vsftpd + PAM + MySQL + 内外网 + 磁盘配额 配置全过程

网管

一、前期准备

1. 需要安装的工具

[root@ylt001 ~]# yum -y install net-tools vim wget 

2. 网络配置

1）修改 IP

[root@ylt001 ~]# ifconfig
# 查看当前ip详细信息
[root@ylt001 ~]# ip addr del 10.86.1.xx/24 dev ens160
# 删除原来的ip
[root@ylt001 ~]# ip addr add 10.86.1.xx/24 dev ens160
# 新配置的ip
[root@ylt001 ~]# systemctl restart network
# 重启网络服务
[root@ylt001 ~]# ifconfig
# 检查是否修改成功

2）修改外网配置文件

[root@ylt001 ~]# cd /etc/sysconfig/network-scripts/
[root@ylt001 ~]# cat ifcfg-ens192
TYPE="Ethernet"
BOOTPROTO="static"
NM_CONTROLLED=yes
IPV6INIT="yes"
DEVICE="ens192"
ONBOOT="yes"
IPADDR=202.116.83.xx
NETMASK=255.255.255.0
GATEWAY=202.116.83.1

3）修改内网配置文件

[root@ylt001 ~]# cat ifcfg-ens160
TYPE="Ethernet"
BOOTPROTO="static"
NM_CONTROLLED=yes
IPV6INIT="yes"
DEVICE="ens160"
ONBOOT="yes"
IPADDR=10.86.1.xx
NETMASK=255.255.255.0

4）配置 DNS

[root@ylt001 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 8.8.8.8
nameserver 8.8.4.4

5）重启并检查网络服务

[root@ylt001 ~]# systemctl restart network
[root@ylt001 ~]# ifconfig
[root@ylt001 ~]# ip link show

二、安装 vsftpd

[root@ylt001 ~]# yum install -y vsftpd

三、MariaDB 的安装与配置

1. 安装 mariadb

[root@ylt001 ~]# yum install -y mariadb mariadb-devel mariadb-server
[root@ylt001 ~]# systemctl enable mariadb
# 设置开机自启
[root@ylt001 ~]# systemctl restart mariadb
# 重启 mariadb
[root@ylt001 ~]# netstat -npl|grep 3306
# 查看是否开启

2. 为 root 账户设置密码

[root@ylt001 ~]# mysql_secure_installation          
# 该命令会执行以下几个设置：
# a)为root用户设置密码Y (默认密码)
# b)删除匿名账号Y
# c)取消root用户远程登录Y
# d)删除test库和对test库的访问权限Y
# e)刷新授权表使修改生效Y

3. 建立一个数据库并设置相应权限

[root@ylt001 ~]# mysql -u root -p
MariaDB [(none)]> create database ftpdb;
MariaDB [(none)]> use ftpdb;
MariaDB [(none)]> create table user(name varchar(20),passwd varchar(48));
MariaDB [(none)]> insert into user(name,passwd) values ("ylt",password("passwd"));
MariaDB [(none)]> select * from user;
MariaDB [(none)]> grant select on ftpdb.user to ftpuser@localhost identified by "passwd";
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;

四、配置 PAM 认证

1. 安装 pam pam-devel openssl-devel

[root@ylt001 ~]# yum install -y automake pam pam-devel openssl-devel

2. 编译安装 pam_mysql 包

[root@ylt001 ~]# cd /application
[root@ylt001 application]# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
[root@ylt001 application]# tar -xzvf pam_mysql-0.7RC1.tar.gz
[root@ylt001 application]# cd pam_mysql-0.7RC1/
[root@ylt001 application]# ./configure --with-mysql=/usr --with-openssl=/usr --with-pam=/usr --with-pam-mods-dir=/lib64/security
[root@ylt001 application]# make && make install
[root@ylt001 application]# ls /lib64/security/ | grep mysql
#pam_mysql.la
#pam_mysql.so

3. 建立 PAM 认证信息

[root@ylt001 ~]# vi /etc/pam.d/vsftpd
# 注释其他内容，写入如下两行：
auth required /lib64/security/pam_mysql.so user=ftpuser passwd=passwd host=localhost db=ftpdb table=user usercolumn=name passwdcolumn=passwd crypt=2
account required /lib64/security/pam_mysql.so user=ftpuser passwd=passwd host=localhost db=ftpdb table=user usercolumn=name passwdcolumn=passwd crypt=2
#crypt=0: 明文密码
#crypt=1: 使用crpyt()函数加密
#crypt=2: 使用MYSQL中的password()函数加密
#crypt=3：使用md5的散列方式

