
vsftpd,nfs,samba,rsync,inotify,iptables

运维开发网 https://www.qedev.com 2020-12-01 12:07 Source: 51CTO Author: 蜗牛漫步者

Lab requirements:

1. Implement MySQL-backed virtual user access for vsftpd

2. Share the server's /www directory via NFS.

3. Configure a samba share for the /www directory

4. Use rsync + inotify for real-time synchronisation of the /www directory

5. Use iptables to allow telnet, ftp and web services, allow the samba service, and reject all other ports

Note: this lab only meets the most basic requirements

Lab environment:

node1: 192.168.2.27   node2: 192.168.2.37

OS: centos7 on both nodes

The three steps before starting the lab

Implementing MySQL-backed virtual user access for vsftpd

1. Install mariadb-devel, pam-devel, vsftpd and gcc with yum on node1

[root@node1 ~]$yum -y install mariadb-devel pam-devel vsftpd gcc gcc-c++
...

2. Compile and install pam_mysql-0.7RC1.tar.gz

[root@node1 ~]$cd /data
[root@node1 data]$ls
pam_mysql-0.7RC1.tar.gz

[root@node1 data]$tar xf pam_mysql-0.7RC1.tar.gz -C /usr/local
[root@node1 data]$cd /usr/local/pam_mysql-0.7RC1/

[root@node1 pam_mysql-0.7RC1]$./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
...
[root@node1 pam_mysql-0.7RC1]$make && make install
...

3. Install the mariadb-server database on node2

[root@node2 ~]$yum -y install mariadb-server
...
[root@node2 ~]$systemctl enable --now mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.

[root@node2 ~]$ss -tnl
State       Recv-Q Send-Q                                            Local Address:Port                                                           Peer Address:Port              
LISTEN      0      100                                                   127.0.0.1:25                                                                        *:*                  
LISTEN      0      50                                                            *:3306                                                                      *:*                  
LISTEN      0      128                                                           *:22                                                                        *:*                  
LISTEN      0      100                                                       [::1]:25                                                                     [::]:*                  
LISTEN      0      128                                                        [::]:22 

4. Create the database and table and grant access to a user

[root@node2 ~]$mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.68-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
| vsftpd             |
+--------------------+
5 rows in set (0.01 sec)

MariaDB [(none)]> use vsftpd
Database changed
MariaDB [vsftpd]> create table users(id int auto_increment not null primary key,name char(50) binary not null, password char(48) binary not null);
Query OK, 0 rows affected (0.02 sec)

MariaDB [vsftpd]> desc users;
+----------+----------+------+-----+---------+----------------+
| Field    | Type     | Null | Key | Default | Extra          |
+----------+----------+------+-----+---------+----------------+
| id       | int(11)  | NO   | PRI | NULL    | auto_increment |
| name     | char(50) | NO   |     | NULL    |                |
| password | char(48) | NO   |     | NULL    |                |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

MariaDB [vsftpd]> grant select on vsftpd.* to vsftpd@'192.168.2.%' identified by 'centos';
Query OK, 0 rows affected (0.00 sec)

MariaDB [vsftpd]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [vsftpd]> \q
Bye

5. Test (skip_name_resolve=on was added to /etc/my.cnf so that MySQL reverse DNS lookups do not interfere)

[root@node2 ~]$mysql -uvsftpd -pcentos -h192.168.2.37
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 21
Server version: 5.5.68-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \q
Bye

6. Add virtual users

MariaDB [vsftpd]> show tables;
+------------------+
| Tables_in_vsftpd |
+------------------+
| users            |
+------------------+
1 row in set (0.00 sec)

MariaDB [vsftpd]> desc users;
+----------+----------+------+-----+---------+----------------+
| Field    | Type     | Null | Key | Default | Extra          |
+----------+----------+------+-----+---------+----------------+
| id       | int(11)  | NO   | PRI | NULL    | auto_increment |
| name     | char(50) | NO   |     | NULL    |                |
| password | char(48) | NO   |     | NULL    |                |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

MariaDB [vsftpd]> insert into users(name,password) values('kyle',password('123.com'));
Query OK, 1 row affected (0.00 sec)
MariaDB [vsftpd]> insert into users(name,password) values('kevin',password('123.com'));
Query OK, 1 row affected (0.00 sec)

MariaDB [vsftpd]> select * from users;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  1 | kyle  | *AC241830FFDDC8943AB31CBD47D758E79F7953EA |
|  2 | kevin | *AC241830FFDDC8943AB31CBD47D758E79F7953EA |
+----+-------+-------------------------------------------+
2 rows in set (0.01 sec)
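kyle and kevin end up with the identical stored value because PASSWORD() is an unsalted hash, and crypt=2 in the PAM file below tells pam_mysql to expect exactly that format. The following shell script is an added example, not part of the original post: it reproduces MariaDB's PASSWORD() with coreutils only, so you can confirm the value in the table above offline and see why the vsftpd database deserves the select-only grant used here and tight permissions on the file that will hold its password.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce MariaDB/MySQL PASSWORD()
# with coreutils only. pam_mysql's crypt=2 expects exactly this format.

# hex2bin: read a hex string on stdin and write the raw bytes, using octal
# printf escapes so it works in dash as well as bash (no xxd needed).
hex2bin() {
    hex=$(cat)
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}   # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# sha1_hex: SHA-1 of stdin as lowercase hex
sha1_hex() { sha1sum | cut -d' ' -f1; }

# mysql_password PASSWORD: '*' + UPPER(HEX(SHA1(SHA1(pw)))), where the outer
# SHA-1 is taken over the 20 raw bytes of the inner digest, not its hex text.
# No salt is involved, which is why kyle and kevin share one stored value above.
mysql_password() {
    inner=$(printf '%s' "$1" | sha1_hex)
    outer=$(printf '%s' "$inner" | hex2bin | sha1_hex)
    printf '*%s\n' "$outer" | tr 'a-f' 'A-F'
}

# usage: sh mysql_password.sh '123.com'   (prints the value stored for kyle and kevin)
if [ -n "${1:-}" ]; then
    mysql_password "$1"
fi
```

Running it with the password used in the insert statements above should print the same value the select shows for both rows; any other password produces a different value, but two accounts that share a password will always share a hash.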

7. Configure vsftpd

Create the PAM authentication file on the FTP server (node1)

[root@node1 pam_mysql-0.7RC1]$cat /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=centos host=192.168.2.37 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=192.168.2.37 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
[root@node1 pam_mysql-0.7RC1]$

8. Configure the virtual account and modify the vsftpd configuration file

[root@node1 ~]$useradd -r -s /sbin/nologin -d /var/ftproot vuser
[root@node1 ~]$mkdir /var/ftproot
[root@node1 ~]$chmod 555 /var/ftproot              # on CentOS 7 the FTP root directory must not be writable
[root@node1 ~]$mkdir /var/ftproot/{upload,pub}
[root@node1 ~]$setfacl -m u:vuser:rwx /var/ftproot/upload/
[root@node1 ~]$vim /etc/vsftpd/vsftpd.conf
write_enable=YES
anon_upload_enable=YES                    # both write_enable and anon_upload_enable must be on for uploads to work
pam_service_name=vsftpd.mysql         # prevents the original system users from logging in
guest_enable=YES
guest_username=vuser

[root@node1 ~]$systemctl enable --now vsftpd
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
[root@node1 ~]$ss -tnl
State       Recv-Q Send-Q                                            Local Address:Port                                                           Peer Address:Port              
LISTEN      0      100                                                   127.0.0.1:25                                                                        *:*                  
LISTEN      0      128                                                           *:22                                                                        *:*                  
LISTEN      0      100                                                       [::1]:25                                                                     [::]:*                  
LISTEN      0      32                                                         [::]:21                                                                     [::]:*                  
LISTEN      0      128                                                        [::]:22                                                                     [::]:*

9. Test from node2

[root@node2 data]$yum -y install lftp
...
[root@node2 data]$touch test.txt
[root@node2 data]$ls
test.txt

[root@node2 data]$lftp -ukyle 192.168.2.27
Password: 
lftp kyle@192.168.2.27:~> ls         
drwxr-xr-x    2 0        0               6 Nov 25 12:18 pub
drwxrwxr-x    2 0        0               6 Nov 25 12:41 upload
lftp kyle@192.168.2.27:/> cd upload/
lftp kyle@192.168.2.27:/upload> ls
lftp kyle@192.168.2.27:/upload> put test.txt
lftp kyle@192.168.2.27:/upload> ls
-rw-------    1 998      996             0 Nov 25 12:41 test.txt
lftp kyle@192.168.2.27:/upload> bye

[root@node1 ~]$ll /var/ftproot/upload
total 0
-rw------- 1 vuser vuser 0 Nov 25 20:41 test.txt

Sharing the server's /www directory via NFS

1. Installing NFS on node1 requires two packages: rpcbind and nfs-utils

[root@node1 ~]$rpm -q nfs-utils
package nfs-utils is not installed
[root@node1 ~]$rpm -q rpcbind
package rpcbind is not installed

[root@node1 ~]$yum -y install nfs-utils rpcbind
...

2. Configure the shared directory /www

[root@node1 ~]$vim /etc/exports
[root@node1 ~]$cat /etc/exports
/www    192.168.2.0/24(ro)

[root@node1 ~]$mkdir /www
[root@node1 ~]$echo /www/nfs.txt > /www/nfs.txt

[root@node1 ~]$systemctl enable --now rpcbind
[root@node1 ~]$systemctl enable --now nfs
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.

3. Test with showmount on node1 first, then install nfs-utils on node2 and run showmount there

[root@node1 ~]$showmount -e 
Export list for node1:
/www 192.168.2.0/24

[root@node2 ~]$yum -y install nfs-utils
...
[root@node2 ~]$mkdir /nfsdir
[root@node2 ~]$showmount -e 192.168.2.27
Export list for 192.168.2.27:
/www 192.168.2.0/24

[root@node2 ~]$mount -t nfs 192.168.2.27:/www /nfsdir/
[root@node2 ~]$cd /nfsdir/
[root@node2 nfsdir]$ls
nfs.txt
[root@node2 nfsdir]$cat nfs.txt 
/www/nfs.txt

Configuring a samba share for the /www directory

1. Install samba on node1

[root@node1 ~]$yum -y install samba
...

2. Configure samba

[root@node1 ~]$vim /etc/samba/smb.conf
[root@node1 ~]$tail -5 /etc/samba/smb.conf
[share]
    comment = This is a share directory
    path = /www
    browsable = yes
    guest ok = yes

[root@node1 ~]$systemctl enable --now smb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
[root@node1 ~]$systemctl enable --now nmb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/nmb.service to /usr/lib/systemd/system/nmb.service

[root@node1 ~]$ss -tnl
State       Recv-Q Send-Q                                            Local Address:Port                                                           Peer Address:Port              
LISTEN      0      100                                                   127.0.0.1:25                                                                        *:*                  
LISTEN      0      50                                                            *:445                                                                       *:*                  
LISTEN      0      64                                                            *:2049                                                                      *:*                  
LISTEN      0      50                                                            *:139                                                                       *:*                  
LISTEN      0      128                                                           *:111                                                                       *:*                  
LISTEN      0      128                                                           *:20048                                                                     *:*                  
LISTEN      0      64                                                            *:40689                                                                     *:*                  
LISTEN      0      128                                                           *:49046                                                                     *:*                  
LISTEN      0      128                                                           *:22                                                                        *:*                  
LISTEN      0      100                                                       [::1]:25                                                                     [::]:*                  
LISTEN      0      50                                                         [::]:445                                                                    [::]:*                  
LISTEN      0      64                                                         [::]:43903                                                                  [::]:*                  
LISTEN      0      64                                                         [::]:2049                                                                   [::]:*                  
LISTEN      0      128                                                        [::]:52388                                                                  [::]:*                  
LISTEN      0      50                                                         [::]:139                                                                    [::]:*                  
LISTEN      0      128                                                        [::]:111                                                                    [::]:*                  
LISTEN      0      128                                                        [::]:20048                                                                  [::]:*                  
LISTEN      0      32                                                         [::]:21                                                                     [::]:*                  
LISTEN      0      128                                                        [::]:22

3. Install samba-client on node2 and test

[root@node2 ~]$yum -y install samba-client
...
[root@node2 ~]$smbclient -L 192.168.2.27
Enter SAMBA\root's password: 
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    share           Disk      This is a share directory
    IPC$            IPC       IPC Service (Samba 4.10.16)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    SAMBA                NODE1
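Both shares above expose /www without any credentials: the NFS export is read-only for 192.168.2.0/24 with the default root_squash, and the samba share has guest ok = yes, which is why smbclient reports "Anonymous login successful". The following shell script is an added example, not part of the original post, and is the check a reviewer would run after such a setup: it reads /etc/exports and smb.conf and reports exports open to everyone or with no_root_squash, and shares that admit guests (and whether those are writable). The configuration snippets it is exercised against at the bottom are constructed from the two files shown on this page plus deliberately bad entries.

```shell
#!/bin/sh
# Added example (not part of the original post): flag anonymous or world-wide
# access in /etc/exports and smb.conf.

# check_exports FILE: one line per finding. Returns 1 for exports to everyone
# ('*' or no client list) or with no_root_squash; rw exports are printed as notes.
check_exports() {
    rc=0
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac
        [ -n "$clients" ] || { echo "$path: exported to everyone (no client list)"; rc=1; continue; }
        for c in $clients; do
            host=${c%%\(*}
            opts=""
            [ "$c" = "$host" ] || { opts=${c#*\(}; opts=${opts%\)}; }   # no "(...)" means defaults: ro,root_squash
            case "$host" in ''|'*') echo "$path: exported to everyone ($c)"; rc=1 ;; esac
            case ",$opts," in *,rw,*) echo "$path: note, writable by $host" ;; esac
            case ",$opts," in *,no_root_squash,*) echo "$path: root squashing disabled for $host"; rc=1 ;; esac
        done
    done < "$1"
    return $rc
}

# smb_flush: report the share collected so far (global and printer sections are skipped).
smb_flush() {
    [ -n "$share" ] || return 0
    case "$share" in global|printers|'print$') return 0 ;; esac
    if [ "$guest" = yes ]; then
        echo "[$share] ($spath): guest access enabled"
        [ "$writ" = yes ] && echo "[$share] ($spath): guest-writable"
        rc=1
    fi
    return 0
}

# check_smb FILE: returns 1 if any non-printer share allows guest access.
check_smb() {
    rc=0; share=''; guest=no; writ=no; spath=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$line" in
            '['*']') smb_flush
                     share=${line#\[}; share=${share%\]}
                     guest=no; writ=no; spath='' ;;
            'guest ok'*=*yes*|'public'*=*yes*) guest=yes ;;
            'writable'*=*yes*|'writeable'*=*yes*|'read only'*=*no*) writ=yes ;;
            'path'*=*) spath=${line#*=}; spath=${spath# } ;;
        esac
    done < "$1"
    smb_flush
    return $rc
}

# usage: sh share_audit.sh /etc/exports /etc/samba/smb.conf
if [ $# -eq 2 ]; then
    check_exports "$1"; e=$?
    check_smb "$2"; s=$?
    exit $((e + s))
fi
```

On the files from this page the export check stays silent and the samba check reports `[share] (/www): guest access enabled`, which is the intended guest share here; the non-zero exit code is what you would wire into a config-review step so that a later edit to rw or no_root_squash does not slip through unnoticed.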

Real-time synchronisation of the /www directory with rsync + inotify

1. Check whether the current system supports inotify

[root@node1 ~]$ll /proc/sys/fs/inotify/
total 0
-rw-r--r-- 1 root root 0 Nov 25 21:41 max_queued_events
-rw-r--r-- 1 root root 0 Nov 25 21:41 max_user_instances
-rw-r--r-- 1 root root 0 Nov 25 21:41 max_user_watches

If the three files above are listed, the current system supports inotify

2. Install inotify-tools (from the EPEL repository)

[root@node1 ~]$yum -y install inotify-tools
...

3. Install rsync

[root@node1 ~]$yum -y install rsync
...

4. Configure key-based login

[root@node1 ~]$ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:i67K4zBEEPaLjEtDMwY2egl9CeWokPgumlcjdW4IYko root@node1
The key's randomart image is:
+---[RSA 2048]----+
|=*.o..           |
|Bo++o            |
|=*+o.            |
|OE= o .          |
|*B.+ +  S        |
|+oo + o. .       |
|= .o o. .        |
|.*o  .           |
|oo+o...          |
+----[SHA256]-----+
[root@node1 ~]$ssh-copy-id 192.168.2.37
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.2.37 (192.168.2.37)' can't be established.
ECDSA key fingerprint is SHA256:lEpmjIrBGcZwxS0Zm28QhHVyVr9tNFH7rk/H4CXRNl4.
ECDSA key fingerprint is MD5:44:18:af:95:83:55:8c:8f:a8:70:49:4e:99:cb:92:f8.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.2.37's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.2.37'"
and check to make sure that only the key(s) you wanted were added.

[root@node1 ~]$ssh 192.168.2.37
Last login: Wed Nov 25 20:30:30 2020 from afocl-605021336.lan
[root@node2 ~]$exit
logout
Connection to 192.168.2.37 closed.
[root@node1 ~]$

5. Write the script

[root@node1 ~]$cat inotify_rsync.sh 
#!/bin/bash
# Watch /www for changes and push the whole tree to node2 after each event.
SRC=/www
DEST='root@192.168.2.37:/backup'
# -m: keep watching, -r: recursive, -q: quiet; each event is printed as "date time dir file"
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' -e create,delete,moved_to,close_write,attrib ${SRC} | while read DATE TIME DIR FILE;do
    FILEPATH=${DIR}${FILE}
    # no trailing slash on SRC, so the tree lands in /backup/www on node2; --delete mirrors removals
    rsync -az --delete ${SRC} ${DEST} && echo "At ${TIME} on ${DATE}, file ${FILEPATH} was backed up via rsync" >> /var/log/changelist.log
done
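The script above does its job, but two things about it matter once it runs unattended: it rides on the unrestricted root key copied to node2 in step 4, so a compromise of node1 is a root shell on node2, and rsync --delete will empty /backup/www the first time an event fires while /www is missing or empty (for instance after an unmount). The following script is an added example, not the author's; it keeps the same inotifywait/rsync loop and adds a helper that prints the authorized_keys line for a key confined to rrsync on /backup, plus a sanity check before each transfer. Its assumptions are not taken from the page: a dedicated key /root/.ssh/sync_key on node1, /usr/bin/rrsync on node2 (the CentOS 7 rsync package ships it under /usr/share/doc/rsync-*/support/, from where it has to be copied), and the restrict option of OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example (not the author's script): the same inotifywait/rsync loop with
# two guards. Assumed, not from the page: a dedicated key /root/.ssh/sync_key on
# node1 and /usr/bin/rrsync on node2.
SRC=${SRC:-/www}
DEST=${DEST:-root@192.168.2.37:/}   # with rrsync the remote path is relative to /backup
KEY=${KEY:-/root/.ssh/sync_key}
LOG=${LOG:-/var/log/changelist.log}
RSYNC=${RSYNC:-rsync}                # overridable so the guards can be exercised without node2

# restricted_key_line PUBKEY_FILE DIR: the authorized_keys entry for node2.
# "restrict" disables pty, agent/port/X11 forwarding; the forced command confines
# the key to rsync transfers under DIR. The key comment is dropped on purpose.
restricted_key_line() {
    dir=$2
    set -- $(cat "$1")
    [ $# -ge 2 ] || return 1
    printf 'command="/usr/bin/rrsync %s",restrict %s %s\n' "$dir" "$1" "$2"
}

# source_sane DIR: true only if DIR exists and is non-empty. Guarding rsync
# --delete with this keeps an unmounted or emptied /www from wiping /backup/www.
source_sane() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# sync_once SRC DEST: one rsync run over ssh with the dedicated key (BatchMode:
# never prompt). Returns 2 without touching the remote if SRC is not sane.
sync_once() {
    if ! source_sane "$1"; then
        echo "refusing to sync: $1 missing or empty" >&2
        return 2
    fi
    "$RSYNC" -az --delete -e "ssh -i $KEY -o BatchMode=yes" "$1" "$2"
}

# watch_and_sync: same event set and log format as the original script.
watch_and_sync() {
    inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' \
        -e create,delete,moved_to,close_write,attrib "$SRC" |
    while read -r date time dir file; do
        sync_once "$SRC" "$DEST" &&
            echo "At $time on $date, file $dir$file was backed up via rsync" >> "$LOG"
    done
}

# usage: sh inotify_rsync.sh run
#    or: sh inotify_rsync.sh key /root/.ssh/sync_key.pub   (line to append on node2)
case "${1:-}" in
    run) watch_and_sync ;;
    key) restricted_key_line "$2" /backup ;;
esac
```

Generate the key with ssh-keygen -f /root/.ssh/sync_key, append the line printed by the key subcommand to /root/.ssh/authorized_keys on node2 instead of running ssh-copy-id, and the root login key from step 4 is no longer needed for the sync at all.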

6. Test (open two terminals on node1, because the terminal running the script blocks)

[root@node1 ~]$./inotify_rsync.sh

[root@node1 ~]$touch /www/2.txt
[root@node1 ~]$touch /www/3.txt
[root@node1 ~]$ls /www/
1.txt    2.txt    3.txt    nfs.txt  test
[root@node2 ~]$ls /backup/www/
1.txt  2.txt  3.txt  nfs.txt  test

[root@node1 ~]$rm -rf /www/nfs.txt
[root@node2 ~]$ls /backup/www/
1.txt  2.txt  3.txt  test

Using iptables to allow telnet, ftp and web services, allow the samba service, and reject all other ports

[root@node1 ~]$iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@node1 ~]$iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
[root@node1 ~]$iptables -A INPUT -p tcp -m multiport --dports 20,21,23,80,139,445 -m state --state NEW -j ACCEPT
[root@node1 ~]$iptables -A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
[root@node1 ~]$iptables -A INPUT -j DROP
[root@node1 ~]$iptables -A OUTPUT -j DROP
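The six commands above do not reach the stated goal. The second rule accepts every new TCP connection before the port list is consulted, so the multiport rule and the final DROP never see a new TCP connection, and -A OUTPUT -j DROP with no preceding OUTPUT ACCEPT drops the server's own replies along with everything else it sends. The following shell script is an added example, not the author's commands: it prints a corrected ruleset in iptables-restore format for the same ports, and includes a small checker that flags ACCEPT rules not scoped to a port, which on the page's own rules reports exactly the second one. Applying the rules needs root; loading nf_conntrack_ftp so that passive-mode FTP data connections count as RELATED is an assumption of this example, not something the page configures.

```shell
#!/bin/sh
# Added example (not the author's commands): corrected ruleset for the requirement
# above, plus a checker for ACCEPT rules that are not scoped to a port.

# Ports from the requirement: ftp data/control, telnet, http, netbios-ssn, microsoft-ds
TCP_PORTS=${TCP_PORTS:-20,21,23,80,139,445}
UDP_PORTS=${UDP_PORTS:-137,138}     # netbios-ns / netbios-dgm

# build_rules: print the ruleset in iptables-restore format. Compared with the
# page's commands: INPUT policy DROP instead of a trailing "-A INPUT -j DROP",
# OUTPUT left ACCEPT (dropping OUTPUT also drops the server's own replies),
# no "--state NEW,ESTABLISHED -j ACCEPT" rule, loopback allowed, INVALID dropped.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m multiport --dports $TCP_PORTS -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports $UDP_PORTS -j ACCEPT
COMMIT
EOF
}

# apply_rules: load the whole table atomically (root only). Passive-mode FTP data
# connections are only matched as RELATED when the FTP conntrack helper is loaded.
apply_rules() {
    modprobe nf_conntrack_ftp 2>/dev/null || true
    build_rules | iptables-restore
}

# audit_rules: read rules on stdin (iptables -S / -A syntax) and report ACCEPT
# rules that are neither port-scoped, loopback-only, nor reply-traffic-only.
# Returns 1 if any such rule was found, so it can gate a deployment.
audit_rules() {
    found=0
    while read -r rule; do
        case "$rule" in
            *"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        case "$rule" in
            *--dport*|*"-i lo"*) continue ;;        # scoped to ports or loopback
            *NEW*) ;;                               # explicitly admits new connections
            *RELATED*|*ESTABLISHED*) continue ;;    # reply traffic only
        esac
        echo "over-broad ACCEPT: $rule"
        found=1
    done
    return $found
}

# usage: sh fw.sh show | apply | audit < saved-rules
case "${1:-}" in
    show)  build_rules ;;
    apply) apply_rules ;;
    audit) audit_rules ;;
esac
```

The port list is exactly the one in the requirement: ssh (22) and the NFS ports (111, 2049) are not in it, so on node1 this ruleset cuts off the NFS export and remote shells, which is what "reject everything else" means; extend TCP_PORTS before applying if those must stay reachable. To check a running box, feed it iptables -S INPUT via the audit subcommand.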
