1,基于本地文本文件的虚拟用户授权
实验操作之前先把SELinux和防火墙关掉,操作环境为CENTOS 7.2
setenforce 0
iptables -F
1,安装vsftpd程序包
yum install vsftpd -y
2,先创建一个用户密码授权文件
mkdir /etc/vsftpd/vuser_db
vim /etc/vsftpd/vuser_db/vuser
3,将用户密码授权文件与vsftpd的认证关联起来
vim /etc/pam.d/vsftpd.vuserdb
auth required /usr/lib64/security/pam_userdb.so db=/etc/vsftpd/vuser_db/vuserpass
account required /usr/lib64/security/pam_userdb.so db=/etc/vsftpd/vuser_db/vuserpass
4,根据用户密码授权文件生成授权加密数据库
db_load -T -t hash -f /etc/vsftpd/vuser_db/vuser /etc/vsftpd/vuser_db/vuserpass.db
5,创建一个用户作为虚拟用户的代理用户,创建一个目录作为虚拟用户访问的目录,并赋予相应权限
mkdir /ftproot
useradd -d /ftproot/ vftpuser
mkdir /ftproot/{pub,upload}
setfacl -m u:vftpuser:rwx /ftproot/upload/
6,编辑vsftpd的主配置文件
vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.vuserdb
guest_enable=YES
guest_username=vftpuser
user_config_dir=/etc/vsftpd/vuser_dir
7,配置虚拟用户访问权限
mkdir /etc/vsftpd/vuser_dir
vim /etc/vsftpd/vuser_dir/xixi
anon_mkdir_write_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_other_write_enable=YES
8,启动服务并测试
systemctl restart vsftpd
2,基于数据库的虚拟用户授权
实验操作之前先把SELinux和防火墙关掉,操作环境为CENTOS 7.2
setenforce 0
iptables -F
1,安装vsftpd和mariadb程序包
yum install vsftpd mariadb-server -y
2,编译安装vsftpd,mariadb认证驱动文件(centos 6.8可以直接用yum install -y pam_mysql ,安装后的模块在/lib64/security目录下)
a,先安装编译所需的包
yum install -y mariadb-server mariadb-devel pam pam-devel gcc gcc-c++
b,先下载pam_mysql源码包
c,解压编译安装
tar -xvf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1/
./configure --with-pam=/usr --with-mysql=/usr --with-pam-mods-dir=/usr/lib64/security
make && make install
编译安装后会在/usr/lib64/security/生成两个文件
3,启动数据库并且添加授权用户
systemctl start mariadb
mysql -e "grant all on vsftp.* to vuser@127.0.0.1 identified by 'vpasswd';"
mysql -e "create database if not exists vsftp"
mysql -e "create table if not exists vsftp.users (id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,name CHAR(30) NOT NULL UNIQUE KEY,password CHAR(42));"
mysql -e "INSERT INTO vsftp.users (name,password) values ('xixi',PASSWORD('xixi')),('nihao',PASSWORD('nihao'));"
mysql -e "flush privileges;"
4,将用户密码授权(数据库)与vsftpd的认证关联起来
vim /etc/pam.d/vsftpd.vuserdb
auth required /usr/lib64/security/pam_mysql.so user=vuser passwd=vpasswd host=127.0.0.1 db=vsftp table=users usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=vuser passwd=vpasswd host=127.0.0.1 db=vsftp table=users usercolumn=name passwdcolumn=password crypt=2
5,创建一个用户作为虚拟用户的代理用户,创建一个目录作为虚拟用户访问的目录,并赋予相应权限
mkdir /ftproot
useradd -d /ftproot/ vftpuser
mkdir /ftproot/{pub,upload}
setfacl -m u:vftpuser:rwx /ftproot/upload/
6,编辑vsftpd的主配置文件
vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.vuserdb
guest_enable=YES
guest_username=vftpuser
user_config_dir=/etc/vsftpd/vuser_dir
7,配置虚拟用户访问权限
mkdir /etc/vsftpd/vuser_dir
vim /etc/vsftpd/vuser_dir/xixi
anon_mkdir_write_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_other_write_enable=YES
8,启动服务并测试
systemctl restart vsftpd
自动化ftp数据库安装脚本
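#!/bin/bash
# Lab installer: vsftpd with virtual users authenticated against MariaDB through
# pam_mysql (CentOS 7, run as root).
#
# Tunables (all optional; the defaults reproduce the original script):
#   PAM_MYSQL_URL      where the pam_mysql source tarball is fetched from
#   PAM_MYSQL_SHA256   if set, the tarball must match this SHA-256 or the run aborts
#   VSFTP_DB_USER      MariaDB account used by pam_mysql          (default: vuser)
#   VSFTP_DB_PASS      its password; must not contain a single quote (default: vpasswd)
#   CLEAR_RESOLV_CONF  "yes" (default) empties /etc/resolv.conf, a classroom-only workaround
set -euo pipefail

readonly pam_mysql_url=${PAM_MYSQL_URL:-ftp://10.1.0.1/pub/Sources/sources/pam/pam_mysql-0.7RC1.tar.gz}
readonly pam_mysql_sha256=${PAM_MYSQL_SHA256:-}   # e.g. PAM_MYSQL_SHA256=<sha256-of-tarball>
readonly db_user=${VSFTP_DB_USER:-vuser}
readonly db_pass=${VSFTP_DB_PASS:-vpasswd}
readonly clear_resolv_conf=${CLEAR_RESOLV_CONF:-yes}
readonly tarball=${pam_mysql_url##*/}             # pam_mysql-0.7RC1.tar.gz
readonly srcdir=${tarball%.tar.gz}                # pam_mysql-0.7RC1
readonly ftp_user=vftpuser
readonly ftp_root=/ftproot
readonly pam_file=/etc/pam.d/vsftpd.mysql
readonly vsftpd_conf=/etc/vsftpd/vsftpd.conf
readonly vusers_dir=/etc/vsftpd/vusers_config

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Replace any existing "key=..." line in a vsftpd-style config file with key=value,
# so a rerun does not accumulate duplicate lines.
set_conf() {
  local file=$1 key=$2 value=$3
  sed -i "/^${key}=/d" -- "$file"
  printf '%s=%s\n' "$key" "$value" >> "$file"
}

pmadir=$(mktemp -d /tmp/pma.XXXX) || die "mktemp failed"
# ":?" aborts rather than running rm -rf on an empty path.
cleanup() { rm -rf -- "${pmadir:?}" && echo "delete cache....ok"; }
trap cleanup EXIT

yum install -y mariadb-server mariadb-devel pam pam-devel gcc gcc-c++ vsftpd wget

# --- pam_mysql -------------------------------------------------------------
# The tarball is fetched over plain FTP and installed as a PAM module, i.e. code
# that runs as root at every login. Pin PAM_MYSQL_SHA256 so a modified mirror
# cannot ship a different module; when it is unset the tarball is installed
# unverified, as the original script did.
wget -q -P "$pmadir" -- "$pam_mysql_url" || die "download of $pam_mysql_url failed"
if [[ -n "$pam_mysql_sha256" ]]; then
  printf '%s  %s\n' "$pam_mysql_sha256" "$pmadir/$tarball" | sha256sum -c - \
    || die "checksum mismatch for $tarball"
fi
tar -xf "$pmadir/$tarball" -C "$pmadir"
# Subshell keeps the cwd change local; set -e aborts the script if any step fails
# (the original kept going and ran make in whatever directory it happened to be in).
(
  cd "$pmadir/$srcdir" || die "source directory $srcdir missing after extraction"
  ./configure --with-pam=/usr --with-mysql=/usr --with-pam-mods-dir=/usr/lib64/security
  make
  make install
)

# --- MariaDB ---------------------------------------------------------------
systemctl start mariadb
mysql -e "grant all on vsftp.* to '${db_user}'@'127.0.0.1' identified by '${db_pass}';"
mysql -e "create database if not exists vsftp"
mysql -e "create table if not exists vsftp.users (id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,name CHAR(30) NOT NULL UNIQUE KEY,password CHAR(50));"
# INSERT IGNORE: name is UNIQUE, so a rerun must not abort here under set -e.
mysql -e "INSERT IGNORE INTO vsftp.users (name,password) values ('xixi',PASSWORD('xixi')),('tom',PASSWORD('tom'));"
mysql -e "flush privileges;"
# Appended under [mysqld] once only. NOTE(review): =NO keeps reverse DNS lookups on;
# the slow-DNS classroom problem this script works around is usually addressed with
# skip_name_resolve (ON) instead — confirm the intended value.
grep -q '^skip_name_resolve=' /etc/my.cnf \
  || sed -i "/\[mysqld\]/askip_name_resolve=NO" /etc/my.cnf

# --- proxy account and directory tree ---------------------------------------
# Every virtual user maps onto this system account; vsftpd only needs its uid/gid,
# so it gets no login shell.
mkdir -p -- "$ftp_root"/{pub,upload}
id -u "$ftp_user" >/dev/null 2>&1 \
  || useradd -r -d "$ftp_root" -s /sbin/nologin "$ftp_user"
setfacl -m "u:${ftp_user}:rwx" "$ftp_root/upload"

# --- PAM service -------------------------------------------------------------
# The pam_mysql lines carry the DB password in clear text. vsftpd's privileged
# parent reads this file as root, so no other user needs access to it.
touch -- "$pam_file"
chmod 600 -- "$pam_file"
cat > "$pam_file" <<eof
auth required /usr/lib64/security/pam_mysql.so user=${db_user} passwd=${db_pass} host=127.0.0.1 db=vsftp table=users usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=${db_user} passwd=${db_pass} host=127.0.0.1 db=vsftp table=users usercolumn=name passwdcolumn=password crypt=2
eof

# --- vsftpd ------------------------------------------------------------------
set_conf "$vsftpd_conf" guest_enable YES
set_conf "$vsftpd_conf" guest_username "$ftp_user"
set_conf "$vsftpd_conf" user_config_dir "$vusers_dir"
set_conf "$vsftpd_conf" pam_service_name vsftpd.mysql

mkdir -pv -- "$vusers_dir"
echo "write conf.....ok"
# Per-user overrides are written with ">" (the original appended, duplicating the
# lines on every rerun). Quoted delimiter: nothing to expand in these files.
cat > "$vusers_dir/tom" <<'eof'
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=022
eof
cat > "$vusers_dir/xixi" <<'eof'
anon_upload_enable=YES
anon_mkdir_write_enable=YES
eof

##start#### classroom only: empty the resolver config, otherwise connections are slow.
# Set CLEAR_RESOLV_CONF=no in any other environment.
if [[ "$clear_resolv_conf" == yes ]]; then
  sed -i "/.*/d" /etc/resolv.conf
fi
#########end

trap - EXIT
cleanup
systemctl start vsftpd
# Lab shortcut kept from the original: SELinux permissive and every iptables rule
# flushed. On a real host leave both in place and instead allow the ftp daemon's
# access (setsebool -P ftpd_full_access on) and open port 21 plus the passive range.
setenforce 0 || true   # returns non-zero when SELinux is already disabled
iptables -F
echo "is ok....."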
基于文件认证的脚本
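#!/bin/bash
# Lab installer: vsftpd with virtual users authenticated against a local Berkeley DB
# file through pam_userdb (CentOS 7, run as root).
#
# Tunables (optional; the default reproduces the original script):
#   CLEAR_RESOLV_CONF  "yes" (default) empties /etc/resolv.conf, a classroom-only workaround
set -euo pipefail

readonly clear_resolv_conf=${CLEAR_RESOLV_CONF:-yes}
readonly ftp_user=vftpuser
readonly ftp_root=/ftproot
readonly pam_file=/etc/pam.d/vsftpd.db
readonly vsftpd_conf=/etc/vsftpd/vsftpd.conf
readonly vuser_db_dir=/etc/vsftpd/vuser_db
readonly vuser_list=$vuser_db_dir/vuser          # "user\npassword" pairs, one per line
readonly vuser_db_base=$vuser_db_dir/vuserpass   # pam_userdb appends ".db" to db= itself
readonly vuser_db=$vuser_db_base.db              # file produced by db_load
readonly vusers_dir=/etc/vsftpd/vusers_config

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Replace any existing "key=..." line in a vsftpd-style config file with key=value,
# so a rerun does not accumulate duplicate lines.
set_conf() {
  local file=$1 key=$2 value=$3
  sed -i "/^${key}=/d" -- "$file"
  printf '%s=%s\n' "$key" "$value" >> "$file"
}

yum install -y vsftpd

# --- proxy account and directory tree ---------------------------------------
# Every virtual user maps onto this system account; vsftpd only needs its uid/gid,
# so it gets no login shell.
mkdir -p -- "$ftp_root"/{pub,upload}
id -u "$ftp_user" >/dev/null 2>&1 \
  || useradd -r -d "$ftp_root" -s /sbin/nologin "$ftp_user"
setfacl -m "u:${ftp_user}:rwx" "$ftp_root/upload"

# --- PAM service -------------------------------------------------------------
cat > "$pam_file" <<eof
auth required /usr/lib64/security/pam_userdb.so db=${vuser_db_base}
account required /usr/lib64/security/pam_userdb.so db=${vuser_db_base}
eof

# --- vsftpd ------------------------------------------------------------------
set_conf "$vsftpd_conf" guest_enable YES
set_conf "$vsftpd_conf" guest_username "$ftp_user"
set_conf "$vsftpd_conf" user_config_dir "$vusers_dir"
set_conf "$vsftpd_conf" pam_service_name vsftpd.db

# --- credential database -----------------------------------------------------
# The list is clear text and the .db built from it holds the same clear-text
# passwords ("-t hash" is the DB access method, not a password hash), so both are
# kept readable by root only; vsftpd's privileged parent performs the PAM check.
# Written with ">" — the original appended, so every rerun duplicated the entries.
mkdir -p -- "$vuser_db_dir"
chmod 700 -- "$vuser_db_dir"
printf '%s\n' nihao nihao xixi xixi > "$vuser_list"
chmod 600 -- "$vuser_list"
db_load -T -t hash -f "$vuser_list" "$vuser_db" || die "db_load failed"
chmod 600 -- "$vuser_db"

mkdir -pv -- "$vusers_dir"
echo "write conf.....ok"
# Per-user overrides; quoted delimiter because nothing in them needs expansion.
cat > "$vusers_dir/xixi" <<'eof'
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=022
eof
cat > "$vusers_dir/nihao" <<'eof'
anon_upload_enable=YES
anon_mkdir_write_enable=YES
eof

##start#### classroom only: empty the resolver config, otherwise connections are slow.
# Set CLEAR_RESOLV_CONF=no in any other environment.
if [[ "$clear_resolv_conf" == yes ]]; then
  sed -i "/.*/d" /etc/resolv.conf
fi
#########end

systemctl start vsftpd
# Lab shortcut kept from the original: SELinux permissive and every iptables rule
# flushed. On a real host leave both in place and instead allow the ftp daemon's
# access (setsebool -P ftpd_full_access on) and open port 21 plus the passive range.
setenforce 0 || true   # returns non-zero when SELinux is already disabled
iptables -F
echo "is ok....."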