
Week 18

Posted: 2020-05-04 09:30:09      Views: 93      Comments: 0

Tags: ever   export   ice   smb   inotify   cond   director   var   inter

1. Implement vsftpd virtual-user access with MySQL-based authentication

Environment:
192.168.43.127 centos7 mysql
192.168.43.106 centos6 vsftpd pam_mysql

1. Install mariadb-server on .127

[root@mysql1 ~]#yum -y install mariadb-server
[root@mysql1 ~]# systemctl start mariadb.service
[root@mysql1 ~]#systemctl enable mariadb

2. Install vsftpd and pam_mysql on .126

yum install vsftpd pam_mysql

service vsftpd start
chkconfig vsftpd on

3. Create the virtual-user accounts on the database server

[root@mysql1 ~]# mysql -uroot -p123456
MariaDB [(none)]> CREATE DATABASE vsftpd;

Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> SHOW DATABASES; 
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| vsftpd             |
+--------------------+
MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO vsftpd@'192.168.43.%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.233 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.133 sec)

MariaDB [(none)]> USE vsftpd;
Database changed

MariaDB [vsftpd]> CREATE TABLE users ( id INT AUTO_INCREMENT NOT NULL PRIMARY KEY, name CHAR(50) BINARY NOT NULL, password CHAR(48) BINARY NOT NULL );
Query OK, 0 rows affected (0.234 sec)

Test the connection:

[root@centos6 ~]#mysql -uvsftpd -h192.168.43.205 -p123456
Welcome to the MySQL monitor.  Commands end with ; or \g.

Insert the users:

MariaDB [vsftpd]> INSERT INTO users(name,password) values('wang',password('123456'));
Query OK, 1 row affected (0.038 sec)

MariaDB [vsftpd]> INSERT INTO users(name,password) values('li',password('123456'));
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd]> SELECT * FROM users; 
+----+------+-------------------------------------------+
| id | name | password                                  |
+----+------+-------------------------------------------+
|  1 | wang | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
|  2 | li   | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
+----+------+-------------------------------------------+
2 rows in set (0.000 sec)

4. Create the PAM configuration file on the FTP server

[root@centos6 ~]#vim /etc/pam.d/vsftpd.mysql

auth required pam_mysql.so user=vsftpd passwd=123456 host=192.168.43.205 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=123456 host=192.168.43.205 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

5. Create the mapped (guest) system user on the FTP server:

[root@centos6 ~]#useradd -s /sbin/nologin -d /var/ftproot vuser
[root@centos6 ~]#chmod 555 /var/ftproot
[root@centos6 ~]#mkdir /var/ftproot/{upload,pub}

[root@centos6 ~]#tree -d /var/ftproot/
/var/ftproot/
├── pub
└── upload

6. Configure the ftp service:

Change the following settings so that user wang can upload and download, and user li gets a separate root directory and can also upload and download

[root@centos6 ~]#vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
pam_service_name=vsftpd.mysql
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config
[root@centos6 ~]#tree /etc/vsftpd/vusers_config/
/etc/vsftpd/vusers_config/
├── li
└── wang
wang's config file
[root@centos6 vusers_config]#cat wang
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
li's config file
[root@centos6 vusers_config]#cat li
local_root=/ftproot_li
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
Grant vuser write access to the upload directory, and create li's root directory
[root@centos6 ~]#setfacl -m u:vuser:rwx /var/ftproot/upload
[root@centos6 ~]#mkdir /ftproot_li
[root@centos6 ~]#chmod 555 /ftproot_li
[root@centos6 ~]#setfacl -m u:vuser:rwx /ftproot_li

7. Restart vsftpd

[root@centos6 ~]#service vsftpd restart      
Shutting down vsftpd:                                      [FAILED]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@centos6 ~]#chkconfig vsftpd on

8. Verification:
Log in as li; the root directory is /ftproot_li

[root@mysql1 ~]# ftp 192.168.43.106
Name (192.168.43.106:root): li 
331 Please specify the password.
230 Login successful.
ftp> cd li
250 Directory successfully changed.
ftp> put anaconda-ks.cfg 
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (192,168,43,106,46,74).
150 Ok to send data.
226 Transfer complete.
980 bytes sent in 6.7e-05 secs (14626.86 Kbytes/sec)
ftp> get a
local: a remote: a
227 Entering Passive Mode (192,168,43,106,197,240).
150 Opening BINARY mode data connection for a (2 bytes).
226 Transfer complete.
2 bytes received in 2.1e-05 secs (95.24 Kbytes/sec)
ftp> !ls
2345  a  anaconda-ks.cfg  b  c

Log in as wang; the root directory is /var/ftproot/

[root@mysql1 ~]# ftp 192.168.43.106

ftp> ls
227 Entering Passive Mode (192,168,43,106,64,16).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Apr 26 01:19 pub
drwxrwxr-x    2 0        0            4096 Apr 26 02:24 upload
226 Directory send OK.
ftp> cd upload
ftp> ls
-rw-------    1 501      501           980 Apr 26 02:24 anaconda-ks.cfg
226 Directory send OK.
ftp> put a
local: a remote: a
227 Entering Passive Mode (192,168,43,106,205,1).
150 Ok to send data.
226 Transfer complete.
2 bytes sent in 0.000109 secs (18.35 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,43,106,165,68).
150 Here comes the directory listing.
-rw-------    1 501      501             2 Apr 26 02:58 a
-rw-------    1 501      501           980 Apr 26 02:24 anaconda-ks.cfg
226 Directory send OK.
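A small audit of a virtual-user setup like the one just verified, added here as an example (it is not code from the original post). Paths are parameters, so it runs on a real host as well as on the constructed copy of the post's configuration built by make_demo_tree, which adds a read-only user "guest" for contrast and uses a placeholder for the database password in the PAM file.

```shell
#!/bin/sh
# Audit a vsftpd virtual-user (guest) setup. Added example, not from the original
# post; file paths are assumptions passed in by the caller.

# Print the value of key $2 from the vsftpd-style key=value file $1 ("" if absent).
vsconf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n1
}

# $1 vsftpd.conf, $2 user_config_dir, $3 PAM service file.
# Prints WRITE/RO per virtual user; returns 1 if the guest setup is broken.
vsftpd_vuser_audit() {
    conf=$1; udir=$2; pamf=$3; rc=0
    [ "$(vsconf_get "$conf" guest_enable)" = YES ] || { echo "ERR guest_enable must be YES"; rc=1; }
    [ -n "$(vsconf_get "$conf" guest_username)" ] || { echo "ERR guest_username unset"; rc=1; }
    [ -n "$(vsconf_get "$conf" pam_service_name)" ] || { echo "ERR pam_service_name unset"; rc=1; }
    # guest_enable alone handles virtual users; anonymous_enable=YES additionally
    # admits the password-less 'anonymous'/'ftp' account.
    [ "$(vsconf_get "$conf" anonymous_enable)" = YES ] && echo "WARN anonymous_enable=YES admits credential-less anonymous logins"
    # The PAM file carries the database password in clear text.
    if [ -f "$pamf" ] && [ "$(stat -c %a "$pamf")" != 600 ]; then
        echo "WARN $pamf mode $(stat -c %a "$pamf"), expected 600 (holds the DB password)"
    fi
    for f in "$udir"/*; do
        [ -f "$f" ] || continue
        u=${f##*/}
        if [ "$(vsconf_get "$f" anon_upload_enable)" = YES ] || [ "$(vsconf_get "$f" anon_other_write_enable)" = YES ]; then
            echo "WRITE $u root=$(vsconf_get "$f" local_root)"
        else
            echo "RO $u"
        fi
    done
    return $rc
}

# Constructed copy of the post's configuration plus a read-only user "guest";
# the PAM line uses a placeholder password. Prints the directory.
make_demo_tree() {
    d=$(mktemp -d); mkdir "$d/vusers_config"
    printf 'anonymous_enable=YES\npam_service_name=vsftpd.mysql\nguest_enable=YES\nguest_username=vuser\nuser_config_dir=%s\n' "$d/vusers_config" > "$d/vsftpd.conf"
    printf 'anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n' > "$d/vusers_config/wang"
    printf 'local_root=/ftproot_li\nanon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n' > "$d/vusers_config/li"
    printf 'anon_upload_enable=NO\n' > "$d/vusers_config/guest"
    printf 'auth required pam_mysql.so user=vsftpd passwd=DB_PASSWORD_PLACEHOLDER db=vsftpd\n' > "$d/vsftpd.mysql"
    chmod 644 "$d/vsftpd.mysql"
    echo "$d"
}
demo=$(make_demo_tree) && vsftpd_vuser_audit "$demo/vsftpd.conf" "$demo/vusers_config" "$demo/vsftpd.mysql"
```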

2. Share the server's /www directory over NFS.

Environment:
NFS server: 192.168.43.197
Client: 192.168.43.205

1. NFS server configuration

[root@197]#yum -y install nfs-utils
[root@197]#systemctl start nfs 
[root@197]#systemctl enable  nfs
[root@197]#mkdir /www
[root@197]#touch 197.txt
[root@197]#vim /etc/exports
/www  192.168.43.0/24(rw,no_root_squash)   
Every host on the 192.168.43.0 network can access the /www share with rw permission, and root is not squashed
[root@197]#exportfs  -rv
exporting 192.168.43.0/24:/www


2. Client .205:

View the server's export list
[root@205]# showmount -e 192.168.43.197
Export list for 192.168.43.197:
/www 192.168.43.0/24
Mount manually:

[root@205 ~]# mkdir /www
[root@205 ~]# touch 205.txt
[root@205 ~]# mount -o hard,intr,nosuid,nodev,noexec 192.168.43.197:/www /www
[root@205 ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
devtmpfs                 979M     0  979M   0% /dev
tmpfs                    991M     0  991M   0% /dev/shm
tmpfs                    991M  9.6M  981M   1% /run
tmpfs                    991M     0  991M   0% /sys/fs/cgroup
/dev/mapper/centos-root  100G  3.0G   97G   3% /
/dev/sda1                497M  139M  358M  28% /boot
tmpfs                    199M     0  199M   0% /run/user/0
192.168.43.197:/www      100G  7.1G   93G   8% /www

[root@205 ~]# ll /www
-rw-r--r-- 1 root root 0 May 2 18:13 197.txt

Done
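An exports audit in the same spirit, added here as an example (not from the original post): it flags the options worth a second look in an /etc/exports file, starting with the no_root_squash entry above. The file path is a parameter; sample_exports writes a constructed file whose first line is the post's entry.

```shell
#!/bin/sh
# Flag risky /etc/exports entries. Added example, not from the original post;
# reads the exports file given as $1 (sample_exports builds a constructed one).

# One line per (path, client): "<path> <client> ok" or "<path> <client> RISK <reasons>".
audit_exports() {
    set -f   # keep "*" in client specs from being glob-expanded
    sed 's/#.*//' "$1" | while read -r path rest; do
        [ -n "$path" ] || continue
        for spec in $rest; do
            client=${spec%%\(*}
            opts=${spec#*\(}; opts=${opts%\)}
            [ "$spec" = "$client" ] && opts=""   # no "(...)": exportfs defaults (ro, root_squash)
            [ -n "$client" ] || client='*'       # "(opts)" with nothing before it means every host
            reason=""
            case "$client" in '*') reason="$reason world-export";; esac
            case ",$opts," in *,no_root_squash,*) reason="$reason no_root_squash(client root acts as server root)";; esac
            case ",$opts," in *,insecure,*) reason="$reason insecure(accepts non-privileged source ports)";; esac
            if [ -n "$reason" ]; then echo "$path $client RISK$reason"; else echo "$path $client ok"; fi
        done
    done
    set +f
}

# Number of risky (path, client) pairs in exports file $1.
exports_risk_count() { audit_exports "$1" | grep -c ' RISK'; }

# Constructed sample; the first entry is the one from the post. Prints the file path.
sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/www  192.168.43.0/24(rw,no_root_squash)
/pub  *(ro)
/home 192.168.43.0/24 (rw)   # space before "(" exports /home to every host
/data 192.168.43.10(rw,sync)
EOF
    echo "$f"
}

audit_exports "$(sample_exports)"
```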

3. Configure a Samba share for the /www directory

Environment:
Samba server: 192.168.43.197
Client: 192.168.43.205

1. Samba server configuration

[root@197 ~]#yum install samba
[root@197 ~]#systemctl start smb 
[root@197 ~]#systemctl enable smb
[root@197 ~]#groupadd -r admins 
[root@197 ~]#useradd -s /sbin/nologin -G admins wangyan

Add the samba users

[root@197 ~]#pdbedit  -a wangyan
new password:
retype new password:
[root@197 ~]#useradd -s /sbin/nologin -G admins lucy
[root@197 ~]#smbpasswd  -a lucy
New SMB password:
Retype new SMB password:
Added user lucy.
[root@197 ~]#pdbedit  -L
wangyan:1001:
lucy:1002:

Create the share directory:

[root@197 ~]#mkdir /wangyanshare
[root@197 ~]#touch wangyanshare.txt

Edit the samba configuration file and add:

[root@197 ~]#vim /etc/samba/smb.conf
[wangyanshare]
comment = wangyan's share
path = /wangyanshare
valid users = wangyan,@admins
write list = wangyan
writeable = no
browseable = yes

2. Client:

[root@205 ~]yum -y install cifs-utils  samba-client

[root@205 ~]# smbclient  -L 192.168.43.197 -Uwangyan 
Enter SAMBA\wangyan's password:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        wangyanshare    Disk      wangyan's share
        IPC$            IPC       IPC Service (Samba 4.9.1)
        wangyan         Disk      Home Directories

Mount manually:

[root@205 ~]# mount -o username=wangyan,password=123456  //192.168.43.197/wangyanshare /mnt/wangyan    
[root@205 ~]# df -h
Filesystem                     Size  Used Avail Use% Mounted on
devtmpfs                       979M     0  979M   0% /dev
tmpfs                          991M     0  991M   0% /dev/shm
tmpfs                          991M  9.6M  981M   1% /run
tmpfs                          991M     0  991M   0% /sys/fs/cgroup
/dev/mapper/centos-root        100G  3.0G   97G   3% /
/dev/sda1                      497M  139M  358M  28% /boot
tmpfs                          199M     0  199M   0% /run/user/0
//192.168.43.197/wangyanshare  100G  7.1G   93G   8% /mnt/wangyan


4. Real-time synchronisation of the /www directory with rsync+inotify

Environment:
rsync client: 192.168.43.197
rsync server: 192.168.43.187

1. Install inotify on the rsync client:
[root@187 ~]#yum -y install inotify-tools

2. Configure the rsync server:

Install rsync

[root@197 ~]#yum -y  install rsync
[root@197 ~]#systemctl start rsyncd
[root@197 ~]#systemctl enable rsyncd

Prepare the account/password file

[root@197 ~]#echo "rsyncuser:123456" > /etc/rsync.pass
[root@197 ~]#chmod 600 /etc/rsync.pass

Prepare the directory that receives the synced data

[root@197 ~]#mkdir /backup

Edit the rsync configuration file

[root@197 ~]#vim /etc/rsyncd.conf 
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.43.0/24

[backup]
        path = /backup
        comment = data backup
        read only = no
        auth users = rsyncuser
        secrets file = /etc/rsync.pass

[root@197 ~]#systemctl restart rsyncd

3. rsync client

[root@187 ~]#echo "123456"  > /inotify/rsync.pass
[root@187 ~]#chmod 600 /inotify/rsync.pass
[root@187 ~]#cat /inotify/rsync.pass 
123456
[root@187 ~]#vim /inotify/inotify_rsync.sh
#!/bin/bash
SRC='/data/test'
DEST='rsyncuser@192.168.43.197::backup'
# Watch SRC recursively; each change yields "date time dir file events", then the whole tree is pushed with rsync.
inotifywait -mrq "${SRC}" --timefmt "%F %H:%M" --format "%T %w %f %;e" \
    -e create,delete,moved_to,close_write,attrib | while read -r DATE TIME DIR FILE EVENT; do
    FILEPATH=${DIR}${FILE}
    rsync -az --delete --password-file=/inotify/rsync.pass "$SRC" "$DEST" \
        && echo "At ${TIME} on ${DATE}, file ${FILEPATH} (${EVENT}) was backed up via rsync" >> /inotify/changelist.log
done

4. Test

5. Use iptables to allow telnet, ftp and web services, allow samba, and reject all other ports and services

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
iptables -A INPUT -p tcp -m multiport --dports  80,443,21,22,23,139,445  -m state --state NEW -j ACCEPT 
iptables -A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
iptables -A OUTPUT  -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP 
iptables -P OUTPUT DROP
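A check of the resulting rule set against that policy, added here as an example (not from the original post). It reads a dump in iptables-save format (sample_dump writes a constructed one matching the six commands above), verifies the DROP policies, the ESTABLISHED,RELATED rule and the required ports, and reports two caveats a practitioner would want: the OUTPUT rule lacks RELATED, and the passive-mode FTP data connections seen in the verification step above only match RELATED when the nf_conntrack_ftp helper is loaded.

```shell
#!/bin/sh
# Check an iptables-save dump against the intended policy (allow telnet, ftp, web,
# samba; drop the rest). Added example, not from the original post; $1 is a dump file.

REQUIRED_TCP="21 22 23 80 443 139 445"
REQUIRED_UDP="137 138"

# Sorted, space-separated ports ACCEPTed in INPUT for protocol $2 (tcp/udp) of dump $1.
accepted_ports() {
    grep -E "^-A INPUT .*-p $2 .*-j ACCEPT" "$1" |
        sed -nE 's/.*--dports? ([0-9,]+).*/\1/p' | tr ',' '\n' | sort -un | tr '\n' ' '
}

# Returns 0 when dump $1 implements the intended policy; prints ERR/WARN/NOTE lines.
check_firewall() {
    dump=$1; rc=0
    grep -q '^:INPUT DROP'  "$dump" || { echo "ERR INPUT policy is not DROP"; rc=1; }
    grep -q '^:OUTPUT DROP' "$dump" || { echo "ERR OUTPUT policy is not DROP"; rc=1; }
    grep -Eq '^-A INPUT .*--(state|ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' "$dump" ||
        { echo "ERR no ESTABLISHED,RELATED accept on INPUT"; rc=1; }
    tcp=" $(accepted_ports "$dump" tcp)"; udp=" $(accepted_ports "$dump" udp)"
    for p in $REQUIRED_TCP; do case "$tcp" in *" $p "*) ;; *) echo "ERR tcp/$p not allowed"; rc=1;; esac; done
    for p in $REQUIRED_UDP; do case "$udp" in *" $p "*) ;; *) echo "ERR udp/$p not allowed"; rc=1;; esac; done
    # Caveats specific to this rule set.
    grep -Eq '^-A OUTPUT .*RELATED' "$dump" ||
        echo "WARN OUTPUT allows NEW,ESTABLISHED only: RELATED traffic such as ICMP error replies is dropped"
    case "$tcp" in *" 21 "*) echo "NOTE passive FTP data connections use ephemeral ports; they match RELATED only with the nf_conntrack_ftp helper loaded";; esac
    return $rc
}

# Constructed dump in iptables-save format, as the post's six commands would produce it.
sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,21,22,23,139,445 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
    echo "$f"
}

check_firewall "$(sample_dump)"
```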


Architecture class homework is here:

1. Install and configure Prometheus and alertmanager to monitor k8s, and display the monitoring data in grafana

Original post: https://blog.51cto.com/5440126/2492199
