環境:
192.168.43.127 centos7 mysql
192.168.43.106 centos6 vsftpd pam_mysql
一、127安裝數據庫 mariadb-server
[root@mysql1 ~]# yum -y install mariadb-server
[root@mysql1 ~]# systemctl start mariadb.service
[root@mysql1 ~]# systemctl enable mariadb
二、126安裝vsftpd和pam_mysql
yum install vsftpd pam_mysql
service vsftpd start
chkconfig vsftpd on
三、在數據庫服務器上建立虛擬用戶帳號
[root@mysql1 ~]# mysql -uroot -p123456
註:文中的 123456 僅為示例密碼;實際部署應使用強密碼,並且只寫 -p 讓客戶端交互式詢問密碼,避免密碼留在 shell 歷史和進程列表中。
MariaDB [(none)]> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.001 sec)
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| vsftpd             |
+--------------------+
MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO vsftpd@'192.168.43.%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.233 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.133 sec)
MariaDB [(none)]> USE vsftpd;
Database changed
MariaDB [vsftpd]> CREATE TABLE users ( id INT AUTO_INCREMENT NOT NULL PRIMARY KEY, name CHAR(50) BINARY NOT NULL, password CHAR(48) BINARY NOT NULL );
Query OK, 0 rows affected (0.234 sec)
測試連接:
[root@centos6 ~]# mysql -uvsftpd -h192.168.43.205 -p123456
Welcome to the MySQL monitor. Commands end with ; or \g.
插入用戶:
MariaDB [vsftpd]> INSERT INTO users(name,password) values('wang',password('123456'));
Query OK, 1 row affected (0.038 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('li',password('123456'));
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd]> SELECT * FROM users;
+----+------+-------------------------------------------+
| id | name | password                                  |
+----+------+-------------------------------------------+
|  1 | wang | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
|  2 | li   | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
+----+------+-------------------------------------------+
2 rows in set (0.000 sec)
註:PASSWORD() 生成的是不加鹽的哈希,所以上表中密碼相同的兩個用戶哈希值完全相同;該函數在 MySQL 8.0 中已被移除。pam_mysql 的 crypt=2 對應的就是這種格式,選用它即意味着接受這一弱點。
四、在FTP服務器上創建pam認證所需文件
[root@centos6 ~]#vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=123456 host=192.168.43.205 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=123456 host=192.168.43.205 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
註:此文件含有數據庫帳號的明文密碼,應限制為僅 root 可讀(例如 chmod 600 /etc/pam.d/vsftpd.mysql)。
五、FTP服務器上建立映射用戶:
[root@centos6 ~]#useradd -s /sbin/nologin -d /var/ftproot vuser
[root@centos6 ~]#chmod 555 /var/ftproot
[root@centos6 ~]# mkdir /var/ftproot/{upload,pub}
[root@centos6 ~]# tree -d /var/ftproot/
/var/ftproot/
├── pub
└── upload
六、配置ftp服務:
修改下列幾項配置,使wang用戶具備上傳下載的權限,li用戶使用單獨的根文件夾,能夠上傳下載
[root@centos6 ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
pam_service_name=vsftpd.mysql
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config
註:虛擬用戶登錄依靠的是 guest_enable 和 pam_service_name,並不需要匿名登錄;如果沒有匿名訪問的需求,應將 anonymous_enable 設為 NO。
[root@centos6 ~]# tree /etc/vsftpd/vusers_config/
/etc/vsftpd/vusers_config/
├── li
└── wang
wang用戶配置文件
[root@centos6 vusers_config]# cat wang
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
li用戶配置文件
[root@centos6 vusers_config]# cat li
local_root=/ftproot_li
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
建立li用戶根目錄
[root@centos6 ~]# setfacl -m u:vuser:rwx /var/ftproot/upload
[root@centos6 ~]# mkdir /ftproot_li
[root@centos6 ~]# chmod 555 /ftproot_li
[root@centos6 ~]# setfacl -m u:vuser:rwx li
七、重啓vsftpd
[root@centos6 ~]# service vsftpd restart
Shutting down vsftpd: [FAILED]
Starting vsftpd for vsftpd: [ OK ]
[root@centos6 ~]# chkconfig vsftpd on
八、驗證:
li用戶登錄,根目錄/ftproot_li
[root@mysql1 ~]# ftp 192.168.43.106
Name (192.168.43.106:root): li
331 Please specify the password.
230 Login successful.
ftp> cd li
250 Directory successfully changed.
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (192,168,43,106,46,74).