五、建立本地虚拟用户

[root@ylt001 ~]# useradd -s /sbin/nologin ftpuser
[root@ylt001 ~]# cd /home
[root@ylt001 home]# ll
ftpuser

六、修改配置文件

1. 前期准备

[root@ylt001 ~]# touch /var/log/xferlog
[root@ylt001 ~]# mkdir /etc/vsftpd/vsftpd_user_conf
[root@ylt001 ~]# touch chroot_list

2. 修改 vsftpd.conf

[root@ylt001 ~]# cat /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
#dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
#xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
chown_uploads=YES
chown_username=ftpuser
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=NO
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
allow_writeable_chroot=YES
anon_other_write_enable=NO
anon_world_readable_only=NO
delete_failed_uploads=TRUE
dirlist_enable=YES
anon_max_rate=1048576
local_max_rate=1048576
anon_umask=022
max_login_fails=3
max_per_ip=10
pasv_enable=YES
pasv_min_port=24500
pasv_max_port=24500
listen_address=192.168.2.xx
guest_enable=YES
virtual_use_local_privs=YES
guest_username=ftpuser
user_config_dir=/etc/vsftpd/vsftpd_user_conf

3. 启动 vsftpd 服务

[root@ylt001 ~]# systemctl enable vsftpd  
[root@ylt001 ~]# systemctl start vsftpd

4. 配置用户独立的配置文件

[root@ylt001 ~]# touch /etc/vsftpd/vsftpd_user_conf/ylt.conf

1）可读、可上传、可下载、可删除、可建目录

[root@ylt001 ~]# cat /etc/vsftpd/vsftpd_user_conf/ylt.conf
write_enable=YES
download_enable=YES
local_root=/home/ftpuser/ylt

2）可读、不可上传、可下载、不可删除、不可创建目录

[root@ylt001 ~]# cat /etc/vsftpd/vsftpd_user_conf/ylt.conf
write_enable=NO
download_enable=NO
local_root=/home/ftpuser/ylt

5. 开启 ftp 服务端口

[root@ylt001 ~]# firewall-cmd --zone=public --add-port=21/tcp --permanent
[root@ylt001 ~]# firewall-cmd --zone=public --add-port=20/tcp --permanent
[root@ylt001 ~]# firewall-cmd --zone=public --add-port=24500/tcp --permanent
[root@ylt001 ~]# firewall-cmd --reload

七、实现文件夹配额

1. 磁盘分割

[root@ylt001 ~]# gdisk /dev/sdb
[root@ylt001 ~]# mkfs.xfs /dev/sdb1

2. 磁盘挂载

[root@ylt001 ~]# mount -o prjquota /dev/sdb1 /home/ftpuser
# dev/sdb 是未挂载的 partition

3. 设置磁盘自动挂载

[root@ylt001 ~]# vi /etc/fstab
#添加:
UUID=27a9bc94-36a7-4cd6-aa68-5ea38c944529 /home/ftpuser  xfs  defaults 0 0

4. 创建用户的家目录

[root@ylt001 ~]# cd /home/ftpuser
[root@ylt001 ftpuser]# mkdir ylt
[root@ylt001 ftpuser]# chmod 777 ylt

5. 文件夹配额

[root@ylt001 ~]# xfs_quota -x -c report /home/ftpuser
# 列出所有的 Project ID 以及对应的配额使用情况
[root@ylt001 ~]# mkdir /ftpuser/ylt
# 创建需要配额的用户目录(其实之前已经创建好了)
[root@ylt001 ~]# xfs_quota -x -c 'project -s -p /home/ftpuser/ylt 1'
# 为文件夹分配 ProjectID 1
[root@ylt001 ~]# xfs_quota -x -c 'limit -p bhard=100m 1' /home/ftpuser
# 限制 Project 1 的配额为100MB
[root@ylt001 ~]# dd if=/dev/zero of=/home/ftpuser/ylt/test bs=1M count=101
# 检测配额是否生效
[root@ylt001 ~]# xfs_quota -x -c report /home/ftpuser
[root@ylt001 ~]# xfs_quota -c 'quota -p 1' /home/ftpuser
# 查询某个 project 的配额使用情况

八、关闭SELINUX

[root@ylt001 ~]# vi /etc/selinux/config
#将 SELINUX=XXX -->XXX 代表级别改为SELINUX=disabled
[root@ylt001 ~]# init 6
# 重启系统

九、文件目录权限设置

# 用户家目录的最低权限为
[root@ylt001 ~]# chmod 755 /home/ftpuser
chmod 777 /home/ftpuser/ylt
# 以下两个配置文件的最低权限为
chmod 700 vsftpd.conf
chmod 700 vsftpd_user_conf