 pam_mysql-0.7RC1.tar.gz
#### (3)[root @ centos7 data]#mkdir /data/ftproot/upload
[root @ centos7 data]#ll /data/ftproot/
total 0
drwxr-xr-x 2 root root 6 Dec 14 22:52 upload
#### (4)[root @ centos7 data]#setfacl -m u:vuser:rwx /data/ftproot/upload/
#### (5)设置每个虚拟账户独立的配置
[root @ centos7 data]#mkdir /etc/vsftpd/vusers.d/
设置user1可以匿名上传(虚拟账号默认使用匿名用户的权限,因此用 anon_* 选项控制;anon_other_write_enable 还允许删除和重命名)
[root @ centos7 vusers.d]#vim user1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
设置user2的共享目录为/data/ftproot2
mkdir /data/ftproot2
touch /data/ftproot2/ftproot2.txt
[root @ centos7 vusers.d]#vim user2
local_root=/data/ftproot2/
### 2.3.3重启服务
[root @ centos7 data]#systemctl restart vsftpd
### 2.3.4测试
[root@centos7_2 ~]# ftp 192.168.47.100
Connected to 192.168.47.100 (192.168.47.100).
220 (vsFTPd 3.0.2)
Name (192.168.47.100:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
[root@centos7_2 ~]# ftp 192.168.47.100
Connected to 192.168.47.100 (192.168.47.100).
220 (vsFTPd 3.0.2)
Name (192.168.47.100:root): user2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
192.168.47.100机器
[root @ centos7 data]#systemctl start nfs-server
[root @ centos7 data]#mkdir /www
[root @ centos7 data]#touch /www/www.txt
共享目录规则的配置文件(/etc/exports 或者/etc/exports.d/*.exports)
[root @ centos7 data]#vim /etc/exports
/www *
说明:* 代表共享给所有的主机;未写选项时按默认的只读(ro)、root_squash 导出
也可以如下设置
### 1)/www *(rw) 给可读可写权限,但是需要设置权限:setfacl -m u:nfsnobody:rwx nfsdir1 ,才能够修改及创建文件
权限的压榨(squash,即身份映射):客户端本机的root用户访问远程服务器上的共享时,会被映射成nobody(匿名用户)
普通用户不压榨:按用户ID与远程服务器上相同的用户ID匹配;服务器上没有对应用户时,就以用户ID显示
### 2)/www *(rw,all_squash) 所有的都压榨
### 3)/www *(rw,no_root_squash) root用户不压榨;客户端的root在共享目录上就拥有服务器root的权限,与 * 一起使用时任何能访问该服务的主机都如此,应只对受信任的主机开启
### 4)/www *(rw,no_root_squash,all_squash,anonuid=987,anongid=981) 所有的都压榨;都压榨成UID为987的用户
### 5)/www 192.168.47.101 共享给某台主机
### 6)/www 192.168.47.0/24 共享给某个网段
在服务启动的状态,重新加载配置文件
[root @ centos7 data]#exportfs -r
查看共享的文件
[root @ centos7 data]#exportfs -v
/data/nfsdir1 <world>(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)
/wwww <world>(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)
192.168.47.101机器
查看主机共享的信息
[root@centos7_3 data]# showmount -e 192.168.47.100
Export list for 192.168.47.100:
/wwww *
/data/nfsdir1 *
将远程目录,挂载到本地目录中
[root@centos7_3 data]# mkdir /data/www
[root@centos7_3 ~]# mount 192.168.47.100:/www /data/www/
[root@centos7_3 ~]# ll /data/www/
total 0
-rw-r--r-- 1 root root 0 Dec 15 2020 www.txt
1.samba服务器:
#1)安装samba包
[root @ centos7 ~]#yum install samba -y
#2)创建samba用户和组
[root @ centos7 ~]#useradd -s /sbin/nologin -G admins smbuser1
[root @ centos7 ~]#useradd -s /sbin/nologin smbuser2
[root @ centos7 ~]#smbpasswd -a smbuser1
New SMB password:
Retype new SMB password:
Added user smbuser1.
[root @ centos7 ~]#smbpasswd -a smbuser2
New SMB password:
Retype new SMB password:
Added user smbuser2.
#3)创建samba共享目录
[root @ centos7 ~]#mkdir /www
[root @ centos7 ~]#touch /www/www.txt
[root @ centos7 ~]#chgrp admins /www/
[root @ centos7 ~]#chmod 775 /www/
#4)samba配置文件修改
[root @ centos7 ~]#vim /etc/samba/smb.conf
[share]
path=/www
write list =@admins
#5)启动服务
[root @ centos7 ~]#systemctl start smb.service
2.客户端
#1)测试
[root@centos7_2 ~]# smbclient -L 192.168.47.100 -U smbuser1%123
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share Disk
IPC$ IPC IPC Service (Samba 4.10.16)
smbuser1 Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@centos7_2 tt]# smbclient //192.168.47.100/share -U smbuser2%123
#2)挂载到目录(password= 写在命令行里会留在 shell 历史和进程列表中,可改用 mount.cifs 的 credentials=文件 选项,并把该文件权限设为 600)
[root@centos7_2 tt]# yum -y install cifs-utils
[root@centos7_2 tt]# mkdir /data/tt
[root@centos7_2 tt]# mkdir /data/user2
[root@centos7_2 tt]# mount -o sec=ntlmssp,username=smbuser1,password=123 //192.168.47.100/share /data/tt
[root@centos7_2 data]# mount -o sec=ntlmssp,username=smbuser2,password=123 //192.168.47.100/share /data/user2
查看:
[root @ centos7 ~]#ll /www/
total 0
-rwxr--r-- 1 smbuser1 smbuser1 0 Dec 16 23:47 aliyun.txt
-rwxr--r-- 1 smbuser1 smbuser1 0 Dec 16 23:42 tt.txt
-rw-r--r-- 1 root root 0 Dec 16 23:31 www.txt
[root@centos7_2 tt]# ll /data/tt
total 0
-rwxr-xr-x 1 root root 0 Dec 16 2020 aliyun.txt
-rwxr-xr-x 1 root root 0 Dec 16 2020 tt.txt
-rwxr-xr-x 1 root root 0 Dec 16 2020 www.txt
[root@centos7_2 data]# ll /data/user2/
total 0
-rwxr-xr-x 1 root root 0 Dec 16 2020 aliyun.txt
-rwxr-xr-x 1 root root 0 Dec 16 08:01 haha.txt
-rwxr-xr-x 1 root root 0 Dec 16 2020 www.txt
rsync 服务端配置
[root @ centos7 ~]#yum install rsync -y
[root @ centos7 www]#vim /etc/rsyncd.conf
# Global section of /etc/rsyncd.conf, followed by one writable module [backup].
# NOTE(review): uid/gid = root means transfers for the module run as root on the
# server; combined with "use chroot = no" and "read only = no" below, an
# authenticated client writes files as root without being confined to the module
# path by chroot. A dedicated unprivileged account is the usual safer choice.
uid = root
gid = root
use chroot = no
# 0 means no limit on simultaneous connections.
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
# Only clients in this subnet may connect to the daemon.
hosts allow = 192.168.47.0/24
# Module definition: clients address it as ::backup.
[backup]
path = /backup/
comment = backup
# Uploads (and deletions requested by the client) are permitted.
read only = no
# Only this rsync user may use the module; its password is looked up in the
# secrets file (username:password lines). The rsync daemon protocol does not
# encrypt the transferred data.
auth users = rsyncuser
secrets file = /etc/rsync.pass
[root @ centos7 www]#mkdir /backup
[root @ centos7 www]#echo "rsyncuser:tao123" >/etc/rsync.pass
[root @ centos7 www]#chmod 600 /etc/rsync.pass
[root @ centos7 www]#systemctl start rsyncd
客户端配置
[root@centos7_2 data]# yum install -y inotify-tools
[root@centos7_2 data]# echo "tao123" > /etc/rsync.pass
[root@centos7_2 data]# chmod 600 /etc/rsync.pass
[root@centos7_2 data]# mkdir /www
[root@centos7_2 data]# vim inotify_rsync.sh
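#!/bin/bash
# Mirror SRC to the rsync daemon module DEST every time inotify reports a
# change under SRC, and append one line per successful sync to
# /var/log/changelist.log.
#
# Globals:  SRC  (read) - local directory that is watched and sent
#           DEST (read) - rsync daemon target, user@host::module
# Requires: inotifywait (inotify-tools), rsync, and /etc/rsync.pass holding
#           only the password (rsync refuses a password file that other users
#           can read, hence the chmod 600 in the setup steps).
#
# NOTE(review): --delete makes the module an exact mirror: anything removed
# from SRC is removed on the server at the next event, so this is live
# replication, not a point-in-time backup.
SRC='/www/'
DEST='rsyncuser@192.168.47.100::backup'

# -m keeps watching, -r recurses, -q suppresses the startup banner.
# Each event is printed as "<date> <time> <dir> <file>".
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' \
  -e create,delete,moved_to,close_write,attrib "${SRC}" |
  # -r keeps backslashes in file names literal. read still splits on
  # whitespace, so a directory name containing spaces shifts the fields; that
  # only affects the log text, because rsync always syncs the whole of SRC.
  while read -r DATE TIME DIR FILE; do
    FILEPATH=${DIR}${FILE}
    # Quoted so the paths are passed as single arguments; the log line is
    # written only when rsync exits successfully.
    rsync -az --delete --password-file=/etc/rsync.pass "$SRC" "$DEST" \
      && echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> /var/log/changelist.log
  done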
[root@centos7_2 data]# chmod +x inotify_rsync.sh
[root@centos7_2 data]# ./inotify_rsync.sh
ftp tcp 20 21
telnet tcp 23
web tcp 80 443
samba udp 137 138
tcp 139 445
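# Build an INPUT policy that admits only the services listed above
# (ftp 20/21, telnet 23, web 80/443, samba 137/138 udp and 139/445 tcp)
# plus one trusted address, and drops everything else.
# Rules are appended, so order matters: the DROP must stay last.

# Removed before the rules are added (presumably so libvirt does not insert
# its own iptables rules -- confirm this host does not need it).
yum remove libvirt-daemon

# Local loopback traffic and replies to connections this host opened itself
# must be accepted explicitly; without these two rules the final DROP also
# discards them (DNS answers, yum downloads, local services on 127.0.0.1).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Everything from this single address is trusted.
iptables -A INPUT -s 192.168.47.1 -j ACCEPT
# NOTE(review): ftp (20,21) and telnet (23) carry credentials in clear text;
# they are opened here only because the service list above asks for them.
iptables -A INPUT -p tcp -m multiport --dports 80,443,20,21,23,139,445 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT
# Default deny for anything not matched above.
iptables -A INPUT -j DROP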