一、实现基于MYSQL验证的vsftpd虚拟用户访问。
- 安装数据库,在数据库创建ftp虚拟用户账号,授权
[root@ftpserver ~]#yum install mariadb-server -y
[root@ftpserver ~]#systemctl start mariadb
[root@ftpserver ~]#mysql
#创建虚拟用户数据库
MariaDB [(none)]> create database vsftpd;
MariaDB [(none)]> use vsftpd
#创建虚拟用户表
MariaDB [vsftpd]> CREATE TABLE users (
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> );
#创建虚拟用户test1
MariaDB [vsftpd]> insert users (name,password) value('test1',password('centos'));
#创建虚拟用户test2
MariaDB [vsftpd]> insert users (name,password) value('test2',password('magedu'));
#创建可以查询vsftpd.user表权限的数据库用户
MariaDB [vsftpd]> grant select on vsftpd.users to vsftpd@localhost identified by 'centos';
- 编译安装pam_mysql
[root@ftpserver ~]#yum install gcc gcc-c++ pam-devel mariadb-devel -y
[root@ftpserver ~]#tar xvf pam_mysql-0.7RC1.tar.gz
#指定pam_mysql的模块目录
[root@ftpserver pam_mysql-0.7RC1]#./configure --with-pam-mods-dir=/lib64/security/
[root@ftpserver pam_mysql-0.7RC1]#make && make install
- 安装vsftpd,并配置
[root@ftpserver ~]#yum install vsftpd -y
#建立虚拟用户映射的系统用户user及共享的目录/data/share
[root@ftpserver ~]#useradd -s /sbin/nologin -d /data/share vuser
[root@ftpserver ~]#chmod 555 /data/share
[root@ftpserver ~]#mkdir /data/share/{pub,upload}
[root@ftpserver ~]#setfacl -m u:vuser:rwx /data/share/upload
#修改vsftpd配置文件,指定pam配置文件
[root@ftpserver ~]#vim /etc/vsftpd/vsftpd.conf
...
guest_enable=YES
guest_username=vuser
pam_service_name=vsftpd.mysql
user_config_dir=/etc/vsftpd/vusers.d/
#指定test1用户可读写,其他用户只读
[root@ftpserver ~]#vim /etc/vsftpd/vusers.d/test1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
#创建pam配置文件/etc/pam.d/vsftpd.mysql
[root@ftpserver ~]#vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=centos host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
[root@ftpserver ~]#systemctl start vsftpd
- 测试访问
[root@centos7 ~]#ftp 192.168.45.7
Connected to 192.168.45.7 (192.168.45.7).
220 (vsFTPd 3.0.2)
Name (192.168.45.7:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,45,7,219,115).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Aug 27 06:16 pub
drwxrwxr-x 2 0 0 6 Aug 27 06:16 upload
226 Directory send OK.
[root@centos7 ~]#ftp 192.168.45.7
Connected to 192.168.45.7 (192.168.45.7).
220 (vsFTPd 3.0.2)
Name (192.168.45.7:root): test2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,45,7,221,184).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Aug 27 06:16 pub
drwxrwxr-x 2 0 0 6 Aug 27 06:16 upload
226 Directory send OK.
二、通过NFS实现服务器/www共享访问。
- 启动nfs-server服务,添加配置文件/etc/
[root@nfs-server ~]#systemctl start nfs-server
[root@nfs-server ~]#mkdir /www
[root@nfs-server ~]#vim /etc/exports.d/www.exports
/www anonymous (rw,all_squash) #默认只读权限
[root@nfs-server ~]#setfacl -m u:nfsnobody:rwx /www
[root@nfs-server ~]#exportfs -r
- 测试访问
[root@centos7 ~]#showmount -e 192.168.45.7
Export list for 192.168.45.7:
/www *
[root@centos7 ~]#mount 192.168.45.7:/www /mnt
[root@centos7 ~]#df
文件系统 容量 已用 可用 已用% 挂载点
devtmpfs 975M 0 975M 0% /dev
tmpfs 991M 0 991M 0% /dev/shm
tmpfs 991M 11M 981M 2% /run
tmpfs 991M 0 991M 0% /sys/fs/cgroup
/dev/sda2 50G 4.1G 46G 9% /
/dev/sda3 50G 33M 50G 1% /data
/dev/sda1 1014M 168M 847M 17% /boot
tmpfs 199M 12K 199M 1% /run/user/42
tmpfs 199M 0 199M 0% /run/user/0
192.168.45.7:/www 50G 4.3G 46G 9% /mnt
[root@centos7 ~]#cd /mnt/
[root@centos7 mnt]#touch f1.txt
[root@nfs-server ~]#ll /www
总用量 0
-rw-r--r-- 1 nfsnobody nfsnobody 0 8月 27 15:28 f1.txt
三、配置samba共享,实现/www目录共享。
- 安装samba,创建smb用户
[root@smb-server ~]#yum install samba -y
[root@smb-server ~]#useradd -r -s /sbin/nologin smbuser
[root@smb-server ~]#smbpasswd -a smbuser
New SMB password:
Retype new SMB password:
Added user smbuser.
