第十八周

1、实现基于MYSQL验证的vsftpd虚拟用户访问

环境:
192.168.43.127 centos7 mysql
192.168.43.106 centos6 vsfstp pam_mysql

1、127安装数据mariadb-server

[ ~]#yum –y install mariadb-server
[ ~]# systemctl start mariadb.service
[ ~]#systemctl enable mariadb

2、126安装vsftp和pam_mysql

yum install vsftpd pam_mysql

service start vsftpd
chkconfig vsftpd on

3、在数据库服务器上创建虚拟用户账号

[ ~]# mysql -uroot -p123456
MariaDB [(none)]> CREATE DATABASE vsftpd;

Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> SHOW DATABASES; 
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| vsftpd             |
+--------------------+
MariaDB [(none)]>** GRANT SELECT ON vsftpd.* TO   ‘192.168.43.%‘  IDENTIFIED BY ‘123456‘;**
Query OK, 0 rows affected (0.233 sec)
MariaDB [(none)]>** flush privileges;**
Query OK, 0 rows affected (0.133 sec)

MariaDB [(none)]> USE vsftpd;
Database changed

MariaDB [vsftpd]> CREATE TABLE users ( id INT AUTO_INCREMENT NOT NULL PRIMARY KEY, name CHAR(50) BINARY NOT NULL, password CHAR(48) BINARY NOT NULL );
Query OK, 0 rows affected (0.234 sec)

测试连接:

[ ~]#mysql -uvsftpd -h192.168.43.205 -p123456
Welcome to the MySQL monitor.  Commands end with ; or \g.

插入用户:

MariaDB [vsftpd]>  **INSERT INTO users(name,password) values(‘wang‘,password(‘123456‘));**
Query OK, 1 row affected (0.038 sec)

MariaDB [vsftpd]> **INSERT INTO users(name,password) values(‘li‘,password(‘123456‘)); **
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd]> SELECT * FROM users; 
+----+------+-------------------------------------------+
| id | name | password                                  |
+----+------+-------------------------------------------+
|  1 | wang | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
|  2 | li   | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
+----+------+-------------------------------------------+
2 rows in set (0.000 sec)

4、在FTP服务器上建立pam认证所需文件

[ ~]#vim /etc/pam.d/vsftpd.mysql

auth required pam_mysql.so user=vsftpd passwd=123456 host=192.168.43.205 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=123456 host=192.168.43.205 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

5、FTP服务器上创建映射用户:

[ ~]#useradd -s /sbin/nologin -d /var/ftproot vuser
[ ~]#chmod 555 /var/ftproot
[ ~]#mkdir /var/ftproot/{upload,pub}

[ ~]#tree -d /var/ftproot/
/var/ftproot/
├── pub
└── upload

6、配置ftp服务:

修改下列几项配置,使wang用户具有上传下载的权限,li用户使用单独的根文件夹,可以上传下载

[ ~]#**vim /etc/vsftpd/vsftpd.conf **
anonymous_enable=YES
pam_service_name=vsftpd.mysql
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config
[ ~]#tree /etc/vsftpd/vusers_config/
/etc/vsftpd/vusers_config/
├── li
└── wang
wang用户配置文件
[ vusers_config]#cat wang 
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
li用户配置文件
[ vusers_config]#cat li 
local_root=/ftproot_li
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
创建li用户根目录
[ ~]#setfacl -m u:vuser:rwx /var/ftproot/upload
[ ~]#mkdir /ftproot_li 
[ ~]#chmod  555 /ftproot_li 
[ ~]#setfacl -m u:vuser:rwx li

7、重启vsftpd

[ ~]#service vsftpd restart      
Shutting down vsftpd:                                      [FAILED]
Starting vsftpd for vsftpd:                                [  OK  ]
[ ~]#chkconfig vsftpd on

8、验证:
li用户登录,根目录/ftproot_li

[ ~]# ftp 192.168.43.106
Name (192.168.43.106:root): li 
331 Please specify the password.
230 Login successful.
ftp> cd li
250 Directory successfully changed.
ftp> put anaconda-ks.cfg 
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (192,168,43,106,46,74).
150 Ok to send data.
226 Transfer complete.
980 bytes sent in 6.7e-05 secs (14626.86 Kbytes/sec)
ftp> get a
local: a remote: a
227 Entering Passive Mode (192,168,43,106,197,240).
150 Opening BINARY mode data connection for a (2 bytes).
226 Transfer complete.
2 bytes received in 2.1e-05 secs (95.24 Kbytes/sec)
ftp> !ls
2345  a  anaconda-ks.cfg  b  c

wang用户登录,根目录/var/ftproot/

[ ~]# ftp 192.168.43.106

ftp> ls
227 Entering Passive Mode (192,168,43,106,64,16).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Apr 26 01:19 pub
drwxrwxr-x    2 0        0            4096 Apr 26 02:24 upload
226 Directory send OK.
ftp> cd upload
ftp> ls
-rw-------    1 501      501           980 Apr 26 02:24 anaconda-ks.cfg
226 Directory send OK.
ftp> put a
local: a remote: a
227 Entering Passive Mode (192,168,43,106,205,1).
150 Ok to send data.
226 Transfer complete.
2 bytes sent in 0.000109 secs (18.35 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,43,106,165,68).
150 Here comes the directory listing.
-rw-------    1 501      501             2 Apr 26 02:58 a
-rw-------    1 501      501           980 Apr 26 02:24 anaconda-ks.cfg
226 Directory send OK.

