Table of Contents
1. Build an NTP time server (CentOS7)
2. Build a DHCP server
3. Build a Samba server
4. Build an NFS server
5. Build an FTP server
1. Build an NTP time server (CentOS7)
An NTP server provides time synchronization for the servers on a local area network, so that every service on the LAN agrees with the time server's clock. Applications with strict timing requirements, and anything that correlates logs or validates certificates and tickets across hosts, need a single common time source.
Commonly used public NTP servers in China and abroad, for reference (from https://blog.csdn.net/weixin_42588262/article/details/82501488 ):
server cn.pool.ntp.org
server cn.ntp.org.cn
server ntp.aliyun.com
server time.asia.apple.com
The following also support IPv6:
server time.google.com
server time.cloudflare.com
server time.hko.hk
server ntp.nict.jp
server time.nist.gov
server ntp.tuna.tsinghua.edu.cn
server ntp.neu.edu.cn
server ntp.nc.u-tokyo.ac.jp
NTP server setup:
The NTP server listens on UDP port 123, so the local firewall must let clients reach that port. Restrict the rule to the LAN: an NTP server reachable from the Internet is a classic reflector for amplification attacks.
With the iptables service, edit /etc/sysconfig/iptables and add the rule:
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
CentOS7 uses firewalld rather than the iptables service by default; open the port with:
firewall-cmd --zone=public --add-port=123/udp --permanent
firewall-cmd --reload
Install the NTP server: yum install ntp ntpdate -y
Edit the configuration file: vi /etc/ntp.conf (the parameters are explained at the end of this section)
Restart the service: systemctl restart ntpd (the /etc/init.d/ntpd restart form belongs to CentOS6 and earlier)
Check NTP status: ntpq -p //ntpq can only talk to a running ntpd; otherwise it reports ntpq: read: Connection refused
//Note: ntpd needs a few minutes after startup before it selects a server and serves clients; until then a client reports no server suitable for synchronization found
CentOS7's default time daemon is chronyd. To run ntpd instead, stop and disable chronyd first, since both want UDP 123:
[root@10 sysconfig]# systemctl status chronyd
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Tue 2020-03-17 13:41:48 EDT; 1min 4s ago
Docs: man:chronyd(8)
man:chrony.conf(5)
Mar 17 10:01:11 10.0.2.15 chronyd[670]: Selected source 84.16.73.33
Mar 17 10:01:11 10.0.2.15 chronyd[670]: System clock wrong by 2.241067 seconds, adju...ed
Mar 17 10:01:13 10.0.2.15 chronyd[670]: System clock was stepped by 2.241067 seconds
Mar 17 10:03:26 10.0.2.15 chronyd[670]: Selected source 185.255.55.20
Mar 17 10:03:28 10.0.2.15 chronyd[670]: Source 185.209.85.222 replaced with 193.182....42
Mar 17 10:03:29 10.0.2.15 chronyd[670]: System clock wrong by 1.764803 seconds, adju...ed
Mar 17 10:04:31 10.0.2.15 chronyd[670]: Selected source 84.16.73.33
Mar 17 10:14:15 10.0.2.15 chronyd[670]: Selected source 185.255.55.20
Mar 17 13:41:48 10.0.2.15 systemd[1]: Stopping NTP client/server...
Mar 17 13:41:48 10.0.2.15 systemd[1]: Stopped NTP client/server.
Hint: Some lines were ellipsized, use -l to show in full.
[root@10 sysconfig]# systemctl disable chronyd.service
Removed symlink /etc/systemd/system/multi-user.target.wants/chronyd.service.
[root@10 sysconfig]# systemctl start ntpd
[root@10 sysconfig]# systemctl enable ntpd
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
Check that ntpd is listening (netstat is in the net-tools package: yum install net-tools):
[root@10 sysconfig]# netstat -tunlp |grep ntp
udp 0 0 10.0.2.15:123 0.0.0.0:* 9382/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 9382/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 9382/ntpd
udp6 0 0 fe80::4f14:193b:a52:123 :::* 9382/ntpd
udp6 0 0 ::1:123 :::* 9382/ntpd
udp6 0 0 :::123 :::* 9382/ntpd
[root@10 sysconfig]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*makaki.miuku.ne 218.186.3.36 2 u 51 64 377 225.246 49.524 25.293
tock.ntp.infoma .GPS. 1 u 260 64 250 221.602 -12.719 12.814
+h199-182-204-19 219.119.208.14 2 u 62 64 377 270.913 -5.889 55.643
+time.cloudflare 10.12.3.42 3 u 51 64 73 235.926 7.386 39.593
Client time synchronization:
Install the NTP tools: yum install ntp ntpdate -y
One-shot synchronization command: ntpdate [hostname or IP address]
[root@10 sysconfig]# date
Tue Mar 17 13:35:31 EDT 2020
[root@10 sysconfig]# ntpdate pool.ntp.org
17 Mar 13:36:54 ntpdate[9360]: adjust time server 84.16.73.33 offset -0.043212 sec
[root@10 sysconfig]# date
Tue Mar 17 13:36:59 EDT 2020
Client scheduled task: crontab -e
Add a line to synchronize at 06:00 every day (create /usr/local/logs/crontab first so the log can be written):
00 06 * * * /usr/sbin/ntpdate [ntp-server ip] >>/usr/local/logs/crontab/ntpdate.log
Note that ntpdate steps the clock in one jump; services that cannot tolerate time jumps (databases, Kerberos, anything comparing timestamps) are better served by running ntpd or chronyd as a client, which slews the clock gradually.
Description of some ntp.conf parameters:
1. First handle access control: allow the upstream servers and the LAN client range:
restrict default kod nomodify notrap nopeer noquery <== default policy for IPv4 clients: answer time requests only (no ntpq/ntpdc queries, no runtime modification)
restrict -6 default kod nomodify notrap nopeer noquery <== the same default policy for IPv6 clients
restrict 220.130.158.71 <== allow tock.stdtime.gov.tw to talk to this NTP server
restrict 59.124.196.83 <== allow tick.stdtime.gov.tw
restrict 59.124.196.84 <== allow time.stdtime.gov.tw
restrict 127.0.0.1 <== these two lines are defaults: allow the local host
restrict -6 ::1
restrict 192.168.100.0 mask 255.255.255.0 nomodify <== allow the LAN client range (or list individual IPs)
Keep noquery on the default lines: it blocks the mode 6/7 control queries (ntpq, ntpdc, including monlist) that let an open NTP server be abused as a DDoS amplifier, while clients can still obtain the time.
2. Set the upstream time sources; first comment out the original [0|1|2].centos.pool.ntp.org lines:
server 220.130.158.71 prefer <== use this host as the preferred server
server 59.124.196.83
server 59.124.196.84
3. The local clock as a fallback, used to keep serving LAN clients when no upstream NTP server is reachable:
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
4. The drift file and the (currently unused) keys file; no need to change them:
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
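Two checks a practitioner would script against the output and configuration above, as an added example that is not part of the original page: ntpq_synced reads `ntpq -p` output and reports whether a peer is selected and fully reachable, and ntp_restrict_audit reads an ntp.conf and flags any `restrict default` line missing noquery or nomodify. The peer list and the two configurations inside the script are constructed samples (the peer list mirrors the one shown earlier on this page); only POSIX sh and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): health check and access-control
# audit for an ntpd server, using only POSIX sh and awk.

# ntpq_synced: read `ntpq -p` output on stdin. Print the selected peer (the
# line tagged '*') and return 0 only if one exists and its reach register is
# 377, i.e. the last eight polls were all answered.
ntpq_synced() {
    awk '
        /^\*/ { sel = $1; reach = $7 }
        END {
            if (sel == "") { print "no peer selected"; exit 1 }
            sub(/^\*/, "", sel)
            printf "synced to %s reach=%s\n", sel, reach
            if (reach == "377") exit 0
            exit 1
        }'
}

# ntp_restrict_audit: read ntp.conf on stdin. Every "restrict default" line
# (IPv4 or -6) must carry noquery and nomodify; report the weak ones and
# return 1 if any were found. Neither flag affects time service to clients.
ntp_restrict_audit() {
    awk '
        $1 == "restrict" && ($2 == "default" || $3 == "default") {
            missing = ""
            if ((" " $0 " ") !~ / noquery /)  missing = missing " noquery"
            if ((" " $0 " ") !~ / nomodify /) missing = missing " nomodify"
            if (missing == "") print "ok:   " $0
            else { print "weak: " $0 " (missing" missing ")"; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample data. WEAK_CONF drops noquery from the IPv4 default line.
NTPQ_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*makaki.miuku.ne 218.186.3.36     2 u   51   64  377  225.246   49.524  25.293
 tock.ntp.infoma .GPS.            1 u  260   64  250  221.602  -12.719  12.814
+time.cloudflare 10.12.3.42       3 u   51   64   73  235.926    7.386  39.593'

WEAK_CONF='restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server ntp.aliyun.com'

GOOD_CONF='restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.100.0 mask 255.255.255.0 nomodify
server ntp.aliyun.com'

if printf '%s\n' "$NTPQ_SAMPLE" | ntpq_synced; then echo "clock: OK"; else echo "clock: NOT SYNCED"; fi
printf '%s\n' "$WEAK_CONF" | ntp_restrict_audit || echo "weak config: FAIL"
printf '%s\n' "$GOOD_CONF" | ntp_restrict_audit && echo "good config: PASS"
```

On a real host replace the samples with `ntpq -p | ntpq_synced` and `ntp_restrict_audit < /etc/ntp.conf`; both functions return a non-zero status on failure, so they drop straight into a cron job or a monitoring check.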
2. Build a DHCP server
DHCP (Dynamic Host Configuration Protocol) is a LAN protocol that runs over UDP. Its purpose is to assign IP addresses automatically on internal networks and at service providers. It uses two UDP ports: 67 on the DHCP server side and 68 on the DHCP client side.
DHCP can run on a server, a switch or a router and manages a range (pool) of IP addresses. When a client joins the network it obtains its IP address, subnet mask and related settings (gateway, DNS) from the DHCP server automatically. The host running the DHCP server itself needs TCP/IP configured with a static IP address, subnet mask and default gateway. DHCP carries no authentication, so a rogue server on the same segment can hand out its own gateway and DNS addresses; on managed switches, DHCP snooping limits which ports may answer.
Install the DHCP service: yum install dhcp dhcp-devel -y
Edit the configuration file /etc/dhcp/dhcpd.conf; a reference configuration ships in /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example
Restart the DHCP service: systemctl restart dhcpd.service
Client: release the current lease: dhclient -r
Client: obtain a new lease: dhclient
Check the IP address: ifconfig //on CentOS7 use: ip addr
3. Build a Samba server
Samba is free software that implements the SMB protocol on Linux and UNIX systems; it consists of server and client programs. SMB (Server Message Block) is a client/server protocol for sharing files and printers on a local area network: clients access shared file systems, printers and other resources on the server. With "NetBIOS over TCP/IP" Samba can share resources not only with hosts on the LAN but with any host it can reach over IP, though SMB should never be exposed to the Internet directly.
(The following commands are for CentOS7)
Install the Samba server: yum install samba -y
Configuration file: /etc/samba/smb.conf
[global]
workgroup = MYGROUP
server string = Samba Server Version %v
security = user
passdb backend = tdbsam
load printers = yes
cups options = raw
[temp]
comment = Temporary file space
path=/root/tmp
read only = no
public = yes
[data]
comment = Temporary file space
path=/root/data
read only = no
public = yes
Note: security = share was removed in Samba 4. testparm reports WARNING: Ignoring invalid value 'share' for parameter 'security' and refuses to load the services. Use the following instead:
security = user
map to guest = Bad User
(Bad User maps only unknown usernames to the guest account; a wrong password for an existing user is still rejected.)
Start: systemctl start smb. Check status: systemctl status smb. Check for configuration errors: testparm, or journalctl -xe (see below)
Run in the foreground with logs to stdout: smbd -F -S
[root@10 samba]# testparm
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: Ignoring invalid value 'share' for parameter 'security'
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: Ignoring invalid value 'share' for parameter 'security'
Error loading services.
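The share definitions above are worth auditing before the service is started: both [temp] and [data] combine public = yes with read only = no, so once map to guest = Bad User is set as the note above recommends, any host that can reach port 445 can write to them, and both paths sit under /root. The following is an added example, not code from the original page: it parses an smb.conf from stdin and flags guest-writable shares and shares rooted under /root. The two configurations inside it are constructed, one reproducing the page's shares and one hardened variant with guest access off and a dedicated path; only POSIX sh and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): audit smb.conf share sections
# for guest-writable shares and shares located under /root.

# smb_share_audit: read smb.conf on stdin, print one line per share and
# return 1 if any share is guest-writable or lives under /root.
# Understands "public" (alias of "guest ok"), "read only", "writable"/"writeable".
smb_share_audit() {
    awk '
        function report_share() {
            if (sec == "" || sec == "global") return
            gw = (guest == "yes" && writable == "yes") ? "yes" : "no"
            note = (path ~ /^\/root(\/|$)/) ? " path-under-/root" : ""
            printf "share=%s path=%s guest_writable=%s%s\n", sec, path, gw, note
            if (gw == "yes" || note != "") bad = 1
        }
        /^[ \t]*\[.*\][ \t]*$/ {
            report_share()
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            guest = "no"; writable = "no"; path = ""
            next
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            lval = tolower(val)
            if (key == "path") path = val
            else if (key == "guest ok" || key == "public") guest = (lval == "yes") ? "yes" : "no"
            else if (key == "read only") writable = (lval == "no") ? "yes" : "no"
            else if (key == "writable" || key == "writeable") writable = (lval == "yes") ? "yes" : "no"
        }
        END { report_share(); if (bad) exit 1; exit 0 }'
}

# Constructed sample: the shares from this page, with the recommended
# map to guest setting added.
PAGE_CONF='[global]
workgroup = MYGROUP
security = user
map to guest = Bad User
[temp]
comment = Temporary file space
path=/root/tmp
read only = no
public = yes
[data]
path=/root/data
read only = no
public = yes'

# Constructed hardened variant: no guest access, dedicated path, named users.
HARDENED_CONF='[global]
workgroup = MYGROUP
security = user
passdb backend = tdbsam
map to guest = Never
[data]
path = /srv/samba/data
read only = no
guest ok = no
valid users = @smbusers'

printf '%s\n' "$PAGE_CONF" | smb_share_audit || echo "page config: FAIL"
printf '%s\n' "$HARDENED_CONF" | smb_share_audit && echo "hardened config: PASS"
```

Run it as `smb_share_audit < /etc/samba/smb.conf` after `testparm -s` has confirmed the file parses; the audit only reads the share sections, so it complements testparm rather than replacing it.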
Note before starting:
1. Stop the firewall: service iptables stop, or systemctl stop firewalld.service. On anything other than a lab box, open only 445/tcp (and 139/tcp if NetBIOS is needed) for the LAN instead.
2. SELinux:
1) Temporarily disable: setenforce 0
2) Permanently disable: vi /etc/selinux/config, change SELINUX=enforcing to SELINUX=disabled and reboot for it to take effect
3) Check the state: getenforce //Enforcing = on, Disabled = off, Permissive = temporarily off
Rather than disabling SELinux, label the share directories with the samba_share_t type (chcon -R -t samba_share_t /path) and keep enforcing mode; note that paths under /root, as configured above, carry the admin_home_t label and are blocked by the targeted policy unless the samba_export_all_rw boolean is set.
Here the root user is added as a Samba account (acceptable for a test, but create a dedicated user for real shares):
[root@localhost ~]# id root
uid=0(root) gid=0(root) groups=0(root)
[root@localhost ~]#
[root@localhost ~]# pdbedit -a -u root
new password:
retype new password:
Unix username: root
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3575077016-1421681991-2031849627-1000
Primary Group SID: S-1-5-21-3575077016-1421681991-2031849627-513
Full Name: root
Home Directory: \\localhost\root
HomeDir Drive:
Logon Script:
Profile Path: \\localhost\root\profile
Domain: LOCALHOST
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 10:06:39 EST
Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
Password last set: Wed, 18 Mar 2020 12:07:07 EDT
Password can change: Wed, 18 Mar 2020 12:07:07 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@localhost ~]# systemctl restart smb
[root@localhost ~]# systemctl status smb
● smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2020-03-18 12:08:20 EDT; 26s ago
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 1600 (smbd)
Status: "smbd: ready to serve connections..."
CGroup: /system.slice/smb.service
├─1600 /usr/sbin/smbd --foreground --no-process-group
├─1602 /usr/sbin/smbd --foreground --no-process-group
├─1603 /usr/sbin/smbd --foreground --no-process-group
└─1604 /usr/sbin/smbd --foreground --no-process-group
Mar 18 12:08:19 localhost.localdomain systemd[1]: Starting Samba SMB Daemon...
Mar 18 12:08:20 localhost.localdomain smbd[1600]: [2020/03/18 12:08:20.316064, 0] ../lib/util/become_daemon.c:138(daemon_ready)
Mar 18 12:08:20 localhost.localdomain systemd[1]: Started Samba SMB Daemon.
Mar 18 12:08:20 localhost.localdomain smbd[1600]: daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
[root@localhost ~]#
Access from a Windows client with Run: \\192.168.56.101, then enter the user/password to reach the configured shares
4. Build an NFS server
NFS (Network File System) is a protocol for distributed file systems, originally developed by Sun as a UNIX presentation-layer protocol. It lets different machines with different operating systems share data over the network, so that applications on a client can access files that live on the server's disk; it is the standard way to share disk files between Unix-like systems.
NFS relies on RPC (Remote Procedure Call) for file and control traffic; RPC is a mechanism that lets a client invoke procedures on another system, and NFS itself provides no transport of its own. NFS is often used as shared storage for high-availability setups in which several servers work on the same data, but it scales poorly and its high-availability options are limited; for large data volumes a distributed file system such as MFS, TFS or HDFS is used instead.
1. Server-side deployment
Install: yum -y install nfs-utils
CentOS7 ships rpcbind, so no separate RPC package is needed. rpcbind listens on port 111; check with ss -tnulp | grep 111 and, if it is not running, start it with systemctl start rpcbind. Clients ask rpcbind for the port numbers of the NFS services (mountd, nlockmgr, status) and can only connect to the NFS server after obtaining them. With rpcbind running:
[root@10 ~]# ss -tnulp | grep 111
udp UNCONN 0 0 *:111 *:* users:(("rpcbind",pid=1535,fd=5),("systemd",pid=1,fd=73))
udp UNCONN 0 0 [::]:111 [::]:* users:(("rpcbind",pid=1535,fd=7),("systemd",pid=1,fd=75))
tcp LISTEN 0 128 *:111 *:* users:(("rpcbind",pid=1535,fd=4),("systemd",pid=1,fd=72))
tcp LISTEN 0 128 [::]:111 [::]:* users:(("rpcbind",pid=1535,fd=6),("systemd",pid=1,fd=74))
Confirm the installation:
[root@10 ~]# rpm -qa nfs-utils
nfs-utils-1.3.0-0.65.el7.x86_64
Edit /etc/exports (empty on a fresh install). Each line has three parts: the shared directory (/data), the clients allowed to mount it (an IP, a network, or * for everyone), and the export options in parentheses. Leave no space between the client and the opening parenthesis: "/data (rw)" with a space exports to every host with those options. The options are explained below.
/data 192.168.56.0/24(rw,async)
ro | Read-only access |
rw | Read and write access |
sync | Reply to a write only after the data has been committed to stable storage (default) |
async | Reply before the data is committed; faster, but writes can be lost if the server crashes |
hide | A file system mounted below an exported directory is not visible through the parent export (default) |
nohide | Make such nested mounts visible through the parent export |
all_squash | Map every client UID and GID to the anonymous user (nfsnobody); suitable for public directories |
no_all_squash | Keep the client's UIDs and GIDs (default) |
root_squash | Map requests from a client's root user to the anonymous user (default) |
no_root_squash | A client's root keeps root privileges on the export; since that root can then plant setuid binaries or read every file on the share, use it only for fully trusted hosts |
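The export options above decide who gets what, so they are worth checking mechanically. The following added example (not part of the original page) parses /etc/exports-style lines from stdin and flags the combinations that matter: a client field of * (or the stray-space form, which exports to every host with those options), no_root_squash, and insecure. The lines it runs over are constructed; the first is the page's own export. Only POSIX sh and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): audit /etc/exports entries.

# nfs_exports_audit: read exports lines on stdin, print one line per
# directory/client pair with the risks found, return 1 if any risk was found.
# Syntax trap handled: "/srv/iso (ro)" with a space before the parenthesis
# means "every host, ro"; it is reported as client=*.
nfs_exports_audit() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "*"
                o = "," opts ","
                risk = ""
                if (client == "*")                risk = risk " any-client"
                if (client == "*" && o ~ /,rw,/)  risk = risk " world-writable"
                if (o ~ /,no_root_squash,/)       risk = risk " no_root_squash"
                if (o ~ /,insecure,/)             risk = risk " insecure-ports"
                if (risk == "") risk = " none"; else bad = 1
                printf "export=%s client=%s opts=%s risk=%s\n", $1, client, opts, substr(risk, 2)
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample; line 1 is the export used on this page.
EXPORTS_SAMPLE='/data 192.168.56.0/24(rw,async)
/srv/pub *(rw,no_root_squash)
/srv/iso (ro)
/srv/ro 192.168.56.10(ro,sync,root_squash)'

printf '%s\n' "$EXPORTS_SAMPLE" | nfs_exports_audit || echo "exports: review the flagged entries"
```

Run `nfs_exports_audit < /etc/exports` after editing and before `exportfs -ra`; the page's own export passes (a LAN range, root_squash by default), while the wildcard and no_root_squash lines are reported.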
Start the NFS service: systemctl start nfs; afterwards rpcinfo -p localhost lists the registered services:
[root@10 ~]# rpcinfo -p localhost
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 49201 status
100024 1 tcp 56698 status
100005 1 udp 20048 mountd
100005 1 tcp 20048 mountd
100005 2 udp 20048 mountd
100005 2 tcp 20048 mountd
100005 3 udp 20048 mountd
100005 3 tcp 20048 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 3 udp 2049 nfs_acl
100021 1 udp 39406 nlockmgr
100021 3 udp 39406 nlockmgr
100021 4 udp 39406 nlockmgr
100021 1 tcp 40237 nlockmgr
100021 3 tcp 40237 nlockmgr
100021 4 tcp 40237 nlockmgr
Use showmount -e localhost to list the exports (the usual check):
[root@10 /]# showmount -e localhost
Export list for localhost:
/data 192.168.56.0/24
Enable at boot: systemctl enable nfs-server and systemctl enable rpcbind
2. Client deployment
Install the tools: yum -y install nfs-utils. The nfs service does not need to run on the client; only showmount and mount are used:
[root@10 ~]# showmount -e 192.168.56.102
Export list for 192.168.56.102:
/data 192.168.56.0/24
Note: if you see clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host), the server's firewall is rejecting the client. Stopping the firewall (systemctl stop iptables or systemctl stop firewalld.service) confirms the diagnosis in a test setup; the proper fix is to allow the NFS services for the LAN zone: firewall-cmd --permanent --add-service=nfs --add-service=rpc-bind --add-service=mountd, then firewall-cmd --reload
Mount to a local directory: mount -t nfs 192.168.56.102:/data /mnt
Go to /mnt to see the files shared by NFS (files created from a client as root show up as nfsnobody because root_squash is in effect):
[root@10 mnt]# ll
total 4
-rw-r--r-- 1 root root 5 Mar 21 04:16 1.txt
-rw-r--r-- 1 nfsnobody nfsnobody 0 Mar 21 03:39 test.txt
Check the mount:
[root@10 mnt]# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 484M 0 484M 0% /dev
tmpfs 496M 0 496M 0% /dev/shm
tmpfs 496M 6.8M 489M 2% /run
tmpfs 496M 0 496M 0% /sys/fs/cgroup
/dev/mapper/centos_10-root 6.2G 1.3G 5.0G 21% /
/dev/sda1 1014M 136M 879M 14% /boot
tmpfs 100M 0 100M 0% /run/user/0
192.168.56.102:/data 6.2G 1.3G 5.0G 21% /mnt
5. Build an FTP server
FTP (File Transfer Protocol) is one of the protocols in the TCP/IP suite. It has two components: the FTP server, which stores files, and the FTP client, through which users access the resources on the server. By default FTP uses two TCP ports, 20 and 21: port 21 carries the control connection (commands), and port 20 is the server's data port. Whether port 20 is actually used depends on the transfer mode: in active mode the server connects from port 20 to the client; in passive mode the data port is negotiated between server and client (see section 4 below). Plain FTP sends credentials and data in clear text; where possible prefer SFTP, or enable TLS in vsftpd (ssl_enable=YES).
vsftpd is the most common FTP server in Linux distributions, being small, light, fast, secure and easy to use. Other FTP servers commonly found on open-source systems are ProFTPD, PureFTPd and wu-ftpd; on Windows, Serv-U is a common choice.
1. Server installation and anonymous access
Install: yum -y install vsftpd
Start: service vsftpd start (forwarded to systemctl start vsftpd on CentOS7)
Once started, open ftp://192.168.56.102/ to connect. The firewall must allow 21/tcp plus the data ports, and SELinux must permit the access (see the booleans at the end of this section).
At this point access is anonymous, and the directory served is /var/ftp/ on the server
Enable the FTP service at boot: chkconfig vsftpd on
[root@10 test]# chkconfig vsftpd on
Note: Forwarding request to 'systemctl enable vsftpd.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
vi /etc/vsftpd/vsftpd.conf //edit the configuration file along these lines:
anonymous_enable=NO //disable anonymous access
local_enable=YES //allow local system users to log in
write_enable=YES //allow write commands (upload, delete, rename) in the FTP directory
local_umask=022 //umask for files created by local users (default 077)
dirmessage_enable=YES //show a directory message when a remote user changes directory
xferlog_enable=YES //log uploads and downloads
connect_from_port_20=YES //originate active-mode data connections from port 20
xferlog_std_format=YES //use the standard ftpd xferlog log format
listen=YES //run vsftpd as a standalone daemon listening on its own port
pam_service_name=vsftpd //PAM service name; the corresponding file lives in /etc/pam.d/
2. Set up user access
Add a local user for FTP:
[root@10 data]# useradd test
[root@10 data]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
Then change the following in /etc/vsftpd/vsftpd.conf; local_root sets the directory that local users land in after login:
anonymous_enable=NO
userlist_deny=NO
local_root=/var/ftp/test
Add the test user to /etc/vsftpd/user_list (vi /etc/vsftpd/user_list) and restart: service vsftpd restart. With userlist_deny=NO this file becomes an allow list, so the system accounts it ships with (root, bin, ...) are now permitted by it and are kept out only by /etc/vsftpd/ftpusers via PAM; it is cleaner to leave only the intended FTP users in the file.
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
test
If the user is not in the list, the login is refused with an error (500):
Under the FTP path:
[root@10 test]# cd /var/ftp/
[root@10 ftp]# ls
pub test
[root@10 ftp]# ll
total 0
drwxr-xr-x. 2 root root 6 Oct 30 2018 pub
drwxr-xr-x. 2 test test 19 Mar 21 05:58 test
Opening ftp://192.168.56.102 shows a login box; if you chose to save the password, right-click and select "Login As" to get the login box again
3. Virtual users
Besides the two methods above (anonymous and local users), vsftpd supports virtual users: FTP accounts kept in a Berkeley DB file rather than in /etc/passwd, so they have no system login. This is more secure than method 2, but the configuration is more involved and is not covered in detail here. The packages needed are:
yum install pam pam-* db4 db4-*
4. FTP active and passive mode
1) Active mode: the client connects from an arbitrary unprivileged port N (N > 1023) to the server's command port 21, starts listening on port N+1, and sends the PORT command carrying its address and N+1. The server then connects from its data port 20 to the client's port N+1. This requires the client's firewall to accept an inbound connection from the server, which NAT and client-side firewalls usually block.
2) Passive mode: the client again connects from port N to the server's port 21, then sends PASV. The server opens an arbitrary unprivileged port P (P > 1023) and reports it to the client in its "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, where the port is p1*256 + p2. The client then connects from N+1 to port P on the server for the data transfer. Here the server's firewall must allow the passive range, which in vsftpd is pinned with pasv_min_port and pasv_max_port.
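An added example, not part of the original page, that makes the two modes concrete and derives the firewall rule passive mode needs: ftp_port_command builds the PORT command an active-mode client sends for a given address and listening port (two decimal bytes, p1*256 + p2), ftp_pasv_endpoint decodes the server's 227 reply in passive mode back into host:port, and vsftpd_pasv_rule reads pasv_min_port/pasv_max_port from a vsftpd.conf on stdin and prints the firewall-cmd line that opens exactly that range. The reply text, addresses and config lines are constructed; only POSIX sh and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): the port arithmetic behind FTP
# active and passive mode, and the firewall rule passive mode needs.

# ftp_port_command CLIENT_IP PORT: the PORT command an active-mode client
# sends after it starts listening on PORT (N+1 in the text above).
# FTP encodes the port as two decimal bytes: p1 = PORT / 256, p2 = PORT % 256.
ftp_port_command() {
    printf 'PORT %s,%d,%d\n' "$(printf '%s' "$1" | tr . ,)" $(($2 / 256)) $(($2 % 256))
}

# ftp_pasv_endpoint "227 ..." : decode the server's passive-mode reply
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into host:port.
# Returns 1 if the reply does not carry a 6-tuple (e.g. a 5xx error).
ftp_pasv_endpoint() {
    printf '%s\n' "$1" | awk '
        match($0, /\([0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+\)/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
            printf "%s.%s.%s.%s:%d\n", f[1], f[2], f[3], f[4], f[5] * 256 + f[6]
            found = 1
        }
        END { if (!found) exit 1 }'
}

# vsftpd_pasv_rule: read vsftpd.conf on stdin and print the firewalld command
# that opens the configured passive range. Without pasv_min_port/pasv_max_port
# vsftpd uses any port above 1023, which cannot be firewalled precisely.
vsftpd_pasv_rule() {
    awk -F= '
        $1 == "pasv_min_port" { min = $2 }
        $1 == "pasv_max_port" { max = $2 }
        END {
            if (min == "" || max == "") {
                print "pasv_min_port/pasv_max_port not set: passive data ports are unpredictable"
                exit 1
            }
            printf "firewall-cmd --permanent --add-port=%s-%s/tcp\n", min, max
        }'
}

# Constructed sample exchange: client 192.168.56.1, server 192.168.56.102.
ftp_port_command 192.168.56.1 50001                                    # active: client listens on 50001
ftp_pasv_endpoint '227 Entering Passive Mode (192,168,56,102,195,80)'  # passive: server's data port
printf 'pasv_enable=YES\npasv_min_port=50000\npasv_max_port=50100\n' | vsftpd_pasv_rule
```

The same arithmetic explains why FTP is awkward behind NAT: the address in PORT and in the 227 reply is the host's own view of itself, so a NAT device must rewrite it (or the server must advertise its public address with pasv_address).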
Note: when troubleshooting, check the server log with tail -fn 100 /var/log/messages, and the SELinux booleans and state:
[root@10 data]# getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@10 data]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
References:
1. https://www.cnblogs.com/yj411511/p/10794226.html