[root@smb-server ~]#pdbedit -L
smbuser:987:
- 修改配置文件/etc/samba/smb.conf
[root@smb-server ~]#vim /etc/samba/smb.conf
...
[share]
comment=smbshare
path=/www
read only=no
[root@smb-server ~]#systemctl start smb
[root@smb-server ~]#setfacl -m u:smbuser:rwx /www
- 测试访问
[root@centos7 ~]#smbclient -L 192.168.45.7
Enter SAMBA\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share Disk smbshare
IPC$ IPC IPC Service (Samba 4.10.4)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@centos7 ~]#smbclient //192.168.45.7/share -U smbuser
Enter SAMBA\smbuser's password:
Try "help" to get a list of possible commands.
smb: \> put anaconda-ks.cfg
putting file anaconda-ks.cfg as \anaconda-ks.cfg (186.0 kb/s) (average 186.0 kb/s)
[root@smb-server ~]#ll /www
总用量 4
-rwxr--r-- 1 smbuser smbuser 1905 8月 27 16:25 anaconda-ks.cfg
四、使用rsync+inotify实现/www目录实时同步。
- 在备份服务器上配置rsync服务
#修改rsync配置文件/etc/rsyncd.conf
[root@centos7 ~]#vim /etc/rsyncd.conf
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.45.0/24
[backup]
path = /backup/
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
#创建rsync备份目录及验证信息
[root@centos7 ~]#mkdir /backup
[root@centos7 ~]#echo "rsyncuser:magedu" > /etc/rsync.pass
[root@centos7 ~]#chmod 600 /etc/rsync.pass
[root@centos7 ~]#systemctl start rsyncd
- 在共享服务器安装inotify-tools,配置rsync验证信息
[root@smb-server ~]#yum install inotify-tools -y
[root@smb-server ~]#echo "magedu" > /etc/rsync.pass
[root@smb-server ~]#chmod 600 /etc/rsync.pass
- 在共享服务器编写inotify_rsync.sh脚本实现自动同步
[root@smb-server ~]#vim inotify_rsync.sh
#!/bin/bash
SRC='/www/'
DEST='rsyncuser@192.168.45.17::backup'
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' -e create,delete,moved_to,close_write,attrib ${SRC} |while read DATE TIME DIR FILE;do
FILEPATH=${DIR}${FILE}
rsync -az --delete --password-file=/etc/rsync.pass $SRC $DEST && echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> /var/log/changelist.log
done
[root@smb-server ~]#chmod +x inotify_rsync.sh
- 测试同步
[root@smb-server ~]#./inotify_rsync.sh
[root@smb-server ~]#cp /etc/fstab /www/f1.txt
[root@smb-server ~]#mkdir /www/test
[root@smb-server ~]#ll /www
总用量 4
-rw-r--r-- 1 root root 595 8月 31 09:19 f1.txt
drwxr-xr-x 2 root root 6 8月 31 09:19 test
[root@centos7 ~]#ll /backup/
总用量 4
-rw-r--r-- 1 root root 595 8月 31 09:19 f1.txt
drwxr-xr-x 2 root root 6 8月 31 09:19 test
五、使用iptable实现: 放行telnet、ftp、web服务,放行samba服务,其他端口服务全部拒绝。
[root@centos7 ~]#modprobe nf_conntrack_ftp #加载ftp连接追踪的专用模块
[root@centos7 ~]#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos7 ~]#iptables -A INPUT -j REJECT
[root@centos7 ~]#iptables -I INPUT 2 -p tcp -m multiport --dports 21,23,80,443,139,445 -j ACCEPT
[root@centos7 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
895 54052 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,23,80,443,139,445
1 229 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1188 bytes)
pkts bytes target prot opt in out source destination