十八、FTP文件存储共享与iptables规则
一.实现基于MYSQL验证的vsftpd虚拟用户访问
1.部署环境
一台做为FTP服务器,CentOS 7 IP:10.50.100.22
一台做MySQL 数据库服务器 IP:10.50.100.7
关闭两台服务器上防火墙设置
[root@ftp ~]# systemctl stop firewalld
[root@ftp ~]# setenforce 0
[root@ftp ~]# getenforce
Permissive
[root@mysql ~]# systemctl stop firewalld
[root@mysql ~]# setenforce 0
[root@mysql ~]# getenforce
Permissive
2.在数据库服务器上安装mysql数据库
[root@mysql ~]# yum -y install mariadb-server
[root@mysql ~]# systemctl enable --now mariadb.service
Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → /usr/lib/systemd/system/mariadb.service.
3.在数据库服务上配置数据库支持vsftpd服务
#建立存储虚拟用户数据库和表
[root@mysql ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.28-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> use vsftpd
Database changed
MariaDB [vsftpd]> CREATE TABLE users (
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> );
Query OK, 0 rows affected (0.005 sec)
#添加虚拟用户,为了安全应该使用PASSWORD函数对其密码做哈希后再存储,而不是保存明文
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftp_wang',password('magedu'));
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('ftp_mage',password('magedu'));
Query OK, 1 row affected (0.001 sec)
#创建连接的数据库用户
MariaDB [vsftpd]> grant select on vsftpd.* to vsftpd@'10.50.100.%' identified by 'magedu';
Query OK, 0 rows affected (0.010 sec)
MariaDB [vsftpd]> flush privileges;
Query OK, 0 rows affected (0.001 sec)
4.在FTP服务器上安装vsftpd 和 pam_mysql包
#对于 centos7 和 8:无对应pam_mysql.rpm包,需手动编译安装
[root@ftp ~]# yum -y install vsftpd gcc gcc-c++ make mariadb-devel pam-devel
[root@ftp ~]# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
[root@ftp ~]# ll
total 332
-rw-------. 1 root root 1416 Apr 14 16:33 anaconda-ks.cfg
-rw-r--r--. 1 root root 335240 Jul 8 17:07 pam_mysql-0.7RC1.tar.gz
[root@ftp ~]# tar xvf pam_mysql-0.7RC1.tar.gz
[root@ftp ~]# cd pam_mysql-0.7RC1
[root@ftp pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security
[root@ftp pam_mysql-0.7RC1]# make install
[root@ftp pam_mysql-0.7RC1]# ll /lib64/security/pam_mysql*
-rwxr-xr-x. 1 root root 882 Jul 8 17:11 /lib64/security/pam_mysql.la
-rwxr-xr-x. 1 root root 141696 Jul 8 17:11 /lib64/security/pam_mysql.so
5.在FTP服务器上建立pam认证所需文件
[root@ftp ~]# vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=magedu host=10.50.100.7 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=magedu host=10.50.100.7 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
6.建立相应用户和修改vsftpd配置文件
#建立虚拟用户映射的系统用户及对应的目录
[root@ftp ~]# useradd -s /sbin/nologin -d /data/ftproot -r vuser
#centos7 需除去ftp根目录的写权限
[root@ftp ~]# mkdir -pv /data/ftproot/upload
mkdir: created directory ‘/data/ftproot’
mkdir: created directory ‘/data/ftproot/upload’
[root@ftp ~]# setfacl -m u:vuser:rwx /data/ftproot/upload/
#确保/etc/vsftpd/vsftpd.conf中已经启用了以下选项
[root@ftp ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
#添加下面两项
guest_enable=YES
guest_username=vuser
#修改下面一项,原系统用户无法登录
pam_service_name=vsftpd.mysql
#启动vsftpd服务
[root@ftp ~]# systemctl start vsftpd
7.测试,使用windows cmd进行FTP访问
C:\Users\IOIOI>ftp 10.50.100.22
连接到 10.50.100.22。
220 (vsFTPd 3.0.2)
200 Always in UTF8 mode.
用户(10.50.100.22:(none)): ftp_wang
331 Please specify the password.
密码:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
upload
226 Directory send OK.
ftp: 收到 11 字节,用时 0.00秒 11000.00千字节/秒。
二.通过NFS实现服务器/www共享访问。
1.部署环境
一台做为NFS服务器,CentOS 7 IP:10.50.100.20
一台做NFS客户端,CentOS 7 IP:10.50.100.22
关闭两台服务器上防火墙设置
[root@nfs-server ~]# systemctl stop firewalld
[root@nfs-server ~]# setenforce 0
[root@nfs-server ~]# getenforce
Permissive
[root@nfs-client ~]# systemctl stop firewalld
[root@nfs-client ~]# setenforce 0
[root@nfs-client ~]# getenforce
Permissive
2.NFS服务器配置
#安装nfs服务
[root@nfs-server ~]# yum -y install nfs-utils
#创建www目录
[root@nfs-server ~]# mkdir /www
#配置nfs共享/www目录
[root@nfs-server ~]# vim /etc/exports
/www 10.50.100.22(rw,root_squash,all_squash)
#启动nfs-server 服务
[root@nfs-server ~]# systemctl start nfs-server
#利用showmount -e hostname 查看共享目录
[root@nfs-server ~]# showmount -e 10.50.100.20
Export list for 10.50.100.20:
/www 10.50.100.22
3.NFS客户端挂载
[root@nfs-client ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 100G 1002M 99G 1% /
devtmpfs 983M 0 983M 0% /dev
tmpfs 993M 0 993M 0% /dev/shm
tmpfs 993M 17M 976M 2% /run
tmpfs 993M 0 993M 0% /sys/fs/cgroup
/dev/sda2 50G 33M 50G 1% /data
/dev/sda1 1014M 119M 896M 12% /boot
tmpfs 199M 0 199M 0% /run/user/0
[root@nfs-client ~]# mount 10.50.100.20:/www /mnt
[root@nfs-client ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 100G 1.2G 99G 2% /
devtmpfs 983M 0 983M 0% /dev
tmpfs 993M 0 993M 0% /dev/shm
tmpfs 993M 17M 976M 2% /run
tmpfs 993M 0 993M 0% /sys/fs/cgroup
/dev/sda2 50G 33M 50G 1% /data
/dev/sda1 1014M 119M 896M 12% /boot
tmpfs 199M 0 199M 0% /run/user/0
10.50.100.20:/www 100G 1.2G 99G 2% /mnt
4.NFS测试
[root@nfs-client ~]# cd /mnt/
[root@nfs-client mnt]# ls
[root@nfs-client mnt]# ll
total 0
[root@nfs-client mnt]# cp /etc/fstab .
cp: cannot create regular file ‘./fstab’: Permission denied
#NFS服务器端配置nfsnobody用户权限
[root@nfs-server ~]# setfacl -m u:nfsnobody:rwx /www/
[root@nfs-server ~]# getfacl /www/
getfacl: Removing leading '/' from absolute path names
# file: www/
# owner: root
# group: root
user::rwx
user:nfsnobody:rwx
group::r-x
mask::rwx
other::r-x
#验证测试
[root@nfs-client mnt]# cp /etc/fstab .
[root@nfs-client mnt]# ls
fstab
[root@nfs-client mnt]# mkdir test
[root@nfs-client mnt]# ls
fstab test
[root@nfs-server ~]# ll /www/
total 4
-rw-r--r--. 1 nfsnobody nfsnobody 595 Jan 12 17:03 fstab
drwxr-xr-x. 2 nfsnobody nfsnobody 6 Jan 12 17:04 test
三.配置samba共享,实现/www目录共享
1.部署环境
一台做为Samba服务器,CentOS 7 IP:10.50.100.20
一台做Samba客户端,CentOS 7 IP:10.50.100.22
关闭两台服务器上防火墙设置
[root@samba-server ~]# systemctl stop firewalld
[root@samba-server ~]# setenforce 0
[root@samba-server ~]# getenforce
Permissive
[root@samba-client ~]# systemctl stop firewalld
[root@samba-client ~]# setenforce 0
[root@samba-client ~]# getenforce
Permissive
2.Samba服务器配置
#在samba服务器上安装samba包
[root@samba-server ~]# yum -y install samba
#创建samba用户和组
[root@samba-server ~]# groupadd -r admins
[root@samba-server ~]# useradd -s /sbin/nologin -G admins wang
[root@samba-server ~]# smbpasswd -a wang
New SMB password:
Retype new SMB password:
Added user wang.
[root@samba-server ~]# useradd -s /sbin/nologin mage
[root@samba-server ~]# smbpasswd -a mage
New SMB password:
Retype new SMB password:
Added user mage.
#创建samba共享目录,并设置SElinux
[root@samba-server ~]# mkdir /www
[root@samba-server ~]# chgrp admins /www
[root@samba-server ~]# chmod 775 /www/
#samba服务器配置
[root@samba-server ~]# vim /etc/samba/smb.conf
...省略...
[share]
path = /www/
write list = @admins
#启动samba
[root@samba-server ~]# systemctl enable --now smb nmb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/nmb.service to /usr/lib/systemd/system/nmb.service.
3.Samba客户端配置与测试
#samba客户端访问
[root@samba-client ~]# yum -y install cifs-utils
#用wang用户挂载smb共享并访问
[root@samba-client ~]# mkdir /mnt/wang
[root@samba-client ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 100G 1.1G 99G 2% /
devtmpfs 983M 0 983M 0% /dev
tmpfs 993M 0 993M 0% /dev/shm
tmpfs 993M 17M 976M 2% /run
tmpfs 993M 0 993M 0% /sys/fs/cgroup
/dev/sda2 50G 33M 50G 1% /data
/dev/sda1 1014M 119M 896M 12% /boot
tmpfs 199M 0 199M 0% /run/user/0
[root@samba-client ~]# mount -o username=wang,password=magedu //10.50.100.20/www /mnt/wang
[root@samba-client ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 100G 1.1G 99G 2% /
devtmpfs 983M 0 983M 0% /dev
tmpfs 993M 0 993M 0% /dev/shm
tmpfs 993M 17M 976M 2% /run
tmpfs 993M 0 993M 0% /sys/fs/cgroup
/dev/sda2 50G 33M 50G 1% /data
/dev/sda1 1014M 119M 896M 12% /boot
tmpfs 199M 0 199M 0% /run/user/0
//10.50.100.20/www 100G 1.3G 99G 2% /mnt/wang
[root@samba-client ~]# echo "Hello wang" >/mnt/wang/wangfile.txt
#用mage用户挂载smb共享并访问
[root@samba-client ~]# mkdir /mnt/mage
[root@samba-client ~]# mount -o username=mage //10.50.100.20/www /mnt/mage
Password for mage@//10.50.100.20/www: ******
[root@samba-client ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 100G 1.1G 99G 2% /
devtmpfs 983M 0 983M 0% /dev
tmpfs 993M 0 993M 0% /dev/shm
tmpfs 993M 17M 976M 2% /run
tmpfs 993M 0 993M 0% /sys/fs/cgroup
/dev/sda2 50G 33M 50G 1% /data
/dev/sda1 1014M 119M 896M 12% /boot
tmpfs 199M 0 199M 0% /run/user/0
//10.50.100.20/www 100G 1.3G 99G 2% /mnt/wang
//10.50.100.20/www 100G 1.3G 99G 2% /mnt/mage
[root@samba-client ~]# touch /mnt/mage/magefile.txt
touch: cannot touch ‘/mnt/mage/magefile.txt’: Permission denied
[root@samba-client ~]# ll /mnt/
total 0
drwxrwxr-x. 2 root printadmin 0 Jan 12 17:14 mage
drwxrwxr-x. 2 root printadmin 0 Jan 12 17:14 wang
[root@samba-client ~]# ll /mnt/wang/
total 4
-rw-r--r--. 1 1000 1000 11 Jan 12 17:14 wangfile.txt
[root@samba-client ~]# ll /mnt/mage/
total 4
-rw-r--r--. 1 1000 1000 11 Jan 12 17:14 wangfile.txt
四.使用rsync+inotify实现/www目录实时同步
1.部署环境
一台做为Data服务器,CentOS 8 IP:10.50.100.7
一台做为Backup服务器,CentOS 8 IP:10.50.100.8
关闭两台服务器上防火墙设置
[root@data-server ~]# systemctl stop firewalld
[root@data-server ~]# setenforce 0
[root@data-server ~]# getenforce
Permissive
[root@backup-server ~]# systemctl stop firewalld
[root@backup-server ~]# setenforce 0
[root@backup-server ~]# getenforce
Permissive
2.配置Data服务器
#安装rsync包
[root@data-server ~]# dnf -y install rsync rsync-daemon
#创建共享目录/www,并写入数据
[root@data-server ~]# mkdir /data/www
[root@data-server ~]# ls /data/www/
f1.txt f2.txt fstab
#创建rsync服务器的配置文件
[root@data-server ~]# vi /etc/rsyncd.conf
uid = root
gid = root
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
[www]
path = /data/www/
comment = www dir
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
#服务器端生成验证文件
[root@data-server ~]# echo "rsyncuser:magedu" > /etc/rsync.pass
[root@data-server ~]# chmod 600 /etc/rsync.pass
#服务器端启动rsync服务
[root@data-server ~]# rsync --daemon
[root@data-server ~]# systemctl enable --now rsyncd
Created symlink /etc/systemd/system/multi-user.target.wants/rsyncd.service → /usr/lib/systemd/system/rsyncd.service.
3.配置Backup服务器
#安装rsync包
[root@backup-server ~]# dnf -y install rsync
#创建备份目录
[root@backup-server ~]# mkdir -pv /data/backup
mkdir: created directory '/data/backup'
#客户端配置密码文件
[root@backup-server ~]# echo "magedu" > /etc/rsync.pass
[root@backup-server ~]# chmod 600 /etc/rsync.pass
#查看远程rsync服务器的模块信息
[root@backup-server ~]# rsync rsync://10.50.100.7
www www dir
4.同步测试
#Backup服务器
[root@backup-server ~]# rsync -avz --delete --password-file=/etc/rsync.pass /data/backup/ rsyncuser@10.50.100.7::backup
sending incremental file list
deleting fstab
deleting f2.txt
deleting f1.txt
./
sent 47 bytes received 48 bytes 190.00 bytes/sec
total size is 0 speedup is 0.00
[root@backup-server ~]# ls /data/backup/
[root@backup-server ~]#
#Data服务器
[root@data-server ~]# ls /data/www/
[root@data-server ~]#
4.配置inotify自动脚本
#官网(https://github.com/rvoicilas/inotify-tools/wiki)下载inotify-tools,并编译安装
[root@backup-server ~]# ll
total 96
-rw-------. 1 root root 1544 Nov 9 2020 anaconda-ks.cfg
-rw-r--r--. 1 root root 485 Jul 13 10:55 inotify_rsync.sh
-rw-r--r--. 1 root root 84827 Jul 13 10:16 inotify-tools-3.20.11.0.tar.gz
[root@backup-server ~]# tar zxvf inotify-tools-3.20.11.0.tar.gz
[root@backup-server ~]# cd inotify-tools-3.20.11.0
[root@backup-server ~]# dnf install autoconf automake libtool make
[root@backup-server ~]# ./autogen.sh && ./configure --prefix=/usr --disable-dependency-tracking && make && su -c 'make install'
#创建inotify脚本
[root@backup-server ~]# vi inotify_rsync.sh
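#!/bin/bash
# inotify_rsync.sh — watch SRC for file-system events and mirror the whole
# tree to the rsync daemon module DEST after every event.
#
# Requires: inotify-tools (inotifywait), rsync, and a password file readable
# only by root (the page sets it to mode 600; rsync rejects a looser mode).
# Writes one line per handled event to LOG_FILE.
SRC='/data/backup/'
# NOTE(review): the rsyncd.conf shown earlier defines module [www]; confirm
# that "backup" is the intended module name on the daemon side.
DEST='rsyncuser@10.50.100.7::backup'
PASS_FILE='/etc/rsync.pass'
LOG_FILE='/var/log/changelist.log'

# Make sure the rsync client is present before entering the watch loop.
rpm -q rsync &> /dev/null || yum -y install rsync

# %T expands to two words (date and time) because of --timefmt, %w is the
# watched directory and %f the file name, so `read` binds DATE TIME DIR FILE;
# FILE takes the remainder of the line, so names containing spaces survive.
# `read -r` keeps backslashes in names literal.
inotifywait -mrq --exclude=".*\.swp" --timefmt '%Y-%m-%d %H:%M:%S' --format '%T %w %f' \
  -e create,delete,moved_to,close_write,attrib "${SRC}" |
while read -r DATE TIME DIR FILE; do
  FILEPATH="${DIR}${FILE}"
  # Every event triggers a full-tree sync (no per-file filter); --delete makes
  # the daemon side an exact mirror, so deletions in SRC are propagated too.
  rsync -az --delete --password-file="${PASS_FILE}" "${SRC}" "${DEST}" \
    && echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> "${LOG_FILE}"
done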
5.测试inotify自动脚本
[root@data-server ~]# ll /data/www/
total 4
-rw-r--r--. 1 root root 0 Jul 12 17:37 f1.txt
-rw-r--r--. 1 root root 0 Jul 12 17:37 f2.txt
-rw-r--r--. 1 root root 0 Jul 13 10:49 f3.txt
-rw-r--r--. 1 root root 709 Jul 12 17:37 fstab
[root@backup-server ~]# bash inotify_rsync.sh
[root@backup-server ~]# ll /data/backup/
total 4
-rw-r--r--. 1 root root 709 Jul 13 10:54 fstab
[root@backup-server ~]# cp /etc/fstab /data/backup/f1.txt
[root@data-server ~]# ll /data/www/
total 8
-rw-r--r--. 1 root root 709 Jul 13 10:55 f1.txt
-rw-r--r--. 1 root root 709 Jul 13 10:54 fstab
五.使用iptables实现: 放行telnet, ftp, web服务,放行samba服务,其他端口服务全部拒绝
[root@localhost ~]# iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp -m multiport --dports 20:23,80,139,445 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
[root@localhost ~]# iptables -A INPUT -j DROP
[root@localhost ~]# iptables -A OUTPUT -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 7619 packets, 13M bytes)
pkts bytes target prot opt in out source destination
1139 81548 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 20:23,80,139,445 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,138 state NEW
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5348 packets, 282K bytes)
pkts bytes target prot opt in out source destination
304 31752 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root@localhost ~]#