2025-03-18 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Experiment preparation: this experiment is implemented on two CentOS hosts, one as the FTP server and the other as the database server:
one CentOS-7 host as the MySQL server and one CentOS-6 host as the FTP server.
Note that which host acts as the FTP server is critical here, because one PAM module package, pam_mysql, is not available on CentOS-7 and has to be compiled from source. I will first demonstrate with CentOS-6 as the FTP server.

CentOS-6 as the FTP server

First, configure the database server

1. Install the mariadb-server package

    yum -y install mariadb-server
    # on the database server: start the service and enable it at boot
    systemctl start mariadb
    systemctl enable mariadb

2. For the sake of security, you can run the mariadb security script "mysql_secure_installation"

    First question: enter the root password. Just press Enter, because there is none.
    Second question: do you need to set the root password? Of course.
    Third question: do you need to delete the anonymous users? Of course.
    Fourth question: do you prohibit root from logging in remotely? That depends on the needs of your company.
    Fifth question: do you need to delete the test database? I don't need to.
    Sixth question: do you reload the privilege tables now? Of course.

3. Set up the virtual user accounts on the mariadb server

Create the database that stores the virtual users and the database user used for connections (a line starting with mysql> means you need to be connected to the database to run it).

    # create the database
    mysql> CREATE DATABASE vsftpd;
    # check whether the database has been created successfully
    mysql> SHOW DATABASES;

Then create a user to manage the vsftpd database.
    mysql> GRANT all ON vsftpd.* TO vsftpd@'192.168.136.6' IDENTIFIED BY 'centos';

Command parsing:
GRANT: the keyword that creates and authorizes the user
all: grants all permissions on the vsftpd database
vsftpd.*: all tables of the vsftpd database
vsftpd@'192.168.136.6': the part before @ is the user name; the part after @ means the user can only log in from 192.168.136.6. To allow a whole network segment, use a percent sign: 192.168.136.%
IDENTIFIED BY 'centos': sets the password; centos is the user's password.
Prepare the table that stores the users

    # switch to the vsftpd database
    mysql> USE vsftpd;
    # view the tables
    mysql> SHOW TABLES;
    # create the users table
    mysql> CREATE TABLE users (id int auto_increment not null primary key, name varchar(30) binary not null, password varchar(50) binary not null);

Command parsing:
create table users: creates a table named users. The table structure is given inside the parentheses, with the fields separated by commas: the first field is id, the second is name, and the third is password.
Modifiers:
int: the field is a number
auto_increment: the field is an automatically incrementing integer
not null: the field cannot be empty
primary key: the field is the primary key
varchar(30): the field holds characters, up to a length of 30
binary: the field is compared byte for byte (case-sensitively), which makes it usable for login verification
Add virtual users to the users table
Add the required users as needed, and use the PASSWORD function so that their passwords are stored hashed rather than in plain text.
    # view the table structure
    mysql> DESC users;
    # insert the users
    mysql> INSERT INTO users (name,password) VALUES ('wang',password('wang'));
    mysql> INSERT INTO users (name,password) VALUES ('li',password('li'));
    # view the table content
    mysql> SELECT * FROM users;

Second, configure the FTP server

1. Install the vsftpd and pam_mysql packages on the FTP server

On centos6, pam_mysql is provided by the epel6 repository. Configure the epel repository:

    [epel]
    name=centos-epel
    baseurl=http://mirrors.aliyun.com/epel/6/x86_64/
    gpgcheck=0
    enabled=1

    # install the module and the FTP server package
    yum install vsftpd pam_mysql

2. Create the PAM module authentication file required by FTP
Because authentication now has to connect to the database, the previous PAM configuration can no longer be used, so you need to write one yourself.
Create a configuration file called vsftpd.mysql in the /etc/pam.d/ directory to hold the PAM module settings:

    cd /etc/pam.d/
    touch vsftpd.mysql
    vim vsftpd.mysql

Add the following lines (replace DATABASE_IP with the IP address of the database server):

    auth required pam_mysql.so user=vsftpd passwd=centos host=DATABASE_IP db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
    account required pam_mysql.so user=vsftpd passwd=centos host=DATABASE_IP db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

Configuration field description:
auth: authentication
account: verifies that the account and its password are in order
required: this check must pass
pam_mysql.so: the module; by default a path relative to /lib64/security/, an absolute path can also be written
Parameters passed to the module:
user=vsftpd: the user that logs in to mysql
passwd=centos: the password of that mysql user
host: host name or IP address of the mysql server
db=vsftpd: the name of the database to connect to
table=users: the table name in that database
usercolumn=name: the field used as the user name
passwdcolumn=password: the field that holds the user's password
crypt=2: the password is stored using the mysql password() function

Note: crypt is the encryption method. 0 means no encryption, 1 means crypt(3) encryption, 2 means the mysql password() function, 3 means md5, 4 means sha1.

3. Create an ordinary system user that the virtual users are mapped to
First, create the user and the shared directories

    # create the system user that the virtual users are mapped to, and its directory
    useradd -s /sbin/nologin -d /var/ftproot vuser
    # change the directory permissions, because the FTP shared root directory cannot have write permission
    chmod 555 /var/ftproot
    # create the shared directories for upload and download
    mkdir /var/ftproot/{upload,pub}
    # give the vuser user ACL permissions on the upload directory
    setfacl -m u:vuser:rwx /var/ftproot/upload
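What crypt=2 in /etc/pam.d/vsftpd.mysql means for the rows inserted with PASSWORD(), as an added Python example (not part of the original article and not pam_mysql's own code): it parses the PAM line, hashes the supplied password according to the crypt value and compares the result with the stored column. The function names, the DATABASE_IP placeholder and the users list are constructed for illustration, and the 41-character PASSWORD() format assumes MySQL 4.1 or later.

```python
import hashlib
import hmac

def mysql_password(plain: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(plain)). Unsalted."""
    inner = hashlib.sha1(plain.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# crypt= values as listed in the article; 1 (crypt(3)) is omitted from this sketch.
CRYPT_MODES = {
    0: lambda p: p,                                      # clear text in the table
    2: mysql_password,                                   # MySQL PASSWORD()
    3: lambda p: hashlib.md5(p.encode()).hexdigest(),    # md5
    4: lambda p: hashlib.sha1(p.encode()).hexdigest(),   # sha1
}

def parse_pam_line(line: str) -> dict:
    """Split 'auth required pam_mysql.so key=value ...' into its fields."""
    kind, control, module, *args = line.split()
    return {"type": kind, "control": control, "module": module,
            **dict(arg.split("=", 1) for arg in args)}

def authenticate(pam_line: str, rows: list, name: str, password: str) -> bool:
    """Emulate the check: find the row by usercolumn, hash the input, compare."""
    cfg = parse_pam_line(pam_line)
    hasher = CRYPT_MODES[int(cfg["crypt"])]
    for row in rows:
        if row[cfg["usercolumn"]] == name:   # case-sensitive, like the binary column
            stored = row[cfg["passwdcolumn"]]
            return hmac.compare_digest(hasher(password).encode(), stored.encode())
    return False

# Constructed sample data: the article's PAM line (DATABASE_IP is a placeholder)
# and a users table filled the way the INSERT ... password('...') statements fill it.
PAM_LINE = ("auth required pam_mysql.so user=vsftpd passwd=centos host=DATABASE_IP "
            "db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2")
USERS = [{"name": n, "password": mysql_password(n)} for n in ("wang", "li")]

if __name__ == "__main__":
    for row in USERS:
        print(row["name"], row["password"], len(row["password"]))
    print(authenticate(PAM_LINE, USERS, "wang", "wang"))
    print(authenticate(PAM_LINE, USERS, "wang", "li"))
```

Because PASSWORD() is unsalted, two virtual users with the same password get identical values in the password column, and the stored value fits the varchar(50) field with room to spare.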
Modify the master configuration file
Confirm that the following options are enabled in /etc/vsftpd/vsftpd.conf:

    # allow anonymous users to log in
    anonymous_enable=YES
    # add the following two items to map virtual users to a system user
    guest_enable=YES
    guest_username=vuser
    # change the following item; after this, the original system users can no longer log in
    pam_service_name=vsftpd.mysql

4. Start the FTP service

    # start the service
    service vsftpd start
    # start it automatically at boot
    chkconfig vsftpd on
    # check that the port is open
    ss -ntlp | grep :21

5. SELinux settings

    restorecon -R /lib64/security
    setsebool -P ftpd_connect_db 1
    setsebool -P ftp_home_dir 1
    chcon -R -t public_content_rw_t /var/ftproot/

Final test

1. li user login test: successful

    [root@ansible-7 ~]# ftp 192.168.136.6
    Connected to 192.168.136.6 (192.168.136.6).
    220 (vsFTPd 2.2.2)
    Name (192.168.136.6:root): li
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.

2. wang user login test: successful

    [root@ansible-7 ~]# ftp 192.168.136.6
    Connected to 192.168.136.6 (192.168.136.6).
    220 (vsFTPd 2.2.2)
    Name (192.168.136.6:root): wang
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.

Third, give each virtual user different permissions
1. Modify the main configuration file
    vim /etc/vsftpd/vsftpd.conf

Add the following option so that virtual users can have independent permission configuration files; the directory that stores them can be chosen freely.

    user_config_dir=/etc/vsftpd/vusers_config/
2. Create a permission configuration file for each virtual user under the /etc/vsftpd/vusers_config/ directory, with the file name matching the corresponding user name
    mkdir /etc/vsftpd/vusers_config/
    cd /etc/vsftpd/vusers_config/
    touch wang
    touch li

Note: virtual users access the vsftpd service through the directives for anonymous users.

The following permissions can be added to the file:

    # whether uploading is supported
    anon_upload_enable={YES|NO}
    # whether creating directories is supported
    anon_mkdir_write_enable={YES|NO}
    # whether deleting files is supported
    anon_other_write_enable={YES|NO}
    # the shared directory that the virtual account is placed in after login
    local_root=/ftproot

For example, to let the wang user upload, download and delete files, you only need to add the following lines to wang's permission configuration file.

Note: make sure the mapped system user has write access in the file system.

    vim wang
    anon_upload_enable=YES
    anon_other_write_enable=YES
    anon_mkdir_write_enable=YES

When CentOS-7 is the FTP server there is only one difference: you need to compile and install the pam_mysql module yourself. The rest is roughly the same.
Steps:
    # install the development package group
    yum -y groupinstall "Development Tools"
    # install the related dependency packages
    yum -y install mariadb-devel pam-devel vsftpd
    # download the pam_mysql-0.7RC1.tar.gz source package from
    # https://sourceforge.net/projects/pam-mysql/
    # unpack the source package
    tar xvf pam_mysql-0.7RC1.tar.gz
    # enter the pam_mysql-0.7RC1/ directory to start compiling
    cd pam_mysql-0.7RC1/
    # run the configure script
    ./configure \
        --with-mysql=/usr \
        --with-pam=/usr \
        --with-pam-mods-dir=/lib64/security
    # compile
    make -j 4
    # install
    make install
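For the per-user permission files under /etc/vsftpd/vusers_config/ described earlier, an added Python example (not from the original article and not part of vsftpd) that overlays each user's file on the main configuration and reports which write permissions actually take effect. The sample file contents are constructed; write_enable=YES is an assumption, since the article does not show that line, and vsftpd only honours the anon_* write options when write_enable is on.

```python
WRITE_OPTS = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")

def parse_conf(text: str) -> dict:
    """Parse vsftpd-style 'key=value' lines (no spaces around '=', '#' comments)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def effective(main_text: str, user_text: str = "") -> dict:
    """Overlay one user's file on the main file and resolve the write options."""
    conf = {**parse_conf(main_text), **parse_conf(user_text)}
    def yes(key: str) -> bool:
        return conf.get(key, "NO").upper() in ("YES", "TRUE", "1")
    writable = yes("write_enable")           # vsftpd's built-in default is NO
    result = {opt: writable and yes(opt) for opt in WRITE_OPTS}
    result["local_root"] = conf.get("local_root")
    # options set to YES that do nothing because write_enable is off
    result["ignored"] = [opt for opt in WRITE_OPTS if yes(opt) and not writable]
    return result

def report(main_text: str, user_files: dict) -> dict:
    """Effective permissions for every virtual user that has a per-user file."""
    return {name: effective(main_text, text) for name, text in user_files.items()}

# Constructed sample input mirroring the article's files.
MAIN = """\
anonymous_enable=YES
guest_enable=YES
guest_username=vuser
pam_service_name=vsftpd.mysql
user_config_dir=/etc/vsftpd/vusers_config/
write_enable=YES
"""
USER_FILES = {
    "wang": "anon_upload_enable=YES\nanon_other_write_enable=YES\nanon_mkdir_write_enable=YES\n",
    "li": "",
}

if __name__ == "__main__":
    for name, perms in report(MAIN, USER_FILES).items():
        print(name, perms)
    no_write = MAIN.replace("write_enable=YES", "write_enable=NO")
    print(report(no_write, USER_FILES)["wang"]["ignored"])
```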