- 实现基于MYSQL验证的vsftpd虚拟用户访问
- 于192.168.20.27安装mysql
- 安装mysql
# Install MariaDB (the MySQL-compatible server on CentOS 7), start it and
# make it start on boot.
yum install -y mariadb-server
systemctl start mariadb
systemctl enable mariadb
- 安全配置
# Interactive hardening prompts (root password, anonymous accounts, remote root
# login, test database). Run it before creating the ftp database below.
mysql_secure_installation
- 建库
-- Database that will hold the virtual FTP users table queried by pam_mysql.
CREATE DATABASE ftp;
- 建用户
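-- Account used by pam_mysql on the vsftpd host. The original grant used '%' (any
-- host); restricting it to the vsftpd server (192.168.20.17 on this page) limits
-- where the credential can be used from. pam_mysql only reads the users table, so
-- SELECT alone would do if user inserts are done with a different account.
-- '123' is the example password used throughout this page.
GRANT ALL ON ftp.* TO 'ftp'@'192.168.20.17' IDENTIFIED BY '123';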
- 建表
USE ftp;
SHOW TABLES;
-- Table read by pam_mysql (usercolumn=name, passwdcolumn=password).
-- BINARY makes the comparison case-sensitive.
CREATE TABLE users (
  id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
  name CHAR(50) BINARY NOT NULL,
  password CHAR(48) BINARY NOT NULL
);
- 安装mysql
- 于192.168.20.17安装vsftp
- 安装vsftp
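# The package is named vsftpd (the original line had "vsftp", which does not
# exist; the later mariadb-devel/pam-devel line on this page installs vsftpd too).
yum install -y vsftpd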
- 准备编译pam_mysql
# Build prerequisites for pam_mysql: compiler toolchain plus MariaDB and PAM headers.
yum groupinstall "Development Tools"
yum -y install mariadb-devel pam-devel vsftpd
- 下载pam_mysql
# NOTE(review): this fetches a PAM module's source over plain HTTP. Verify the
# tarball against a checksum/signature published by the project before building
# and installing it into /lib64/security.
wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
- 编译
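# Build and install pam_mysql into the system PAM module directory.
tar xvf pam_mysql-0.7RC1.tar.gz
# Abort if the directory is missing; otherwise configure/make would run in the
# wrong directory.
cd pam_mysql-0.7RC1/ || exit 1
./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
make
make install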
- 配置pam
vi /etc/pam.d/vsftpd.mysql # add the following two lines
# passwd= holds the database password in cleartext; keep this file readable by
# root only. crypt=2 makes pam_mysql compare against MySQL PASSWORD() hashes,
# which matches the INSERT ... password('123') used later on this page — confirm
# against the README of the pam_mysql version you built.
auth required pam_mysql.so user=ftp passwd=123 host=192.168.20.27 db=ftp table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=ftp passwd=123 host=192.168.20.27 db=ftp table=users usercolumn=name passwdcolumn=password crypt=2
- 建立相应用户和修改vsftpd配置文件
# System account that all virtual FTP users are mapped onto.
useradd -s /sbin/nologin -d /var/ftproot vuser
# CentOS 7: the FTP root must not be writable by the mapped user, so drop the write bits
chmod 555 /var/ftproot
mkdir /var/ftproot/{upload,pub}
# Uploads are allowed only under upload/, granted via an ACL on that directory
setfacl -m u:vuser:rwx /var/ftproot/upload
# Make sure the following option is already enabled in /etc/vsftpd.conf
# (on CentOS the file may live under /etc/vsftpd/ — confirm the path):
anonymous_enable=YES
# Add the following items:
guest_enable=YES
guest_username=vuser
anon_upload_enable=YES
# Change the following item; after this, regular system users can no longer log in
pam_service_name=vsftpd.mysql
- 启动vsftpd服务
# Start vsftpd now; add "systemctl enable vsftpd" if it should survive a reboot.
systemctl start vsftpd
- 安装vsftp
- 增加用户
-- Add a virtual user. PASSWORD() produces the hash format pam_mysql's crypt=2
-- expects (see the pam config on this page), so the column never holds cleartext.
-- NOTE(review): PASSWORD() was removed in MySQL 8.0; this page uses mariadb-server,
-- where it is still available.
INSERT users (name,password) VALUE ('chao',password('123'));
- 于192.168.20.27安装mysql
- 通过NFS实现服务器/var/www共享访问
- 安装NFS
# NFS server and client utilities (needed on both the exporting and the mounting host).
yum install -y nfs-utils
- 配置NFS-server
# Export list. NOTE(review): the entry written below uses the wildcard form
# 192.168.20.*; in /etc/exports, wildcards apply to host names, so the CIDR form
# 192.168.20.0/24 (as used in the rsync config on this page) is the reliable way
# to match the subnet. Consider adding sync explicitly to the option list.
vim /etc/exports
/nfsdir 192.168.20.*(rw)
- 建文件夹
# Exported directory, owned by the squashed anonymous NFS user so clients can write.
mkdir /nfsdir
chown nfsnobody /nfsdir
- 开启服务
# Start the NFS server (exports from /etc/exports); enable it if it should persist.
systemctl start nfs-server
- 连接nfs
# Client side: mount the export from the NFS server (192.168.20.17) onto /var/www.
mount 192.168.20.17:/nfsdir /var/www
- 安装NFS
- 配置samba共享,实现/var/www目录共享
- 安装samba服务
# Samba server (smbd/nmbd and the smbpasswd tool).
yum install -y samba
- 创建samba用户和组
# Group that gets write access to the share, plus a Samba-only user in it.
groupadd -r admins
useradd -s /sbin/nologin -G admins chao
# Prompts for the Samba password and stores it in the tdbsam backend
smbpasswd -a chao
- 创建共享目录
# Shared directory: group-owned by admins, setgid so new files inherit the group.
mkdir /smbdir
chgrp admins /smbdir
chmod 2775 /smbdir
- 服务器配置
/etc/samba/smb.conf
security = user
passdb backend = tdbsam
[share]
path = /smbdir
write list = @admins
# Start the SMB file service and the NetBIOS name service.
systemctl start smb nmb
- 客户端访问
# NOTE(review): the password on the command line is visible in `ps` output and in
# shell history. mount.cifs supports -o credentials=<file> (a root-only 600 file
# with username=/password= lines) to avoid that.
mount -o username=chao,password=123 //192.168.20.17/share /var/www
- 安装samba服务
- 用rsync+inotify实现/var/www目录实时同步
- 备份服务器端
- 准备用户名和密码
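# rsyncd secrets file ("user:password"). Create it with restrictive permissions
# from the start: writing it first and chmod-ing afterwards leaves a window in
# which the file has the default umask permissions (usually world-readable).
( umask 077 && printf '%s\n' "rsyncuser:123" > /etc/rsync.pass )
chmod 600 /etc/rsync.pass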
- 准备备份文件夹
# Target directory for the [backup] rsync module.
mkdir /backup
- 配置
# Write the rsync daemon configuration. The delimiter is quoted because the
# content contains nothing to expand.
# NOTE(review): rsync --daemon reads /etc/rsyncd.conf by default; confirm that
# the rsyncd service unit actually points at /etc/rsync.conf before relying on it.
# NOTE(review): the module runs as root with "use chroot = no"; "use chroot = yes"
# confines transfers to the module path and is the safer choice unless there is
# a specific reason against it.
cat > /etc/rsync.conf <<'EOF'
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.20.0/24
[backup]
path = /backup/
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
EOF
- 服务器端启动rsync服务
# Start the rsync daemon. By default it reads /etc/rsyncd.conf — confirm this
# matches the configuration file written above.
systemctl start rsyncd
- 客户端配置密码
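# Client-side password file (password only; the user comes from the rsync URL).
# Created with a restrictive umask so it is never world-readable, not even
# briefly before the chmod.
( umask 077 && printf '%s\n' "123" > /etc/rsync.pass )
chmod 600 /etc/rsync.pass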
- 客户端创建inotify_rsync.sh脚本
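#!/bin/bash
# Watch SRC recursively and push it to the rsync daemon module on every change.
# Each event is logged to /var/log/changelist.log after a successful rsync.
SRC='/smbdir'
# The original page had the destination mangled by the site's e-mail obfuscation;
# the user is rsyncuser (auth users in rsyncd.conf) and the module is "backup".
DEST='rsyncuser@<BACKUP_SERVER_IP>::backup'   # placeholder: set to the rsyncd host
PASSWORD_FILE='/etc/rsync.pass'
LOG='/var/log/changelist.log'

# --format '%T %w %f' with this --timefmt yields: DATE TIME DIR FILE.
# read -r keeps backslashes in names intact; FILE absorbs any remaining words,
# so file names containing spaces are not truncated.
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' \
  -e create,delete,moved_to,close_write,attrib "$SRC" |
while IFS=' ' read -r DATE TIME DIR FILE; do
  FILEPATH="${DIR}${FILE}"
  # Expansions are quoted so paths with spaces or globs reach rsync unchanged.
  if rsync -az --delete --password-file="$PASSWORD_FILE" "$SRC" "$DEST"; then
    printf 'At %s on %s, file %s was backuped up via rsync\n' \
      "$TIME" "$DATE" "$FILEPATH" >> "$LOG"
  fi
done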
# Make the watcher script executable.
chmod +x inotify_rsync.sh
- 客户端安装 screen 和 inotify-tools(epel)
# inotify-tools (inotifywait) comes from EPEL; screen keeps the watcher running
# after the login session ends.
yum install screen inotify-tools -y
- 后台执行
# Runs the watcher in a detached screen session. It will not come back after a
# reboot; a systemd service would, if this is meant to be permanent.
screen ./inotify_rsync.sh
- 准备用户名和密码
- 备份服务器端
- 使用iptable实现: 放行telnet, ftp, web服务,放行samba服务,其他端口服务全部拒绝
- 开放telnet
# Telnet (TCP 23). Note that telnet carries credentials in cleartext; this only
# opens the port as the task requires.
iptables -A INPUT -p tcp --dport 23 -j ACCEPT
- 开放ftp
修改/etc/sysconfig/iptables-config
IPTABLES_MODULES="nf_conntrack_ftp"
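# Load the FTP connection-tracking helper now (the original line had a typo,
# "modproble"); IPTABLES_MODULES in /etc/sysconfig/iptables-config loads it on
# service start.
modprobe nf_conntrack_ftp
# Accept replies and related connections — FTP data channels are RELATED via the
# helper. The original rule was limited to -p tcp, which would also reject UDP
# replies (e.g. DNS answers) once the final REJECT rule is in place, so the
# protocol restriction is dropped.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New FTP control connections.
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT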
- 开启web
# HTTP (TCP 80).
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- 开启samba
# Samba: SMB over TCP 139/445, NetBIOS name/datagram service over UDP 137/138.
iptables -A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT
- 禁用其它所有
# Reject everything not matched above. NOTE(review): nothing above accepts
# loopback traffic (-i lo) or SSH, so local services talking over 127.0.0.1 and
# any remote admin session will be cut off once this rule is appended — add those
# rules before this one if they are needed. These rules are also only in the
# running kernel; persist them (e.g. with the iptables-services save step) if
# they must survive a reboot.
iptables -A INPUT -j REJECT
- 开放telnet
转载自www.cnblogs.com/chaoyiyang/p/12361305.html