2、通过NFS实现服务器/www共享访问。

环境:
nfs服务器192.168.43.197
客户端:192.168.43.205

1、nfs服务器配置

[]#yum -y install nfs-utils
[]#systemctl start nfs 
[]#systemctl enable  nfs
[]#mkdir /www
[]#touch 197.txt
[]#vim /etc/exports
/www  192.168.43.0/24(rw,no_root_squash)   
43.0网络的主机都可以访问/www共享,且具有rw权限,并不对root用户进行压榨
[]#exportfs  -rv
exporting 192.168.43.0/24:/www


2、客户端205:

查看服务器共享信息
[]# showmount -e 192.168.43.197
Export list for 192.168.43.197:
/www 192.168.43.0/24
手动挂载:

[ ~]# mkdir /www
[ ~]# touch 205.txt
[ ~]# mount -o hard,intr,nosuid,nodev,noexec 192.168.43.197:/www /www
[ ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
devtmpfs                 979M     0  979M   0% /dev
tmpfs                    991M     0  991M   0% /dev/shm
tmpfs                    991M  9.6M  981M   1% /run
tmpfs                    991M     0  991M   0% /sys/fs/cgroup
/dev/mapper/centos-root  100G  3.0G   97G   3% /
/dev/sda1                497M  139M  358M  28% /boot
tmpfs                    199M     0  199M   0% /run/user/0
192.168.43.197:/www      100G  7.1G   93G   8% /www

[ ~] ll mkdir /www
-rw-r--r-- 1 root root 0 May 2 18:13 197.txt
第十八周
第十八周

完成

3、配置samba共享,实现/www目录共享

环境:
samba服务器192.168.43.197
客户端:192.168.43.205

1、samba服务器配置

[ ~]#yum install samba
[ ~]#systemctl start smb 
[ ~]#systemctl enable smb
[ ~]#groupadd -r admins 
[ ~]#useradd -s /sbin/nologin -G admins wangyan

添加samba用户

[ ~]#pdbedit  -a wangyan
new password:
retype new password:
[ ~]#useradd -s /sbin/nologin -G admins lucy
[ ~]#smbpasswd  -a lucy
New SMB password:
Retype new SMB password:
Added user lucy.
[ ~]#pdbedit  -L
wangyan:1001:
lucy:1002:

创建共享文件夹:

[ ~]#mkdir /wangyanshare
[ ~]#touch wangyanshare.txt

编辑samba配置文件,添加配置:

[ ~]#vim /etc/samba/smb.conf
[wangyanshare]
comment = wangyan‘s share
path = /wangyanshare
valid users = wangyan,@admins
write list = wangyan
writeable = no
browseable = yes

2、客户端:

[ ~]yum -y install cifs-utils  samba-client

[ ~]# smbclient  -L 192.168.43.197 -Uwangyan
Enter SAMBA\wangyan‘s password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        wangyanshare    Disk      wangyan‘s share
        IPC$            IPC       IPC Service (Samba 4.9.1)
        wangyan         Disk      Home Directories

手动挂载:

[ ~]# mount -o username=wangyan,password=123456  //192.168.43.197/wangyanshare /mnt/wangyan    
[ ~]# df -h
Filesystem                     Size  Used Avail Use% Mounted on
devtmpfs                       979M     0  979M   0% /dev
tmpfs                          991M     0  991M   0% /dev/shm
tmpfs                          991M  9.6M  981M   1% /run
tmpfs                          991M     0  991M   0% /sys/fs/cgroup
/dev/mapper/centos-root        100G  3.0G   97G   3% /
/dev/sda1                      497M  139M  358M  28% /boot
tmpfs                          199M     0  199M   0% /run/user/0
//192.168.43.197/wangyanshare  100G  7.1G   93G   8% /mnt/wangyan

第十八周

4、使用rsync+inotify实现/www目录实时同步

环境:
rsync客户端:192.168.43.197
rsync服务器:192.168.43.187

1、rsync客户端安装配置inotify:
[ ~]#yum -y install inotify-tools

2、配置rsync服务器:

安装rsync

[ ~]#yum -y  install rsync
[ ~]#systemctl start rsyncd
[ ~]#systemctl enable rsyncd

准备账号密码文件

[ ~]#echo "rsyncuser:123456" > /etc/rsync.pass
[ ~]#chmod 600 /etc/rsync.pass

准备同步数据目录

[ ~]#mkdir /backup

改rsync配置文件

[ ~]#vim /etc/rsyncd.conf 
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/ l
og file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.43.0/24

[backup]
        path = /backup
        comment = data backup
        read only = no
        auth users = rsyncuser
        secrets file = /etc/rsync.pass

[ ~]#systemctl restart rsyncd

3、rsync客户端

[ ~]#echo "123456"  > /inotify/rsync.pass
[ ~]#chmod 600 /inotify/rsync.pass
[ ~]#cat /inotify/rsync.pass 
123456
[ ~]#vim /inotify/inotify_rsync.sh 
    #!/bin/bash
    SRC=‘/data/test‘
    DEST=‘::backup‘
    inotifywait -mrq ${SRC} --timefmt "%F %H:%M" --format "%T %w%f  event:%;e" -e  create,delete,moved_to,close_write,attrib| while read DATE TIME DIR FILE;do                                                       
            FILEPATH=${DIR}${FILE}
            rsync -az --delete  --password-file=/inotify/rsync.pass $SRC $DEST && echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> /inotify/changelist.log
    done

4、测试

第十八周

5、使用iptable实现:?放行telnet,?ftp,?web服务,放行samba服务,其他端口服务全部拒绝

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
iptables -A INPUT -p tcp -m multiport --dports  80,443,21,22,23,139,445  -m state --state NEW -j ACCEPT 
iptables -A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
iptables -A OUTPUT  -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP 
iptables -P OUTPUT DROP

第十八周

架构班作业看这里:

1、安装配置promethues和alertmanager,实现对k8s的监控,并将监控数据展示到grafana

相关推荐