1. Implement vsftpd virtual user access based on mysql authentication
This scenario is implemented with two servers: one FTP server and one database server.
1.1 Install Database
[root@c5 ~]# yum -y install mariadb-server
[root@c5 ~]# systemctl start mariadb.service
[root@c5 ~]# systemctl enable mariadb
1.2 Install vsftpd, mariadb-devel, pam-devel and the pam_mysql package on the FTP server (pam_mysql has to be compiled and installed from source)
[root@c5 ~]# yum install vsftpd mariadb-devel pam-devel -y
[root@c5 ~]# yum -y groupinstall "Development Tools"
[root@c5 src]# tar xvf pam_mysql-0.7RC1.tar.gz
[root@c5 src]# cd pam_mysql-0.7RC1/
[root@c5 pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
[root@c5 pam_mysql-0.7RC1]# make -j 4 && make install
1.3 Create virtual user accounts on database servers
1.3.1 Create the database that stores the virtual users and a database user for connecting to it
MariaDB [(none)]> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
| vsftpd             |
+--------------------+
7 rows in set (0.00 sec)

MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO vsftpd@'%' IDENTIFIED BY 'centos';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
1.3.2 Prepare the table that stores the users
MariaDB [(none)]> USE vsftpd;
Database changed
MariaDB [vsftpd]> SHOW TABLES;
Empty set (0.01 sec)

MariaDB [vsftpd]> CREATE TABLE users (
    ->   id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
    ->   name CHAR(50) BINARY NOT NULL,
    ->   password CHAR(48) BINARY NOT NULL
    -> );
Query OK, 0 rows affected (0.06 sec)

MariaDB [vsftpd]> DESC users;
+----------+----------+------+-----+---------+----------------+
| Field    | Type     | Null | Key | Default | Extra          |
+----------+----------+------+-----+---------+----------------+
| id       | int(11)  | NO   | PRI | NULL    | auto_increment |
| name     | char(50) | NO   |     | NULL    |                |
| password | char(48) | NO   |     | NULL    |                |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
1.3.3 Test the connection from the FTP server
[root@c5 ~]# yum install mariadb -y
[root@c5 ~]# mysql -uvsftpd -pcentos -h 10.0.1.244 -e "show databases;"
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
| vsftpd             |
+--------------------+
1.3.4 Add virtual users
MariaDB [(none)]> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [vsftpd]> INSERT INTO users(name,password) values('test1',password('centos'));
Query OK, 1 row affected (0.01 sec)

MariaDB [vsftpd]> INSERT INTO users(name,password) values('test2',password('centos'));
Query OK, 1 row affected (0.01 sec)

MariaDB [vsftpd]> SELECT * FROM users;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  1 | test1 | *128977E278358FF80A246B5046F51043A2B1FCED |
|  2 | test2 | *128977E278358FF80A246B5046F51043A2B1FCED |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)
1.4 Configure vsftpd service on FTP server
1.4.1 Create the PAM configuration file used for authentication on the FTP server
[root@c5 ~]# cat /etc/pam.d/vsftpd.mysql
###Add the following two lines
auth    required pam_mysql.so user=vsftpd passwd=centos host=10.0.1.244 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=10.0.1.244 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
* auth denotes the authentication step
* account verifies that the account itself is valid and may be used
* required means this module must succeed for the stack to pass
* pam_mysql.so is the module; a bare module name is resolved relative to the default module directory /lib64/security/, and the parameters that follow on the line are passed to this module
* user=vsftpd is the user used to log in to mysql
* passwd= is the password used to log in to mysql (centos in the file above)
* host= is the hostname or IP address of the MySQL server
* db=vsftpd specifies the database to use on the MySQL server
* table=users specifies the table in that database
* usercolumn=name is the column that holds the user name
* passwdcolumn=password is the column that holds the password
* crypt=2 means the stored password was hashed with the MySQL PASSWORD() function
1.4.2 Create the system user and directories that the virtual users are mapped to
[root@c5 ~]# useradd -s /sbin/nologin -d /var/ftproot vuser
[root@c5 ~]# chmod 555 /var/ftproot
[root@c5 ~]# mkdir /var/ftproot/{upload,pub}
[root@c5 ~]# setfacl -m u:vuser:rwx /var/ftproot/upload
1.4.3 Modify the configuration file for vsftpd
[root@c5 ~]# cat /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql   ###Change this existing line
guest_enable=YES                ###Add these two new lines
guest_username=vuser
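Two things are easy to get wrong in this setup: the three vsftpd.conf keys above must all be present for vsftpd to use virtual users, and the pam_mysql lines in /etc/pam.d/vsftpd.mysql embed the database password in clear text, so that file must not be readable by other local users. The POSIX shell functions below check both; they are an added example, not part of the original tutorial, and they run against constructed sample files in a temporary directory (the file names and contents are assumptions, not the real hosts' files).

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity checks for the two files the
# vsftpd virtual-user setup depends on. Both functions take a file path, so
# they can be pointed at the live files or at the constructed samples below.

# check_vsftpd_conf FILE
# Returns 0 when FILE sets pam_service_name, guest_enable=YES and
# guest_username (the three keys section 1.4.3 requires), 1 otherwise.
check_vsftpd_conf() {
    for key in 'pam_service_name=' 'guest_enable=YES' 'guest_username='; do
        grep -q "^${key}" "$1" || return 1
    done
    return 0
}

# check_secret_mode FILE
# A file that carries a password (passwd=... in the pam_mysql lines) must not
# be readable by group or others. Returns 0 for mode 600 or 400, 1 otherwise.
# "ls -l" is used instead of stat so the check works on GNU and BSD userlands;
# cut -c1-10 also drops a trailing "." or "+" added for SELinux/ACL labels.
check_secret_mode() {
    perm=$(ls -ld "$1" | cut -c1-10) || return 1
    case "$perm" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples (assumptions, not the tutorial's real files).
SAMPLE_DIR=$(mktemp -d)
printf 'pam_service_name=vsftpd.mysql\nguest_enable=YES\nguest_username=vuser\n' > "$SAMPLE_DIR/good.conf"
printf 'pam_service_name=vsftpd\nguest_enable=NO\n' > "$SAMPLE_DIR/bad.conf"
printf 'auth required pam_mysql.so user=vsftpd passwd=centos host=10.0.1.244 db=vsftpd\n' > "$SAMPLE_DIR/vsftpd.mysql"
chmod 644 "$SAMPLE_DIR/vsftpd.mysql"      # typical default mode, too open for a file holding a password
cp "$SAMPLE_DIR/vsftpd.mysql" "$SAMPLE_DIR/vsftpd.mysql.locked"
chmod 600 "$SAMPLE_DIR/vsftpd.mysql.locked"

for f in good.conf bad.conf; do
    if check_vsftpd_conf "$SAMPLE_DIR/$f"; then
        echo "$f: required keys present"
    else
        echo "$f: missing required keys"
    fi
done
for f in vsftpd.mysql vsftpd.mysql.locked; do
    if check_secret_mode "$SAMPLE_DIR/$f"; then
        echo "$f: mode ok"
    else
        echo "$f: password file readable by other users"
    fi
done
```

The same mode check applies to any file that stores a secret for this setup; the vsftpd.mysql file is the one the tutorial creates, and a default 644 mode would let every local account read the MySQL password.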
1.5 Test
1.5.1 Start vsftpd service
[root@c5 ~]# systemctl start vsftpd
1.5.2 Use an FTP client to verify that a virtual user can log in
[root@c1 ~]# yum install ftp -y
[root@c1 ~]# ftp c5
Connected to c5 (10.0.1.246).
220 (vsFTPd 3.0.2)
Name (c5:root): test1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
2. Share the server's /www directory via NFS
2.1 NFS is implemented as a kernel module, so the nfs-server service can be started directly
[root@c1 ~]# systemctl start nfs-server
[root@c1 ~]# yum install nfs-utils -y   ###If nfs-utils is not installed yet, install it first with this command
2.2 Create a shared directory
[root@c1 ~]# mkdir /www
[root@c1 ~]# chown nfsnobody /www
2.3 Add Configuration
[root@c1 ~]# cat /etc/exports
/www *(rw)
2.4 Testing
2.4.1 View all local shares
[root@c1 ~]# exportfs -v
/www            <world>(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
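The client field `*` in /etc/exports is what exportfs reports as `<world>`: every host that can reach the server may mount /www read-write. The shell function below, an added example that is not part of the original tutorial, scans an exports-format file and reports entries exported to `*` or exported with no_root_squash; the sample file is constructed here, with the tutorial's line first and two made-up lines after it.

```shell
# Added example (not from the tutorial): flag /etc/exports entries that are
# exported to every host ("*", shown by exportfs as <world>) or that disable
# root squashing. The sample file below is constructed.

# risky_exports FILE: print "path client reason" for each risky entry
risky_exports() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }              # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {              # one or more client(options) fields
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {      # split "client(options)"
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                reason = ""
                if (client == "*") reason = "world"
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    reason = reason (reason == "" ? "" : "+") "no_root_squash"
                if (reason != "") print path, client, reason
            }
        }' "$1"
}

# risky_export_count FILE: number of risky entries (0 means none found)
risky_export_count() {
    risky_exports "$1" | wc -l | tr -d ' '
}

EXPORTS_SAMPLE=$(mktemp)
cat > "$EXPORTS_SAMPLE" <<'EOF'
# constructed sample: first line is the tutorial's export, the rest are made up
/www *(rw)
/data 10.0.1.0/24(rw,no_root_squash)
/pub 10.0.1.5(ro)
EOF

risky_exports "$EXPORTS_SAMPLE"
echo "risky entries: $(risky_export_count "$EXPORTS_SAMPLE")"
```

Run against the real /etc/exports, a non-zero count is the cue to replace `*` with the client subnet or host list that actually needs the share.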
2.4.2 Remote Mount
[root@centos7 ~]# mount 10.0.1.242:/www /mnt/nfsshare/
[root@centos7 ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root   60G   21G   40G  35% /
devtmpfs                 983M     0  983M   0% /dev
tmpfs                   1000M     0 1000M   0% /dev/shm
tmpfs                   1000M   98M  902M  10% /run
tmpfs                   1000M     0 1000M   0% /sys/fs/cgroup
/dev/sda1               1014M  166M  849M  17% /boot
tmpfs                    200M   44K  200M   1% /run/user/0
/dev/sr0                 3.8G  3.8G     0 100% /run/media/root/CentOS_6.10_Final
/dev/sr1                  11G   11G     0 100% /run/media/root/CentOS 7 x86_64
10.0.1.242:/www           42G  1.3G   41G   4% /mnt/nfsshare
[root@centos7 ~]# touch /mnt/nfsshare/test.txt
[root@centos7 ~]# cd /mnt/nfsshare/
[root@centos7 nfsshare]# ls
test.txt
[root@centos7 nfsshare]# cat test.txt
[root@centos7 nfsshare]# echo 123 > test.txt
[root@centos7 nfsshare]# cat test.txt
123
[root@c1 ~]# ll /www/
total 0
-rw-r--r-- 1 nfsnobody nfsnobody 0 May 19 10:06 test.txt
[root@c1 ~]# cat /www/test.txt
123
2.5 Configure automatic mounting at boot
[root@centos7 nfsshare]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sat Jan  4 01:52:46 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=24b6bae0-d077-4259-8529-f778c9c120ce /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
10.0.1.242:/www         /mnt/nfsshare/          nfs     defaults        0 0
3. Configure Samba sharing for the /www directory
3.1 Install the samba package on the samba server
[root@c4 ~]# yum -y install samba
3.2 Create samba users and groups
[root@c4 ~]# groupadd -r admins
[root@c4 ~]# useradd -s /sbin/nologin -G admins rick
[root@c4 ~]# smbpasswd -a rick
New SMB password:
Retype new SMB password:
Added user rick.
[root@c4 ~]# useradd -s /sbin/nologin mage
[root@c4 ~]# smbpasswd -a mage
New SMB password:
Retype new SMB password:
Added user mage.
3.3 Create the samba shared directory
[root@c4 ~]# mkdir -p /testdir/smbshare
[root@c4 ~]# chgrp admins /testdir/smbshare
[root@c4 ~]# chmod 2775 /testdir/smbshare
3.4 Samba server configuration
[root@c4 ~]# vim /etc/samba/smb.conf
###Add the following share definition
[share]
path = /testdir/smbshare
write list = @admins

[root@c4 ~]# systemctl start smb nmb
3.5 Samba client access
3.5.1 Install the client package
[root@c5 ~]# yum -y install cifs-utils
3.5.2 Mount the smb share as user rick and access it
[root@c5 ~]# mkdir /mnt/rick
[root@c5 ~]# mount -o username=rick //10.0.1.245/share /mnt/rick/
Password for rick@//10.0.1.245/share: ******
[root@c5 ~]# df -h
Filesystem          Size  Used Avail Use% Mounted on
/dev/sda2            42G  1.7G   40G   5% /
devtmpfs            909M     0  909M   0% /dev
tmpfs               920M     0  920M   0% /dev/shm
tmpfs               920M   17M  903M   2% /run
tmpfs               920M     0  920M   0% /sys/fs/cgroup
/dev/sda1           497M  130M  367M  27% /boot
tmpfs               184M     0  184M   0% /run/user/0
//10.0.1.245/share   42G  1.3G   41G   3% /mnt/rick
[root@c5 ~]# echo "Hello rick." > /mnt/rick/rick.txt
[root@c4 ~]# ls /testdir/smbshare/ -l
total 4
-rwxr--r-- 1 rick admins 12 May 19 15:41 rick.txt
[root@c4 ~]# ll /testdir/smbshare/
total 4
-rwxr--r-- 1 rick admins 12 May 19 15:41 rick.txt
[root@c4 ~]# cat /testdir/smbshare/rick.txt
Hello rick.
3.5.3 Mount the smb share as user mage and access it
[root@c5 ~]# mkdir /mnt/mage
[root@c5 ~]# mount -o username=mage //10.0.1.245/share /mnt/mage/
Password for mage@//10.0.1.245/share: ******
[root@c5 ~]# df -h
Filesystem          Size  Used Avail Use% Mounted on
/dev/sda2            42G  1.7G   40G   5% /
devtmpfs            909M     0  909M   0% /dev
tmpfs               920M     0  920M   0% /dev/shm
tmpfs               920M   17M  903M   2% /run
tmpfs               920M     0  920M   0% /sys/fs/cgroup
/dev/sda1           497M  130M  367M  27% /boot
tmpfs               184M     0  184M   0% /run/user/0
//10.0.1.245/share   42G  1.3G   41G   3% /mnt/rick
//10.0.1.245/share   42G  1.3G   41G   3% /mnt/mage
[root@c5 ~]# touch /mnt/mage/magefile.txt
touch: cannot touch '/mnt/mage/magefile.txt': Permission denied
###Note: because the mage user does not belong to the admins group, it has no write permission on the share
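The outcome for rick and mage follows from the share definition alone: the share is read-only by default and `write list = @admins` names the only exceptions, with `@admins` resolved through Unix group membership. The shell functions below reproduce that decision from an smb.conf and an /etc/group-style file, so the effect of a `write list` change can be checked before restarting smb. This is an added example, not part of the original tutorial: it models only what the tutorial's share relies on (no `read only = no`, `writable` or `valid users` handling), resolves `@group` through the supplementary members listed in the group file only, and runs on constructed sample files.

```shell
# Added example (not from the tutorial): decide from smb.conf and a group
# database whether a user is on a share's "write list". Assumes the share is
# read-only by default, as in the tutorial, and that "@group" / "+group"
# entries are resolved through the member list of an /etc/group-style file.

# share_param CONF SHARE PARAM: print the value of PARAM inside [SHARE]
share_param() {
    awk -v s="$2" -v p="$3" '
        /^[ \t]*\[/ { gsub(/[][ \t]/, ""); cur = $0; next }   # new [section]
        cur == s && $0 ~ "^[ \t]*" p "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# user_in_group GROUPFILE GROUP USER: 0 if USER is listed as a member of GROUP
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# can_write CONF GROUPFILE SHARE USER: 0 if USER is covered by the write list
can_write() {
    list=$(share_param "$1" "$3" "write list" | tr ',' ' ')
    for entry in $list; do
        case "$entry" in
            @*|+*) user_in_group "$2" "${entry#?}" "$4" && return 0 ;;
            *)     [ "$entry" = "$4" ] && return 0 ;;
        esac
    done
    return 1
}

# Constructed samples mirroring the tutorial: rick is in admins, mage is not.
SMB_DIR=$(mktemp -d)
cat > "$SMB_DIR/smb.conf" <<'EOF'
[global]
    workgroup = SAMBA
    security = user

[share]
    path = /testdir/smbshare
    write list = @admins
EOF
cat > "$SMB_DIR/group" <<'EOF'
root:x:0:
admins:x:990:rick
rick:x:1000:
mage:x:1001:
EOF

for u in rick mage; do
    if can_write "$SMB_DIR/smb.conf" "$SMB_DIR/group" share "$u"; then
        echo "$u: may write to [share]"
    else
        echo "$u: read-only on [share]"
    fi
done
```

Note that the write list only governs Samba's decision; the filesystem still applies, which is why the tutorial also sets the directory group to admins with mode 2775.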
4. Real-time synchronization of the /www directory using rsync+inotify
4.1 How real-time synchronization works
1. The monitoring service (inotify) watches the directory on the data server for changes
2. When a change in the directory is detected, rsync pushes the data to the backup server
3. A script combines the two
4.2 Check whether the server kernel supports inotify
[root@c5 ~]# ll /proc/sys/fs/inotify   #If these files are listed, the server kernel supports inotify
total 0
-rw-r--r-- 1 root root 0 May 19 15:57 max_queued_events
-rw-r--r-- 1 root root 0 May 19 15:57 max_user_instances
-rw-r--r-- 1 root root 0 May 19 15:57 max_user_watches
4.3 Install inotify
4.3.1 Install the EPEL repository
[root@c5 ~]# yum install epel-release.noarch -y
4.3.2 Install the inotify software
[root@c5 ~]# yum install inotify-tools -y
4.3.3 Configure the rsync server-side configuration file
[root@c4 ~]# cat /etc/rsyncd.conf
# /etc/rsyncd: configuration file for rsync daemon mode
# See rsyncd.conf man page for more options.
# configuration example:
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 10.0.1.0/24
[backup]
path = /backup
comment = backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
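With `uid = root` and `use chroot = no`, the `hosts allow = 10.0.1.0/24` line and the `auth users` check are what keep the daemon from accepting pushes into /backup from anywhere. The shell functions below, an added example that is not part of the original tutorial, read the `hosts allow` value from an rsyncd.conf and decide whether a given client address would be admitted, reimplementing the plain-address and CIDR forms of the comparison in POSIX sh (hostname and dotted-netmask entries, and `hosts deny`, are not handled). The configuration file is a constructed copy of the tutorial's.

```shell
# Added example (not from the tutorial): check which client addresses the
# "hosts allow" line of an rsyncd.conf admits. Only address and CIDR entries
# are modelled; hostnames, netmask-style entries and "hosts deny" are not.

# ip_to_int A.B.C.D: print the address as a 32-bit integer
ip_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# in_cidr IP NET/PREFIX: return 0 if IP lies inside the network
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# rsyncd_allows CONF IP: return 0 if IP matches an entry of "hosts allow"
# (comma- or space-separated). A CONF without any "hosts allow" line admits
# every host, which is rsync's default, so that case also returns 0.
rsyncd_allows() {
    conf="$1"; ip="$2"
    if ! grep -q '^[[:space:]]*hosts allow[[:space:]]*=' "$conf"; then
        return 0
    fi
    allow=$(sed -n 's/^[[:space:]]*hosts allow[[:space:]]*=[[:space:]]*//p' "$conf" | tr ',' ' ')
    for entry in $allow; do
        case "$entry" in
            */*) in_cidr "$ip" "$entry" && return 0 ;;
            *)   [ "$entry" = "$ip" ] && return 0 ;;
        esac
    done
    return 1
}

# Constructed copy of the tutorial's daemon configuration.
RSYNC_SAMPLE=$(mktemp)
cat > "$RSYNC_SAMPLE" <<'EOF'
uid = root
gid = root
use chroot = no
hosts allow = 10.0.1.0/24
[backup]
path = /backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
EOF

for client in 10.0.1.246 10.0.2.7; do
    if rsyncd_allows "$RSYNC_SAMPLE" "$client"; then
        echo "$client: admitted by hosts allow"
    else
        echo "$client: refused by hosts allow"
    fi
done
```

A `hosts allow` line placed before the first module, as in the tutorial, is the default for every module; placing it inside `[backup]` restricts only that module.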
4.3.4 Server side: create the secrets file, prepare the directory and start the rsync service
[root@c4 ~]# echo "centos" > /etc/rsync.pass
[root@c4 ~]# chmod 600 /etc/rsync.pass
[root@c4 ~]# mkdir /backup
[root@c4 ~]# systemctl start rsyncd
4.3.5 Client side: configure the password file and create the directory to synchronize
[root@c5 ~]# echo "rsyncuser:centos" > /etc/rsync.pass
[root@c5 ~]# chmod 600 /etc/rsync.pass
[root@c5 ~]# mkdir /data
[root@c5 ~]# touch /data/123.txt
4.4 Client side: test data synchronization
[root@c5 ~]# rsync -avz --password-file=/etc/rsync.pass /data/ rsyncuser@10.0.1.245::backup
sending incremental file list
./
123.txt

sent 105 bytes  received 38 bytes  286.00 bytes/sec
total size is 0  speedup is 0.00
[root@c4 ~]# ls /backup/
123.txt
4.5 Client side: create the inotify_rsync.sh script for real-time synchronization
4.5.1 Create the script
[root@c5 ~]# cat inotify_rsync.sh
#!/bin/bash
SRC='/data/'
DEST='rsyncuser@10.0.1.245::backup'
# Watch SRC recursively and print one line per event: "date time dir file".
# Each event triggers a full rsync of SRC to DEST; the log records the file that caused it.
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' -e create,delete,moved_to,close_write,attrib ${SRC} | while read DATE TIME DIR FILE; do
    FILEPATH=${DIR}${FILE}
    rsync -az --delete --password-file=/etc/rsync.pass $SRC $DEST && echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> /var/log/changelist.log
done
4.5.2 Run the script in the background for testing
[root@c5 ~]# nohup sh inotify_rsync.sh &
[1] 24745
[root@c5 ~]# nohup: ignoring input and appending output to 'nohup.out'

[root@c5 ~]# touch /data/test1.txt
[root@c5 ~]# echo hello > /data/test1.txt
[root@c5 ~]# tailf /var/log/changelist.log
At 22:32 on 2020-05-19, file /data/123.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
At 22:40 on 2020-05-19, file /data/test1.txt was backuped up via rsync
###Server side
[root@c4 backup]# pwd
/backup
[root@c4 backup]# ll
total 4
-rw-r--r-- 1 root root 6 May 19 22:40 test1.txt
[root@c4 backup]# cat test1.txt
hello
5. Use iptables to allow the Telnet, FTP, web server and Samba services and reject all other ports
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 80 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 21 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 23 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 139 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -p tcp -d 10.1.1.110 --dport 445 -j ACCEPT
[root@centos6 ~]# iptables -A INPUT -j DROP
[root@centos6 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   39  4962 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:22
    6   394 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:23
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:445
   81  8786 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 49 packets, 5983 bytes)
 pkts bytes target     prot opt in     out     source               destination
###test
[root@centos6 ~]# yum install httpd -y
[root@centos6 ~]# ls /var/www/html/
[root@centos6 ~]# echo this is for iptables > /var/www/html/index.html
[root@centos6 ~]# cat /var/www/html/index.html
this is for iptables
[root@centos6 ~]# service httpd start
[root@c5 ~]# curl 10.1.1.110
this is for iptables
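Reading the `iptables -vnL` output above carefully shows one rule the listed commands never added: port 22 is accepted at the top of the chain, so it was already present before the whitelist was built. A quick check that compares the live chain against the intended port list catches exactly that kind of leftover. The shell functions below are an added example, not part of the original tutorial; they parse the INPUT chain as printed by `iptables -vnL` (the tutorial's own output, embedded here as a constructed string so nothing needs root or iptables to run), list the accepted TCP ports, confirm the chain ends in a catch-all DROP, and report accepted ports that are not on the whitelist.

```shell
# Added example (not from the tutorial): compare the accepted TCP ports in an
# "iptables -vnL" listing with the intended whitelist. SAMPLE_RULES is the
# tutorial's INPUT/FORWARD/OUTPUT output, constructed here as a string.
SAMPLE_RULES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   39  4962 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:22
    6   394 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:23
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.110          tcp dpt:445
   81  8786 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 49 packets, 5983 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# input_rules RULES: print only the rule lines of the INPUT chain
input_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain INPUT/ { on = 1; next }      # start of the chain we want
        /^Chain /      { on = 0 }            # any other chain header ends it
        on && NF && $1 != "pkts" { print }'  # skip blank lines and the column header
}

# accepted_tcp_ports RULES: space-separated TCP ports with an ACCEPT rule, in rule order
accepted_tcp_ports() {
    input_rules "$1" | awk '
        $3 == "ACCEPT" && $4 == "tcp" {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); ports = ports (ports == "" ? "" : " ") $i }
        }
        END { print ports }'
}

# ends_with_drop RULES: 0 if the last INPUT rule drops everything not matched above it
ends_with_drop() {
    input_rules "$1" | tail -n 1 | awk '{ exit !($3 == "DROP" && $4 == "all") }'
}

# unexpected_ports RULES "80 21 ...": accepted ports that are not in the whitelist
unexpected_ports() {
    wanted=" $2 "
    out=""
    for p in $(accepted_tcp_ports "$1"); do
        case "$wanted" in
            *" $p "*) ;;                      # on the whitelist
            *) out="$out${out:+ }$p" ;;      # accepted but never intended
        esac
    done
    printf '%s\n' "$out"
}

WANTED="80 21 23 139 445"                     # the ports section 5 set out to allow
echo "accepted TCP ports: $(accepted_tcp_ports "$SAMPLE_RULES")"
echo "accepted but not in whitelist: $(unexpected_ports "$SAMPLE_RULES" "$WANTED")"
if ends_with_drop "$SAMPLE_RULES"; then
    echo "final INPUT rule: DROP"
else
    echo "final INPUT rule: not a catch-all DROP"
fi
```

Against the tutorial's listing this reports `22` as accepted but not whitelisted. Two further points worth checking on a ruleset of this shape: accepting port 21 covers only the FTP control connection, so passive-mode data connections (which arrive on dynamically chosen ports) need the nf_conntrack_ftp helper and a RELATED,ESTABLISHED rule to get through the final DROP; and rules added with -A are lost on reboot unless saved with the distribution's iptables service.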