
Linux服务及安全管理第十周作业【Linux微职位】

1、建立samba共享,共享目录为/data,要求:(描述完整的过程)
1)共享名为shared,工作组为magedu;
2)添加组develop,添加用户gentoo,centos和ubuntu,其中gentoo和centos以develop为附加组,ubuntu不属于develop组;密码均为用户名;
3)添加samba用户gentoo,centos和ubuntu,密码均为“mageedu”;
4)此samba共享shared仅允许develop组具有写权限,其他用户只能以只读方式访问;
5)此samba共享服务仅允许来自于172.16.0.0/16网络的主机访问;
实验环境:
samba服务器:172.16.10.11(CentOS 7.2)
samba客户端:172.16.10.12(CentOS 7.2)
1、samba服务器配置
1)安装samba软件包,启动服务,并查看相关端口监听状态
[root@localhost ~]# yum install -y samba
[root@localhost ~]# systemctl start smb.service
[root@localhost ~]# systemctl start nmb.service
[root@localhost ~]# ss -tunlp | egrep 'smb|nmb'
udp    UNCONN     0      0      172.16.10.255:137                   *:*                   users:(("nmbd",pid=13450,fd=22))
udp    UNCONN     0      0      172.16.10.11:137                   *:*                   users:(("nmbd",pid=13450,fd=21))
udp    UNCONN     0      0      172.16.10.255:138                   *:*                   users:(("nmbd",pid=13450,fd=24))
udp    UNCONN     0      0      172.16.10.11:138                   *:*                   users:(("nmbd",pid=13450,fd=23))
udp    UNCONN     0      0         *:137                   *:*                   users:(("nmbd",pid=13450,fd=15))
udp    UNCONN     0      0         *:138                   *:*                   users:(("nmbd",pid=13450,fd=16))
tcp    LISTEN     0      50        *:139                   *:*                   users:(("smbd",pid=13437,fd=38))
tcp    LISTEN     0      50        *:445                   *:*                   users:(("smbd",pid=13437,fd=37))
2)创建共享目录
[root@localhost ~]# mkdir /data
3)创建系统用户及系统组,并修改附加组(注意:usermod -G 会覆盖用户已有的附加组列表,对已有附加组的用户应使用 -aG 追加)
[root@localhost ~]# useradd centos
[root@localhost ~]# useradd gentoo
[root@localhost ~]# useradd ubuntu
[root@localhost ~]# echo centos | passwd --stdin centos
Changing password for user centos.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# echo gentoo | passwd --stdin gentoo
Changing password for user gentoo.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# echo ubuntu | passwd --stdin ubuntu
Changing password for user ubuntu.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# groupadd develop
[root@localhost ~]# usermod -G develop centos
[root@localhost ~]# usermod -G develop gentoo
4)对共享目录赋予相关系统权限
[root@localhost ~]# ls -ld /data/
drwxr-xr-x. 2 root root 6 Sep  4 14:40 /data/
[root@localhost ~]# setfacl -m g:develop:rwx /data
[root@localhost ~]# getfacl /data/
getfacl: Removing leading '/' from absolute path names
# file: data/
# owner: root
# group: root
user::rwx
group::r-x
group:develop:rwx
mask::rwx
other::r-x
5)添加并验证samba用户
[root@localhost ~]# smbpasswd -a centos
New SMB password:
Retype new SMB password:
Added user centos.
[root@localhost ~]# smbpasswd -a gentoo
New SMB password:
Retype new SMB password:
Added user gentoo.
[root@localhost ~]# smbpasswd -a ubuntu
New SMB password:
Retype new SMB password:
Added user ubuntu.
[root@localhost ~]# pdbedit -L
centos:1000:centos
ubuntu:1002:
gentoo:1001:
6)修改samba配置文件/etc/samba/smb.conf,修改并添加如下内容
[root@localhost ~]# vim /etc/samba/smb.conf
workgroup = magedu
[shared]
comment = shared dir
path = /data
write list = @develop
hosts allow = 172.16.
7)配置文件检查并重新加载,同时验证samba
[root@localhost ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[shared]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = MAGEDU
server string = Samba Server Version %v
security = USER
log file = /var/log/samba/log.%m
max log size = 50
idmap config * : backend = tdb
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
[shared]
comment = shared dir
path = /data
write list = @develop
hosts allow = 172.16.
