vsftpd virtual users backed by MySQL
1. Installation environment
yum groupinstall -y "Development Tools" "Server Platform Development"
yum install -y pam-devel mariadb-devel mariadb-server vsftpd lftp ftp
Download the latest pam-mysql
http://pam-mysql.sourceforge.net/
Compile and install pam-mysql
tar xf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1
./configure --with-pam=/usr --with-mysql=/usr --with-pam-mods-dir=/usr/lib64/security
make
make install
2. Configure vsftpd
Create the file that PAM authentication requires
vim /etc/pam.d/vsftpd.mysql
Add the following two lines
auth required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=centos host=127.0.0.1 db=vsftpd table=user usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=centos host=127.0.0.1 db=vsftpd table=user usercolumn=name passwdcolumn=password crypt=2
Create the system user that virtual users are mapped to, and its home directory
mkdir /ftproot
useradd -s /sbin/nologin -d /ftproot vuser
Create test directories
mkdir /ftproot/{pub,upload}
cd /ftproot
chown vuser:vuser upload
Modify the vsftpd configuration file so it authenticates against MySQL
vim /etc/vsftpd/vsftpd.conf
Change the value of the pam_service_name option as shown below
pam_service_name=vsftpd.mysql
Add the following two lines:
guest_enable=YES
guest_username=vuser
Configure virtual users with different access rights
Create the required directory and provide a configuration file for each virtual user
mkdir /etc/vsftpd/vusers_conf
cd /etc/vsftpd/vusers_conf
Write the per-user configuration files (vsftpd reads them from this directory only if user_config_dir=/etc/vsftpd/vusers_conf is also set in vsftpd.conf):
vim tom
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
vim jerry
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
3. Create the data in SQL
MariaDB [(none)]> CREATE DATABASE vsftpd;
MariaDB [(none)]> use vsftpd;
MariaDB [vsftpd]> create table user(name char(30),password char(50));
MariaDB [vsftpd]> INSERT INTO vsftpd.user(name,password) VALUES ('tom',PASSWORD('lxq')),('jerry',PASSWORD('lxq'));
MariaDB [(none)]> create user vsftpd@localhost identified by 'centos';
MariaDB [(none)]> grant all privileges on vsftpd.user to vsftpd@localhost identified by 'centos';
MariaDB [(none)]> FLUSH PRIVILEGES;
4. Test
Log in as tom
Upload a file: it succeeds
Log in as jerry: the upload fails
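The steps above are typed by hand into several files and a MySQL shell, which makes it easy to forget one of them. The script below is an added example, not code from the original post: it renders every fragment of the vsftpd + pam_mysql setup into a prefix directory so the result can be reviewed (or diffed against a live host) before it is copied into place. It uses the post's users, paths and DB credentials; user_config_dir is an addition, because vsftpd only reads the per-user files in /etc/vsftpd/vusers_conf when that option points at the directory, and the SQL grant is narrowed to SELECT because pam_mysql only reads the user table.

```shell
#!/bin/bash
# Added example, not code from the original post: render every piece of the
# vsftpd + pam_mysql configuration described above into a prefix directory,
# so the result can be reviewed (or diffed against a live host) before it is
# copied into place. Users, paths and DB credentials are the post's values;
# user_config_dir is an addition, because vsftpd only reads the per-user
# files in /etc/vsftpd/vusers_conf when that option points at the directory.
set -eu

DB_USER=vsftpd
DB_PASS=centos                 # constructed value from the post; change before use
DB_NAME=vsftpd
PAM_MOD=/usr/lib64/security/pam_mysql.so
USER_CONF_DIR=/etc/vsftpd/vusers_conf
PAM_ARGS="user=$DB_USER passwd=$DB_PASS host=127.0.0.1 db=$DB_NAME table=user usercolumn=name passwdcolumn=password crypt=2"

# $1 = prefix -> $1/etc/pam.d/vsftpd.mysql (mode 600: it holds the DB password)
render_pam_config() {
    local out="$1/etc/pam.d/vsftpd.mysql"
    mkdir -p "$(dirname "$out")"
    printf 'auth    required %s %s\naccount required %s %s\n' \
        "$PAM_MOD" "$PAM_ARGS" "$PAM_MOD" "$PAM_ARGS" > "$out"
    chmod 600 "$out"
}

# $1 = existing vsftpd.conf, $2 = output copy. The keys set here are stripped
# from the copy first so that no duplicate setting survives; write access is
# disabled globally and switched on only by the per-user files.
render_vsftpd_conf() {
    local src="$1" out="$2"
    mkdir -p "$(dirname "$out")"
    grep -Ev '^(pam_service_name|guest_enable|guest_username|user_config_dir|anon_upload_enable|anon_mkdir_write_enable|anon_other_write_enable)=' "$src" > "$out" || true
    cat >> "$out" <<EOF
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vuser
user_config_dir=$USER_CONF_DIR
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
EOF
}

# $1 = prefix, $2 = virtual user name, $3 = YES or NO (may the user write?)
render_user_config() {
    local dir="$1$USER_CONF_DIR"
    mkdir -p "$dir"
    printf 'anon_upload_enable=%s\nanon_mkdir_write_enable=%s\nanon_other_write_enable=%s\n' \
        "$3" "$3" "$3" > "$dir/$2"
}

# $1 = prefix -> $1/vsftpd-setup.sql, the statements the post types by hand.
# The grant is narrowed to SELECT: pam_mysql only reads the user table.
render_sql() {
    mkdir -p "$1"
    cat > "$1/vsftpd-setup.sql" <<EOF
CREATE DATABASE IF NOT EXISTS $DB_NAME;
CREATE TABLE IF NOT EXISTS $DB_NAME.user (name CHAR(30) PRIMARY KEY, password CHAR(50));
INSERT INTO $DB_NAME.user (name, password) VALUES ('tom', PASSWORD('lxq')), ('jerry', PASSWORD('lxq'));
CREATE USER IF NOT EXISTS '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';
GRANT SELECT ON $DB_NAME.user TO '$DB_USER'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# $1 = prefix -> 0 when vsftpd.conf points at the per-user directory and every
# per-user file names a user the SQL inserts, 1 otherwise
check_render() {
    local prefix="$1" f u
    grep -q "^user_config_dir=$USER_CONF_DIR\$" "$prefix/etc/vsftpd/vsftpd.conf" || return 1
    for f in "$prefix$USER_CONF_DIR"/*; do
        u=$(basename "$f")
        grep -q "('$u', PASSWORD(" "$prefix/vsftpd-setup.sql" || return 1
    done
    return 0
}

# $1 = prefix, $2 = the host's current vsftpd.conf
render_all() {
    render_pam_config "$1"
    render_vsftpd_conf "$2" "$1/etc/vsftpd/vsftpd.conf"
    render_user_config "$1" tom YES
    render_user_config "$1" jerry NO
    render_sql "$1"
}
```

Run `render_all /tmp/review /etc/vsftpd/vsftpd.conf`, inspect the tree under /tmp/review, then copy the files into place and feed vsftpd-setup.sql to `mysql`. `check_render` catches the common mistake of adding a per-user file for a name that has no database row.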
Detailed description of the iptables four tables and five chains
Concepts of the four tables and five chains
filter table: filters packets
nat table: network address translation (IP address, port)
mangle table: modifies a packet's type of service and TTL, and can mark packets for policy routing to implement QoS
raw table: decides whether a packet is handled by the connection-tracking mechanism
INPUT chain: the rules in this chain apply to incoming packets
OUTPUT chain: the rules in this chain apply to outgoing packets
FORWARD chain: the rules in this chain apply to forwarded packets
PREROUTING chain: the rules in this chain are applied before the routing decision (every incoming packet is handled by this chain first)
POSTROUTING chain: the rules in this chain are applied after the routing decision (every outgoing packet passes through this chain before it leaves)
# Flush the iptables rules
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 348 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 380 bytes)
pkts bytes target prot opt in out source destination
# Install the required software
[root@localhost ~]# yum -y install httpd telnet-server samba tftp-server vsftpd mariadb-server
# Set the server's default INPUT and OUTPUT policies to DROP
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P OUTPUT DROP
(1) Multi-port match
# Accept packets on ports 22 and 80 so that the ssh and httpd services keep working
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -p tcp -m multiport --dports 22,80 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -p tcp -m multiport --sports 22,80 -j ACCEPT
(2) IP address range match (iprange)
# Allow a specified range of IP addresses to connect to port 23 (inserted at the head of the chain; an explicit position such as "-I INPUT 3" fails when the chain has fewer rules than that)
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -p tcp --dport 23 -m iprange --src-range 192.168.186.130-192.168.186.135 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -p tcp --sport 23 -m iprange --dst-range 192.168.186.130-192.168.186.135 -j ACCEPT
(3) String match
# Change the default policies back to ACCEPT
[root@localhost ~]# iptables -P INPUT ACCEPT
[root@localhost ~]# iptables -P OUTPUT ACCEPT
# Reject outgoing packets whose payload contains the string "gaain"
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -m string --algo kmp --string "gaain" -j REJECT
(4) Time match
# Open the time synchronisation service ports
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -p udp -m multiport --dports 123,323 -j ACCEPT
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -p udp -m multiport --sports 123,323 -j ACCEPT
# Add the rules
# Allow the specified IP range to connect to port 23 only between 12:00 and 23:00 each day (the time match compares against UTC unless --kerneltz is added)
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -p tcp --dport 23 -m iprange --src-range 192.168.186.130-192.168.186.135 -m time --timestart 12:00:00 --timestop 23:00:00 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -p tcp --sport 23 -m iprange --dst-range 192.168.186.130-192.168.186.135 -m time --timestart 12:00:00 --timestop 23:00:00 -j ACCEPT
(5) Concurrent connection limit
[root@localhost ~]# systemctl start mariadb.service
[root@localhost ~]# mysql
MariaDB [(none)]> CREATE USER 'test'@'192.168.186.%' IDENTIFIED BY '123';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> exit
[root@localhost ~]# vim /etc/my.cnf.d/server.cnf
[mysqld]
skip_name_resolve=ON
[root@localhost ~]# systemctl restart mariadb.service
# Open port 3306 between the server and the specified clients
[root@localhost ~]# iptables -I INPUT -s 192.168.186.0/24 -d 192.168.186.131 -p tcp --dport 3306 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -d 192.168.186.0/24 -s 192.168.186.131 -p tcp --sport 3306 -j ACCEPT
# Limit incoming packets: one source IP may hold at most 2 concurrent connections to the database (replaces rule 1 inserted above; connections beyond the limit fall through to the default policy, so they are only blocked while the INPUT policy is DROP)
[root@localhost ~]# iptables -R INPUT 1 -s 192.168.186.0/24 -d 192.168.186.131 -p tcp --dport 3306 -m connlimit --connlimit-upto 2 -j ACCEPT
(6) Rate match (packet rate limiting)
# Handle one echo request every 3 seconds on average, with a burst of 5 (test with ping from another host)
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 20/minute -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -p icmp --icmp-type 0 -j ACCEPT
(7) Packet state match
The five packet states:
NEW: a new connection request;
ESTABLISHED: an already established connection;
INVALID: a connection that cannot be identified;
RELATED: a related connection; the current packet is a new request but belongs to an existing connection;
UNTRACKED: a connection that is not tracked;
# Allow NEW requests to the listed ports
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -p tcp -m multiport --dports 22:23,80,139,445,3306 -m state --state NEW -j ACCEPT
# Allow ESTABLISHED packets in
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -m state --state ESTABLISHED -j ACCEPT
# Allow ESTABLISHED packets out
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -m state --state ESTABLISHED -j ACCEPT
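The rules in sections (1) through (7) are inserted one at a time with -I, so the final order depends on the sequence they were typed in, and the connlimit rule in (5) only bites while the default policy happens to be DROP. The script below is an added example, not code from the original post: it assembles the state, multiport, limit and connlimit matches into one ordered host firewall using the post's address and ports. DRY_RUN=1 prints each command instead of running it, which is how the ordering is reviewed without root; the `-m conntrack --ctstate` form is the current equivalent of the post's `-m state --state`.

```shell
#!/bin/bash
# Added example, not code from the original post: the state, multiport,
# limit and connlimit matches shown above assembled into one ordered host
# firewall, instead of a series of -I insertions whose final order depends
# on the sequence they were typed in. The host address and ports are the
# post's; DRY_RUN=1 prints each command instead of running it, so the
# rule order can be reviewed without root.
set -eu

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# $1 = this host's address, $2 = comma-separated TCP ports that accept NEW
# connections, $3 = TCP port whose connections per source are capped,
# $4 = that cap. Order matters: ESTABLISHED,RELATED first (it matches most
# traffic and makes every later rule apply to new connections only),
# INVALID dropped, the cap before the generic NEW rule, and the default
# policy DROP catches everything else.
build_host_firewall() {
    local host=$1 ports=$2 capped_port=$3 max_conn=$4
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -d "$host" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -s "$host" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Reject the connection that would exceed the cap outright, instead of
    # relying on the default policy as "--connlimit-upto N -j ACCEPT" does.
    ipt -A INPUT -d "$host" -p tcp --dport "$capped_port" -m conntrack --ctstate NEW \
        -m connlimit --connlimit-above "$max_conn" -j REJECT --reject-with tcp-reset
    ipt -A INPUT -d "$host" -p tcp -m multiport --dports "$ports" -m conntrack --ctstate NEW -j ACCEPT
    # Echo requests: one every 3 seconds on average with a burst of 5; the
    # replies leave as ESTABLISHED.
    ipt -A INPUT -d "$host" -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 5 -j ACCEPT
    # Connections the host itself opens: DNS and NTP lookups, outbound pings.
    ipt -A OUTPUT -s "$host" -p udp -m multiport --dports 53,123 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT -s "$host" -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
    # Log (rate-limited) what falls through to the DROP policy.
    ipt -A INPUT -m limit --limit 6/minute -j LOG --log-prefix "IPT-INPUT-DROP: "
}

case "${1:-}" in
    review) DRY_RUN=1; build_host_firewall 192.168.186.131 22,80,3306 3306 2 ;;
    apply)  build_host_firewall 192.168.186.131 22,80,3306 3306 2 ;;
esac
```

`./firewall.sh review` prints the rule list in the order it will be applied; `./firewall.sh apply` as root installs it. Because the ESTABLISHED,RELATED rule comes first, every later ACCEPT is evaluated only for the first packet of a connection, which is also why the connlimit rule must sit before the generic NEW rule for the same port.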
3. Examples of using iptables for SNAT (source address modification), DNAT (destination address modification), PNAT (port modification) and related uses
a. SNAT: source address modification
After routing (POSTROUTING), rewrite the internal source IP address to the address of the external network interface
#iptables -t nat -I POSTROUTING -o <WAN interface> -s <LAN subnet> -j SNAT --to-source <WAN IP address>   # for a fixed external IP address (use -j MASQUERADE when the external address is dynamic)
[root@localhost g513452987]# iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o ens32 -j SNAT --to-source 10.23.15.57
b. DNAT: destination address modification
Before routing (PREROUTING), rewrite the destination IP and port of packets arriving from the external network at the public gateway IP and port to the corresponding internal server's IP and port
#iptables -t nat -I PREROUTING -i <WAN interface> -d <WAN IP> -p tcp --dport <published port> -j DNAT --to-destination <internal server IP>:<port>
[root@localhost g513452987]# iptables -t nat -A PREROUTING -d 172.16.0.254 -p tcp --dport 80 -j DNAT --to-destination 10.23.12.235
c. PNAT: port modification
REDIRECT: port mapping to a port on the local machine
iptables -A PREROUTING -t nat -d <local IP> -p <protocol> --dport <published port> -j REDIRECT --to-ports <mapped port>
[root@localhost g513452987]# iptables -A PREROUTING -t nat -d 10.23.12.235 -p tcp --dport 80 -j REDIRECT --to-ports 8080   # map port 80 to port 8080
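The three nat-table one-liners above are only half of a working gateway: forwarding has to be enabled, and on a gateway whose FORWARD policy is DROP a DNAT'ed packet is dropped right after translation unless a FORWARD rule admits it. The script below is an added example, not code from the original post, that puts the SNAT, DNAT and REDIRECT rules together with those missing pieces. ens32, 172.16.0.0/16, 10.23.15.57 and 10.23.12.235 are the post's values; the internal web server 172.16.0.10 is a constructed address. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/bash
# Added example, not code from the original post: the SNAT, DNAT and
# REDIRECT one-liners above as one gateway script, with the parts the
# one-liners leave out: IP forwarding, and FORWARD-chain rules (on a
# gateway whose FORWARD policy is DROP a DNAT'ed packet is otherwise
# dropped right after translation). ens32, 172.16.0.0/16 and 10.23.15.57
# are the post's values; the internal web server 172.16.0.10 is constructed.
# DRY_RUN=1 prints the commands instead of running them.
set -eu

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run "$IPT" "$@"; }

# $1 = WAN interface, $2 = LAN subnet, $3 = fixed WAN address, or "dynamic"
# to let MASQUERADE use whatever address the interface currently has.
setup_snat() {
    local wan_if=$1 lan_net=$2 wan_ip=$3
    if [ "$wan_ip" = dynamic ]; then
        ipt -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
    else
        ipt -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j SNAT --to-source "$wan_ip"
    fi
    # let LAN hosts open connections towards the WAN
    ipt -A FORWARD -s "$lan_net" -o "$wan_if" -m conntrack --ctstate NEW -j ACCEPT
}

# $1 = WAN interface, $2 = WAN address, $3 = published port,
# $4 = internal server address, $5 = internal port. The FORWARD rule sees
# the packet after DNAT, so it names the internal address and port.
publish_service() {
    local wan_if=$1 wan_ip=$2 pub_port=$3 srv_ip=$4 srv_port=$5
    ipt -t nat -A PREROUTING -i "$wan_if" -d "$wan_ip" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$srv_ip:$srv_port"
    ipt -A FORWARD -i "$wan_if" -d "$srv_ip" -p tcp --dport "$srv_port" -m conntrack --ctstate NEW -j ACCEPT
}

# $1 = local address, $2 = published port, $3 = port the service listens on
# (lets a daemon stay unprivileged while answering on a privileged port)
redirect_local_port() {
    ipt -t nat -A PREROUTING -d "$1" -p tcp --dport "$2" -j REDIRECT --to-ports "$3"
}

# $1 = WAN interface, $2 = LAN subnet, $3 = fixed WAN address
gateway() {
    run sysctl -w net.ipv4.ip_forward=1
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    setup_snat "$1" "$2" "$3"
    publish_service "$1" "$3" 80 172.16.0.10 80
}

case "${1:-}" in
    review) DRY_RUN=1; gateway ens32 172.16.0.0/16 10.23.15.57 ;;
    apply)  gateway ens32 172.16.0.0/16 10.23.15.57 ;;
esac
```

`./gateway.sh review` prints the commands; `./gateway.sh apply` as root installs them. `redirect_local_port 10.23.12.235 80 8080` reproduces the post's REDIRECT rule and is kept separate from `gateway` because it applies to a service on the machine itself, not to forwarded traffic.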