shell示例7
- 实现基于MYSQL验证的vsftpd虚拟用户访问
-
于192.168.20.27安装mysql
- 安装mysql
yum install -y mariadb-server systemctl start mariadb systemctl enable mariadb - 安全配置
mysql_secure_installation - 建库
CREATE DATABASE ftp; - 建用户
GRANT ALL ON ftp.* TO 'ftp'@'%' IDENTIFIED BY '123'; - 建表
USE ftp; SHOW TABLES; CREATE TABLE users ( id INT AUTO_INCREMENT NOT NULL PRIMARY KEY, name CHAR(50) BINARY NOT NULL, password CHAR(48) BINARY NOT NULL );
- 安装mysql
-
于192.168.20.17安装vsftp
- 安装vsftp
yum install -y vsftp - 准备编译pam_mysql
yum groupinstall Development\ Tools
yum -y install mariadb-devel pam-devel vsftpd - 下载pam_mysql
wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz - 编译
tar xvf pam_mysql-0.7RC1.tar.gz cd pam_mysql-0.7RC1/ ./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr make make install - 配置pam
vi /etc/pam.d/vsftpd.mysql # 添加如下两行
auth required pam_mysql.so user=ftp passwd=123 host=192.168.20.27 db=ftp table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=ftp passwd=123 host=192.168.20.27 db=ftp table=users usercolumn=name passwdcolumn=password crypt=2 - 建立相应用户和修改vsftpd配置文件
useradd -s /sbin/nologin -d /var/ftproot vuser chmod 555 /var/ftproot # centos7 需除去ftp根目录的写权限 mkdir /var/ftproot/{upload,pub} setfacl -m u:vuser:rwx /var/ftproot/upload # 确保/etc/vsftpd.conf中已经启用了以下选项 anonymous_enable=YES # 添加下面项 guest_enable=YES guest_username=vuser anon_upload_enable=YES # 修改下面一项,原系统用户无法登录 pam_service_name=vsftpd.mysql - 启动vsftpd服务
systemctl start vsftpd
- 安装vsftp
-
增加用户
INSERT users (name,password) VALUE ('chao',password('123'));
-
- 通过NFS实现服务器/var/www共享访问
- 安装NFS
yum install -y nfs-utils - 配置NFS-server
vim /etc/exports
/nfsdir 192.168.20.*(rw) - 建文件夹
mkdir /nfsdir
chown nfsnobody /nfsdir - 开启服务
systemctl start nfs-server - 连接nfs
mount 192.168.20.17:/nfsdir /var/www
- 安装NFS
- 配置samba共享,实现/var/www目录共享
- 安装samba服务
yum install -y samba - 创建samba用户和组
groupadd -r admins useradd -s /sbin/nologin -G admins chao smbpasswd -a chao - 创建共享目录
mkdir /smbdir chgrp admins /smbdir chmod 2775 /smbdir - 服务器配置
/etc/samba/smb.confsecurity = user passdb backend = tdbsam [share] path = /smbdir write list = @adminssystemctl start smb nmb - 客户端访问
mount -o username=chao,password=123 //192.168.20.17/share /var/www
- 安装samba服务
- 用rsync+inotify实现/var/www目录实时同步
- 备份服务器端
- 准备用户名和密码
echo "rsyncuser:123" > /etc/rsync.pass
chmod 600 /etc/rsync.pass - 准备备份文件夹
mkdir /backup - 配置
cat > /etc/rsync.conf <<EOF uid = root gid = root use chroot = no max connections = 0 ignore errors exclude = lost+found/ log file = /var/log/rsyncd.log pid file = /var/run/rsyncd.pid lock file = /var/run/rsyncd.lock reverse lookup = no hosts allow = 192.168.20.0/24 [backup] path = /backup/ comment = backup read only = no auth users = rsyncuser secrets file = /etc/rsync.pass EOF - 服务器端启动rsync服务
systemctl start rsyncd - 客户端配置密码
echo "123" > /etc/rsync.pass chmod 600 /etc/rsync.pass - 客户端创建inotify_rsync.sh脚本
#!/bin/bash SRC='/smbdir' DEST='rsyncuser@192.168.20.37::backup' inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' -e create,delete,moved_to,close_write,attrib ${SRC} |while read DATE TIME DIR FILE;do FILEPATH=${DIR}${FILE} rsync -az --delete --password-file=/etc/rsync.pass $SRC $DEST && echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> /var/log/changelist.log donechmod +x inotify_rsync.sh - 客户端安装 screen 和 inotify-tools(epel)
yum install screen inotify-tools -y - 后台执行
screen ./inotify_rsync.sh
- 准备用户名和密码
- 备份服务器端
- 使用iptable实现: 放行telnet, ftp, web服务,放行samba服务,其他端口服务全部拒绝
- 开放telnet
iptables -A INPUT -p tcp --dport 23 -j ACCEPT - 开放ftp
修改/etc/sysconfig/iptables-configIPTABLES_MODULES="nf_conntrack_ftp"modproble nf_conntrack_ftp
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT - 开启web
iptables -A INPUT -p tcp --dport 80 -j ACCEPT - 开启samba
iptables -A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT - 禁用其它所有
iptables -A INPUT -j REJECT
- 开放telnet