[root@localhost ~]# systemctl reload smb.service
2、samba客户端验证
1)安装samba-client软件包
[root@localhost ~]# yum install -y samba-client
2)查看共享信息,并验证权限
[root@localhost ~]# smbclient -L //172.16.10.11 -U centos
Enter centos's password:
Domain=[MAGEDU] OS=[Windows 6.1] Server=[Samba 4.2.3]
Sharename       Type      Comment
---------       ----      -------
shared          Disk      shared dir
IPC$            IPC       IPC Service (Samba Server Version 4.2.3)
centos          Disk      Home Directories
Domain=[MAGEDU] OS=[Windows 6.1] Server=[Samba 4.2.3]
Server               Comment
---------            -------
Workgroup            Master
---------            -------
MYGROUP              LOCALHOST
[root@localhost ~]# smbclient //172.16.10.11/shared -U gentoo
Enter gentoo's password:
Domain=[MAGEDU] OS=[Windows 6.1] Server=[Samba 4.2.3]
smb: \> ls
.                                   D        0  Mon Sep  4 14:40:24 2017
..                                 DR        0  Mon Sep  4 14:40:24 2017
52403200 blocks of size 1024. 49105360 blocks available
smb: \> lcd /etc
smb: \> !ls
abrt    hosts.allow      pulse
adjtime    hosts.deny      purple
aliases    hp      python
aliases.db    idmapd.conf      qemu-ga
alsa    init.d      qemu-kvm
alternatives    inittab      radvd.conf
anacrontab    inputrc      rc0.d
asound.conf    iproute2      rc1.d
at.deny    ipsec.conf      rc2.d
at-spi2    ipsec.d      rc3.d
audisp    ipsec.secrets      rc4.d
audit    iscsi      rc5.d
avahi    issue      rc6.d
bash_completion.d    issue.net      rc.d
bashrc    java      rc.local
binfmt.d    jvm      rdma
brltty    jvm-commmon      redhat-release
brltty.conf    kdump.conf      request-key.conf
centos-release    kernel      request-key.d
centos-release-upstream     krb5.conf      resolv.conf
chkconfig.d    ksmtuned.conf      rpc
chrony.conf    ld.so.cache      rpm
chrony.keys    ld.so.conf      rsyncd.conf
cifs-utils    ld.so.conf.d      rsyslog.conf
cron.d    libaudit.conf      rsyslog.d
cron.daily    libibverbs.d      rwtab
cron.deny    libnl      rwtab.d
cron.hourly    libreport      samba
cron.monthly    libuser.conf      sane.d
crontab    libvirt      sasl2
cron.weekly    locale.conf      scl
crypttab    localtime      securetty
csh.cshrc    login.defs      security
csh.login    logrotate.conf      selinux
cups    logrotate.d      services
cupshelpers    lsm      sestatus.conf
dbus-1    lvm      setroubleshoot
dconf    machine-id      setuptool.d
default    magic      sgml
depmod.d    mail.rc      shadow
dhcp    makedumpfile.conf.sample  shadow-
DIR_COLORS    man_db.conf      shells
DIR_COLORS.256color    maven      skel
DIR_COLORS.lightbgcolor     mke2fs.conf      smartmontools
dleyna-server-service.conf  modprobe.d      sos.conf
dnsmasq.conf    modules-load.d      speech-dispatcher
dnsmasq.d    motd      ssh
dracut.conf    mtab      ssl
dracut.conf.d    mtools.conf      statetab
drirc    multipath      statetab.d
e2fsck.conf    my.cnf      sudo.conf
enscript.cfg    my.cnf.d      sudoers
environment    nanorc      sudoers.d
ethertypes    netconfig      sudo-ldap.conf
exports    NetworkManager      sysconfig
exports.d    networks      sysctl.conf
favicon.png    nfsmount.conf      sysctl.d
fcoe    nsswitch.conf      systemd
festival    nsswitch.conf.bak      system-release
filesystems    ntp      system-release-cpe
firewalld    numad.conf      tcsd.conf
fonts    oddjob      terminfo
fprintd.conf    oddjobd.conf      tmpfiles.d
fstab    oddjobd.conf.d      trusted-key.key
fuse.conf    openldap      tuned
gconf    opt      udev
gcrypt    os-release      udisks2
gdbinit    PackageKit      unbound
gdbinit.d    pam.d      updatedb.conf
gdm    passwd      UPower
geoclue    passwd-      usb_modeswitch.conf
ghostscript    pbm2ppa.conf      usb_modeswitch.d
