Linux相关知识的第二十三回合
实现基于MYSQL验证的vsftpd虚拟用户访问
安装相关软件
# 安装MySQL数据库;因之前已经安装过,故此处略过
# 安装FTP及对应MySQL相关的依赖包
yum install -y vsftpd mariadb-devel pam-devel
# 下载及安装pam_mysql的lib包
wget -c http://repo.iotti.biz/CentOS/7/x86_64/pam_mysql-0.8.1-0.22.el7.lux.x86_64.rpm
yum -y install pam_mysql-0.8.1-0.22.el7.lux.x86_64.rpm
rpm -ql pam_mysql
/lib64/security/pam_mysql.so
/usr/share/doc/pam_mysql-0.8.1
/usr/share/doc/pam_mysql-0.8.1/AUTHORS
/usr/share/doc/pam_mysql-0.8.1/COPYING
/usr/share/doc/pam_mysql-0.8.1/ChangeLog
/usr/share/doc/pam_mysql-0.8.1/NEWS
/usr/share/doc/pam_mysql-0.8.1/README
创建数据库及虚拟用户
# 登录数据库
MariaDB [(none)]> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
| vsftpd |
+--------------------+
7 rows in set (0.00 sec)
MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO vsftpd@'%' IDENTIFIED BY 'centos';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
# 创建用户表
MariaDB [(none)]> USE vsftpd;
Database changed
MariaDB [vsftpd]> SHOW TABLES;
Empty set (0.01 sec)
MariaDB [vsftpd]> CREATE TABLE users (
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> );
Query OK, 0 rows affected (0.06 sec)
MariaDB [vsftpd]> DESC users;
+----------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | char(50) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
# 添加虚拟用户
MariaDB [(none)]> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [vsftpd]> INSERT INTO users(name,password) values('test1',password('centos'));
Query OK, 1 row affected (0.01 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('test2',password('centos'));
Query OK, 1 row affected (0.01 sec)
MariaDB [vsftpd]> SELECT * FROM users;
+----+-------+-------------------------------------------+
| id | name | password |
+----+-------+-------------------------------------------+
| 1 | test1 | *128977E278358FF80A246B5046F51043A2B1FCED |
| 2 | test2 | *128977E278358FF80A246B5046F51043A2B1FCED |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)
配置vsftpd服务
创建虚拟用户映射的系统用户及对应的目录
useradd -s /sbin/nologin -d /var/ftproot vuser
chmod 555 /var/ftproot
mkdir /var/ftproot/test{1,2}
setfacl -m u:vuser:rwx /var/ftproot/test*
修改相关配置文件
# 添加pam认证配置文件
cp -rp /etc/pam.d/vsftpd.mysql{,.`datebak`}
vim /etc/pam.d/vsftpd.mysql
######################################################################################
# 添加如下两行
# 针对用户认证的设置
auth required /lib64/security/pam_mysql.so user=vsftpd passwd=centos host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
# 针对用户时效的设置
account required /lib64/security/pam_mysql.so user=vsftpd passwd=centos host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
# user为数据库登录用户名,passwd为该用户对应的登录密码,host为数据库地址,db为所使用的库名,table/usercolumn/passwdcolumn分别为用户表及其用户名列、密码列,crypt=2表示密码的加密方式为MySQL的password()函数
######################################################################################
# 修改配置文件
cp -rp /etc/vsftpd/vsftpd.conf{,.`datebak`}
######################################################################################
# 需修改
pam_service_name=vsftpd.mysql
guest_enable=YES
# 新添加以下两项
guest_username=vuser
allow_writeable_chroot=YES
# 指定虚拟用户配置文件的路径
user_config_dir=/etc/vsftpd/vusers_config
######################################################################################
# 添加虚拟用户定制的配置文件
cat /etc/vsftpd/vusers_config/test1
######################################################################################
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/var/ftproot/test1/
######################################################################################
cat /etc/vsftpd/vusers_config/test2
######################################################################################
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/var/ftproot/test2/
######################################################################################
启动vsftpd服务
systemctl enable vsftpd --now
测试
# 在其他服务器上,安装ftp客户端
ftp 192.168.168.66
Connected to 192.168.168.66 (192.168.168.66).
220 (vsFTPd 3.0.2)
Name (c5:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,168,252,188,109).
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls
227 Entering Passive Mode (192,168,168,252,104,198).
150 Here comes the directory listing.
226 Directory send OK.
ftp> put t1
local: t1 remote: t1
227 Entering Passive Mode (192,168,168,252,117,202).
150 Ok to send data.
226 Transfer complete.
ftp> ls
227 Entering Passive Mode (192,168,168,252,88,231).
150 Here comes the directory listing.
-rw------- 1 1002 1002 0 Jun 07 12:25 t1
226 Directory send OK.
ftp> mkdir test
257 "/test" created
ftp> ls
227 Entering Passive Mode (192,168,168,252,154,236).
150 Here comes the directory listing.
-rw------- 1 1002 1002 0 Jun 07 12:25 t1
drwx------ 2 1002 1002 6 Jun 07 12:25 test
226 Directory send OK.
ftp> delete t1
250 Delete operation successful.
通过NFS实现服务器/www共享访问
安装NFS服务及修改相关配置文件
# 安装NFS服务
yum -y install nfs-utils rpcbind
# 创建目录
mkdir /www
chown nfsnobody /www
# 添加配置文件
echo "/www *(rw,no_root_squash)" > /etc/exports
# 查看本机所有共享信息
exportfs -v
/www <world>(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,no_root_squash,no_all_squash)
远程挂载
showmount -e 192.168.168.66
# 挂载nfs到/data/nfs-client
mount 192.168.168.66:/www /data/nfs-client
# 查看挂载情况
df -h
# 添加开机自动挂载
echo '192.168.168.66:/www /data/nfs-client/ nfs defaults 0 0' >> /etc/fstab
配置samba共享,实现/www目录共享
安装samba服务
# 安装samba服务
yum -y install samba
# 创建samba用户及组
groupadd -r admins
useradd -s /sbin/nologin -G admins hooper
smbpasswd -a hooper
New SMB password:
Retype new SMB password:
Added user hooper.
useradd -s /sbin/nologin mage
smbpasswd -a mage
New SMB password:
Retype new SMB password:
Added user mage.
# 创建samba共享目录
mkdir -p /data/smbshare
chgrp admins /data/smbshare
chmod 2775 /data/smbshare
# 修改配置文件
cp -rp /etc/samba/smb.conf{,.`datebak`}
vim /etc/samba/smb.conf
######################################################################################
[share]
path = /data/smbshare
write list = @admins
######################################################################################
systemctl start smb nmb
客户端访问
# 安装客户端
yum -y install cifs-utils
# 用hooper用户挂载smb共享目录并访问
mkdir /data/smb-client
mount -o username=hooper //192.168.168.66/share /data/smb-client/
Password for hooper@//192.168.168.66/share: ******
# 查看挂载情况
df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 42G 1.7G 40G 5% /
devtmpfs 909M 0 909M 0% /dev
tmpfs 920M 0 920M 0% /dev/shm
tmpfs 920M 17M 903M 2% /run
tmpfs 920M 0 920M 0% /sys/fs/cgroup
/dev/sda1 497M 130M 367M 27% /boot
tmpfs 184M 0 184M 0% /run/user/0
//192.168.168.66/share 42G 1.3G 41G 3% /mnt/rick
使用rsync+inotify实现/www目录实时同步
安装rsync服务
# 配置rsync配置文件
cp -rp /etc/rsyncd.conf{,.`datebak`}
vim /etc/rsyncd.conf
######################################################################################
# /etc/rsyncd: configuration file for rsync daemon mode
# See rsyncd.conf man page for more options.
# configuration example:
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.168.66/24
[backup]
path = /backup
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
######################################################################################
# 服务端生成验证文件及准备目录并启动rsync服务
echo "rsyncpass" > /etc/rsync.pass
chmod 600 /etc/rsync.pass
mkdir /backup
systemctl start rsyncd
客户端创建密码文件及同步目录
# 配置密码文件
echo "rsyncuser:rsyncpass" > /etc/rsync.pass
chmod 600 /etc/rsync.pass
# 创建同步目录
mkdir /data
touch /data/rsync-test.txt
# 测试
rsync -avz --password-file=/etc/rsync.pass /data/ rsyncuser@192.168.168.66::backup
客户端创建inotify_rsync.sh脚本实现实时同步
# 查看服务器内核是否支持inotify
ll /proc/sys/fs/inotify
# 安装inotify
# 安装epel-release源
yum install epel-release.noarch -y
# 安装inotify
yum install inotify-tools -y
cat /data/sh/inotify_rsync.sh
######################################################################################
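#!/bin/bash
# Watch SRC_DIR with inotifywait and, after every file event, push the whole
# tree to the rsync daemon module RSYNC_DIR; each successful sync is appended
# to LOG_FILE. The script runs forever (inotifywait -m) and is meant to be
# started in the background with nohup, as the page does.
# NOTE: the page launches this file with "/bin/sh", so only POSIX sh
# constructs are used here (no [[ ]], no arrays, no pipefail).
# 设置变量
SRC_DIR='/data/'
RSYNC_DIR='rsyncuser@192.168.168.66::backup'
PASS_FILE='/etc/rsync.pass'
LOG_FILE='/var/log/changelist.log'

# Fail fast on missing prerequisites; otherwise every rsync call inside the
# loop would fail and nothing would ever be logged.
[ -d "$SRC_DIR" ] || { printf 'source dir %s does not exist\n' "$SRC_DIR" >&2; exit 1; }
[ -r "$PASS_FILE" ] || { printf 'password file %s is not readable\n' "$PASS_FILE" >&2; exit 1; }
command -v inotifywait >/dev/null 2>&1 || { printf 'inotifywait is not installed\n' >&2; exit 1; }

# 脚本开始
# read -r keeps backslashes in names literal; FILE is the last variable, so a
# name containing spaces is collected into it intact. The loop runs in a
# subshell because of the pipe, which is fine: nothing after it needs the
# loop's variables.
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' \
  -e create,delete,moved_to,close_write,attrib "$SRC_DIR" |
while read -r DATE TIME DIR FILE; do
  FILEPATH="${DIR}${FILE}"
  # Whole-tree sync with --delete so local deletions are mirrored remotely.
  # Log only when rsync succeeded; failures go to stderr so that nohup.out
  # captures them instead of dropping them silently.
  if rsync -az --delete --password-file="$PASS_FILE" "$SRC_DIR" "$RSYNC_DIR"; then
    printf 'At %s on %s, file %s was backuped up via rsync\n' "$TIME" "$DATE" "$FILEPATH" >> "$LOG_FILE"
  else
    printf 'rsync failed after change to %s\n' "$FILEPATH" >&2
  fi
done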
######################################################################################
# 后台运行
nohup /bin/sh /data/sh/inotify_rsync.sh &
使用iptables实现: 放行telnet, ftp, web, samba服务,其他端口服务全部拒绝
# 放开telnet端口
iptables -A INPUT -p tcp -d 192.168.168.66 --dport 23 -j ACCEPT
# 放开FTP端口
iptables -A INPUT -p tcp -d 192.168.168.66 --dport 21 -j ACCEPT
# 放开web默认端口
iptables -A INPUT -p tcp -d 192.168.168.66 --dport 80 -j ACCEPT
# 放开samba默认端口
iptables -A INPUT -p tcp -d 192.168.168.66 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -d 192.168.168.66 --dport 445 -j ACCEPT
# 拒绝所有其他服务
iptables -A INPUT -j DROP
# 查看
iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
39 4962 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.66 tcp dpt:22
6 394 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.66 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.66 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.66 tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.66 tcp dpt:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.66 tcp dpt:445
81 8786 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 49 packets, 5983 bytes)
pkts bytes target prot opt in out source destination