04 Linux basic services - FTP

1, Install vsftpd

[root@test ~]# yum -y install vsftpd

2, The configuration files

/etc/vsftpd/vsftpd.conf # vsftpd core configuration file

/etc/vsftpd/ftpusers # users who are NOT allowed to access FTP (a blacklist)

/etc/vsftpd/user_list # list of users for the vsftpd user-list check

  # If userlist_deny=YES (the default), users in this file are never allowed to log in to ftp, and are not even prompted for a password

/etc/vsftpd/vsftpd_conf_migrate.sh # a script for migrating vsftpd variables and settings

/var/ftp/ # default root directory for anonymous users

3, Start the service

[root@test ~]# systemctl start vsftpd # start the service
[root@test ~]# systemctl enable vsftpd # enable start at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
[root@test ~]# netstat -antup | grep vsftpd # check whether the FTP port is listening
tcp6       0      0 :::21                   :::*                    LISTEN      3350/vsftpd

4, Understanding each option through the configuration file

Example 1: A technology company wants to build a simple FTP server that lets all employees upload and download files, and lets users create their own directories

Analysis: to let all employees upload and download, the configuration file must allow anonymous logins and enable anonymous uploads

anon_mkdir_write_enable: this field controls whether anonymous users may create directories

[root@test ~]# vim /etc/vsftpd/vsftpd.conf # open the configuration file and make the following changes

Allow anonymous user access

anonymous_enable=YES

Allow anonymous users to upload files and create directories

anon_upload_enable=YES

anon_mkdir_write_enable=YES

[root@test ~]# systemctl restart vsftpd # restart the service and test

Visit ftp://192.168.135.8 from Windows to verify that it works normally

Writing was found not to work: the owner and group of the shared FTP folder are root, while the ftp service runs as user ftp, so it cannot write. Change the owner and group of /var/ftp/pub and verify again

[root@test ~]# chown ftp:ftp /var/ftp/pub/

Then test again: a new folder can be created, but it cannot be renamed or deleted!


[root@test63 vsftpd]# vim vsftpd.conf

anon_other_write_enable=YES ## not present by default; add this line manually

 

Restart the service; now the folder can be renamed.

But it can also be deleted. This parameter gives anonymous users too much permission and is insecure, so weigh its use carefully

 

Note: the anonymous user's home directory permissions are 755 by default, and this permission must not be changed. Remember!
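The ownership problem above (a root-owned pub directory versus a service running as ftp) and the 755 rule for the anonymous root can be checked without trial and error. The shell functions below are an added example, not part of the original post: they evaluate the Unix permission bits the way the server does, assuming vsftpd runs as user ftp with primary group ftp (as on this page) and GNU coreutils stat for the live-directory check.

```sh
#!/bin/sh
# Added example (not from the original post): evaluate whether the vsftpd
# service user may write to a shared directory, and whether the anonymous
# root directory still satisfies the 755 rule.
# Assumptions: vsftpd runs as user "ftp", primary group "ftp" (as on this
# page); MODE is an octal string such as 755 or 1777 (only the last three
# digits matter); GNU coreutils stat for the live check.

# can_write OWNER GROUP MODE USER UGROUP -> exit 0 if USER (primary group
# UGROUP) may create entries in the directory, 1 otherwise.
can_write() {
    owner=$1; group=$2; mode=$3; user=$4; ugroup=$5
    [ "$user" = root ] && return 0          # root bypasses mode bits
    mode=${mode#"${mode%???}"}              # keep the last three octal digits
    u=${mode%??}; go=${mode#?}; g=${go%?}; o=${go#?}
    if [ "$user" = "$owner" ]; then bit=$u
    elif [ "$ugroup" = "$group" ]; then bit=$g
    else bit=$o
    fi
    [ $(( bit & 2 )) -ne 0 ]                # write is the 2 bit of each digit
}

# ftp_dir_verdict OWNER GROUP MODE -> "writable" or "read-only" for user ftp
ftp_dir_verdict() {
    if can_write "$1" "$2" "$3" ftp ftp; then echo writable; else echo read-only; fi
}

# anon_root_ok MODE -> exit 0 when neither group nor others may write, which
# is what the post means by keeping the anonymous home directory at 755:
# recent vsftpd versions refuse the login with "500 OOPS: vsftpd: refusing
# to run with writable root inside chroot()" unless allow_writeable_chroot=YES.
anon_root_ok() {
    mode=${1#"${1%???}"}
    g=${mode#?}; g=${g%?}; o=${mode#??}
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# Same verdict for a directory that actually exists on this host.
ftp_dir_verdict_path() {
    set -- $(stat -c '%U %G %a' "$1")
    ftp_dir_verdict "$1" "$2" "$3"
}

# The situations described in the post:
echo "pub as shipped (root:root 755): $(ftp_dir_verdict root root 755)"   # read-only
echo "pub after chown ftp:ftp (755): $(ftp_dir_verdict ftp ftp 755)"       # writable
anon_root_ok 755 && echo "/var/ftp at 755: anonymous login accepted"
anon_root_ok 777 || echo "/var/ftp at 777: vsftpd would refuse anonymous login"
```

Run `ftp_dir_verdict_path /var/ftp/pub` on the server to get the same answer for the real directory; the pure-argument form is what lets the rule be checked on any machine.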

 

 

Let's do it step by step: modify the directory permissions, create a company-wide upload directory called testdata, set its owner to the ftp user, and leave the directory permissions at 755

[root@test63 vsftpd]# mkdir /var/ftp/testdata

[root@test63 vsftpd]# chown ftp.ftp /var/ftp/testdata/

[root@test63 vsftpd]# ll -d !$

ll -d /var/ftp/testdata/

drwxr-xr-x 2 ftp root 4096 Mar  9 19:30 /var/ftp/testdata/

 

 

Then restart the service

[root@test63 ~]# service vsftpd restart

Shutting down vsftpd:                                      [  OK  ]

Starting vsftpd for vsftpd:                                [  OK  ]

 

Test

Log in to FTP anonymously

Now upload as anonymous

Files uploaded anonymously can now no longer be deleted~

With this, anonymous user uploads succeed

Note: in practice, anonymous users only get read-only access, never write permission.

 

 

Example 2:

The company now has an internal FTP and WEB server. The FTP function is used to maintain the site's content: uploading files, creating directories, updating pages and so on. Two departments are responsible for the maintenance tasks, using the team1 and team2 accounts respectively. The requirement is to allow only the team1 and team2 accounts to log in to the FTP server, without being able to log in to the local system, and to restrict the root directory of these two accounts to /var/www/html so that they cannot enter any directory outside it.

 

Combining ftp with the www web server.

www web server root directory: /var/www/html

Only the two users team1 and team2 may upload. vsftpd forbids anonymous access.

 

Analysis:

Putting FTP and the WEB server on one machine is a method businesses often use, because it makes maintaining the site easy. To improve security, first allow only local users to access and forbid anonymous login. Second, use the chroot feature to lock team1 and team2 into the /var/www/html directory. If files need to be deleted, pay attention to the local filesystem permissions.

Solution:

(1) Create the team1 and team2 accounts for maintaining the ftp site content, disable their local login, then set their passwords

[root@test63 ~]# useradd -s /sbin/nologin team1

[root@test63 ~]# useradd -s /sbin/nologin team2

[root@test63 ~]# echo "123456" | passwd --stdin team1

Changing password for user team1.

passwd: all authentication tokens updated successfully.

[root@test63 ~]# echo "123456" | passwd --stdin team2

Changing password for user team2.

passwd: all authentication tokens updated successfully.

 

2) Configure the main vsftpd.conf file and make the corresponding changes

[root@test63 vsftpd]# cp vsftpd.conf.back vsftpd.conf

vim /etc/vsftpd/vsftpd.conf

anonymous_enable=NO: forbid anonymous user login

local_enable=YES: allow local users to log in

 

 

 

Change:

 

 

to:

 

 

local_root=/var/www/html: set the root directory of local users to /var/www/html

chroot_list_enable=YES: enable the chroot feature

chroot_list_file=/etc/vsftpd/chroot_list: the list file of users to be locked into their root directory; it holds the usernames to lock

allow_writeable_chroot=YES: allow locked users to have write permission

Save and exit

(3) Create the /etc/vsftpd/chroot_list file and add the team1 and team2 accounts

[root@test63 vsftpd]# touch /etc/vsftpd/chroot_list

[root@test63 ~]# ll !$

ll /etc/vsftpd/chroot_list

-rw-r--r-- 1 root root 0 Nov 10 17:08 /etc/vsftpd/chroot_list

[root@test63 ~]# vim /etc/vsftpd/chroot_list  # write the following, one username per line

team1

team2

5) Modify local permissions

[root@test63 ~]# ll -d /var/www/html/

drwxr-xr-x. 2 root root 4096 Oct  6  2011 /var/www/html/

[root@test63 ~]# chmod -R o+w /var/www/html/

[root@test63 ~]# ll -d /var/www/html/

drwxr-xrwx. 2 root root 4096 Oct  6  2011 /var/www/html/

6) Restart the vsftpd service so the configuration takes effect

service vsftpd restart

 

(7) Test

 

 

Log in from the client with lftp to check:

[root@test64 ~]# lftp 192.168.0.63 -u team1,123456

lftp team1@192.168.0.63:~> ls

-rw-r--r--    1 0        0            1384 Jul 30 01:56 passwd

lftp team1@192.168.0.63:/>
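The login and chroot decisions in this example depend on the list files described in section 2 (ftpusers, user_list together with userlist_deny) and on chroot_list_enable. As an added example that is not part of the original post, the shell functions below reproduce those decisions from a copy of the files, so an administrator can see who gets in and who is confined before restarting the daemon. The config and list files are constructed to match this page; userlist_enable=YES is assumed, as in the stock RHEL vsftpd.conf.

```sh
#!/bin/sh
# Added example (not from the original post): answer "can USER log in, and is
# USER chrooted?" from a vsftpd.conf and its list files, using the rules the
# post describes for ftpusers / user_list (userlist_deny) and chroot_list.
# The config and list files below are constructed for the demo.

# conf_get FILE KEY DEFAULT -> value of KEY in FILE (last one wins) or DEFAULT
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=\(.*\)/\1/p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# in_list FILE NAME -> exit 0 if NAME is a line of FILE (missing file = empty)
in_list() {
    [ -f "$1" ] && grep -qx "$2" "$1"
}

# login_allowed CONF FTPUSERS USER_LIST USER -> exit 0 if vsftpd accepts the login
login_allowed() {
    conf=$1; ftpusers=$2; userlist=$3; user=$4
    [ "$(conf_get "$conf" local_enable NO)" = YES ] || return 1
    if in_list "$ftpusers" "$user"; then return 1; fi          # PAM blacklist: always refused
    if [ "$(conf_get "$conf" userlist_enable NO)" = YES ]; then
        if [ "$(conf_get "$conf" userlist_deny YES)" = YES ]; then
            if in_list "$userlist" "$user"; then return 1; fi  # listed users refused before the password prompt
        else
            in_list "$userlist" "$user" || return 1            # only listed users may log in
        fi
    fi
    return 0
}

# is_chrooted CONF CHROOT_LIST USER -> exit 0 if USER is confined to its root
is_chrooted() {
    conf=$1; list=$2; user=$3
    all=$(conf_get "$conf" chroot_local_user NO)
    if [ "$(conf_get "$conf" chroot_list_enable NO)" = YES ] && in_list "$list" "$user"; then
        # the list inverts the global setting: it holds the exceptions when
        # everybody is chrooted, and the only chrooted users when nobody is
        [ "$all" = NO ]
    else
        [ "$all" = YES ]
    fi
}

# --- constructed demo mirroring Example 2 -----------------------------------
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
local_root=/var/www/html
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
allow_writeable_chroot=YES
userlist_enable=YES
EOF
printf 'team1\nteam2\n' > "$demo/chroot_list"
printf 'root\nbin\ndaemon\n' > "$demo/user_list"   # constructed; first entries of the stock RHEL file
printf 'root\nbin\ndaemon\n' > "$demo/ftpusers"

# describe USER -> "USER login:yes|no chroot:yes|no"
describe() {
    if login_allowed "$demo/vsftpd.conf" "$demo/ftpusers" "$demo/user_list" "$1"; then l=yes; else l=no; fi
    if is_chrooted "$demo/vsftpd.conf" "$demo/chroot_list" "$1"; then c=yes; else c=no; fi
    echo "$1 login:$l chroot:$c"
}

describe team1   # team1 login:yes chroot:yes
describe root    # root login:no chroot:no
describe alice   # alice login:yes chroot:no  (any other local account is not confined)
```

The last line is the point of running the check: with chroot_list_enable=YES and chroot_local_user left at its default NO, only the two listed accounts are confined, so every other local account that can authenticate sees the whole filesystem over FTP.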

 

Supplement: configure vsftpd to encrypt data transfers with an SSL certificate

Like HTTP, FTP transmits in plaintext by default. To keep transfers between the FTP server and its clients secure, SSL can be configured for FTP

 

1, Generate a self-signed certificate with OpenSSL

[root@test63 vsftpd]# openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem -days 3560

Generating a 2048 bit RSA private key

..........................................................................................+++

.....................+++

writing new private key to 'vsftpd.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:ZH

State or Province Name (full name) []:JS

Locality Name (eg, city) [Default City]:NJ

Organization Name (eg, company) [Default Company Ltd]:XS

Organizational Unit Name (eg, section) []:XS

Common Name (eg, your name or your server's hostname) []:XS.COM

Email Address []:[email protected]

 

Brief explanation of the OpenSSL parameters:

req - the command for managing X.509 Certificate Signing Requests (CSR).

x509 - X.509 certificate data management.

days - defines the validity period of the certificate.

newkey - specifies how the certificate's key is generated.

keyout - sets the file the private key is written to.

out - sets the file the certificate is written to; note that here the certificate and the key are saved in the same file

 

2, Create a directory to hold the certificate file

[root@test63 vsftpd]# mkdir .sslkey

[root@test63 vsftpd]# cp vsftpd.pem .sslkey/

[root@test63 vsftpd]# chmod 400 .sslkey/vsftpd.pem

3, Modify the configuration file to support SSL

[root@test63 vsftpd]# vim vsftpd.conf

Add the following configuration (vsftpd only recognises comments on their own line, so the explanations are placed above each setting rather than after its value):

 

 

# enable SSL support
ssl_enable=YES
allow_anon_ssl=NO
# the four force_* lines require encrypted logins and data transfers (force_local_* for local users, force_anon_* for anonymous users)
force_local_data_ssl=YES
force_local_logins_ssl=YES
force_anon_logins_ssl=YES
force_anon_data_ssl=YES
# protocol versions vsftpd will accept: TLS v1, SSL v2, SSL v3
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# do not require data connections to reuse the control connection's SSL session (security-related setting)
require_ssl_reuse=NO
# SSL cipher suites allowed for encrypting SSL connections; this greatly limits attackers who try to find a particular flawed algorithm in use
ssl_ciphers=HIGH
# location of the SSL certificate and key file
rsa_cert_file=/etc/vsftpd/.sslkey/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/.sslkey/vsftpd.pem

 

Note: do not append the above items to the very end of vsftpd.conf, otherwise startup reports an error

 

4, Verify with the FileZilla client:

 

 

The connection succeeds, and transfers are now TLS-encrypted

Note: at work, intranet FTP transfers can do without certificate encryption

If the FTP server is on the public Internet, certificate encryption must be configured for the security of the data

NFS overview - configure an NFS server and mount it automatically at boot

NFS server overview:

NFS is short for Network File System. The network file system is one of the file systems supported by FreeBSD, also called NFS. NFS lets a system share directories and files with others over the network. With NFS, users and programs can access files on a remote system as if they were local files.

 

 

 

Mode: C/S (client/server) mode

Port:

RHEL7 uses NFSv4 as the default version; NFSv4 uses the TCP protocol (port 2049) to establish the connection with the NFS server

 

Install nfs

[root@test63 ~]# yum -y install rpcbind nfs-utils

 

 

Configuration file location

[root@test63 ~]# ls /etc/exports

/etc/exports

 

Start the NFS service

First check whether port 2049 is open:

[root@test63 ~]# netstat -antpu | grep 2049

 

[root@test63 ~]# systemctl start rpcbind

[root@test63 ~]# systemctl start nfs-server.service

 

Check the listening state of the port again

[root@test63 ~]# netstat -antpu | grep 2049

tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -

tcp        0      0 :::2049                     :::*                        LISTEN      -

 

 

Configure auto-start at boot

[root@test63 ~]# chkconfig nfs-server on

 

How to use the service

showmount -e <NFS server IP>

Example:

[root@test64 ~]# showmount -e 192.168.0.63

Export list for 192.168.0.63:

 

Mount

[root@test64 ~]# mount 192.168.0.63:/tmp /opt

 

Modify the configuration file, a practical example

[root@test63 ~]# vim /etc/exports

/media  *(rw)

Note: * means the share is open to every network

A specific network can also be specified

 

Restart the service

[root@test63 ~]# exportfs -rv   ## re-read the configuration file without interrupting the service.

 

Check from the client:

[root@test64 ~]# showmount -e 192.168.0.63

Export list for 192.168.0.63:

/media *

 

 

 

 

Mount the share

[root@test64 ~]# mount -t nfs 192.168.0.63:/media/ /opt/

[root@test64 ~]# df -h

Filesystem            Size  Used Avail Use% Mounted on

/dev/sda2             9.7G  4.0G  5.2G  44% /

tmpfs                 996M   80K  996M   1% /dev/shm

/dev/sda1             485M   39M  421M   9% /boot

/dev/sr0              3.7G  3.7G     0 100% /mnt

192.168.0.63:/media/  9.7G  4.0G  5.3G  43% /opt

 

Automatic mount at boot:

Edit: [root@test63 ~]# vim /etc/fstab

Add the auto-mount entry at the end of the file:

 

Verify write permission

[root@test64 ~]# touch /opt/a.txt

touch: 无法创建"/opt/a.txt": 权限不够

 

Solution:

Setting access permissions generally involves 2 parts

1) the permissions of the service itself

2) the access permissions of the directory

nfs uses the nfsnobody user by default

[root@test63 ~]# grep nfs /etc/passwd

rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

 

Modify the permissions

[root@test63 ~]# chmod 777 -R /media/

[root@test63 ~]# chown nfsnobody.nfsnobody -R /media/

 

Verify write permission again

[root@test64 ~]# touch /opt/a.txt

[root@test64 ~]# ll !$

ll /opt/a.txt

-rw-r--r-- 1 nfsnobody nfsnobody 0 5月  24 2016 /opt/a.txt

 

Below are some commonly used NFS export options:

 ro                  read-only access
 rw                  read-write access
 sync                data is written to memory and disk synchronously
 async               data is first buffered in memory instead of being written straight to disk
 secure              NFS is served over secure TCP/IP ports below 1024
 insecure            NFS is served over ports above 1024
 wdelay              if several users write to the NFS directory, group the writes (default)
 no_wdelay           if several users write to the NFS directory, write immediately; unnecessary when async is used
 hide                do not share subdirectories of the NFS shared directory
 no_hide             share the subdirectories of the NFS directory
 subtree_check       when sharing a subdirectory such as /usr/bin, force NFS to check the parent directory's permissions (default)
 no_subtree_check    the opposite of the above: do not check parent directory permissions
 all_squash          map the UID and GID of shared files to the anonymous user; suitable for public directories
 no_all_squash       keep the UID and GID of shared files (default)
 root_squash         map all requests from root to the same permissions as the anonymous user (default)
 no_root_squash      root has full administrative access to the root directory

 

[root@xue63 a]# cat /etc/exports

/tmp/a/no_root_squash      *(rw,no_root_squash)

/tmp/a/sync               192.168.0.0/24(rw,sync)

/tmp/a/ro                  192.168.1.64(ro)

/tmp/a/all_squash             192.168.0.0/24(rw,all_squash,anonuid=500,anongid=500)

/tmp/a/async                    192.168.3.0/255.255.255.0(async)

/tmp/a/rw          192.168.3.0/255.255.255.0(rw)    192.168.4.0/255.255.255.0(rw)

/tmp/a/root_squash   *(rw,root_squash)    

 

Note: in an export entry, only the shared directory is mandatory; all other parameters are optional. A space is required between the shared directory and a client, and between clients, but there must be no space between a client and its parameters

 

 

Optimizing NFS client mount options:

Important server-side optimization for NFS in high-concurrency environments (mount -o options)

async: asynchronous writes; this option improves I/O performance but lowers data safety (only for cases with very high performance needs and no data reliability requirement; not recommended in general production environments)

noatime: stop updating inode access times on the file system; improves I/O performance; recommended.

nodiratime: stop updating directory inode access times on the file system; in high-concurrency environments it is recommended to set this option explicitly to improve system performance

intr: lets an unsuccessful mount be interrupted

rsize/wsize: the block size for reads (rsize) and writes (wsize). This setting affects how much data is buffered in transfers between client and server. Generally, on a LAN where both client and server have enough memory, this value can be set larger, say 32768 (bytes); a larger buffer block raises the transfer capacity of the NFS file system. But do not set it too large either; the best limit is the maximum the network can actually transmit.

 

Kernel tuning:

net.core.wmem_default = 8388608     # kernel default write (send) buffer
net.core.rmem_default = 8388608     # kernel default read (receive) buffer
net.core.rmem_max = 16777216        # kernel maximum read (receive) buffer
net.core.wmem_max = 16777216        # kernel maximum write (send) buffer

 

 

Usage:

mount -t nfs -o noatime,nodiratime,rsize=131072,wsize=131072,intr 192.168.0.63:/backup/NFS  /mnt

 

Or write it into the mount file (/etc/fstab):

192.168.0.63:/backup/NFS /mnt nfs       noatime,nodiratime,rsize=131072,wsize=131072,intr 0 0


Origin www.cnblogs.com/hackerlin/p/11279329.html