gnupg    pinforc      vconsole.conf
GREP_COLORS    pkcs11      vimrc
groff    pki      virc
group    plymouth      vmware-tools
group-    pm      wgetrc
grub2.cfg    pnm2ppa.conf      wpa_supplicant
grub.d    polkit-1      wvdial.conf
gshadow    popt.d      X11
gshadow-    postfix      xdg
gss    ppp      xinetd.d
gssproxy    prelink.conf.d      xml
hba.conf    printcap      yum
host.conf    profile      yum.conf
hostname    profile.d      yum.repos.d
hosts    protocols
smb: \> put fstab
putting file fstab as \fstab (47.7 kb/s) (average 47.7 kb/s)
smb: \> ls
.                                   D        0  Mon Sep  4 15:21:55 2017
..                                 DR        0  Mon Sep  4 14:40:24 2017
fstab                               A      586  Mon Sep  4 15:21:55 2017
52403200 blocks of size 1024. 49105092 blocks available
smb: \> exit
[root@localhost ~]# smbclient //172.16.10.11/shared -U ubuntu
Enter ubuntu's password:
Domain=[MAGEDU] OS=[Windows 6.1] Server=[Samba 4.2.3]
smb: \> ls
.                                   D        0  Mon Sep  4 15:21:55 2017
..                                 DR        0  Mon Sep  4 14:40:24 2017
fstab                               A      586  Mon Sep  4 15:21:55 2017
52403200 blocks of size 1024. 49105048 blocks available
smb: \> lcd /etc/
smb: \> put issue
NT_STATUS_ACCESS_DENIED opening remote file \issue
smb: \> exit
2、搭建一套vsftpd文件共享服务,共享目录为/ftproot,要求:(描述完整的过程)
1)基于虚拟用户的访问形式;
2)匿名用户只允许下载,不允许上传;
3)禁锢所有的用户于其家目录当中;
4)限制最大并发连接数为200;
5)匿名用户的最大传输速率512KB/s;
6)虚拟用户的账号存储在mysql数据库当中;
7)数据库通过NFS进行共享。
实验环境:
192.168.10.11(CentOS 7.2):vsftpd服务器,mariadb服务器;nfs客户端
192.168.10.12(CentOS 7.2):nfs服务器(为mariadb提供数据目录共享);vsftpd客户端

1、nfs服务器配置(192.168.10.12)
1)nfs默认已经安装直接启动,并查看2049端口监听状态
[root@localhost ~]# systemctl start nfs.service
[root@localhost ~]# ss -tnlp | grep :2049
LISTEN     0      64           *:2049                     *:*
2)数据库共享目录保持两边mysql的用户ID一致,本地手工创建mysql用户,并指定uid为27(mysql用户ID)
[root@localhost ~]# id mysql
id: mysql: no such user
[root@localhost ~]# useradd -r -u 27 -s /sbin/nologin mysql
3)创建数据库共享目录/mysqldata,修改该目录所有者及所属组为mysql,并导出给mariadb服务器端(注意:由于mariadb初始化时需要root权限,暂时不要压制root权限;导出范围也可收紧为仅mariadb服务器地址192.168.10.11)
[root@localhost ~]# mkdir /mysqldata
[root@localhost ~]# chown -R mysql.mysql /mysqldata
[root@localhost ~]# ls -ld /mysqldata/
drwxr-xr-x. 2 mysql mysql 6 Sep  4 20:12 /mysqldata/
[root@localhost ~]# vim /etc/exports
/mysqldata      192.168.10.0/24(rw,no_root_squash)
[root@localhost ~]# exportfs -r


2、nfs客户端测试,mariadb服务器安装配置(192.168.10.11)
1)安装mariadb-server软件包,nfs客户端测试,创建mariadb数据目录,并将远程nfs共享目录挂载到本地
[root@localhost ~]# yum install -y mariadb-server
[root@localhost ~]# showmount -e 192.168.10.12
Export list for 192.168.10.12:
/mysqldata 192.168.10.0/24
[root@localhost ~]# mkdir /mysqldata
[root@localhost ~]# chown -R mysql.mysql /mysqldata/
[root@localhost ~]# mount -t nfs 192.168.10.12:/mysqldata/ /mysqldata/
[root@localhost ~]# mount | grep mysql
192.168.10.12:/mysqldata on /mysqldata type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.10.11,local_lock=none,addr=192.168.10.12)
2)启动mariadb服务,并移除默认数据目录
[root@localhost ~]# systemctl start mariadb.service
[root@localhost ~]# rm -rf /var/lib/mysql/
3)修改配置文件/etc/my.cnf,修改datadir为/mysqldata,同时指定socket路径为/mysqldata/mysql.sock
[root@localhost ~]# cp /etc/my.cnf{,.bak}
[root@localhost ~]# vim /etc/my.cnf
[mysqld]
datadir=/mysqldata
socket=/mysqldata/mysql.sock
[mysqladmin]
socket=/mysqldata/mysql.sock
4)初始化mariadb(初始化完成后,去掉nfs导出目录选项的no_root_squash;修改/etc/my.cnf后需重启mariadb服务,新的datadir和socket路径才会生效,下面的mysqladmin命令依赖该socket)
[root@localhost ~]# mysql_install_db --defaults-file=/etc/my.cnf --datadir=/mysqldata --user=mysql
Installing MariaDB/MySQL system tables in '/mysqldata' ...
