1、实现基于 MYSQL 验证的 vsftpd 虚拟用户访问;
实验环境:CentOS 7、MariaDB
(1)mysql (MariaDB)安装配置
# Install the MariaDB server package
yum -y install mariadb-server
# Enable the unit at boot and start it right away
systemctl enable --now mariadb.service
# 进入数据库
[root@localhost ~]# mysql
# 创建数据库
MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.00 sec)
# 查看数据库
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
| vsftpd |
+--------------------+
5 rows in set (0.00 sec)
# 授权
MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO vsftpd@'127.0.0.1' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye
# 测试连接(vsftpd 用户)
[root@localhost ~]# mysql -uvsftpd -h 127.0.0.1 -ppassword
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.65-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| test |
| vsftpd |
+--------------------+
3 rows in set (0.00 sec)
MariaDB [vsftpd]> exit
Bye
# 创建表
mysql
MariaDB [(none)]> use vsftpd
Database changed
MariaDB [vsftpd]> show tables;
Empty set (0.00 sec)
MariaDB [vsftpd]> CREATE TABLE users (
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> );
Query OK, 0 rows affected (0.01 sec)
MariaDB [vsftpd]> DESC users;
+----------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | char(50) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
# 添加用户信息
MariaDB [vsftpd]> INSERT INTO users(name,password) values('solin',password('password'));
Query OK, 1 row affected (0.00 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('yinxd',password('password'));
Query OK, 1 row affected (0.00 sec)
MariaDB [vsftpd]> SELECT * FROM users;
+----+-------+-------------------------------------------+
| id | name | password |
+----+-------+-------------------------------------------+
| 1 | solin | *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
| 2 | yinxd | *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)
(2)vsftpd、pam_mysql 安装配置
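# Build dependencies for pam_mysql, plus vsftpd itself
yum -y install mariadb-devel pam-devel vsftpd
yum -y groupinstall "Development Tools"
# Build pam_mysql-0.7RC1 from source. The tarball comes over plain HTTP and
# ends up as a PAM module that every FTP login passes through, so verify it
# before compiling. Take the digest from the project's release page; the
# value below is a placeholder that must be filled in.
PAM_MYSQL_SHA256='<sha256 of pam_mysql-0.7RC1.tar.gz from the project release notes>'
wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
# Stop here if the digest does not match -- do not build an unverified tarball
printf '%s  %s\n' "$PAM_MYSQL_SHA256" pam_mysql-0.7RC1.tar.gz | sha256sum -c - || exit 1
tar xvf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1/ || exit 1
# Install the module into /lib64/security so PAM finds it without extra config
./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
make
make install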
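# PAM stack used by vsftpd. Both lines embed the MySQL account password in
# cleartext (passwd=...), so create the file root-only instead of accepting
# the editor's default 644. vsftpd presumably performs the PAM calls in its
# root-privileged parent process, so 0600 is sufficient -- confirm with a
# test login after the service is up.
# crypt=2 selects MySQL PASSWORD() hashes, matching password() used in the INSERTs above.
( umask 077; cat > /etc/pam.d/vsftpd.mysql <<'EOF'
auth required pam_mysql.so user=vsftpd passwd=password host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=password host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
EOF
)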
# Local account that every virtual (MySQL) user is mapped onto; no shell.
useradd --shell /sbin/nologin --home-dir /var/ftproot vuser
# The FTP root itself stays read-only for everyone
chmod 0555 /var/ftproot
# Two sub-directories: a read-only pub and a writable upload area
mkdir /var/ftproot/upload /var/ftproot/pub
# Only vuser gets write access, and only inside upload
setfacl -m user:vuser:rwx /var/ftproot/upload
# vsftpd configuration file
vim /etc/vsftpd.conf
## Make sure the following is set to YES
## NOTE(review): guest (virtual) users are governed by the anon_* options
## below regardless of this setting; anonymous_enable=YES additionally accepts
## the literal "anonymous"/"ftp" login without a password check. If real
## anonymous access is not intended, NO is the safer value -- confirm against
## vsftpd.conf(5).
anonymous_enable=YES
## Change the following line from vsftpd to vsftpd.mysql
## (the PAM service defined in /etc/pam.d/vsftpd.mysql above)
pam_service_name=vsftpd.mysql
## Add the following
## Every user authenticated via MySQL runs as the single local account vuser
guest_enable=YES
guest_username=vuser
## Upload and mkdir for guests; anon_other_write_enable also allows delete and
## rename. Because all virtual users share vuser, each of them can modify or
## remove files uploaded by the others (the test upload 1.txt below shows a
## single uid 1000 owner -- presumably vuser).
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# Enable vsftpd at boot and start it now
systemctl enable --now vsftpd.service
# 查看端口
[root@localhost var]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 32 [::]:21 [::]:*
LISTEN 0 128 [::]:22 [::]:*
(3)测试
[root@localhost ~]# ftp 10.10.10.71
Connected to 10.10.10.71 (10.10.10.71).
220 (vsFTPd 3.0.2)
Name (10.10.10.71:root): yinxd
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,10,71,138,221).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 15 Aug 26 08:48 pub
drwxrwxr-x 2 0 0 47 Aug 26 08:59 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (10,10,10,71,66,153).
150 Here comes the directory listing.
226 Directory send OK.
ftp> put 1.txt
local: 1.txt remote: 1.txt
227 Entering Passive Mode (10,10,10,71,113,74).
150 Ok to send data.
226 Transfer complete.
5 bytes sent in 2.8e-05 secs (178.57 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (10,10,10,71,156,138).
150 Here comes the directory listing.
-rw------- 1 1000 1000 5 Aug 26 09:00 1.txt
226 Directory send OK.
ftp> put 1.txt 1.txt.bak
local: 1.txt remote: 1.txt.bak
227 Entering Passive Mode (10,10,10,71,80,191).
150 Ok to send data.
226 Transfer complete.
5 bytes sent in 2e-05 secs (250.00 Kbytes/sec)
ftp>
2、通过NFS实现服务器 /www 共享访问;
- 安装( NFS 服务器 10.10.10.71 )
# nfs-utils provides the NFS server, exportfs and showmount
yum -y install nfs-utils
- 启动服务(同时设置为开机启动)
# Enable the NFS server at boot and start it now
systemctl enable --now nfs-server.service
- 创建目录及测试文件
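# Directory to export; -p keeps this step re-runnable
mkdir -p /www
# Clients are squashed to nfsnobody by the all_squash export option below, so
# that account must own the directory for remote writes to succeed.
# (The original line was missing the path argument.)
chown nfsnobody /www
# Test file that should be visible from the client
echo nfstest > /www/test.txt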
- 配置
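# Export /www read-write with all clients squashed to nfsnobody. The export
# string must be quoted: an unquoted "(" is a subshell to bash and the
# command is a syntax error.
# NOTE(review): 10.10.10.0/16 covers 10.10.0.0-10.10.255.255, whereas the
# rsyncd config later uses 10.10.10.0/24 -- confirm which range is intended.
echo '/www 10.10.10.0/16(rw,all_squash)' > /etc/exports.d/nfstest.exports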
- 加载配置文件
# Re-read /etc/exports and /etc/exports.d/*.exports and apply the export table
exportfs -r
- 查看目录
[root@localhost /]# exportfs -v
/www 10.10.10.0/16(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,all_squash)
- 测试(测试服务器:10.10.10.72)
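# showmount is shipped by nfs-utils; there is no package called "showmount",
# so the original install command would fail with "No package available".
yum install -y nfs-utils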
# 查看 NFS 服务器开放的目录
[root@localhost nfs1]# showmount -e 10.10.10.71
Export list for 10.10.10.71:
/www 10.10.10.0/16
# 创建挂载目录
# Mount point on the client
mkdir -- /mnt/nfs1
# Mount the export from the NFS server
mount -t nfs 10.10.10.71:/www /mnt/nfs1
# 查看目录内容
[root@localhost ~]# ls /mnt/nfs1/
test.txt
# 创建文件
[root@localhost ~]# echo nfstest > /mnt/nfs1/nfstest.txt
[root@localhost ~]# ls /mnt/nfs1/
nfstest.txt test.txt
3、配置samba共享,实现/www目录共享;
- 安装( SMB 服务器 10.10.10.71 )
# Samba server package
yum -y install samba
- 启动服务(同时设置为开机启动)
# Enable smbd at boot and start it now
systemctl enable --now smb.service
- 配置
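# Append the share definition to smb.conf (quoted delimiter keeps it literal).
# The host restriction parameter is documented as "hosts allow" (synonym
# "allow hosts"); the singular "host allow" is not a recognised parameter, and
# smbd ignores unknown parameters -- which would leave the share reachable
# from any host.
cat >> /etc/samba/smb.conf <<'EOF'
[www]
comment = Share /www
path = /www
writable = yes
valid users = smbuser
hosts allow = 10.10.10.
EOF
# testparm reports unknown parameters on stderr; the config dump itself is not needed
testparm -s >/dev/null
# Restart so the running daemon picks up the new share
systemctl restart smb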
- 用户管理
# System account backing the share (no password needed for the OS login)
useradd smbuser
# Register the account in Samba's own password database; the password set
# here ("password" in this lab) is what clients use to connect
smbpasswd -a smbuser
# List the Samba accounts
pdbedit --list
- 目录
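# /www already exists if the NFS step was done on this host; -p keeps the
# step idempotent instead of failing with "File exists".
mkdir -p /www
# Give the share user ownership.
# NOTE(review): this replaces the nfsnobody ownership set for the NFS export
# of the same directory; NFS clients squashed to nfsnobody lose write access
# unless the mode allows it -- settle on one owner/mode for /www.
chown smbuser:smbuser /www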
- 客户端
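# Client tools. mount.cifs itself is provided by cifs-utils, so pull that in
# as well (needed if mount reports an unknown filesystem type "cifs").
yum install -y samba-client cifs-utils
# Keep the share password out of the command line, where it shows up in ps
# output and the shell history; a root-only credentials file is what
# mount.cifs expects instead. (The file path is an example.)
( umask 077; printf 'username=%s\npassword=%s\n' smbuser password > /root/.smbcredentials )
mount -t cifs -o credentials=/root/.smbcredentials //10.10.10.71/www /mnt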
# 测试
[root@localhost ~]# cd /mnt
[root@localhost mnt]# echo test > test.txt
[root@localhost mnt]# cat test.txt
test
[root@localhost mnt]# ls
test.txt
4、使用rsync+inotify实现/www目录实时同步;
(1)主服务器( 10.10.10.71 )
- 创建 /www 目录
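# Source directory to watch; -p avoids an error when /www already exists
# from the NFS/Samba steps on this host.
mkdir -p /www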
- 安装 rsync,inotify-tools
# rsync client plus inotifywait (inotify-tools)
yum -y install rsync inotify-tools
- 生成验证文件
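# Client-side rsync password file: it holds only the password. Create it
# under a restrictive umask so it is never world-readable, not even between
# creation and the chmod; rsync refuses a password file other users can read.
( umask 077; echo "password" > /etc/rsync.pass )
chmod 600 /etc/rsync.pass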
- 自动备份脚本
vim rsync.sh
# 添加以下内容
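#!/bin/bash
# Watch SRC and push it to the rsync daemon on the backup host after every
# change. Runs until killed: inotifywait -m never exits.
SRC='/www/'
DEST='rsyncuser@10.10.10.72::backup'
# Must be mode 0600 (created above); rsync refuses a readable password file.
PASS_FILE='/etc/rsync.pass'
LOG='/var/log/changelist.log'

# %T expands to two words (date, time), %w is the watched directory, %f the
# file name. read -r keeps backslashes intact, and FILE, being the last
# variable, receives the rest of the line, so a file name containing spaces
# survives (a watched *directory* containing spaces would still be split).
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' \
  -e create,delete,moved_to,close_write,attrib "$SRC" |
while read -r DATE TIME DIR FILE; do
  FILEPATH="${DIR}${FILE}"
  # --delete mirrors removals as well; log only when the transfer succeeded
  if rsync -az --delete --password-file="$PASS_FILE" "$SRC" "$DEST"; then
    echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> "$LOG"
  fi
done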
- 授权、执行
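chmod +x rsync.sh
# Detach the watcher from the login session: a job started with a bare "&"
# receives SIGHUP and dies when this shell exits. nohup keeps it running and
# captures rsync/inotifywait errors (log path is an example); a systemd unit
# would be the durable choice.
nohup ./rsync.sh >>/var/log/rsync-watch.log 2>&1 &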
(2)备份服务器( 10.10.10.72 )
- 创建备份目录
# Destination directory for the mirrored data
mkdir -- /backup
- 安装 rsync
# rsync package (also provides the rsyncd daemon unit)
yum -y install rsync
- 配置文件
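# Append the daemon configuration (quoted delimiter keeps the text literal).
# Changes from the original: "use chroot = yes" -- the daemon writes as
# root (uid/gid = root) with read only = no, so path confinement should not
# depend solely on rsync's own path sanitising; chroot is the documented
# default.
# NOTE(review): running the module as root means every pushed file lands as
# root; a dedicated unprivileged uid owning /backup would limit the impact of
# a leaked rsyncuser password -- consider it once the lab works.
cat >> /etc/rsyncd.conf <<'EOF'
uid = root
gid = root
use chroot = yes
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 10.10.10.0/24
[backup]
path = /backup/
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
EOF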
- 生成验证文件
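# Server-side secrets file: user:password pairs for "auth users". Create it
# under a restrictive umask so it is never world-readable, not even between
# creation and the chmod; rsyncd rejects a secrets file other users can read.
( umask 077; echo "rsyncuser:password" > /etc/rsync.pass )
chmod 600 /etc/rsync.pass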
- 启动 rsync 服务
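# Enable at boot as well as start now, consistent with the other services in
# this write-up; a plain "start" leaves the backup target down after a reboot.
systemctl enable --now rsyncd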
5、使用iptables实现: 放行telnet,ftp,web服务,放行samba服务,其他端口服务全部拒绝。
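# Passive FTP (the "227 Entering Passive Mode" replies in the test above)
# opens data connections on random high ports; the FTP conntrack helper marks
# them RELATED so the rule below accepts them. On kernels where automatic
# helper assignment is off (sysctl net.netfilter.nf_conntrack_helper = 0) an
# explicit CT --helper ftp rule in the raw table is needed as well -- confirm.
modprobe nf_conntrack_ftp
# Accept replies to existing connections first so every reply packet matches
# here instead of walking the whole chain.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback must stay open: the final REJECT would otherwise also refuse local
# connections such as the 127.0.0.1 MySQL login tested earlier.
iptables -A INPUT -i lo -j ACCEPT
# ftp data/control (20/21), telnet (23), web (80)
iptables -A INPUT -p tcp -m multiport --dports 20,21,23,80 -j ACCEPT
# samba: SMB over TCP (139/445) plus NetBIOS name/datagram service over UDP
iptables -A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
# Everything else is rejected (with an ICMP error, not a silent drop). Note
# that ssh (22), NFS (111/2049), rsync (873) and MariaDB (3306) from the
# earlier sections are not in the allow list: an existing ssh session
# survives via the ESTABLISHED rule, new remote connections to those services
# do not. The rules are not persisted; save them with iptables-save (or the
# iptables-services package) if they must survive a reboot.
iptables -A INPUT -j REJECT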