云計算安全課件網(wǎng)絡共享服務

命令（控制）：客戶端：隨機port服務器：tcp21數(shù)據(jù)：客戶端：隨機port---服務器：tcp20命令（控制）：客戶端：隨機port服務器：tcp21數(shù)據(jù)：客戶端：隨機port---服務器：隨機port227EnteringPassiveModevsftpd:VerySecureFTPDaemon，CentOS默認FTP服務器vsftpd:VerySecureFTPDaemon，CentOS默認FTP服務器ftp-Aftpserver-Aplftp–uusernameftpserverlftpusername@ftpserverlftpgetgftp:GUIxccnsswitch:networkserviceswitch名稱解析框架pam:pluggableauthenticationmoduleman5vsftpd.conf匿名用戶（映射為系統(tǒng)用戶ftp）共享文件位置ftp_data_port=20（默認）ftp_data_port=20（默認）ftpd_banner=“welcometomageftp使用pam(PluggableAuthenticationModules)完成用戶認證使用pam(PluggableAuthenticationModules)完成用戶認證service{service{}=====+==ldd`whichvsftpd`ldd`whichvsftpd`cdmakeopensslx509-invsftpd.pem-nooutdb_loadTthashfvusers.txtvusers.db cddb_load-T-thash-fvusers.txtchmod600useradd-duseradd-d/var/ftproot-s/sbin/nologinchmod+rxchmod-wmkdirsetfacl-mu:vuser:rwxvimauthrequiredpam_userdb.sodb=/etc/vsftpd/vusersaccountvimauthrequiredpam_userdb.sodb=/etc/vsftpd/vusersaccountrequiredpam_userdb.sodb=/etc/vsftpd/vusersvim/etc/vsftpd/vsftpd.confsetsebool-Pftpd_full_accessmdkiretc/vsftpd/vusers.d/vim/etc/vsftpd/vsftpd.confcdetc/vsftpd/vusers.dmdkiretc/vsftpd/vusers.d/vim/etc/vsftpd/vsftpd.confcdetc/vsftpd/vusers.dvimvimCentos7：在數(shù)據(jù)庫服務器上安裝yum–yinstallmariadb-serversystemctlstartmariadb.servicesystemctlenablemariadbyum–yinstallmysql-server在FTP服務器上安裝vsftpd和pam_mysql包yuminstallvsftpdpam_mysqlyumyyumygroupinstallDevelopmentTools"yumyinstallmariadb-develpam-develvsftpdtarxvfpam_mysql-0.7RC1.tar.gzcdpam_mysql-0.7RC1/./configure--with-pam-mods-dir=/lib64/security--with-mysql=/usrmakemysql>CREATEDATABASEvsftpd;mysql>SHOWDATABASES;mysql>CREATEDATABASEvsftpd;mysql>SHOWDATABASES;mysql>GRANTSELECTONvsftpd.*TOvsftpd@'172.16.%.%'IDENTIFIEDBY'magedu';mysql>GRANTSELECTONvsftpd.*TOvsftpd@localhostIDENTIFIEDBY'magedu';mysql>GRANTSELECTONvsftpd.*TOIDENTIFIEDBYmysql>FLUSHmysqlmysqlUSEvsftpd;Mysql>SHOWmysql>CREATETABLEusersidINTAUTO_INCREMENTNOTNULLPRIMARYKEY,nameCHAR(50)BINARYNOTNULL,passwordCHAR(48)BINARYNOTmysql>DESCusers;mysql-uvsftpd-h00-mysql>SHOWmysql>DESCmysql>INSERTINTOusers(name,password)mysql>INSERTINTOusers(name,password)mysql>SELECT*FROMvietc/pam.d/vsftpd.mysqlauthrequiredpam_mysql.souser=vsftpdpasswd=mageduhost=mysqlserverdb=vsftpdtable=usersusercolumn=namepasswdcolumn=passwordcrypt=2accountrequiredpam_mysql.souser=vsftpdpasswd=mageduhost=mysqlserverdb=vsftpdtable=usersusercolumn=namepasswdcolumn=passwordcrypt=2auth ????a_auth ????a_ ????????table=usersusercolumn=name當做用戶名的字段flfluseradd-s/sbin/nologin-d/var/ftprootchmod555var/ftprootcentos7ftp根目錄的寫權(quán)限mkdir/var/ftproot/{upload,pub}setfaclmu:vuser:rwxvar/ftproot/uploadservicevsftpdstart;systemctlstartvsftpdchkconfigvsftpdon;systemctlenableservicevsftpdstart;systemctlstartvsftpdchkconfigvsftpdon;systemctlenablevsftpdnetstat-tnlp|grep-Rsetsebool-Pftpd_connect_dbsetsebool-Pftp_home_dirchcon-R-tpublic_content_rw_ttailvim/etc/vsftpd/vsftpd.confmkdir/etc/vsftpd/vusers_config/cdtouchwangNFS：NetworkFileSystem網(wǎng)絡文件系統(tǒng)，基于內(nèi)核的文件系統(tǒng)。