170904 21:28:07 [Note] /usr/libexec/mysqld (mysqld 5.5.44-MariaDB) starting as process 4551 ...
OK
Filling help tables...
170904 21:28:07 [Note] /usr/libexec/mysqld (mysqld 5.5.44-MariaDB) starting as process 4559 ...
OK
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system
PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:
'/usr/bin/mysqladmin' -u root password 'new-password'
'/usr/bin/mysqladmin' -u root -h localhost.localdomain password 'new-password'
Alternatively you can run:
'/usr/bin/mysql_secure_installation'
which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.
See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.
You can start the MariaDB daemon with:
cd '/usr' ; /usr/bin/mysqld_safe --datadir='/mysqldata'
You can test the MariaDB daemon with mysql-test-run.pl
cd '/usr/mysql-test' ; perl mysql-test-run.pl
Please report any problems at http://mariadb.org/jira The latest information about MariaDB is available at http://mariadb.org/. You can find additional information about the MySQL part at: http://dev.mysql.com Support MariaDB development by buying support/new features from MariaDB
Corporation Ab. You can contact us about this at sales@mariadb.com.
Alternatively consider joining our community based development effort: http://mariadb.com/kb/en/contributing-to-the-mariadb-project/
5)添加mysql管理员账号,添加mysql客户端socket路径为/mysqldata/mysql.sock,为pam_mysql模块访问建立socket软链接
[root@localhost ~]# mysqladmin -uroot password "123456"
[root@localhost ~]# vim /etc/my.cnf.d/mysql-clients.cnf
[mysql]
socket=/mysqldata/mysql.sock
[root@localhost ~]# mkdir -p /var/lib/mysql
[root@localhost ~]# ln -s /mysqldata/mysql.sock /var/lib/mysql/mysql.sock
6)创建vsftpd数据库及users表,添加测试虚拟账号,新建vsftpd账号并赋予查询权限(注意:以-p123456的形式在命令行中传入口令会留在shell历史和进程列表中,建议改为交互式输入)
[root@localhost ~]# mysql -uroot -p123456
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.44-MariaDB MariaDB Server
Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.01 sec)
MariaDB [(none)]> use vsftpd;
Database changed
MariaDB [vsftpd]> create table users (
->  id int AUTO_INCREMENT NOT NULL,
->  name char(20) binary NOT NULL,
-> password char(48) binary NOT NULL,
->  primary key(id)
->  );
Query OK, 0 rows affected (0.02 sec)
MariaDB [vsftpd]> insert into users(name,password) values('adam',password('adam'));
Query OK, 1 row affected (0.01 sec)
MariaDB [vsftpd]> insert into users(name,password) values('eve',password('eve'));
Query OK, 1 row affected (0.00 sec)
MariaDB [vsftpd]> desc users;
+----------+----------+------+-----+---------+----------------+
| Field    | Type     | Null | Key | Default | Extra          |
+----------+----------+------+-----+---------+----------------+
| id       | int(11)  | NO   | PRI | NULL    | auto_increment |
| name     | char(20) | NO   |     | NULL    |                |
| password | char(48) | NO   |     | NULL    |                |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
MariaDB [vsftpd]> select * from users;
+----+------+-------------------------------------------+
| id | name | password                                  |
+----+------+-------------------------------------------+
|  1 | adam | *46D8C7BAEFF40601D8F821A601F07CD006FFB2D0 |
