十八、FTP檔案儲存共享與iptables規則
阿新 • 發佈:2021-07-13
一.實現基於MYSQL驗證的vsftpd虛擬使用者訪問
1.部署環境
一臺做為FTP伺服器,CentOS 7 IP:10.50.100.22
一臺做MySQL 資料庫伺服器 IP:10.50.100.7
關閉兩臺伺服器上防火牆設定
[root@ftp ~]# systemctl stop firewalld
[root@ftp ~]# setenforce 0
[root@ftp ~]# getenforce
Permissive
[root@mysql ~]# systemctl stop firewalld
[root@mysql ~]# setenforce 0
[root@mysql ~]# getenforce
Permissive
2.在資料庫伺服器上安裝mysql資料庫
[root@mysql ~]# yum -y install mariadb-server
[root@mysql ~]# systemctl enable --now mariadb.service
Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → /usr/lib/systemd/system/mariadb.service.
3.在資料庫服務上配置資料庫支援vsftpd服務
#建立儲存虛擬使用者資料庫和表
[root@mysql ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.28-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> use vsftpd
Database changed
MariaDB [vsftpd]> CREATE TABLE users (
    -> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
    -> name CHAR(50) BINARY NOT NULL,
    -> password CHAR(48) BINARY NOT NULL
    -> );
Query OK, 0 rows affected (0.005 sec)
#新增虛擬使用者,為了安全應該使用PASSWORD函式將其密碼雜湊後再儲存
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftp_wang',password('magedu'));
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftp_mage',password('magedu'));
Query OK, 1 row affected (0.001 sec)
#建立連線的資料庫使用者
MariaDB [vsftpd]> grant select on vsftpd.* to vsftpd@'10.50.100.%' identified by 'magedu';
Query OK, 0 rows affected (0.010 sec)
MariaDB [vsftpd]> flush privileges;
Query OK, 0 rows affected (0.001 sec)
4.在FTP伺服器上安裝vsftpd 和 pam_mysql包
#對於 centos7 和 8:無對應pam_mysql.rpm包,需手動編譯安裝
[root@ftp ~]# yum -y install vsftpd gcc gcc-c++ make mariadb-devel pam-devel
[root@ftp ~]# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
[root@ftp ~]# ll
total 332
-rw-------. 1 root root 1416 Apr 14 16:33 anaconda-ks.cfg
-rw-r--r--. 1 root root 335240 Jul 8 17:07 pam_mysql-0.7RC1.tar.gz
[root@ftp ~]# tar xvf pam_mysql-0.7RC1.tar.gz
[root@ftp ~]# cd pam_mysql-0.7RC1
[root@ftp pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security
[root@ftp pam_mysql-0.7RC1]# make install
[root@ftp pam_mysql-0.7RC1]# ll /lib64/security/pam_mysql*
-rwxr-xr-x. 1 root root 882 Jul 8 17:11 /lib64/security/pam_mysql.la
-rwxr-xr-x. 1 root root 141696 Jul 8 17:11 /lib64/security/pam_mysql.so
5.在FTP伺服器上建立pam認證所需檔案
[root@ftp ~]# vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=magedu host=10.50.100.7 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=magedu host=10.50.100.7 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
6.建立相應使用者和修改vsftpd配置檔案
#建立虛擬使用者對映的系統使用者及對應的目錄
[root@ftp ~]# useradd -s /sbin/nologin -d /data/ftproot -r vuser
#centos7 需除去ftp根目錄的寫許可權
[root@ftp ~]# mkdir -pv /data/ftproot/upload
mkdir: created directory ‘/data/ftproot’
mkdir: created directory ‘/data/ftproot/upload’
[root@ftp ~]# setfacl -m u:vuser:rwx /data/ftproot/upload/
#確保/etc/vsftpd/vsftpd.conf中已經啟用了以下選項
[root@ftp ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
#新增下面兩項
guest_enable=YES
guest_username=vuser
#修改下面一項,原系統使用者無法登入
pam_service_name=vsftpd.mysql
#啟動vsftpd服務
[root@ftp ~]# systemctl start vsftpd
7.測試,使用windows cmd進行FTP訪問
C:\Users\IOIOI>ftp 10.50.100.22
連線到 10.50.100.22。
220 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
使用者(10.50.100.22:(none)): ftp_wang
331 Please specify the password.
密碼:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
upload
226 Directory send OK.
ftp: 收到 11 位元組,用時 0.00秒 11000.00千位元組/秒。
二.通過NFS實現伺服器/www共享訪問。
1.部署環境
一臺做為NFS伺服器,CentOS 7 IP:10.50.100.20
一臺做NFS客戶端,CentOS 7 IP:10.50.100.22
關閉兩臺伺服器上防火牆設定
[root@nfs-server ~]# systemctl stop firewalld
[root@nfs-server ~]# setenforce 0
[root@nfs-server ~]# getenforce
Permissive
[root@nfs-client ~]# systemctl stop firewalld
[root@nfs-client ~]# setenforce 0
[root@nfs-client ~]# getenforce
Permissive
2.NFS伺服器配置
#安裝nfs服務
[root@nfs-server ~]# yum -y install nfs-utils
#建立www目錄
[root@nfs-server ~]# mkdir /www
#配置nfs共享/www目錄
[root@nfs-server ~]# vim /etc/exports
/www 10.50.100.22(rw,root_squash,all_squash)
#啟動nfs-server 服務
[root@nfs-server ~]# systemctl start nfs-server
#利用showmount -e hostname 檢視共享目錄
[root@nfs-server ~]# showmount -e 10.50.100.20
Export list for 10.50.100.20:
/www 10.50.100.22
3.NFS客戶端掛載
[root@nfs-client ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 100G 1002M 99G 1% /
devtmpfs 983M 0 983M 0% /dev
tmpfs 993M 0 993M 0% /dev/shm
tmpfs 993M 17M 976M 2% /run
tmpfs 993M 0 993M 0% /sys/fs/cgroup
/dev/sda2 50G 33M 50G 1% /data
/dev/sda1 1014M 119M 896M 12% /boot
tmpfs 199M 0 199M 0% /run/user/0
[root@nfs-client ~]# mount 10.50.100.20:/www /mnt
[root@nfs-client ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 100G 1.2G 99G 2% /
devtmpfs 983M 0 983M 0% /dev
tmpfs 993M 0 993M 0% /dev/shm
tmpfs 993M 17M 976M 2% /run
tmpfs 993M 0 993M 0% /sys/fs/cgroup
/dev/sda2 50G 33M 50G 1% /data
/dev/sda1 1014M 119M 896M 12% /boot
tmpfs 199M 0 199M 0% /run/user/0
10.50.100.20:/www 100G 1.2G 99G 2% /mnt
4.NFS測試
[root@nfs-client ~]# cd /mnt/
[root@nfs-client mnt]# ls
[root@nfs-client mnt]# ll
total 0
[root@nfs-client mnt]# cp /etc/fstab .
cp: cannot create regular file ‘./fstab’: Permission denied
#NFS伺服器端配置nfsnobody使用者許可權
[root@nfs-server ~]# setfacl -m u:nfsnobody:rwx /www/
[root@nfs-server ~]# getfacl /www/
getfacl: Removing leading '/' from absolute path names
# file: www/
# owner: root
# group: root
user::rwx
user:nfsnobody:rwx
group::r-x
mask::rwx
other::r-x
#驗證測試
[root@nfs-client mnt]# cp /etc/fstab .
[root@nfs-client mnt]# ls
fstab
[root@nfs-client mnt]# mkdir test
[root@nfs-client mnt]# ls
fstab test
[root@nfs-server ~]# ll /www/
total 4
-rw-r--r--. 1 nfsnobody nfsnobody 595 Jan 12 17:03 fstab
drwxr-xr-x. 2 nfsnobody nfsnobody 6 Jan 12 17:04 test
三.配置samba共享,實現/www目錄共享
1.部署環境
一臺做為Samba伺服器,CentOS 7 IP:10.50.100.20
一臺做Samba客戶端,CentOS 7 IP:10.50.100.22
關閉兩臺伺服器上防火牆設定
[root@samba-server ~]# systemctl stop firewalld
[root@samba-server ~]# setenforce 0
[root@samba-server ~]# getenforce
Permissive
[root@samba-client ~]# systemctl stop firewalld
[root@samba-client ~]# setenforce 0
[root@samba-client ~]# getenforce
Permissive
2.Samba伺服器配置
#在samba伺服器上安裝samba包
[root@samba-server ~]# yum -y install samba
#建立samba使用者和組
[root@samba-server ~]# groupadd -r admins
[root@samba-server ~]# useradd -s /sbin/nologin -G admins wang
[root@samba-server ~]# smbpasswd -a wang
New SMB password:
Retype new SMB password:
Added user wang.
[root@samba-server ~]# useradd -s /sbin/nologin mage
[root@samba-server ~]# smbpasswd -a mage
New SMB password:
Retype new SMB password:
Added user mage.
#建立samba共享目錄,並設定SElinux
[root@samba-server ~]# mkdir /www
[root@samba-server ~]# chgrp admins /www
[root@samba-server ~]# chmod 775 /www/
#samba伺服器配置
[root@samba-server ~]# vim /etc/samba/smb.conf
...省略...
[share]
path = /www/
write list = @admins
#啟動samba
[root@samba-server ~]# systemctl enable --now smb nmb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/nmb.service to /usr/lib/systemd/system/nmb.service.
3.Samba客戶端配置與測試
#samba客戶端訪問
[root@samba-client ~]# yum -y install cifs-utils
#用wang使用者掛載smb共享並訪問
[root@samba-client ~]# mkdir /mnt/wang
[root@samba-client ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 100G 1.1G 99G 2% /
devtmpfs 983M 0 983M 0% /dev
tmpfs 993M 0 993M 0% /dev/shm
tmpfs 993M 17M 976M 2% /run
tmpfs 993M 0 993M 0% /sys/fs/cgroup
/dev/sda2 50G 33M 50G 1% /data
/dev/sda1 1014M 119M 896M 12% /boot
tmpfs 199M 0 199M 0% /run/user/0
[root@samba-client ~]# mount -o username=wang,password=magedu //10.50.100.20/www /mnt/wang
[root@samba-client ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 100G 1.1G 99G 2% /
devtmpfs 983M 0 983M 0% /dev
tmpfs 993M 0 993M 0% /dev/shm
tmpfs 993M 17M 976M 2% /run
tmpfs 993M 0 993M 0% /sys/fs/cgroup
/dev/sda2 50G 33M 50G 1% /data
/dev/sda1 1014M 119M 896M 12% /boot
tmpfs 199M 0 199M 0% /run/user/0
//10.50.100.20/www 100G 1.3G 99G 2% /mnt/wang
[root@samba-client ~]# echo "Hello wang" >/mnt/wang/wangfile.txt
#用mage使用者掛載smb共享並訪問
[root@samba-client ~]# mkdir /mnt/mage
[root@samba-client ~]# mount -o username=mage //10.50.100.20/www /mnt/mage
Password for mage@//10.50.100.20/www: ******
[root@samba-client ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 100G 1.1G 99G 2% /
devtmpfs 983M 0 983M 0% /dev
tmpfs 993M 0 993M 0% /dev/shm
tmpfs 993M 17M 976M 2% /run
tmpfs 993M 0 993M 0% /sys/fs/cgroup
/dev/sda2 50G 33M 50G 1% /data
/dev/sda1 1014M 119M 896M 12% /boot
tmpfs 199M 0 199M 0% /run/user/0
//10.50.100.20/www 100G 1.3G 99G 2% /mnt/wang
//10.50.100.20/www 100G 1.3G 99G 2% /mnt/mage
[root@samba-client ~]# touch /mnt/mage/magefile.txt
touch: cannot touch ‘/mnt/mage/magefile.txt’: Permission denied
[root@samba-client ~]# ll /mnt/
total 0
drwxrwxr-x. 2 root printadmin 0 Jan 12 17:14 mage
drwxrwxr-x. 2 root printadmin 0 Jan 12 17:14 wang
[root@samba-client ~]# ll /mnt/wang/
total 4
-rw-r--r--. 1 1000 1000 11 Jan 12 17:14 wangfile.txt
[root@samba-client ~]# ll /mnt/mage/
total 4
-rw-r--r--. 1 1000 1000 11 Jan 12 17:14 wangfile.txt
四.使用rsync+inotify實現/www目錄實時同步
1.部署環境
一臺做為Data伺服器,CentOS 8 IP:10.50.100.7
一臺做為Backup伺服器,CentOS 8 IP:10.50.100.8
關閉兩臺伺服器上防火牆設定
[root@data-server ~]# systemctl stop firewalld
[root@data-server ~]# setenforce 0
[root@data-server ~]# getenforce
Permissive
[root@backup-server ~]# systemctl stop firewalld
[root@backup-server ~]# setenforce 0
[root@backup-server ~]# getenforce
Permissive
2.配置Data伺服器
#安裝rsync包
[root@data-server ~]# dnf -y install rsync rsync-daemon
#建立共享目錄/www,並寫入資料
[root@data-server ~]# mkdir /data/www
[root@data-server ~]# ls /data/www/
f1.txt f2.txt fstab
#建立rsync伺服器的配置檔案
[root@data-server ~]# vi /etc/rsyncd.conf
uid = root
gid = root
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
[www]
path = /data/www/
comment = www dir
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
#伺服器端生成驗證檔案
[root@data-server ~]# echo "rsyncuser:magedu" > /etc/rsync.pass
[root@data-server ~]# chmod 600 /etc/rsync.pass
#伺服器端啟動rsync服務
[root@data-server ~]# rsync --daemon
[root@data-server ~]# systemctl enable --now rsyncd
Created symlink /etc/systemd/system/multi-user.target.wants/rsyncd.service → /usr/lib/systemd/system/rsyncd.service.
3.配置Backup伺服器
#安裝rsync包
[root@backup-server ~]# dnf -y install rsync
#建立備份目錄
[root@backup-server ~]# mkdir -pv /data/backup
mkdir: created directory '/data/backup'
#客戶端配置密碼檔案
[root@backup-server ~]# echo "magedu" > /etc/rsync.pass
[root@backup-server ~]# chmod 600 /etc/rsync.pass
#檢視遠端rsync伺服器的模組資訊
[root@backup-server ~]# rsync rsync://10.50.100.7
www www dir
4.同步測試
#Backup伺服器(注意:此處以 --delete 將尚為空的 /data/backup/ 推送到 Data 伺服器,因此 Data 伺服器上原有的 f1.txt、f2.txt、fstab 會被刪除,見下方輸出)
[root@backup-server ~]# rsync -avz --delete --password-file=/etc/rsync.pass /data/backup/ rsyncuser@10.50.100.7::backup
sending incremental file list
deleting fstab
deleting f2.txt
deleting f1.txt
./
sent 47 bytes received 48 bytes 190.00 bytes/sec
total size is 0 speedup is 0.00
[root@backup-server ~]# ls /data/backup/
[root@backup-server ~]#
#Data伺服器
[root@data-server ~]# ls /data/www/
[root@data-server ~]#
5.配置inotify自動指令碼
#官網(https://github.com/rvoicilas/inotify-tools/wiki)下載inotify-tools,並編譯安裝
[root@backup-server ~]# ll
total 96
-rw-------. 1 root root 1544 Nov 9 2020 anaconda-ks.cfg
-rw-r--r--. 1 root root 485 Jul 13 10:55 inotify_rsync.sh
-rw-r--r--. 1 root root 84827 Jul 13 10:16 inotify-tools-3.20.11.0.tar.gz
[root@backup-server ~]# tar zxvf inotify-tools-3.20.11.0.tar.gz
[root@backup-server ~]# cd inotify-tools-3.20.11.0
[root@backup-server ~]# dnf install autoconf automake libtool make
[root@backup-server ~]# ./autogen.sh && ./configure --prefix=/usr --disable-dependency-tracking && make && su -c 'make install'
#建立inotify指令碼
[root@backup-server ~]# vi inotify_rsync.sh
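#!/bin/bash
# inotify_rsync.sh — watch SRC for file events and mirror it to the rsync
# daemon module DEST after each event, appending one line per sync to LOG.
# Requires: inotify-tools (inotifywait), rsync, and the client-side password
# file /etc/rsync.pass (mode 600).

SRC='/data/backup/'
# NOTE(review): the published listing shows this literal mangled to
# "[email protected]"; user and host are taken from the rsyncd.conf above
# (auth users = rsyncuser) and the rsync://10.50.100.7 module listing — confirm.
# The rsyncd.conf shown above defines module [www], not [backup]; verify the
# module name against the live server configuration.
DEST='rsyncuser@10.50.100.7::backup'
PASS_FILE='/etc/rsync.pass'
LOG='/var/log/changelist.log'

rpm -q rsync &> /dev/null || yum -y install rsync

# Without inotifywait the pipeline below would produce nothing and the script
# would exit 0 while never syncing; fail loudly instead.
command -v inotifywait > /dev/null 2>&1 || {
  echo "inotify_rsync.sh: inotifywait not found; install inotify-tools" >&2
  exit 1
}

# --format '%T %w %f' with this --timefmt prints four fields: DATE TIME DIR FILE.
# FILE receives the remainder of the line, so a file name containing spaces
# survives; a watched directory name containing spaces would not (unchanged
# limitation of the original format).
inotifywait -mrq --exclude=".*\.swp" --timefmt '%Y-%m-%d %H:%M:%S' \
  --format '%T %w %f' -e create,delete,moved_to,close_write,attrib "${SRC}" |
while read -r DATE TIME DIR FILE; do
  FILEPATH="${DIR}${FILE}"
  # --delete makes the remote module an exact mirror of SRC: anything missing
  # locally is removed remotely, so SRC must be the authoritative copy.
  if rsync -az --delete --password-file="${PASS_FILE}" "${SRC}" "${DEST}"; then
    printf 'At %s on %s, file %s was backed up via rsync\n' \
      "${TIME}" "${DATE}" "${FILEPATH}" >> "${LOG}"
  fi
done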
6.測試inotify自動指令碼
[root@data-server ~]# ll /data/www/
total 4
-rw-r--r--. 1 root root 0 Jul 12 17:37 f1.txt
-rw-r--r--. 1 root root 0 Jul 12 17:37 f2.txt
-rw-r--r--. 1 root root 0 Jul 13 10:49 f3.txt
-rw-r--r--. 1 root root 709 Jul 12 17:37 fstab
[root@backup-server ~]# bash inotify_rsync.sh
[root@backup-server ~]# ll /data/backup/
total 4
-rw-r--r--. 1 root root 709 Jul 13 10:54 fstab
[root@backup-server ~]# cp /etc/fstab /data/backup/f1.txt
[root@data-server ~]# ll /data/www/
total 8
-rw-r--r--. 1 root root 709 Jul 13 10:55 f1.txt
-rw-r--r--. 1 root root 709 Jul 13 10:54 fstab
五.使用iptables實現: 放行telnet, ftp, web服務,放行samba服務,其他埠服務全部拒絕
[root@localhost ~]# iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp -m multiport --dports 20:23,80,139,445 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -j DROP
[root@localhost ~]# iptables -A OUTPUT -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 7619 packets, 13M bytes)
pkts bytes target prot opt in out source destination
1139 81548 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 20:23,80,139,445 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,138 state NEW
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5348 packets, 282K bytes)
pkts bytes target prot opt in out source destination
304 31752 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root@localhost ~]#