150 Ok to send data.
226 Transfer complete.
980 bytes sent in 6.7e-05 secs (14626.86 Kbytes/sec)
ftp> get a
local: a remote: a
227 Entering Passive Mode (192,168,43,106,197,240).
150 Opening BINARY mode data connection for a (2 bytes).
226 Transfer complete.
2 bytes received in 2.1e-05 secs (95.24 Kbytes/sec)
ftp> !ls
2345 a anaconda-ks.cfg b c
wang用戶登錄,根目錄/var/ftproot/
[root@mysql1 ~]# ftp 192.168.43.106
ftp> ls
227 Entering Passive Mode (192,168,43,106,64,16).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Apr 26 01:19 pub
drwxrwxr-x 2 0 0 4096 Apr 26 02:24 upload
226 Directory send OK.
ftp> cd upload
ftp> ls
-rw------- 1 501 501 980 Apr 26 02:24 anaconda-ks.cfg
226 Directory send OK.
ftp> put a
local: a remote: a
227 Entering Passive Mode (192,168,43,106,205,1).
150 Ok to send data.
226 Transfer complete.
2 bytes sent in 0.000109 secs (18.35 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,43,106,165,68).
150 Here comes the directory listing.
-rw------- 1 501 501 2 Apr 26 02:58 a
-rw------- 1 501 501 980 Apr 26 02:24 anaconda-ks.cfg
226 Directory send OK.
環境:
nfs服務器192.168.43.197
客戶端:192.168.43.205
一、nfs服務器配置
[root@197]# yum -y install nfs-utils
[root@197]# systemctl start nfs
[root@197]# systemctl enable nfs
[root@197]# mkdir /www
[root@197]# touch 197.txt
[root@197]# vim /etc/exports
/www 192.168.43.0/24(rw,no_root_squash)
43.0網絡的主機均可以訪問/www共享,且具備rw權限,並且不對root用戶做身份壓縮(root squash)。
註:no_root_squash 使該網段內任一客戶端上的 root 在共享目錄中同樣擁有 root 權限;若非必需,應保留默認的 root_squash,並把允許訪問的客戶端範圍收窄到具體主機。
[root@197]# exportfs -rv
exporting 192.168.43.0/24:/www
二、客戶端205:
查看服務器共享信息
[root@205]# showmount -e 192.168.43.197
Export list for 192.168.43.197:
/www 192.168.43.0/24
手動掛載:
[root@205 ~]# mkdir /www
[root@205 ~]# touch 205.txt
[root@205 ~]# mount -o hard,intr,nosuid,nodev,noexec 192.168.43.197:/www /www
[root@205 ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
devtmpfs                 979M     0  979M   0% /dev
tmpfs                    991M     0  991M   0% /dev/shm
tmpfs                    991M  9.6M  981M   1% /run
tmpfs                    991M     0  991M   0% /sys/fs/cgroup
/dev/mapper/centos-root  100G  3.0G   97G   3% /
/dev/sda1                497M  139M  358M  28% /boot
tmpfs                    199M     0  199M   0% /run/user/0
192.168.43.197:/www      100G  7.1G   93G   8% /www
[root@205 ~]# ll /www
-rw-r--r-- 1 root root 0 May 2 18:13 197.txt
完成
環境:
samba服務器192.168.43.197
客戶端:192.168.43.205
一、samba服務器配置:
[root@197 ~]# yum install samba
[root@197 ~]# systemctl start smb
[root@197 ~]# systemctl enable smb
[root@197 ~]# groupadd -r admins
[root@197 ~]# useradd -s /sbin/nologin -G admins wangyan
添加samba用戶
[root@197 ~]# pdbedit -a wangyan
new password:
retype new password:
[root@197 ~]# useradd -s /sbin/nologin -G admins lucy
[root@197 ~]# smbpasswd -a lucy
New SMB password:
Retype new SMB password:
Added user lucy.
