vsftp文件共享服务

发表于

1)基于虚拟用户的访问形式

2)匿名用户只允许下载,不允许上传

3)禁锢所有的用户于其家目录当中

4)限制最大并发连接数为200

5)匿名用户的最大传输速率512KB/s

6)虚拟用户的账号存储在mysql数据库当中

7)数据库通过NFS进行共享

先科(zhuang)普(bi)

我们登录FTP有三种方式,匿名登录、本地用户登录和虚拟用户登录。

匿名登录:在登录FTP时使用默认的用户名,一般是ftp或anonymous。

本地用户登录:使用系统用户登录,在/etc/passwd中。

虚拟用户登录:这是FTP专有用户,有两种方式实现虚拟用户,本地数据文件和数据库服务器。

FTP虚拟用户是FTP服务器的专有用户,使用虚拟用户登录FTP,只能访问FTP服务器提供的资源,大大增强了系统的安全。

测试环境

NFS&MySQL服务器 192.168.0.248

vsftp 服务器 192.168.0.235

一、通过NFS服务器共享数据库

1、在192.168.0.248服务器上启动nfs服务,设置共享目录为/nfs_data

[root@CentOS6 ~]# mkdir -pv /nfs_data
mkdir: created directory `/nfs_data’

2、安装组件

yum install rpcbind nfs-server nfs-lock nfs-idmap

3、启动nfs服务

1
2
3
4
5
6
7
8
9
10
11
[root@CentOS7 ~]# systemctl start nfs-server.service
[root@CentOS7 ~]# systemctl status nfs-server.service 
● nfs-server.service - NFS server and services
   Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; enabled; vendor preset: disabled)
   Active: active (exited) since 五 2017-03-24 16:38:33 CST; 1 day 7h ago
 Main PID: 37384 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/nfs-server.service

3月 24 16:38:33 CentOS7 systemd[1]: Starting NFS server and services...
3月 24 16:38:33 CentOS7 systemd[1]: Started NFS server and services.
[root@CentOS7 ~]#

4、编辑 vim /etc/exports

添加一下内容

1
/nfs_data 192.168.0.0/24(rw,no_root_squash,sync)

exportfs -r 一下使其生效

注:配置文件说明:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
/nfs_data为共享目录

192.168.0.0/24  可以为一个网段,一个IP,也可以是域名,域名支持通配符 如: *.qq.com

rw:read-write,可读写;

ro:read-only,只读;

sync:文件同时写入硬盘和内存;

async:文件暂存于内存,而不是直接写入内存;

no_root_squash:NFS客户端连接服务端时如果使用的是:root的话,那么对服务端分享的目录来说,也拥有root权限。显然开启这项是不安全的。

root_squash:NFS客户端连接服务端时如果使用的是root的话,那么对服务端分享的目录来说,拥有匿名用户权限,通常他将使用nobody或nfsnobody身份;

all_squash:不论NFS客户端连接服务端时使用什么用户,对服务端分享的目录来说都是拥有匿名用户权限;

二、vsftp mysql 服务器挂载nfs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[root@CentOS6 ~]# showmount -e 192.168.0.235
Export list for 192.168.0.235:
/nfs_data 192.168.0.0/24

[root@CentOS6 ~]# mount -t nfs 192.168.0.235:/nfs_data /nfs_data

[root@CentOS6 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_centos6-lv_root
                       18G  3.3G   13G  21% /
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sda1             477M   69M  383M  16% /boot
192.168.0.235:/nfs_data
                       17G  6.9G   11G  41% /nfs_data

客户端在挂载的时候遇到的一个问题如下,可能是网络不太稳定,NFS默认是用UDP协议,换成TCP协议即可

mount -t nfs 192.168.0.235:/nfs_data /nfs_data -o proto=tcp -o nolock

在客户端写入一个有内容的文件测试,嘿嘿,服务端马上看到了,欧耶

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177



**vsftp mysql 服务器 192.168.0.235安装MySQL/MariaDB**

这里我就直接yum安装MariaDB了

yum install mariadb-server.x86_64 mariadb-devel.x86_64 openssl-devel.x86_64
systemctl start mariadb.service 
systemctl enable mariadb.service 