|  2 | eve  | *1A6EFD23741853F1DD5DF9B944BE40169F3931F1 |
+----+------+-------------------------------------------+
2 rows in set (0.00 sec)
MariaDB [vsftpd]> grant select on vsftpd.* to vsftpd@localhost identified by 'vsftpd';
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> grant select on vsftpd.* to vsftpd@127.0.0.1 identified by 'vsftpd';
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> exit


3、pam_mysql模块编译及配置(192.168.10.11)
1)http://pam-mysql.sourceforge.net/下载pam_mysql-0.7RC1.tar.gz源码包,并放到192.168.10.11的/tmp目录下
2)安装开发环境编译pam_mysql,并编辑配置文件/etc/pam.d/vsftpd.mysql添加vsftpd的pam_mysql模块虚拟用户认证(该文件以明文保存数据库口令,应限制其读取权限)
[root@localhost ~]# yum groupinstall -y "Development Tools" "Server Platform Development"
[root@localhost ~]# yum install -y mariadb-devel openssl-devel pam-devel
[root@localhost ~]# cd /tmp/
[root@localhost tmp]# tar -xf pam_mysql-0.7RC1.tar.gz
[root@localhost tmp]# cd pam_mysql-0.7RC1/
[root@localhost pam_mysql-0.7RC1]# ./configure --with-mysql=/usr --with-openssl=/usr --with-pam=/usr --with-pam-mods-dir=/usr/lib64/security
[root@localhost pam_mysql-0.7RC1]# make && make install
[root@localhost pam_mysql-0.7RC1]# ls /usr/lib64/security | grep pam_mysql
pam_mysql.la
pam_mysql.so
[root@localhost ~]# vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2


4、vsftpd服务器安装配置(192.168.10.11)
1)安装vsftpd软件包,启动服务,查看监听21端口
[root@localhost ~]# yum install -y vsftpd
[root@localhost ~]# systemctl start vsftpd.service
[root@localhost ~]# ss -tnlp | grep :21
LISTEN     0      32          :::21                      :::*                   users:(("vsftpd",pid=61302,fd=3))
2)创建共享目录/ftproot,建立映射虚拟用户vuser,赋予其他用户读和执行权限,去除根目录写权限(vsftpd默认不允许chroot的根目录可写),创建公用目录及上传目录
[root@localhost ~]# useradd -s /sbin/nologin -d /ftproot vuser
[root@localhost ~]# chmod go+rx /ftproot
[root@localhost ~]# chmod -w /ftproot
[root@localhost ~]# mkdir /ftproot/{pub,upload}
[root@localhost ~]# ls -ld /ftproot/
dr-xr-xr-x 5 vuser vuser 97 Sep  4 22:48 /ftproot/
3)编辑/etc/vsftpd/vsftpd.conf主配置文件,修改及添加以下项,完成后重启服务
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
max_clients=200
anon_max_rate=512000
chroot_local_user=YES
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vuser
[root@localhost ~]# systemctl restart vsftpd.service


5、vsftpd客户端虚拟用户账号验证(192.168.10.12)
[root@localhost ~]# yum install ftp -y
[root@localhost ~]# ftp 192.168.10.11
Connected to 192.168.10.11 (192.168.10.11).
220 (vsFTPd 3.0.2)
Name (192.168.10.11:root): adam
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc/
Local directory now /etc
ftp> put issue
local: issue remote: issue
227 Entering Passive Mode (192,168,10,11,88,20).
550 Permission denied.
ftp> ls
227 Entering Passive Mode (192,168,10,11,175,61).
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Sep 04 15:22 1.txt
drwxr-xr-x    2 0        0               6 Sep 04 14:48 pub
-rw-r--r--    1 0        0               0 Sep 04 15:22 test
drwxr-xr-x    2 0        0               6 Sep 04 14:48 upload
226 Directory send OK.
ftp> get 1.txt
local: 1.txt remote: 1.txt
227 Entering Passive Mode (192,168,10,11,63,59).
150 Opening BINARY mode data connection for 1.txt (0 bytes).
226 Transfer complete.
ftp>