Sun公司文件，基于RPC（RemoteProcedureCallProtocol遠程過程調(diào)用）實現(xiàn)NFS：NetworkFileSystem網(wǎng)絡文件系統(tǒng)，基于內(nèi)核的文件系統(tǒng)。Sun公司文件，基于RPC（RemoteProcedureCallProtocol遠程過程調(diào)用）實現(xiàn)NFSNFSNFSCentOS7默認很使用NFSv4NFSNFSNFSCentOS7默認很使用NFSv4文件傳輸尺寸限制在無有更好的I/O寫性能ro,rw只讀和讀寫asyncno_all_squash（默認）保留共享文件的UID和GIDall_squashro,rw只讀和讀寫asyncno_all_squash（默認）保留共享文件的UID和GIDall_squashroot)都變成nfsnobody是4294967294(nfsnobody)?????????/myshare/myshare/myshare/myshare/myshareserver[0-/myshare/myshare/myshare/myshare/myshare*./myshare/(ro)server[0-/myshare????????????rpcinfo-prpcinforpcinfo-prpcinfoshostnameRPC–a–aushowmount-emount.nfs（默認）前臺掛載，bg（默認）持續(xù)請求，softintr（默認）前臺掛載，bg（默認）持續(xù)請求，softintr_netdevmount-orw,nosuid,fg,hard,intr:/testdir00為所有導出到網(wǎng)絡中的NFShost參看幫助：man5*systemctlstartnfs-systemctlenablenfs-mkdirsystemctlstartnfs-systemctlenablenfs-mkdirchownnfsnobody/nfsshareexporfsmountvim/etc/fstabmount-nfs0vi/exports/readnonebindvi/exports/readnonebind0/data2/write/exports/writenonebind0vi/exports/exports/read/exports/writemountvinfsserver://mnt/nfs4ro0SMB：ServerMessageSMB：ServerMessageBlock服務器消息塊，IBM發(fā)布，最早是DOS網(wǎng)絡文Cifs：commoninternetfilesystem，微軟基于SMBSamba提供smb服務samba-commonsmbdSamba提供smb服務samba-commonsmbdsmb（cifs）nmbdNetBIOS幫助參看：man [homes]用戶的家目錄共享 [homes]用戶的家目錄共享 %I客戶端主機的%Sworkgroup指定workgroup指定工作組名serverstring機注釋信netbiosname指定NetBIOSinterfaces指定服務偵聽接口和IPv4network/prefix:/24IPv4前綴IPv4network/netmask:/主機名:hostsallow=hostsallow=172.25.configmaxlogconfigmaxlogdomain:使用DC（DOMAINCONTROLLER)passdbbackendtdbsampdbedit-a-updbedit-a-usmbpasswd–x–x–updbedit–L–vreadonly=nowritable=yes等價，如與以上設置沖突，放在后面的設置生readonly=nowritable=yes等價，如與以上設置沖突，放在后面的設置生validpathpath=writeable=nobrowseable=UNCUniversalNamingConvention,通用命名規(guī)范UNCUniversalNamingConvention,通用命名規(guī)范smbclient-Lsmbclient-L-cdgetputsmbclient///shared-Umount-tmount-tcifs-ouser=wang,password=magedu//server/homes/mntcifscredentials=/etc/smb.txt0cat/etc/smb.txtchmod600yum-yinstallsambayum-yinstallsambagroupadd-radminsuseradd-s/sbin/nologin-Gadminswangsmbpasswd-awanguseradd-s/sbin/nologinsmbpasswd-amkdir/testdir/smbsharechgrpadminsmkdir/testdir/smbsharechgrpadminschmod2775semanagefcontext-a-tsamba_share_trestorecon-vvFRsecuritysecurity=passdbbackend=tdbsamwritelist=@adminssystemctlstartsmbsystemctlenablesmbfirewall-cmd--permanent--add-firewall-cmd--yumyum-yinstallcifs-mkdirmount-ousername=wang//smbserver/share/mnt/wangecho"Hellowang">/mnt/wang/wangfile.txtmkdir/mnt/magemount-ousername=mage//smbserver/sharetouchyumyuminstallmkdirwritelist=useradduseraddssbin/nologinsmbusersmbpasswd–suseradd–s/sbin/nolog