[root@197 ~]# pdbedit -L
wangyan:1001:
lucy:1002:
建立共享文件夾:
[root@197 ~]# mkdir /wangyanshare
[root@197 ~]# touch wangyanshare.txt
編輯samba配置文件,添加配置:
[root@197 ~]# vim /etc/samba/smb.conf
[wangyanshare]
comment = wangyan's share
path = /wangyanshare
valid users = wangyan,@admins
write list = wangyan
writeable = no
browseable = yes
二、客戶端:
[root@205 ~]# yum -y install cifs-utils samba-client
[root@205 ~]# smbclient -L 192.168.43.197 -Uwangyan
Enter SAMBA\wangyan's password:
    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    wangyanshare    Disk      wangyan's share
    IPC$            IPC       IPC Service (Samba 4.9.1)
    wangyan         Disk      Home Directories
手動掛載:
[root@205 ~]# mount -o username=wangyan,password=123456 //192.168.43.197/wangyanshare /mnt/wangyan
註:寫在 -o password= 裏的密碼會留在 shell 歷史和進程列表中;可改用 credentials= 選項指向一個僅 root 可讀的憑據文件。
[root@205 ~]# df -h
Filesystem                     Size  Used Avail Use% Mounted on
devtmpfs                       979M     0  979M   0% /dev
tmpfs                          991M     0  991M   0% /dev/shm
tmpfs                          991M  9.6M  981M   1% /run
tmpfs                          991M     0  991M   0% /sys/fs/cgroup
/dev/mapper/centos-root        100G  3.0G   97G   3% /
/dev/sda1                      497M  139M  358M  28% /boot
tmpfs                          199M     0  199M   0% /run/user/0
//192.168.43.197/wangyanshare  100G  7.1G   93G   8% /mnt/wangyan
環境:
rsync客戶端:192.168.43.197
rsync服務器:192.168.43.187
一、rsync客戶端安裝配置inotify:
[root@187 ~]# yum -y install inotify-tools
二、配置rsync服務器:
安裝rsync
[root@197 ~]# yum -y install rsync
[root@197 ~]# systemctl start rsyncd
[root@197 ~]# systemctl enable rsyncd
準備帳號密碼文件
[root@197 ~]# echo "rsyncuser:123456" > /etc/rsync.pass
[root@197 ~]# chmod 600 /etc/rsync.pass
準備同步數據目錄
[root@197 ~]# mkdir /backup
改rsync配置文件
[root@197 ~]# vim /etc/rsyncd.conf
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.43.0/24
[backup]
path = /backup
comment = data backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
註:uid/gid = root 加上 use chroot = no、read only = no,等於讓通過認證的 rsyncuser 以 root 身份向 /backup 寫入;條件允許時應改用專用的非特權帳號並啓用 chroot。
[root@197 ~]# systemctl restart rsyncd
三、rsync客戶端:
[root@187 ~]# echo "123456" > /inotify/rsync.pass
[root@187 ~]# chmod 600 /inotify/rsync.pass
[root@187 ~]# cat /inotify/rsync.pass
123456
[root@187 ~]# vim /inotify/inotify_rsync.sh
#!/bin/bash
SRC='/data/test'
DEST='rsyncuser@192.168.43.197::backup'
inotifywait -mrq ${SRC} --timefmt "%F %H:%M" --format "%T %w%f event:%;e" -e create,delete,moved_to,close_write,attrib| while read DATE TIME DIR FILE;do
FILEPATH=${DIR}${FILE}
rsync -az --delete --password-file=/inotify/rsync.pass $SRC $DEST && echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> /inotify/changelist.log
done
註:rsync daemon 模式(:: 語法)傳輸的數據不加密;跨越不可信網絡同步時,應改走 SSH 或放在 VPN 之內。
四、測試
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443,21,22,23,139,445 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
架構班作業看這裏:
一、安裝配置prometheus和alertmanager,實現對k8s的監控,並將監控數據展現到grafana