**安装PAM-MySQL,要跟vsftp安装在同一台机器上**

下载源码包,加压

安装前再次确认依赖包

yum install pam-devel openssl-devel mariadb-devel

**CentOS7**
./configure --with-mysql=/usr --with-openssl --with-pam=/usr --with-pam-mods-dir=/usr/lib64/security

**CentOS6**
./configure --with-mysql=/usr --with-openssl --with-pam=/usr --with-pam-mods-dir=/lib64/security/

make -j 4 && make install



**配置数据库,创建vsftpd的库和表**

```mysql
[root@CentOS7 pam_mysql-0.7RC1]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.52-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
| vsftpd             |
+--------------------+
5 rows in set (0.00 sec)

MariaDB [(none)]> use vsftpd;
Database changed
MariaDB [vsftpd]> create table users (
    -> id int auto_increment not null primary key,
    -> name char(30) not null,
    -> password char(48) binary not null );
Query OK, 0 rows affected (0.00 sec)

MariaDB [vsftpd]> desc users;
+----------+----------+------+-----+---------+----------------+
| Field    | Type     | Null | Key | Default | Extra          |
+----------+----------+------+-----+---------+----------------+
| id       | int(11)  | NO   | PRI | NULL    | auto_increment |
| name     | char(30) | NO   |     | NULL    |                |
| password | char(48) | NO   |     | NULL    |                |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

MariaDB [vsftpd]> insert into users(name,password) values ('jerry',password('mageedu'));
Query OK, 1 row affected (0.00 sec)

MariaDB [vsftpd]> insert into users(name,password) values ('tom',password('mageedu111'));
Query OK, 1 row affected (0.00 sec)

MariaDB [vsftpd]> select * from users;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  1 | jerry | *9A94EE7D14C10908118B62D2DA88E6932E11E438 |
|  2 | tom   | *67CF267D9D554496768C605C2D66754EAE874C12 |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [vsftpd]> 

#我这边vsftpd跟mysql不是同一台机器,所以开启远程授权    
MariaDB [mysql]> grant select on vsftpd.* to vsftpd@'192.168.0.248' identified by 'mageedu';
Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

[root@CentOS7 pam_mysql-0.7RC1]# mysql -uvsftpd -pmageedu
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 5.5.52-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
| vsftpd             |
+--------------------+
3 rows in set (0.00 sec)

MariaDB [(none)]> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [vsftpd]> select * from users;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  1 | jerry | *9A94EE7D14C10908118B62D2DA88E6932E11E438 |
|  2 | tom   | *67CF267D9D554496768C605C2D66754EAE874C12 |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [vsftpd]> exit
Bye
[root@CentOS7 pam_mysql-0.7RC1]# 
```

   



**迁移MariaDB的数据库默认数据存放目录,放到/nfs_data/目录中,形成NFS共享**

```bash
[root@CentOS7 /]# systemctl stop mariadb.service 

[root@CentOS7 /]# cp -r /var/lib/mysql/ /nfs_data/

[root@CentOS7 /]#vim /etc/my.cnf

修改成:datadir=/nfs_data/mysql

[root@CentOS7 /]#cd /nfs_data/

[root@CentOS7 /]# chown -R mysql:mysql mysql/

[root@CentOS7 /]#systemctl start mariadb.service 

[root@CentOS7 /]#systemctl status mariadb.service

● mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: active (running) since 日 2017-03-26 15:16:34 CST; 18min ago
  Process: 94278 ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
  Process: 94247 ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n (code=exited, status=0/SUCCESS)
 Main PID: 94277 (mysqld_safe)
   CGroup: /system.slice/mariadb.service
           ├─94277 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
           └─94435 /usr/libexec/mysqld --basedir=/usr --datadir=/nfs_data...

3月 26 15:16:32 CentOS7 systemd[1]: Starting MariaDB database server...
3月 26 15:16:32 CentOS7 mysqld_safe[94277]: 170326 15:16:32 mysqld_safe....
3月 26 15:16:32 CentOS7 mysqld_safe[94277]: 170326 15:16:32 mysqld_safe...l
3月 26 15:16:34 CentOS7 systemd[1]: Started MariaDB database server.
Hint: Some lines were ellipsized, use -l to show in full.
```

这时候,两边机器的NFS目录都看看,OK啦

安装vsftpd

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
[root@CentOS6 mysql]# yum install vsftpd
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * epel: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:2.2.2-21.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================
 Package         Arch            Version                Repository     Size
============================================================================
Installing:
 vsftpd          x86_64          2.2.2-21.el6           base          155 k

Transaction Summary
============================================================================
Install       1 Package(s)

Total download size: 155 k
Installed size: 340 k
Is this ok [y/N]: y
Downloading Packages:
vsftpd-2.2.2-21.el6.x86_64.rpm                       | 155 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : vsftpd-2.2.2-21.el6.x86_64                               1/1 
  Verifying  : vsftpd-2.2.2-21.el6.x86_64                               1/1 

Installed:
  vsftpd.x86_64 0:2.2.2-21.el6                                              

Complete!

配置vsftpd的pam文件

[root@CentOS6 ~]# vim /etc/pam.d/vsftpd.mysql

输入以下内容:

1
2
3
auth required pam_mysql.so user=vsftpd passwd=mageedu host=192.168.0.235 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

account required pam_mysql.so user=vsftpd passwd=mageedu host=192.168.0.235 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

创建系统用户

因为虚拟用户最终要映射为系统用户,所以得创建用于vsftpd映射使用滴用户啦。。。。。

1
2
3
4
[root@CentOS6 ~]# mkdir -pv /ftproot
mkdir: created directory `/ftproot'

[root@CentOS6 /]# useradd -s /sbin/nologin -d /ftproot vuser

确保vuser的家目录其他用户能读能执行

1
2
3
4
5
6
7
[root@CentOS6 /]# ll |grep ftproot/
[root@CentOS6 /]# ll |grep ftpr
drwx------    3 vuser vuser  4096 Mar 27 13:59 ftproot
[root@CentOS6 /]# chmod +rx -R /ftproot/
[root@CentOS6 /]# ll |grep ftpr
drwxr-xr-x    3 vuser vuser  4096 Mar 27 13:59 ftproot
[root@CentOS6 /]#

配置/etc/vsftpd/vsftpd.conf

vim /etc/vsftpd/vsftpd.conf

修改 pam_service_name=vsftpd.mysql

匿名用户只允许下载,不允许上传

vim /etc/vsftpd/vsftpd.conf

anonymous_enable=YES #允许匿名账户登录

anon_upload_enable=NO #不允许匿名用户上传文件

禁锢所有的用户于其家目录当中

chroot_local_user=YES #禁锢本地账户的家目录

限制最大并发连接数为200

max_clients=200 #最大允许的客户端连接数

匿名用户的最大传输速率512KB/s

local_max_rate=512000

写入配置文件后,重启vsftp服务即可。

0%