1、实现基于MYSQL验证的vsftpd虚拟用户访问
两台服务器:一台ftp服务器192.168.5.11 一台mariadb服务器192.168.5.12
(1)mariadb服务器
yum install -y mariadb-server
systemctl start mariadb
mysql
create database vsftpd ;
use vsftpd ;
CREATE TABLE users (
id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
name CHAR(50) BINARY NOT NULL,
password CHAR(48) BINARY NOT NULL) ;
insert into users (name,password) value('ftpuser1',password('123456')) ;
insert into users (name,password) value('ftpuser2',password('123456'));
grant select on vsftpd.* to vsftpd@'192.168.5.%' identified by '123456';
(2)ftp服务器,安装ftp,编译安装pam_mysql
yum install -y vsftpd
tar -xf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1/
yum install -y gcc gcc-c++ pam-devel mariadb-devel
./configure --with-pam-mods-dir=/lib64/security/
make && make install
(3)创建pam认证文件
vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=123456 host=192.168.5.12 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=123456 host=192.168.5.12 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
(4)创建FTP虚拟用户与共享目录,并修改 /etc/vsftpd/vsftpd.conf
useradd -d /data/ftproot -s /sbin/nologin vuser
chmod 555 /data/ftproot
mkdir /data/ftproot/upload
setfacl -m u:vuser:rwx /data/ftproot/upload
vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql #修改此项
#添加以下三项
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers.d/ #独立用户配置目录
(5)启动FTP服务,用数据库中的用户测试
systemctl start vsftpd
ftp 192.168.5.11
ftpuser1
123456
2、通过NFS实现服务器/www共享访问
(1)NFS服务器配置
systemctl start nfs-server
systemctl enable nfs-server
mkdir /www
vim /etc/exports
/www 192.168.5.0/24(rw,root_squash)   # 网段与括号之间不能有空格,否则(rw,root_squash)会应用到所有主机(*),而192.168.5.0/24只得到默认选项
systemctl start nfs-server
exportfs -v
touch /www/f1.txt
![](https://img2020.cnblogs.com/blog/1111107/202008/1111107-20200830202942676-833370099.png)
(2)客户端挂载NFS目录
showmount -e 192.168.5.11
mount -o rw,nosuid,fg,hard,intr 192.168.5.11:/www /data/
cd /data
ls -l
3、配置samba共享,实现/www目录共享
(1)安装samba包
yum install -y samba
(2)创建samba用户和组,并创建samba共享目录
groupadd -r smbgroup
useradd -s /sbin/nologin -G smbgroup smbuser1
id smbuser1
smbpasswd -a smbuser1
useradd -s /sbin/nologin smbuser2
smbpasswd -a smbuser2
mkdir /www
chgrp smbgroup /www
chmod 2775 /www
ls -ld /www
(3)修改samba配置文件 /etc/samba/smb.conf
vim /etc/samba/smb.conf
[smbshare]
path = /www
writeable = no
write list = @smbgroup
(4)启动samba服务
systemctl start smb nmb
(5)客户端安装cifs-utils包,并挂载
yum install -y cifs-utils
mkdir /data/smbuser1
mkdir /data/smbuser2
mount -o username=smbuser1,password=centos //192.168.5.12/smbshare /data/smbuser1
mount -o username=smbuser2 //192.168.27.27/smbshare /data/smbuser2
4、使用rsync+inotify实现/www目录实时同步
(1)服务端安装inotify-tools软件包(epel源)和 rsync包(光盘yum源)
yum install -y inotify-tools rsync
(2)服务端生成验证文件
echo "rsyncuser:123456" > /etc/rsync.pass
chmod 600 /etc/rsync.pass
(3)服务端准备要备份的目录
mkdir data
(4)服务端修改rsync的配置文件
vim /etc/rsyncd.conf
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.5.0/24
[backup]
path = /data/
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
(5)服务端启动rsync服务
systemctl start rsyncd
(6)客户端配置密码文件
echo "123456" > /etc/rsync.pass
chmod 600 /etc/rsync.pass
(7)客户端测试同步数据
cd /data
touch f1.txt
ll
服务端 ll /data/
rsync -avz --password-file=/etc/rsync.pass /data/ rsyncuser@192.168.5.11::backup
服务端 ll /data/
(8)vim inotify_rsyns.sh
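#!/bin/bash
# Watch SRC with inotifywait and push every change to the rsync daemon at DEST.
# Each filesystem event triggers a full `rsync --delete` of SRC; one line is then
# appended to LOG naming the file that triggered the sync and whether it succeeded.
# Requires: inotify-tools, rsync, and the client password file PASSFILE (mode 600).
SRC='/data/'                              # local directory to watch (trailing / = sync its contents)
DEST='rsyncuser@192.168.5.11::backup'     # rsyncuser@<rsync server IP>::backup
LOG='/var/log/changelist.log'             # where sync results are logged
PASSFILE='/etc/rsync.pass'                # rsync client password file (rsync user password only)

# Fields are separated by '|' instead of spaces so that directory and file
# names containing spaces survive `read`. %T itself contains a space
# ("YYYY-mm-dd HH:MM") and is split into DATE / TIME below.
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T|%w|%f' \
  -e create,delete,moved_to,close_write,attrib "$SRC" |
  while IFS='|' read -r STAMP DIR FILE; do
    DATE=${STAMP%% *}
    TIME=${STAMP#* }
    FILEPATH="${DIR}${FILE}"     # %w is the event's directory, %f the entry inside it
    if rsync -az --delete --password-file="$PASSFILE" "$SRC" "$DEST"; then
      printf 'At %s on %s, file %s was backed up via rsync\n' "$TIME" "$DATE" "$FILEPATH" >> "$LOG"
    else
      # Record failures too: a silent sync failure would leave the backup stale.
      rc=$?
      printf 'At %s on %s, rsync of %s to %s FAILED (exit %d)\n' \
        "$TIME" "$DATE" "$FILEPATH" "$DEST" "$rc" >> "$LOG"
    fi
  done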
5、使用iptable实现: 放行telnet, ftp, web服务,放行samba服务,其他端口服务全部拒绝
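# Accept loopback traffic first: local services talking to 127.0.0.1 would
# otherwise fall through to the final DROP rules.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Replies to already-tracked connections, for every protocol, not only TCP:
# with tcp-only state rules plus the final OUTPUT DROP, any non-TCP reply
# (e.g. the UDP answers of the samba name service accepted on INPUT below)
# could never leave the host.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Outbound connections may still only be initiated over TCP (unchanged).
iptables -A OUTPUT -p tcp -m state --state NEW -j ACCEPT
# Passive-mode FTP data connections arrive on random high ports; they are only
# classified as RELATED (and thus accepted above) when the FTP conntrack
# helper is loaded.
modprobe nf_conntrack_ftp
# New inbound: ftp-data/ftp/ssh/telnet (20-23), http (80), smb (139, 445).
# NOTE(review): the 20:23 range also exposes ssh (22); use 20:21,23 if ssh
# is not meant to be reachable.
iptables -A INPUT -p tcp -m multiport --dports 20:23,80,139,445 -m state --state NEW -j ACCEPT
# New inbound NetBIOS name / datagram service (udp 137, 138).
# NOTE(review): replies to broadcast name queries may still be tracked as NEW;
# if nmbd answers are dropped, also load nf_conntrack_netbios_ns.
iptables -A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
# Everything else is rejected.
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -vnL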