1、實現基于MYSQL驗證的vsftpd虛擬用戶訪問
FTP服務器:192.168.45.202
數據庫服務器:192.168.45.203
1. FTP服務器安裝ftp、pam_mysql
[root@s202 ~]# yum install vsftpd -y
對于centos7,pam_mysql需要編譯安裝
首先下載pam_mysql
[root@s202 src]# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
解壓pam_mysql
[root@s202 src]# tar xvf pam_mysql-0.7RC1.tar.gz
安裝依賴包,然后對pam_mysql進行編譯安裝
[root@s202 pam_mysql-0.7RC1]# yum -y groupinstall "Development Tools"
[root@s202 pam_mysql-0.7RC1]# yum -y install mariadb-devel pam-devel
[root@s202 pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
[root@s202 pam_mysql-0.7RC1]# make && make install
/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -c pam_mysql.c
mkdir .libs
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -c pam_mysql.c -fPIC -DPIC -o .libs/pam_mysql.o
pam_mysql.c: In function 'pam_mysql_converse':
pam_mysql.c:3192:4: warning: passing argument 2 of 'conv->conv' from incompatible pointer type [enabled by default]
conv->appdata_ptr))) {
^
pam_mysql.c:3192:4: note: expected 'const struct pam_message **' but argument is of type 'struct pam_message **'
/bin/sh ./libtool --mode=link gcc -g -O2 -I/usr/include/mysql -o pam_mysql.la -rpath /lib64/security -module -avoid-version pam_mysql.lo -L/usr/lib64/mysql -lmysqlclient -lpthread -lz -lm -ldl -lssl -lcrypto -lcrypt
gcc -shared .libs/pam_mysql.o -L/usr/lib64/mysql -lmysqlclient -lpthread -lz -lm -ldl -lssl -lcrypto -lcrypt -Wl,-soname -Wl,pam_mysql.so -o .libs/pam_mysql.so
creating pam_mysql.la
(cd .libs && rm -f pam_mysql.la && ln -s ../pam_mysql.la pam_mysql.la)
make[1]: Entering directory `/usr/local/src/pam_mysql-0.7RC1'
/bin/sh ./mkinstalldirs /lib64/security
/bin/sh ./libtool --mode=install /usr/bin/install -c pam_mysql.la /lib64/security/pam_mysql.la
/usr/bin/install -c .libs/pam_mysql.so /lib64/security/pam_mysql.so
/usr/bin/install -c .libs/pam_mysql.lai /lib64/security/pam_mysql.la
PATH="$PATH:/sbin" ldconfig -n /lib64/security
----------------------------------------------------------------------
Libraries have been installed in:
/lib64/security
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
make[1]: Nothing to be done for `install-data-am'.
make[1]: Leaving directory `/usr/local/src/pam_mysql-0.7RC1'
[root@s202 pam_mysql-0.7RC1]# ll /lib64/security/pam_mysql.*
-rwxr-xr-x 1 root root 882 Sep 12 00:18 /lib64/security/pam_mysql.la
-rwxr-xr-x 1 root root 141720 Sep 12 00:18 /lib64/security/pam_mysql.so
2. 數據庫服務器安裝數據庫,并創建虛擬賬號
[root@s203 ~]# yum install mariadb-server -y
[root@s203 ~]# systemctl start mariadb
[root@s203 ~]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
登錄數據庫,創建數據庫及賬號
MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant select on vsftpd.* to vsftpd@'192.168.45.*' identified by 'qwe123';
Query OK, 0 rows affected (0.00 sec)
創(chuàng)建數(shù)據(jù)表,并創(chuàng)建虛擬用戶
MariaDB [(none)]> use vsftpd;
Database changed
MariaDB [vsftpd]> create table user (id int auto_increment not null primary key,name char(50) binary not null,password char(48) binary not null);
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> desc users;
ERROR 1146 (42S02): Table 'vsftpd.users' doesn't exist
MariaDB [vsftpd]> desc user;
+----------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | char(50) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
MariaDB [vsftpd]> insert into user(name,password) values ('yyt',password('qwe123'));
Query OK, 1 row affected (0.00 sec)
MariaDB [vsftpd]> insert into user(name,password) values ('mm',password('qwe123'));
Query OK, 1 row affected (0.00 sec)
MariaDB [vsftpd]> select * from user;
+----+------+-------------------------------------------+
| id | name | password |
+----+------+-------------------------------------------+
| 1 | yyt | *8DCDD69CE7D121DE8013062AEAEB2A148910D50E |
| 2 | mm | *8DCDD69CE7D121DE8013062AEAEB2A148910D50E |
+----+------+-------------------------------------------+
2 rows in set (0.00 sec)
3. 在FTP服務器上配置vsftpd服務
1.在FTP服務器上建立pam認證所需文件
vim /etc/pam.d/vsftpd.mysql 添加如下兩行
auth required pam_mysql.so user=vsftpd passwd=qwe123 host=192.168.45.203 db=vsftpd table=user usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=qwe123 host=192.168.45.203 db=vsftpd table=user usercolumn=name passwdcolumn=password crypt=2
2.建立相應用戶和修改vsftpd配置文件,使其適應mysql認證
建立虛擬用戶映射的系統用戶及對應的目錄
[root@s202 pam_mysql-0.7RC1]# useradd -s /sbin/nologin -d /var/ftproot vuser
[root@s202 pam_mysql-0.7RC1]# chmod 555 /var/ftproot/
[root@s202 pam_mysql-0.7RC1]# mkdir /var/ftproot/{upload,pub} -pv
mkdir: created directory ‘/var/ftproot/upload’
mkdir: created directory ‘/var/ftproot/pub’
[root@s202 pam_mysql-0.7RC1]# setfacl -m u:vuser:rwx /var/ftproot/upload/
檢查修改/etc/vsftpd.conf
(1)確保/etc/vsftpd.conf中已經啟用了以下選項
anonymous_enable=YES
(2)添加下面兩項
guest_enable=YES
guest_username=vuser
(3)修改下面一項,原系統用戶無法登錄
pam_service_name=vsftpd.mysql
4. 啟動ftp,并進行測試
啟動FTP
[root@s202 pam_mysql-0.7RC1]# systemctl start vsftpd
測試
root@ubuntu:~# ftp 192.168.45.202
Connected to 192.168.45.202.
220 (vsFTPd 3.0.2)
Name (192.168.45.202:root): yyt
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Sep 11 16:40 pub
drwxrwxr-x 2 0 0 6 Sep 11 16:40 upload
226 Directory send OK.
2、通過NFS實現服務器/www共享訪問。
1.CentOS7中帶有NFS服務,直接啟動即可
[root@s202 ~]# systemctl start nfs-server
[root@s202 ~]# systemctl enable nfs-server
2.創(chuàng)建要分享的目錄,并授權(quán)
[root@s202 ~]# mkdir /www
[root@s202 ~]# chown nfsnobody /data
3.編輯共享配置文件
[root@s202 ~]# cat /etc/exports
/www 192.168.45.0/24(rw)
4.重讀配置文件使共享生效
[root@s202 ~]# exportfs -r
[root@s202 ~]# showmount -e #查看服務端共享是否存在
Export list for s202:
/www 192.168.45.0/24
5.在客戶端進行掛載測試
root@ubuntu:/# mkdir /www
root@ubuntu:/# mount -t nfs 192.168.45.202:/www /www
mount: /data: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.
客戶端掛載時報錯,在Ubuntu環境下安裝nfs-common包即可
root@ubuntu:/# apt-get install nfs-common
安裝完成后重新掛載
root@ubuntu:/# mount -t nfs 192.168.45.202:/www /www
root@ubuntu:/# df -h
Filesystem Size Used Avail Use% Mounted on
udev 955M 0 955M 0% /dev
tmpfs 198M 9.6M 188M 5% /run
/dev/sda1 196G 4.2G 182G 3% /
tmpfs 986M 0 986M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 986M 0 986M 0% /sys/fs/cgroup
tmpfs 197M 0 197M 0% /run/user/0
overlay 196G 4.2G 182G 3% /var/lib/docker/overlay2/82eb04b48975cc18ee8b9b51c58f4e2d77b847ac2349361952e4600d5a8c1330/merged
shm 64M 0 64M 0% /var/lib/docker/containers/d205ac0909bea88b9fdef109d0cc3828a240b04744eca21cd128f554018f9d83/mounts/shm
192.168.45.202:/www 50G 33M 50G 1% /www
root@ubuntu:/# cd /www/
root@ubuntu:/www# ls
nginx
到此共享設置完成,如果想要永久掛載,則需要在/etc/fstab文件中添加掛載即可
vim /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=0e817721-c384-48ca-ac25-acdaaa2cc2e8 / ext4 errors=remount-ro 0 1
/swapfile none swap sw 0 0
192.168.45.202:/www /www nfs defaults 0 0
mount -a 使掛載生效即可
3、配置samba共享,實現/www目錄共享
1、在samba服務器上安裝samba包
[root@s202 ~]# yum -y install samba
2、創(chuàng)建samba用戶組和用戶
[root@s202 ~]# groupadd -r admins
[root@s202 ~]# useradd -s /sbin/nologin -G admins mm
[root@s202 ~]# smbpasswd -a mm
New SMB password:
Retype new SMB password:
Added user mm.
[root@s202 ~]# useradd -s /sbin/nologin yuan
[root@s202 ~]# smbpasswd -a yuan
New SMB password:
Retype new SMB password:
Added user yuan.
3、創(chuàng)建samba共享目錄
[root@s202 ~]# mkdir /www
[root@s202 ~]# chgrp admins /www
[root@s202 ~]# chmod 2775 /www
4、samba服務器配置,設置允許admins組中的用戶創建、編輯共享目錄文件
vim /etc/samba/smb.conf
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
[share]
path = /www
write list = @admins
5、啟動服務(wù)
[root@s202 ~]# systemctl start smb nmb
[root@s202 ~]# systemctl enable smb nmb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/nmb.service to /usr/lib/systemd/system/nmb.service.
6、在客戶端測試
安裝cifs-utils包
root@ubuntu:~# apt-get -y install cifs-utils
root@ubuntu:~# mkdir /www/mm
root@ubuntu:~# mount -o username=mm //192.168.45.202/share /www/mm
Password for mm@//192.168.45.202/share: ******
root@ubuntu:~# echo hello mm > /www/mm/mmfile.txt
root@ubuntu:~# cat /www/mm/mmfile.txt
hello mm
#由于yuan用戶不在admins用戶組中,所以yuan不能編輯、創(chuàng)建文件
root@ubuntu:~# mkdir /www/yuan
root@ubuntu:~# mount -o username=yuan //192.168.45.202/share /www/yuan
Password for yuan@//192.168.45.202/share: ******
root@ubuntu:~# echo hello yuan > /www/yuan/yuanfile.txt
-bash: /www/yuan/yuanfile.txt: Permission denied
4、使用rsync+inotify實現/www目錄實時同步
數據服務器:192.168.45.202
備份服務器:192.168.45.203
1、在數據服務器端安裝inotify-tools(需要epel源)
[root@s202 ~]# yum -y install inotify-tools
2、在備份服務器端配置rsyncd.conf文件
vim /etc/rsyncd.conf
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.45.0/24
[backup]
path = /backup/
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
3、在備份服務器端生成驗證文件
[root@s203 ~]# echo "rsyncuser:qwe123" > /etc/rsync.pass
[root@s203 ~]# chmod 600 /etc/rsync.pass
4、在備份服務(wù)器端創(chuàng)建備份數(shù)據(jù)存放目錄,并啟動rsync服務(wù)
[root@s203 ~]# mkdir /backup
[root@s203 ~]# systemctl start rsyncd
5、在數據服務器端配置密碼文件,并測試數據同步
[root@s202 ~]# echo "qwe123"> /etc/rsync.pass
[root@s202 ~]# chmod 600 /etc/rsync.pass
[root@s202 ~]# rsync -avz --password-file=/etc/rsync.pass /data/www/ rsyncuser@192.168.45.203::backup
6、在數(shù)據(jù)服務(wù)器端創(chuàng)建監(jiān)控腳本
[root@s202 data]# vim inotify_rsync.sh
[root@s202 data]# cat inotify_rsync.sh
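#!/bin/bash
# Watches SRC with inotifywait and, after every event, mirrors the whole
# tree to the rsync daemon module DEST, appending one line per successful
# sync to /var/log/changelist.log.
# Requires: inotify-tools (inotifywait) and the rsync password in
# /etc/rsync.pass (mode 600; rsync refuses a password file that others can read).
SRC='/data/www/'
DEST='rsyncuser@192.168.45.203::backup'

# One event per line: "<date> <time> <dir> <file>"; the timefmt contains a
# space, so the timestamp occupies the first two fields. read -r keeps
# backslashes in names literal, and FILE absorbs the rest of the line, so
# names containing spaces are not truncated. Expansions are quoted so a
# path with spaces or glob characters is passed as a single argument.
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' \
  -e create,delete,moved_to,close_write,attrib "${SRC}" \
  | while read -r DATE TIME DIR FILE; do
  FILEPATH="${DIR}${FILE}"
  # The full tree is re-synced on every event; --delete also propagates
  # removals, so the backup module must be dedicated to this source.
  if rsync -az --delete --password-file=/etc/rsync.pass "${SRC}" "${DEST}"; then
    echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> /var/log/changelist.log
  fi
done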
7、添加執(zhí)行權(quán)限,并運行測試效果
[root@s202 data]# chmod +x inotify_rsync.sh
[root@s202 data]# ./inotify_rsync.sh
在備份服務器端監控同步效果
[root@s202 data]# watch -n1 ls -l /backup

測試同步成功
5、使用iptables實現: 放行telnet, ftp, web服務,放行samba服務,其他端口服務全部拒絕
- 開放telnet
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 23 -j ACCEPT
- 開放ftp
修改/etc/sysconfig/iptables-config
IPTABLES_MODULES="nf_conntrack_ftp"
[root@centos7 ~]# modprobe nf_conntrack_ftp
[root@centos7 ~]# iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
- 開放web,默認端口80
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- 開放samba
tcp端口139,445,udp端口137,138
[root@centos7 ~]# iptables -A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT
- 禁用其它所有
[root@centos7 ~]# iptables -A INPUT -j REJECT
[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
679 54856 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
197 11820 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 139,445
3 702 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,138
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 644 bytes)
pkts bytes target prot opt in out source destination