File sharing with ftp, nfs and samba, and real-time backup with inotify + rsync

1. Implement vsftpd virtual user access based on mysql authentication

This scenario uses two servers: an FTP server (10.0.1.246) and a database server (10.0.1.244).

1.1 Install Database

[root@c5 ~]#yum -y install mariadb-server
[root@c5 ~]#systemctl start mariadb.service
[root@c5 ~]#systemctl enable mariadb

1.2 Install vsftpd, mariadb-devel, pam-devel and pam_mysql on the FTP server (pam_mysql is not packaged, so it is compiled from source)

[root@c5 ~]# yum install vsftpd mariadb-devel pam-devel -y
[root@c5 ~]# yum -y groupinstall "Development Tools"
[root@c5 src]# tar xvf pam_mysql-0.7RC1.tar.gz
[root@c5 src]# cd pam_mysql-0.7RC1/
[root@c5 pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
[root@c5 pam_mysql-0.7RC1]# make -j 4 && make install

1.3 Create the virtual user accounts on the database server

1.3.1 Create the database that stores the virtual users, and the account vsftpd will use to connect to it

MariaDB [(none)]> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |          
| mysql              |
| performance_schema |
| test               |
| vsftpd             |           
+--------------------+
5 rows in set (0.00 sec)

MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO vsftpd@'%' IDENTIFIED BY 'centos';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

Note: vsftpd@'%' lets this account connect from any host. Because the password has to sit in plain text in the PAM configuration on the FTP server, grant it to that host only (vsftpd@'10.0.1.246'); SELECT is all pam_mysql needs, so grant nothing more.

1.3.2 Create the table that stores the users

MariaDB [(none)]> USE vsftpd;
Database changed
MariaDB [vsftpd]> SHOW TABLES;
Empty set (0.01 sec)

MariaDB [vsftpd]> CREATE TABLE users (
    -> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
    -> name CHAR(50) BINARY NOT NULL,
    -> password CHAR(48) BINARY NOT NULL
    -> );
Query OK, 0 rows affected (0.06 sec)

MariaDB [vsftpd]> DESC users;
+----------+----------+------+-----+---------+----------------+
| Field    | Type     | Null | Key | Default | Extra          |
+----------+----------+------+-----+---------+----------------+
| id       | int(11)  | NO   | PRI | NULL    | auto_increment |
| name     | char(50) | NO   |     | NULL    |                |
| password | char(48) | NO   |     | NULL    |                |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

1.3.3 Test the connection from the FTP server

[root@c5 ~]# yum install mariadb -y
[root@c5 ~]# mysql -uvsftpd -pcentos -h 10.0.1.244 -e "show databases;"
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
| vsftpd             |
+--------------------+

Note: giving the password with -p on the command line leaves it in the shell history and visible in the process list while the command runs; typing it at the prompt (-p alone) or keeping it in a mode-600 ~/.my.cnf avoids both.

1.3.4 Add virtual users

MariaDB [(none)]> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [vsftpd]> INSERT INTO users(name,password) values('test1',password('centos'));
Query OK, 1 row affected (0.01 sec)

MariaDB [vsftpd]> INSERT INTO users(name,password) values('test2',password('centos'));
Query OK, 1 row affected (0.01 sec)

MariaDB [vsftpd]> SELECT * FROM users;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  1 | test1 | *128977E278358FF80A246B5046F51043A2B1FCED |
|  2 | test2 | *128977E278358FF80A246B5046F51043A2B1FCED |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)

PASSWORD() produces MySQL's legacy unsalted SHA1-based hash, which is why test1 and test2 end up with identical hashes above: anyone who can read the table can tell which users share a password, and the hashes crack quickly offline. crypt=2 in the PAM configuration below tells pam_mysql to expect exactly this format, so protect the table instead: only the FTP server's account gets SELECT on it, nobody else gets anything.

1.4 Configure vsftpd service on FTP server

1.4.1 Create the PAM service file for vsftpd on the FTP server

[root@c5 ~]# cat /etc/pam.d/vsftpd.mysql ###New file containing the following two lines
auth required pam_mysql.so user=vsftpd passwd=centos host=10.0.1.244 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=10.0.1.244 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

The file holds the database password in clear text, so make it readable by root only (chmod 600 /etc/pam.d/vsftpd.mysql); vsftpd runs the PAM conversation with root privileges, so nothing else needs to read it.

* auth: the authentication (password check) phase
* account: the account-validity phase; here it runs the same module, so a user that authenticates is also accepted as a valid account
* required: this module must succeed for the stack to succeed
* pam_mysql.so: the module; a bare file name is resolved relative to /lib64/security/ (the --with-pam-mods-dir value used above). Everything after the module name is passed to it as parameters
* user=vsftpd: the MySQL account used to query the database
* passwd=centos: that account's password (stored in clear text here, so keep the file root-readable only)
* host=10.0.1.244: host name or IP address of the MySQL server
* db=vsftpd: the database to query
* table=users: the table holding the virtual users
* usercolumn=name: the column holding the user name
* passwdcolumn=password: the column holding the password hash
* crypt=2: the stored password was produced by MySQL's PASSWORD() function

1.4.2 Establish system users and corresponding directories for virtual user mapping

[root@c5 ~]# useradd -s /sbin/nologin -d /var/ftproot vuser
[root@c5 ~]# chmod 555 /var/ftproot
[root@c5 ~]# mkdir /var/ftproot/{upload,pub}
[root@c5 ~]# setfacl -m u:vuser:rwx /var/ftproot/upload

All virtual users are mapped to the single system account vuser and confined to its home directory. vsftpd refuses to run a chrooted session whose root directory is writable (it aborts the login with a 500 OOPS error), which is why /var/ftproot stays 555 and write access is granted only on upload/ through the ACL.

1.4.3 Modify the configuration file for vsftpd

[root@c5 ~]# cat /etc/vsftpd/vsftpd.conf   ###only the changed and added lines are shown
pam_service_name=vsftpd.mysql  ###change from the default vsftpd to the PAM file created above
guest_enable=YES   ###add these two lines: treat every authenticated user as a guest...
guest_username=vuser   ###...mapped to the system account vuser

Also make sure anonymous_enable=NO unless anonymous access is wanted. Guest users get anonymous-style privileges by default, so uploading into upload/ additionally needs write_enable=YES and anon_upload_enable=YES, or per-user settings through user_config_dir.

1.5 Test

1.5.1 Start vsftpd service

[root@c5 ~]# systemctl start vsftpd

1.5.2 Log in as a virtual user with an FTP client to verify the result

[root@c1 ~]# yum install ftp -y
[root@c1 ~]# ftp c5
Connected to c5 (10.0.1.246).
220 (vsFTPd 3.0.2)
Name (c5:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

2. Share the /www directory via NFS

2.1 The NFS server lives in the kernel; install the user-space tools and start the service

[root@c1 ~]# yum install nfs-utils -y    ###skip if nfs-utils is already installed
[root@c1 ~]# systemctl start nfs-server

2.2 Create a shared directory

[root@c1 ~]# mkdir /www
[root@c1 ~]# chown nfsnobody /www

root_squash (the default, visible in the exportfs -v output below) maps a remote root user to nfsnobody, so the directory is handed to nfsnobody to let the root user on the client write into it.

2.3 Add the export

[root@c1 ~]# cat /etc/exports
/www *(rw)

Note: * exports the directory read-write to every host that can reach the server, and with the default sec=sys the server trusts whatever uid and gid the client presents. Restrict the client list to the hosts that need it (for example /www 10.0.1.0/24(rw,sync)) and apply the change with exportfs -r.

2.4 Testing

2.4.1 View all local exports

[root@c1 ~]# exportfs -v
/www   <world>(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
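As an added example (not code from the original post), the following shell function reads an /etc/exports-style listing from stdin and flags the entries a reviewer would object to: read-write or unrestricted exports to every host, no_root_squash, and insecure. The reason strings and the sample lines in the test are constructed for the example; the parsing follows the path host(options) syntax shown above.

```bash
#!/bin/sh
# Added example: flag risky /etc/exports entries.
# Reads export lines on stdin and prints one "WARN <path> <client> <reason>" line per
# finding; prints nothing for clean entries.
audit_exports() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        set -f                                       # no globbing while splitting (the '*' client)
        set -- $line                                 # $1 = path, $2.. = client(options) specs
        set +f
        path=$1; shift
        if [ $# -eq 0 ]; then
            echo "WARN $path (none) no client list: exported read-only to everyone"
            continue
        fi
        for spec in "$@"; do
            host=${spec%%\(*}                        # text before '(' is the client
            case "$spec" in
                *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;;
                *) opts='' ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "WARN $path $host no_root_squash lets remote root write as local root" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "WARN $path $host insecure accepts requests from unprivileged client ports" ;;
            esac
            if [ "$host" = '*' ] || [ -z "$host" ]; then
                case ",$opts," in
                    *,rw,*) echo "WARN $path $host read-write export to every host" ;;
                    *) echo "WARN $path $host readable by every host" ;;
                esac
            fi
        done
    done
}

# Stand-alone use: audit_exports.sh /etc/exports
if [ -n "${1:-}" ]; then
    audit_exports < "$1"
fi
```

Run it against the live file on the NFS server; the page's /www *(rw) line produces one warning, and a subnet-restricted line with root_squash produces none.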

2.4.2 Mount from a remote host

[root@centos7 ~]# mount 10.0.1.242:/www /mnt/nfsshare/
[root@centos7 ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root   60G   21G   40G  35% /
devtmpfs                 983M     0  983M   0% /dev
tmpfs                   1000M     0 1000M   0% /dev/shm
tmpfs                   1000M   98M  902M  10% /run
tmpfs                   1000M     0 1000M   0% /sys/fs/cgroup
/dev/sda1               1014M  166M  849M  17% /boot
tmpfs                    200M   44K  200M   1% /run/user/0
/dev/sr0                 3.8G  3.8G     0 100% /run/media/root/CentOS_6.10_Final
/dev/sr1                  11G   11G     0 100% /run/media/root/CentOS 7 x86_64
10.0.1.242:/www           42G  1.3G   41G   4% /mnt/nfsshare
[root@centos7 ~]# touch /mnt/nfsshare/test.txt
[root@centos7 ~]# cd /mnt/nfsshare/
[root@centos7 nfsshare]# ls
test.txt
[root@centos7 nfsshare]# cat test.txt 
[root@centos7 nfsshare]# echo 123 > test.txt
[root@centos7 nfsshare]# cat test.txt 
123
[root@c1 ~]# ll /www/
total 0
-rw-r--r-- 1 nfsnobody nfsnobody 0 May 19 10:06 test.txt
[root@c1 ~]# cat /www/test.txt 
123

The file that root wrote on the client shows up owned by nfsnobody on the server: that is root_squash at work.

2.5 Configure mounting at boot via /etc/fstab

[root@centos7 nfsshare]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sat Jan  4 01:52:46 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=24b6bae0-d077-4259-8529-f778c9c120ce /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
10.0.1.242:/www                  /mnt/nfsshare/ nfs     defaults        0 0

systemd recognises nfs as a network filesystem and orders the mount after the network is up. A client that boots while 10.0.1.242 is unreachable will still wait for this mount; add _netdev,nofail to the options if the host must come up regardless.

3. Configure a Samba share (the walkthrough shares /testdir/smbshare)

3.1 Install samba packages on samba servers

[root@c4 ~]# yum -y install samba

3.2 Create samba users and groups

[root@c4 ~]# groupadd -r admins
[root@c4 ~]# useradd -s /sbin/nologin -G admins rick
[root@c4 ~]# smbpasswd -a rick
New SMB password:
Retype new SMB password:
Added user rick.
[root@c4 ~]# useradd -s /sbin/nologin mage
[root@c4 ~]# smbpasswd -a mage
New SMB password:
Retype new SMB password:
Added user mage.
[root@c4 ~]#

3.3 Create samba shared directory

[root@c4 ~]# mkdir -p /testdir/smbshare
[root@c4 ~]# chgrp admins /testdir/smbshare
[root@c4 ~]# chmod 2775 /testdir/smbshare   ###setgid: files created inside inherit the admins group

3.4 Samba server configuration

vim /etc/samba/smb.conf    ###Add the following share definition at the end
[share]
path = /testdir/smbshare
write list = @admins
[root@c4 ~]# systemctl start smb nmb

Shares are read-only by default (read only = yes), so only members of admins, named through write list, may write; every other valid Samba account can read.

3.5 samba client access

3.5.1 Install the client

[root@c5 ~]# yum -y install cifs-utils

3.5.2 Mount the share as rick and access it

[root@c5 ~]# mkdir /mnt/rick
[root@c5 ~]# mount -o username=rick //10.0.1.245/share /mnt/rick/
Password for rick@//10.0.1.245/share:  ******
[root@c5 ~]# df -h
Filesystem          Size  Used Avail Use% Mounted on
/dev/sda2            42G  1.7G   40G   5% /
devtmpfs            909M     0  909M   0% /dev
tmpfs               920M     0  920M   0% /dev/shm
tmpfs               920M   17M  903M   2% /run
tmpfs               920M     0  920M   0% /sys/fs/cgroup
/dev/sda1           497M  130M  367M  27% /boot
tmpfs               184M     0  184M   0% /run/user/0
//10.0.1.245/share   42G  1.3G   41G   3% /mnt/rick
[root@c5 ~]# echo "Hello rick." > /mnt/rick/rick.txt
[root@c4 ~]# ls /testdir/smbshare/ -l
total 4
-rwxr--r-- 1 rick admins 12 May 19 15:41 rick.txt
[root@c4 ~]# cat /testdir/smbshare/rick.txt 
Hello rick.

The file is group-owned by admins because of the setgid bit on the directory, but Samba's default create mask (0744) gives the group no write bit, so other admins members cannot modify rick's file; set create mask = 0664 and directory mask = 2775 in the share if the group is meant to edit each other's files.

3.5.3 Mount the share as mage and access it

[root@c5 ~]# mkdir /mnt/mage
[root@c5 ~]# mount -o username=mage //10.0.1.245/share /mnt/mage/
Password for mage@//10.0.1.245/share:  ******
[root@c5 ~]# df -h
Filesystem          Size  Used Avail Use% Mounted on
/dev/sda2            42G  1.7G   40G   5% /
devtmpfs            909M     0  909M   0% /dev
tmpfs               920M     0  920M   0% /dev/shm
tmpfs               920M   17M  903M   2% /run
tmpfs               920M     0  920M   0% /sys/fs/cgroup
/dev/sda1           497M  130M  367M  27% /boot
tmpfs               184M     0  184M   0% /run/user/0
//10.0.1.245/share   42G  1.3G   41G   3% /mnt/rick
//10.0.1.245/share   42G  1.3G   41G   3% /mnt/mage
[root@c5 ~]# touch /mnt/mage/magefile.txt
touch: cannot touch '/mnt/mage/magefile.txt': Permission denied
###Note: mage is not a member of the admins group, so mage has no write permission on the share

4. Real-time synchronization of the /data directory using rsync + inotify

4.1 How real-time synchronization works

1. inotify watches the directory on the data server and reports every change in it
2. On each change, rsync pushes the directory to the backup server
3. A script ties the two together

4.2 Check that the server kernel supports inotify

[root@c5 ~]# ll /proc/sys/fs/inotify   #If these three files are listed, the kernel supports inotify
total 0
-rw-r--r-- 1 root root 0 May 19 15:57 max_queued_events
-rw-r--r-- 1 root root 0 May 19 15:57 max_user_instances
-rw-r--r-- 1 root root 0 May 19 15:57 max_user_watches

4.3 Install inotify-tools and set up rsync

4.3.1 Install the EPEL repository

[root@c5 ~]# yum install epel-release.noarch -y

4.3.2 Install inotify-tools

[root@c5 ~]# yum install inotify-tools -y

4.3.3 Configure the rsync daemon on the backup server (c4)

[root@c4 ~]# cat /etc/rsyncd.conf
# /etc/rsyncd: configuration file for rsync daemon mode

# See rsyncd.conf man page for more options.

# configuration example:

uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 10.0.1.0/24

[backup]
path = /backup
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass

Two settings deserve a second look before this leaves the lab. uid = root, gid = root and use chroot = no mean an authenticated client writes as root, limited only by path, and a --delete from a compromised client empties /backup; a dedicated account and use chroot = yes contain that. hosts allow limits clients to the subnet, but the daemon protocol carries the data unencrypted (only the login is a challenge-response), so tunnel it over ssh when the network is not trusted.

4.3.4 Server side: create the secrets file, the module directory, and start rsyncd

[root@c4 ~]# echo "rsyncuser:centos" > /etc/rsync.pass
[root@c4 ~]# chmod 600 /etc/rsync.pass
[root@c4 ~]# mkdir /backup
[root@c4 ~]# systemctl start rsyncd

The secrets file on the daemon side holds one user:password line per user named in auth users, and rsyncd refuses to use it unless it is readable by its owner only (strict modes).

4.3.5 Client side: create the password file and the directory to synchronize

[root@c5 ~]# echo "centos" > /etc/rsync.pass
[root@c5 ~]# chmod 600 /etc/rsync.pass
[root@c5 ~]# mkdir /data
[root@c5 ~]# touch /data/123.txt

The file passed with --password-file on the client contains only the password (the user name comes from the rsyncuser@ prefix of the destination), and rsync likewise refuses it unless it is mode 600.

4.4 Client: test synchronizing data

[root@c5 ~]# rsync -avz --password-file=/etc/rsync.pass /data/ rsyncuser@10.0.1.245::backup
sending incremental file list
./
123.txt

sent 105 bytes  received 38 bytes  286.00 bytes/sec
total size is 0  speedup is 0.00
[root@c4 ~]# ls /backup/
123.txt

4.5 Client: create the inotify_rsync.sh script for real-time synchronization

4.5.1 Create the script

[root@c5 ~]# cat inotify_rsync.sh 
#!/bin/bash
# Push /data/ to the backup module whenever inotify reports a change in it.
SRC='/data/'
DEST='rsyncuser@10.0.1.245::backup'
# -m keep watching, -r recursive, -q quiet. %T expands to the timefmt (two words: date and time),
# %w is the watched directory and %f the file name, so each line reads as DATE TIME DIR FILE
# (FILE is last, so it also receives the rest of the line when a name contains spaces).
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' -e create,delete,moved_to,close_write,attrib "${SRC}" | while read -r DATE TIME DIR FILE; do
    FILEPATH="${DIR}${FILE}"
    # Every event triggers a full (incremental) sync of the tree; --delete mirrors removals too.
    rsync -az --delete --password-file=/etc/rsync.pass "$SRC" "$DEST" && echo "At ${TIME} on ${DATE}, file ${FILEPATH} was backed up via rsync" >> /var/log/changelist.log
done
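The loop above has two quiet failure modes: a failed rsync is simply not logged (only successes reach the log), and it relies on FILE being the last variable to survive spaces in names. As an added example, not code from the original post, here is the same watch-and-push loop rewritten so that each changed path is read as one whole line, pushes are counted, failures are logged, and the rsync call is isolated in do_sync() so the loop can be exercised without a daemon. SRC, DEST and the password and log paths are the page's values; everything else is an assumption for the example.

```bash
#!/bin/bash
# Added example: inotify-driven push with whole-line path handling and failure logging.
# Assumptions: the page's paths below; an rsync daemon reachable at DEST.
SRC='/data/'
DEST='rsyncuser@10.0.1.245::backup'
PASSFILE='/etc/rsync.pass'
LOG='/var/log/changelist.log'

# One push of the whole tree. Kept in its own function so a test can swap it out.
do_sync() {
    rsync -az --delete --password-file="$PASSFILE" "$SRC" "$DEST"
}

# Reads one changed path per line on stdin (inotifywait --format '%w%f') and pushes after
# each one. IFS= and -r keep spaces and backslashes in the path intact. Prints the number
# of successful pushes when stdin closes.
sync_loop() {
    count=0
    while IFS= read -r path; do
        case "$path" in
            "$SRC"*) ;;            # only react to paths under SRC
            *) continue ;;
        esac
        if do_sync; then
            count=$((count + 1))
            printf '%s pushed after change to %s\n' "$(date '+%F %T')" "$path" >> "$LOG"
        else
            printf '%s rsync FAILED after change to %s\n' "$(date '+%F %T')" "$path" >> "$LOG"
        fi
    done
    echo "$count"
}

# Stand-alone: run with --watch to attach the loop to inotifywait.
if [ "${1:-}" = "--watch" ]; then
    inotifywait -mrq --format '%w%f' -e create,delete,moved_to,close_write,attrib "$SRC" | sync_loop
fi
```

Start it with nohup ./inotify_rsync.sh --watch & as on the page; because sync_loop reads plain lines, it can also be fed a prepared list of paths to replay a batch of changes.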

4.5.2 Run the script in the background and test

[root@c5 ~]# nohup sh inotify_rsync.sh &
[1] 24745
[root@c5 ~]# nohup: ignoring input and appending output to 'nohup.out'
[root@c5 ~]# touch /data/test1.txt
[root@c5 ~]# echo hello > /data/test1.txt
[root@c5 ~]# tailf /var/log/changelist.log 
At 22:32 on 2020-05-19, file /data/123.txt was backed up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backed up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backed up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backed up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backed up via rsync
###touch plus echo produced several events (create, attrib, close_write) and each one ran a full rsync
###Server Side
[root@c4 backup]# pwd
/backup
[root@c4 backup]# ll
total 4
-rw-r--r-- 1 root root 6 May 19 22:40 test1.txt
[root@c4 backup]# cat test1.txt 
hello

5. iptables: allow telnet, ftp, the web server and samba, and reject every other port

[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 80 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 21 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 23 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 139 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 445 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -j DROP
[root@centos6 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   39  4962 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:22 
    6   394 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:23 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:445 
   81  8786 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 49 packets, 5983 bytes)
 pkts bytes target     prot opt in     out     source               destination    
The dpt:22 rule at the top was already in the chain before these commands ran; it is what keeps the ssh session alive once the final DROP is appended, so always confirm such a rule exists before adding a catch-all DROP to INPUT. As written, the chain has no ESTABLISHED,RELATED rule and no loopback rule: FTP data connections (port 20 in active mode, a random high port in passive mode) are dropped unless nf_conntrack_ftp is loaded and related traffic is accepted, and anything talking to 127.0.0.1 is dropped as well. The rules are also not persistent; on CentOS 6, service iptables save writes them to /etc/sysconfig/iptables.
###test
[root@centos6 ~]# yum install httpd -y
[root@centos6 ~]# ls /var/www/html/
[root@centos6 ~]# echo this is for iptables > /var/www/html/index.html
[root@centos6 ~]# cat /var/www/html/index.html
this is for iptables
[root@centos6 ~]# service httpd start

[root@c5 ~]# curl 10.1.1.110
this is for iptables
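As an added example (not the original post's commands), this script builds the same INPUT policy in the order a firewall needs: loopback first, then established and related traffic, then one NEW rule per allowed port, and the DROP last. HOST_IP is the page's 10.1.1.110; keeping the ssh rule and adding UDP 137/138 for nmbd are assumptions made for completeness. DRYRUN=1 prints the rules instead of applying them, which is also how a change like this should be reviewed before it goes onto a remote box.

```bash
#!/bin/bash
# Added example: ordered INPUT chain for "allow telnet, ftp, web, samba; drop the rest".
# Assumptions: HOST_IP from the page; ssh kept; UDP 137/138 added for nmbd.
HOST_IP='10.1.1.110'
TCP_PORTS='22 80 21 23 139 445'   # ssh, web, ftp control, telnet, samba
UDP_PORTS='137 138'               # NetBIOS name/datagram service (nmb); drop if only smbd is used

# With DRYRUN=1 the iptables command lines are printed instead of executed.
ipt() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_input_chain() {
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    # Replies and related connections (FTP data channels tracked by nf_conntrack_ftp)
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $TCP_PORTS; do
        ipt -A INPUT -p tcp -d "$HOST_IP" --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        ipt -A INPUT -p udp -d "$HOST_IP" --dport "$p" -j ACCEPT
    done
    ipt -A INPUT -j DROP      # everything else; must stay last
}

# Stand-alone: --apply loads the FTP connection-tracking helper and installs the rules.
if [ "${DRYRUN:-0}" != 1 ] && [ "${1:-}" = "--apply" ]; then
    modprobe nf_conntrack_ftp
    build_input_chain
fi
```

Run DRYRUN=1 ./fw.sh to see the rule list and ./fw.sh --apply to install it. On CentOS 6, service iptables save then persists the result, and IPTABLES_MODULES="nf_conntrack_ftp" in /etc/sysconfig/iptables-config keeps the helper loaded across reboots.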

Tags: Linux vsftpd rsync MariaDB Database

Posted on Tue, 19 May 2020 13:38:09 -0400 by ScOrPi