# 1. Implement vsftpd virtual-user access with MySQL-based authentication
Environment: 192.168.43.127 CentOS 7 (MySQL); 192.168.43.106 CentOS 6 (vsftpd, pam_mysql)
**1. Install mariadb-server on 127**
```
[root@mysql1 ~]#yum -y install mariadb-server
[root@mysql1 ~]#systemctl start mariadb.service
[root@mysql1 ~]#systemctl enable mariadb
```
**2. Install vsftpd and pam_mysql on 126**
```
yum install vsftpd pam_mysql
service vsftpd start
chkconfig vsftpd on
```
**3. Create the virtual-user accounts on the database server**
```
[root@mysql1 ~]#mysql -uroot -p123456
MariaDB [(none)]> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| vsftpd             |
+--------------------+

MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO vsftpd@'192.168.43.%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.233 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.133 sec)
MariaDB [(none)]> USE vsftpd;
Database changed
MariaDB [vsftpd]> CREATE TABLE users ( id INT AUTO_INCREMENT NOT NULL PRIMARY KEY, name CHAR(50) BINARY NOT NULL, password CHAR(48) BINARY NOT NULL );
Query OK, 0 rows affected (0.234 sec)
```
Test the connection from the FTP server:
```
[root@centos6 ~]#mysql -uvsftpd -h192.168.43.205 -p123456
Welcome to the MySQL monitor.  Commands end with ; or \g.
```
Insert the users:
```
MariaDB [vsftpd]> INSERT INTO users(name,password) values('wang',password('123456'));
Query OK, 1 row affected (0.038 sec)

MariaDB [vsftpd]> INSERT INTO users(name,password) values('li',password('123456'));
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd]> SELECT * FROM users;
+----+------+-------------------------------------------+
| id | name | password                                  |
+----+------+-------------------------------------------+
|  1 | wang | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
|  2 | li   | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
+----+------+-------------------------------------------+
2 rows in set (0.000 sec)
```
**4. Create the PAM configuration file that vsftpd will use on the FTP server**
```
[root@centos6 ~]#vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=123456 host=192.168.43.205 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=123456 host=192.168.43.205 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
```
`crypt=2` tells pam_mysql that the password column holds MySQL `PASSWORD()` hashes, which matches the INSERT statements above.
**5. Create the mapped (guest) system user on the FTP server:**
```
[root@centos6 ~]#useradd -s /sbin/nologin -d /var/ftproot vuser
[root@centos6 ~]#chmod 555 /var/ftproot
[root@centos6 ~]#mkdir /var/ftproot/{upload,pub}
[root@centos6 ~]#tree -d /var/ftproot/
/var/ftproot/
├── pub
└── upload
```
**6. Configure the FTP service:**
Change the following settings so that user wang can upload and download, and user li uses a separate root directory and can also upload and download.
```
[root@centos6 ~]#vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
pam_service_name=vsftpd.mysql
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config
[root@centos6 ~]#tree /etc/vsftpd/vusers_config/
/etc/vsftpd/vusers_config/
├── li
└── wang
```
Per-user configuration for wang:
```
[root@centos6 vusers_config]#cat wang
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
```
Per-user configuration for li:
```
[root@centos6 vusers_config]#cat li
local_root=/ftproot_li
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
```
Grant the mapped user write access to the upload directory, then create the root directory for li:
```
[root@centos6 ~]#setfacl -m u:vuser:rwx /var/ftproot/upload
[root@centos6 ~]#mkdir /ftproot_li
[root@centos6 ~]#chmod 555 /ftproot_li
[root@centos6 ~]#setfacl -m u:vuser:rwx li
```
**7. Restart vsftpd**
```
[root@centos6 ~]#service vsftpd restart
Shutting down vsftpd:                                      [FAILED]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@centos6 ~]#chkconfig vsftpd on
```
**8. Verification:**
**Log in as li; the root directory is /ftproot_li**
```
[root@mysql1 ~]# ftp 192.168.43.106
Name (192.168.43.106:root): li
331 Please specify the password.
230 Login successful.
ftp> cd li
250 Directory successfully changed.
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (192,168,43,106,46,74).
150 Ok to send data.
226 Transfer complete.
980 bytes sent in 6.7e-05 secs (14626.86 Kbytes/sec)
ftp> get a
local: a remote: a
227 Entering Passive Mode (192,168,43,106,197,240).
150 Opening BINARY mode data connection for a (2 bytes).
226 Transfer complete.
2 bytes received in 2.1e-05 secs (95.24 Kbytes/sec)
ftp> !ls
2345  a  anaconda-ks.cfg  b  c
```
**Log in as wang; the root directory is /var/ftproot/**
```
[root@mysql1 ~]# ftp 192.168.43.106
ftp> ls
227 Entering Passive Mode (192,168,43,106,64,16).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Apr 26 01:19 pub
drwxrwxr-x    2 0        0            4096 Apr 26 02:24 upload
226 Directory send OK.
ftp> cd upload
ftp> ls
-rw-------    1 501      501           980 Apr 26 02:24 anaconda-ks.cfg
226 Directory send OK.
ftp> put a
local: a remote: a
227 Entering Passive Mode (192,168,43,106,205,1).
150 Ok to send data.
226 Transfer complete.
2 bytes sent in 0.000109 secs (18.35 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,43,106,165,68).
150 Here comes the directory listing.
-rw-------    1 501      501             2 Apr 26 02:58 a
-rw-------    1 501      501           980 Apr 26 02:24 anaconda-ks.cfg
226 Directory send OK.
```
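As an added example (not part of the original post), a small shell check for the virtual-user settings above: it confirms that vsftpd.conf carries the guest directives with the values used here and that `pam_service_name` names a file that really exists under pam.d, a mismatch that silently breaks virtual-user logins. The function names are assumptions, and the configuration it reads is supplied by the caller.

```shell
# Added example, not the post's configuration: lint the virtual-user
# directives of a vsftpd.conf. Function names are assumptions.

# vsftpd_value <conf> <key>: print the last value set for <key> ('' if unset).
vsftpd_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# check_vuser_conf <conf> <pam_dir>: one line per problem; exit 0 when clean.
check_vuser_conf() {
    conf=$1; pamdir=$2; problems=0
    # Directives the post relies on, with the values it uses.
    for kv in guest_enable=YES guest_username=vuser pam_service_name=vsftpd.mysql; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(vsftpd_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '$got', expected '$want'"
            problems=$((problems + 1))
        fi
    done
    # The PAM service named in vsftpd.conf must exist as a file under pam.d.
    svc=$(vsftpd_value "$conf" pam_service_name)
    if [ ! -f "$pamdir/$svc" ]; then
        echo "pam_service_name=$svc but $pamdir/$svc does not exist"
        problems=$((problems + 1))
    fi
    # Per-user files (wang, li) live under user_config_dir, so it must exist.
    ucd=$(vsftpd_value "$conf" user_config_dir)
    if [ ! -d "$ucd" ]; then
        echo "user_config_dir '$ucd' is not a directory"
        problems=$((problems + 1))
    fi
    # Not an error, but worth knowing: with anonymous_enable=YES (as in the
    # post's config) anonymous logins stay enabled alongside the virtual users.
    if [ "$(vsftpd_value "$conf" anonymous_enable)" = YES ]; then
        echo "note: anonymous_enable=YES also permits anonymous logins"
    fi
    [ "$problems" -eq 0 ]
}
```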
# 2. Share the server's /www directory over NFS
**Environment:
NFS server: 192.168.43.197
Client: 192.168.43.205**
**1. NFS server configuration**
```
[root@197]#yum -y install nfs-utils
[root@197]#systemctl start nfs
[root@197]#systemctl enable nfs
[root@197]#mkdir /www
[root@197]#touch 197.txt
[root@197]#vim /etc/exports
/www 192.168.43.0/24(rw,no_root_squash)
```
Every host on the 192.168.43.0 network can access the /www share with read-write permission, and root is not squashed (root on a client keeps root privileges on the export).
```
[root@197]#exportfs -rv
exporting 192.168.43.0/24:/www
```
**2. Client 205:**
View the server's shares:
```
[root@205]# showmount -e 192.168.43.197
Export list for 192.168.43.197:
/www 192.168.43.0/24
```
Mount manually:
```
[root@205 ~]# mkdir /www
[root@205 ~]# touch 205.txt
[root@205 ~]# mount -o hard,intr,nosuid,nodev,noexec 192.168.43.197:/www /www
[root@205 ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
devtmpfs                 979M     0  979M   0% /dev
tmpfs                    991M     0  991M   0% /dev/shm
tmpfs                    991M  9.6M  981M   1% /run
tmpfs                    991M     0  991M   0% /sys/fs/cgroup
/dev/mapper/centos-root  100G  3.0G   97G   3% /
/dev/sda1                497M  139M  358M  28% /boot
tmpfs                    199M     0  199M   0% /run/user/0
192.168.43.197:/www      100G  7.1G   93G   8% /www
[root@205 ~]# ll /www
-rw-r--r-- 1 root root 0 May  2 18:13 197.txt
```
![](https://s4.51cto.com/images/blog/202005/03/390e601a9b29a4cfcc2b83dccb252006.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202005/03/a34e5f5c8370a516fee14002761290c7.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
Done.
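As an added example (not part of the original post), a shell function that reads an exports file and reports the entries that weaken a share: `no_root_squash` as used above, and exports that reach every host, including the common mistake of writing `host (rw)` with a space so that `(rw)` becomes a world-wide export. The function name is an assumption; the exports text in the test is constructed.

```shell
# Added example, not the post's commands: scan an exports file for entries
# that weaken the share. Function name is an assumption.

# export_findings <exports-file>: print one finding per risky export entry.
export_findings() {
    sed 's/#.*//' "$1" | awk '
    NF >= 2 {
        dir = $1
        for (i = 2; i <= NF; i++) {
            # Each client entry is host(options); a bare host means default options.
            k = index($i, "(")
            if (k > 0) { host = substr($i, 1, k - 1); opts = substr($i, k + 1) }
            else       { host = $i; opts = "" }
            sub(/\)$/, "", opts)
            # "*" exports to every host. So does an empty host: writing
            # "host (rw)" with a space turns "(rw)" into a world export.
            if (host == "*" || host == "")
                printf "%s: exported to every host\n", dir
            # no_root_squash (used in the post) lets root on the client
            # act as root on the export.
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                printf "%s: root on %s keeps root privileges (no_root_squash)\n", dir, host
        }
    }'
}
```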
# 3. Configure a Samba share for the /www directory
**Environment:
Samba server: 192.168.43.197
Client: 192.168.43.205**
**1. Samba server configuration:**
```
[root@197 ~]#yum install samba
[root@197 ~]#systemctl start smb
[root@197 ~]#systemctl enable smb
[root@197 ~]#groupadd -r admins
[root@197 ~]#useradd -s /sbin/nologin -G admins wangyan
```
**Add the Samba users**
```
[root@197 ~]#pdbedit -a wangyan
new password:
retype new password:
[root@197 ~]#useradd -s /sbin/nologin -G admins lucy
[root@197 ~]#smbpasswd -a lucy
New SMB password:
Retype new SMB password:
Added user lucy.
[root@197 ~]#pdbedit -L
wangyan:1001:
lucy:1002:
```
**Create the shared directory:**
```
[root@197 ~]#mkdir /wangyanshare
[root@197 ~]#touch wangyanshare.txt
```
**Edit the Samba configuration file and add the share:**
```
[root@197 ~]#vim /etc/samba/smb.conf
[wangyanshare]
comment = wangyan's share
path = /wangyanshare
valid users = wangyan,@admins
write list = wangyan
writeable = no
browseable = yes
```
**2. Client:**
```
[root@205 ~]#yum -y install cifs-utils samba-client
[root@205 ~]# smbclient -L 192.168.43.197 -Uwangyan
Enter SAMBA\wangyan's password:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        wangyanshare    Disk      wangyan's share
        IPC$            IPC       IPC Service (Samba 4.9.1)
        wangyan         Disk      Home Directories
```
**Mount manually:**
```
[root@205 ~]# mount -o username=wangyan,password=123456 //192.168.43.197/wangyanshare /mnt/wangyan
[root@205 ~]# df -h
Filesystem                     Size  Used Avail Use% Mounted on
devtmpfs                       979M     0  979M   0% /dev
tmpfs                          991M     0  991M   0% /dev/shm
tmpfs                          991M  9.6M  981M   1% /run
tmpfs                          991M     0  991M   0% /sys/fs/cgroup
/dev/mapper/centos-root        100G  3.0G   97G   3% /
/dev/sda1                      497M  139M  358M  28% /boot
tmpfs                          199M     0  199M   0% /run/user/0
//192.168.43.197/wangyanshare  100G  7.1G   93G   8% /mnt/wangyan
```
![](https://s4.51cto.com/images/blog/202005/03/fedaa55519a511c3cb3c46aed9519d05.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
# 4. Real-time synchronisation of /www with rsync + inotify
**Environment:
rsync client: 192.168.43.197
rsync server: 192.168.43.187**
**1. Install and configure inotify on the rsync client:**
```
[root@187 ~]#yum -y install inotify-tools
```
**2. Configure the rsync server:**
Install rsync:
```
[root@197 ~]#yum -y install rsync
[root@197 ~]#systemctl start rsyncd
[root@197 ~]#systemctl enable rsyncd
```
Prepare the account/password file:
```
[root@197 ~]#echo "rsyncuser:123456" > /etc/rsync.pass
[root@197 ~]#chmod 600 /etc/rsync.pass
```
Prepare the directory that receives the synchronised data:
```
[root@197 ~]#mkdir /backup
```
Edit the rsync configuration file:
```
[root@197 ~]#vim /etc/rsyncd.conf
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.43.0/24
[backup]
path = /backup
comment = data backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
[root@197 ~]#systemctl restart rsyncd
```
**3. rsync client:**
```
[root@187 ~]#echo "123456" > /inotify/rsync.pass
[root@187 ~]#chmod 600 /inotify/rsync.pass
[root@187 ~]#cat /inotify/rsync.pass
123456
[root@187 ~]#vim /inotify/inotify_rsync.sh
```
```
#!/bin/bash
SRC='/data/test'
DEST='rsyncuser@192.168.43.197::backup'
# Emit the watched directory and the file name as separate fields so that
# `read` gets them back as DIR and FILE; with "%w%f event:%;e" the whole path
# landed in DIR and the event list in FILE, so FILEPATH was wrong in the log.
inotifywait -mrq ${SRC} --timefmt "%F %H:%M" --format "%T %w %f %;e" -e create,delete,moved_to,close_write,attrib | while read DATE TIME DIR FILE EVENT; do
    FILEPATH=${DIR}${FILE}
    # Every event re-syncs the whole tree; --delete propagates removals.
    rsync -az --delete --password-file=/inotify/rsync.pass $SRC $DEST && echo "At ${TIME} on ${DATE}, file $FILEPATH was backed up via rsync" >> /inotify/changelist.log
done
```
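As an added example (not the post's script), the same inotifywait-to-rsync loop split into pieces that can be tested offline: the fields are `|`-separated instead of space-separated so a path containing spaces survives `read`, and the rsync call can be skipped with `DRY_RUN=1`. `SRC`, `DEST` and the password file follow the post; the function names and the sample event line in the test are assumptions.

```shell
# Added example, not the post's script: the inotifywait|rsync loop split into
# testable pieces. Fields are '|'-separated so paths with spaces survive read.
# SRC, DEST and the password file follow the post; function names are assumed.
SRC='/data/test'
DEST='rsyncuser@192.168.43.197::backup'
PASSFILE='/inotify/rsync.pass'
LOGFILE='/inotify/changelist.log'
INOTIFY_FMT='%T|%w|%f|%;e'    # "DATE TIME|watched dir|file|EVENT;EVENT"

# event_path <line>: print the full path an inotifywait line refers to.
event_path() {
    IFS='|' read -r stamp dir file events <<EOF
$1
EOF
    printf '%s%s\n' "$dir" "$file"
}

# handle_line <line>: push SRC to the rsync daemon (skipped when DRY_RUN=1,
# so the parsing can be tested offline) and print the log entry.
handle_line() {
    IFS='|' read -r stamp dir file events <<EOF
$1
EOF
    if [ "${DRY_RUN:-0}" != 1 ]; then
        rsync -az --delete --password-file="$PASSFILE" "$SRC" "$DEST" || return 1
    fi
    printf 'At %s, %s (%s) was backed up via rsync\n' "$stamp" "${dir}${file}" "$events"
}

# watch_and_sync: the post's loop, one handle_line call per event.
watch_and_sync() {
    inotifywait -mrq "$SRC" --timefmt '%F %H:%M' --format "$INOTIFY_FMT" \
        -e create,delete,moved_to,close_write,attrib |
    while IFS= read -r line; do
        handle_line "$line" >> "$LOGFILE"
    done
}
```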
**4、测试**
![](https://s4.51cto.com/images/blog/202005/03/17c746f1439900025d0d7f7c8df8ddc5.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
# 5. Use iptables to allow telnet, ftp, web and samba services and reject all other ports
```
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443,21,22,23,139,445 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
```
![](https://s4.51cto.com/images/blog/202005/03/148b4ea8728d483b47af8c37f138acdf.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
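As an added example (not the post's commands), the same policy expressed as one atomic `iptables-restore` ruleset, with two additions a practitioner would want: loopback is accepted, and the FTP connection-tracking helper is loaded so that passive-mode data connections are classified RELATED and pass the first rule. `is_allowed` only inspects the ruleset text and is what the test exercises; the function names are assumptions.

```shell
# Added example, not the post's commands: the post's policy as an atomic
# iptables-restore ruleset plus loopback and the FTP conntrack helper.
# Function names are assumptions; only apply_ruleset needs root.
ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,21,22,23,139,445 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# is_allowed <tcp|udp> <port>: exit 0 if a NEW inbound connection to the port
# is accepted by the ruleset above (pure text check, no iptables needed).
is_allowed() {
    ruleset |
        sed -n "s/^-A INPUT -p $1 -m multiport --dports \([0-9,]*\) .*--state NEW -j ACCEPT$/\1/p" |
        tr ',' '\n' | grep -qx "$2"
}

# apply_ruleset: parse-check first, then load everything in one transaction.
apply_ruleset() {
    modprobe nf_conntrack_ftp                     # PASV data channel -> RELATED
    ruleset | iptables-restore --test || return 1
    ruleset | iptables-restore
}
```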
Architecture-class assignments are here:
1. Install and configure Prometheus and Alertmanager to monitor k8s, and display the monitoring data in Grafana