
馬哥教育N36第十三周作業

1、實作rsyslog将日志記錄到mysql并通過loganalyzer展示

準備 rsyslog 用的主機(192.168.30.108)
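# rsyslog is installed by default on CentOS 7 (8.24.0-34.el7 on this host).
rpm -q rsyslog
#   rsyslog-8.24.0-34.el7.x86_64

# Install the MySQL output module plus the schema script that ships with it.
yum -y install rsyslog-mysql
rpm -ql rsyslog-mysql
#   /usr/lib64/rsyslog/ommysql.so
#   /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql

# Copy the schema script to the MySQL host (192.168.30.106, prepared below).
scp /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql 192.168.30.106:/root

# Put the ommysql rule in a drop-in instead of /etc/rsyslog.conf: the rule
# line carries the DB password in clear text and rsyslog.conf is world-
# readable (0644). The stock rsyslog.conf has "$IncludeConfig
# /etc/rsyslog.d/*.conf" - check that line is still present.
# The original pointed at 192.168.30.17; the MySQL server in this lab is
# 192.168.30.106 (see the scp target above and the next section).
# Note: authpriv.none means login/sudo events are NOT shipped to the DB copy;
# add authpriv.* if you want them in loganalyzer.
cat > /etc/rsyslog.d/ommysql.conf <<'EOF'
# load the MySQL output module
$ModLoad ommysql
# facility.priority  :ommysql:DBHOST,DBNAME,DBUSER,PASSWORD
*.info;mail.none;authpriv.none;cron.none        :ommysql:192.168.30.106,Syslog,log,centos
EOF
chmod 600 /etc/rsyslog.d/ommysql.conf

# Validate the configuration before restarting.
rsyslogd -N1
systemctl restart rsyslog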
           

配置rsyslog将日志儲存到mysql中,需要設定rsyslog.conf

#### MODULES ####
$ModLoad ommysql
#### RULES ####
facility.priority :ommysql:DBHOST,DBNAME,DBUSER,PASSWORD        # 各欄位以逗號分隔,不要加空白;密碼以明文寫在設定檔中,該檔案應限制為 root 可讀(chmod 600)
           
準備 mysql 伺服器(192.168.30.106)
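yum install -y mariadb-server
systemctl enable mariadb
systemctl start mariadb

# A fresh MariaDB install has anonymous accounts and password-less root
# logins (visible in the mysql.user listing below). Remove them before the
# server is reachable from the rest of the LAN.
mysql_secure_installation

# Create the Syslog database and its tables from the script shipped with
# rsyslog-mysql (copied here in the previous step).
mysql -u root -p < /root/mysql-createDB.sql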
# 建立日志儲存用的資料庫帳号
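-- Account used by rsyslog (writer) and loganalyzer (reader).
-- rsyslog only INSERTs into SystemEvents/SystemEventsProperties and
-- loganalyzer only SELECTs, so ALL is more than either needs. If the
-- loganalyzer installer is later told to create its own user-management
-- tables in this database, grant that CREATE to a separate account rather
-- than widening this one.
-- 'centos' is a lab-only password; it also appears in clear text in the
-- rsyslog drop-in on 192.168.30.108.
GRANT INSERT, SELECT ON Syslog.* TO 'log'@'192.168.30.%' IDENTIFIED BY 'centos';

-- Review the account table: note the empty-password root rows and the
-- anonymous ('') users that mysql_secure_installation is meant to remove.
SELECT user, host, password FROM mysql.user;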
+------+----------------+-------------------------------------------+
| user | host           | password                                  |
+------+----------------+-------------------------------------------+
| root | localhost      |                                           |
| root | mysql          |                                           |
| root | 127.0.0.1      |                                           |
| root | ::1            |                                           |
|      | localhost      |                                           |
|      | mysql          |                                           |
| log  | 192.168.30.%   | *128977E278358FF80A246B5046F51043A2B1FCED |
+------+----------------+-------------------------------------------+
           
準備 loganalyzer 主機(192.168.30.117)
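yum -y install httpd php php-mysql php-gd

# Fetch the loganalyzer release. The download is plain HTTP: compare the
# archive with the checksum/signature published on the download page before
# unpacking it into the web root.
wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.7.tar.gz
tar xf loganalyzer-4.1.7.tar.gz
cp -a loganalyzer-4.1.7/src/* /var/www/html/

# src/* was copied straight into the document root (that is why the installer
# is reached as /install.php below), so config.php lives there too. The
# original did "cd /var/www/html/loganalyzer", a directory that does not
# exist after the cp above.
cd /var/www/html

# install.php has to write config.php during setup. Give the web server
# write access to this one file instead of making it world-writable (666).
touch config.php
chown apache:apache config.php
chmod 640 config.php

# The mod_php package brings its own httpd configuration, so nothing else is
# needed here. With php-fpm the PHP handler would have to be configured by
# hand.
systemctl enable httpd
systemctl start httpd

# Run the web installer: http://192.168.30.117/install.php
# When it has finished, lock the configuration down and remove the installer;
# otherwise anyone who can reach the site can re-run it and repoint the
# application at another database.
chown root:apache config.php
chmod 640 config.php
rm -f install.php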
           

2、實作基于mysql驗證的vsftpd虛拟使用者,使用者為user1、user2

安裝對應的軟體包
  • FTP 伺服器
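# The package is named vsftpd (the original had "vsftp", which yum rejects).
yum -y install vsftpd

# CentOS 7 has no pam_mysql package, so it is built from source.
yum -y install mariadb-devel pam-devel
# Verify the tarball against the checksum/signature from the project page
# before building: this code ends up inside the PAM stack that vsftpd
# authenticates against. (The original notes that a proxy may be needed for
# the download.)
tar xvf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1/
./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
make
make install

# The module is installed next to the other PAM modules:
ll /lib64/security/pam_mysql.*
#   -rwxr-xr-x 1 root root    882 May 15 15:48 /lib64/security/pam_mysql.la
#   -rwxr-xr-x 1 root root 141752 May 15 15:48 /lib64/security/pam_mysql.so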
           
  • MySQL伺服器
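yum -y install mariadb-server
# Enable at boot as well, so the FTP service does not silently lose its
# authentication backend after a reboot.
systemctl enable mariadb
systemctl start mariadb
# Fresh installs ship anonymous accounts and a password-less root; clear them
# before the server is opened to the FTP host.
mysql_secure_installation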
           
在資料庫上建立虛拟使用者帳号
  • 建立資料庫和使用者
CREATE DATABASE vsftpd;
-- pam_mysql only ever reads the user table, so SELECT is all this account
-- needs; access is limited to the lab subnet. 'centos' is a lab-only
-- password and is repeated in clear text in /etc/pam.d/vsftpd.mysql.
GRANT SELECT ON vsftpd.* TO vsftp@'192.168.30.%' IDENTIFIED BY 'centos';

           
  • 準備資料表
USE vsftpd;
-- Virtual FTP accounts. BINARY makes name/password comparisons
-- case-sensitive; CHAR(50) leaves room for the 41-character PASSWORD()
-- hash ('*' + 40 hex digits) that the INSERTs below store.
CREATE TABLE user (
    id       INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    name     CHAR(50) BINARY NOT NULL,
    password CHAR(50) BINARY NOT NULL
);
DESC user;
+----------+------------------+------+-----+---------+----------------+
| Field    | Type             | Null | Key | Default | Extra          |
+----------+------------------+------+-----+---------+----------------+
| id       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| name     | char(50)         | NO   |     | NULL    |                |
| password | char(50)         | NO   |     | NULL    |                |
+----------+------------------+------+-----+---------+----------------+
           
  • 添加虛拟使用者
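-- Add the virtual users ("Iinsert" in the original was a typo; the
-- assignment text asks for user1/user2, the names here are arbitrary).
-- PASSWORD() - what crypt=2 in the PAM file expects - is an unsalted
-- SHA-1 construction: both rows below get the identical hash because they
-- share a password, and one precomputed table covers every account. For
-- anything beyond a lab, store crypt(3) SHA-512 hashes ($6$...) instead and
-- switch the PAM file to crypt=1.
INSERT INTO user(name,password) VALUES ('mike',PASSWORD('test'));
INSERT INTO user(name,password) VALUES ('bean',PASSWORD('test'));
SELECT * FROM user;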
+----+------+-------------------------------------------+
| id | name | password                                  |
+----+------+-------------------------------------------+
|  1 | mike | *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29 |
|  2 | bean | *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29 |
+----+------+-------------------------------------------+
           
配置vsftpd服務
  • 建立pam認證檔案
# First draft of the PAM service file for vsftpd. "passwd=test" and
# "host=mysqlserver" are placeholders; the real values (centos /
# 192.168.30.106) are filled in further down. crypt=2 = MySQL PASSWORD()
# hashes, matching how the rows were inserted.
vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftp passwd=test host=mysqlserver db=vsftpd table=user usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftp passwd=test host=mysqlserver db=vsftpd table=user usercolumn=name passwdcolumn=password crypt=2
           
  • 建立映射FTP帳号的系統帳号,并修改vsftpd的配置檔案
# System account that every virtual FTP login is mapped onto (guest_username).
useradd -r -s /sbin/nologin -d /data/ftproot vuser
cd /data/
mkdir -pv ftproot/{pub,upload}
# The FTP root itself stays unwritable for the mapped user (vsftpd refuses to
# chroot a user into a writable directory); only upload/ is opened up, via an
# ACL on that one subdirectory.
chmod 555 ftproot/
setfacl -m u:vuser:rwx ftproot/upload/

# 修改配置檔案
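# Final PAM service for vsftpd: look the user up in vsftpd.user on
# 192.168.30.106 with the read-only 'vsftp' account. crypt=2 means the
# password column holds MySQL PASSWORD() hashes (matches the INSERTs above).
vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftp passwd=centos host=192.168.30.106 db=vsftpd table=user usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftp passwd=centos host=192.168.30.106 db=vsftpd table=user usercolumn=name passwdcolumn=password crypt=2

# The file carries the database password in clear text, and files under
# /etc/pam.d are 0644 by default. The PAM exchange is done by vsftpd's
# privileged (root) parent process, so root-only access is sufficient.
chmod 600 /etc/pam.d/vsftpd.mysql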

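vim /etc/vsftpd/vsftpd.conf
# authenticate through /etc/pam.d/vsftpd.mysql (pam_mysql)
pam_service_name=vsftpd.mysql
# treat every non-anonymous login as a virtual user mapped onto vuser
guest_enable=YES
guest_username=vuser
# Confine virtual users to vuser's home (/data/ftproot). Without this a
# virtual user can change directory out of the tree and read anything that
# vuser can read on the system.
chroot_local_user=YES
# The stock config leaves anonymous FTP on; this setup only wants the
# database-backed accounts.
anonymous_enable=NO
# Virtual users get anonymous-style (read-only) privileges by default. If
# uploads into upload/ are wanted, additionally set
#   virtual_use_local_privs=YES  together with  write_enable=YES
# (anon_upload_enable=YES is the alternative).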
 
           
啟動服務,并測試
  • 啟動服務
# Start the FTP daemon (it re-reads vsftpd.conf and the PAM service on start).
systemctl start vsftpd.service
           
  • 測試(注意:這裡走的是明文 FTP,下面輸入的帳號與密碼在網路上未加密傳輸;正式環境應在 vsftpd 開啟 ssl_enable=YES,或改用 SFTP)
Microsoft Windows [版本 6.1.7601]
版權所有 (c) 2009 Microsoft Corporation。保留所有權利。

C:\Users\jlee>ftp 192.168.30.117
連接配接到 192.168.30.117。
220 (vsFTPd 3.0.2)
使用者(192.168.30.117:(none)): bean
331 Please specify the password.
密碼:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
pub
upload
226 Directory send OK.
ftp: 收到 13 位元組,用時 0.00秒 13000.00千位元組/秒。
ftp>
           

3、實作網絡防火牆

  • 放行telnet, ftp, web服務
  • 放行samba服務
  • 放行dns服務(查詢和區域傳送)
建構測試環境

三台主機全部使用僅主機模式,并關閉對應的dhcp設定

  • 客戶機(192.168.30.100)
# 臨時的配置
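# Temporary addressing for the client (lost at reboot); the default gateway
# is the firewall's inner interface. ("ip rounte" in the original was a typo.)
ip a a 192.168.30.100/24 dev ens33
ip route add default via 192.168.30.1 dev ens33
# Persist the same settings through NetworkManager.
nmcli conn add con-name default type ethernet autoconnect yes ip4 192.168.30.100/24 gw4 192.168.30.1 ifname ens33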
           
  • 網絡防火牆(192.168.30.1和10.0.0.1)
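# Firewall host: ens33 faces the client network, ens37 faces the server network.
ip a a 192.168.30.1/24 dev ens33
ip a a 10.0.0.1/8 dev ens37
# Persist through NetworkManager.
nmcli conn add con-name eth0 type ethernet autoconnect yes ip4 192.168.30.1/24 ifname ens33
nmcli conn add con-name eth1 type ethernet autoconnect yes ip4 10.0.0.1/8 ifname ens37

# Enable IPv4 forwarding. The runtime switch is under /proc, not /etc
# (the original wrote to /etc/sys/net/ipv4/ip_forward, which does not exist).
# From this point the FORWARD chain below is the only thing standing between
# the two networks.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Equivalent, and the form that survives a reboot:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

sysctl -p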

           
  • 伺服器(10.0.0.100)
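# Server behind the firewall; its default gateway is the firewall's ens37
# address. ("ip rounte" in the original was a typo.)
ip a a 10.0.0.100/8 dev ens33
ip route add default via 10.0.0.1 dev ens33
# Persist through NetworkManager.
nmcli conn add con-name default type ethernet autoconnect yes ip4 10.0.0.100/8 gw4 10.0.0.1 ifname ens33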
           
在防火牆配置

- 首先確認系統預設的防火牆服務(firewalld)已關閉,且 iptables 各鏈目前為空、策略為 ACCEPT:

iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 209 packets, 18373 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 26 packets, 2184 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 49 packets, 8409 bytes)
 pkts bytes target     prot opt in     out     source               destination         
           
  • 先在 FORWARD 鏈末尾拒絕所有轉發(預設拒絕),再逐項放行,方便測試
# Catch-all at the end of FORWARD: everything not explicitly allowed above it
# is rejected (icmp-port-unreachable is the default reject type for IPv4).
iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable
           
  • 開通dns端口
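# DNS: UDP for ordinary queries, TCP for zone transfers (AXFR) and large
# answers. The holes are restricted to client-side -> server-side traffic and
# to the DNS host (10.0.0.100, the only server in this lab); the original
# rules matched in both directions and for any destination, so the server
# network could open connections back towards the clients.
iptables -I FORWARD -i ens33 -o ens37 -d 10.0.0.100 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i ens33 -o ens37 -d 10.0.0.100 -p udp --dport 53 -j ACCEPT
# Replies and helper-related connections (FTP data channels) for flows that
# were already accepted. Inserted last so it lands at position 1, which is
# what the later "-I FORWARD 2" inserts rely on.
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT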
           
  • 開通samba端口
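# SMB: TCP 139 (NetBIOS session) and 445 (direct SMB). Both are TCP-only;
# the NetBIOS UDP services are 137 (name) and 138 (datagram) and are only
# needed for browsing/name resolution. The original opened UDP 139,445,
# which carry nothing.
iptables -I FORWARD 2 -i ens33 -o ens37 -d 10.0.0.100 -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -I FORWARD 2 -i ens33 -o ens37 -d 10.0.0.100 -p udp -m multiport --dports 137,138 -j ACCEPT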

           
  • 開通被動模式的FTP端口
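# FTP control channel. Data connections (active or passive) use dynamic
# ports; the nf_conntrack_ftp helper watches the control channel and marks
# them RELATED, so the ESTABLISHED,RELATED rule at position 1 admits them in
# either direction without opening a port range.
iptables -I FORWARD 2 -i ens33 -o ens37 -d 10.0.0.100 -p tcp --dport 21 -j ACCEPT

# Load the FTP conntrack helper now...
modprobe nf_conntrack_ftp
# ...and at boot, otherwise passive FTP stops working after a reboot.
echo nf_conntrack_ftp > /etc/modules-load.d/nf_conntrack_ftp.conf

# The module is shipped by the kernel package (see the path under
# /usr/lib/modules/<kernel>/), not by vsftpd; nothing needs to be copied from
# the FTP server.
locate nf_conntrack_ftp
#   /usr/include/linux/netfilter/nf_conntrack_ftp.h
#   /usr/lib/modules/3.10.0-957.el7.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko.xz
#   /usr/src/kernels/3.10.0-957.el7.x86_64/include/linux/netfilter/nf_conntrack_ftp.h
#   /usr/src/kernels/3.10.0-957.el7.x86_64/include/uapi/linux/netfilter/nf_conntrack_ftp.h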
           
  • 開通 httpd、ssh、telnet 端口
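# ssh (22), telnet (23) and http (80) towards the server only. telnet sends
# credentials in clear text; it is allowed here because the assignment asks
# for it.
iptables -I FORWARD 2 -i ens33 -o ens37 -d 10.0.0.100 -p tcp -m multiport --dports 22,23,80 -j ACCEPT

# The rule set lives only in memory. Once it is final, persist it with
# "iptables-save > /etc/sysconfig/iptables" (needs the iptables-services
# package) or it is gone after the next reboot.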
           
最終防火牆規則(注意:下面的列表與上面的命令並不一致——沒有 tcp/53 的規則,區域傳送(AXFR,走 TCP 53)會被第 4 條 REJECT 擋掉;udp 139,445 也不在列表中。請依上面的命令重新核對後再保存)
iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 17 packets, 1544 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       55  4198 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 21:23,80,139,445
3        2   116 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
4        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 11 packets, 2920 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
           

4、在Linux上搭建SMB服務,實作windows通路該服務

伺服器上安裝samba軟體包
# Server package; pulls in samba-common-tools (smbpasswd, testparm) and the
# libraries listed below.
yum install -y samba
=======================================================================================
 Package                    Arch           Version                  Repository    Size
=======================================================================================
Installing:
 samba                      x86_64         4.8.3-4.el7              base         680 k
Installing for dependencies:
 cups-libs                  x86_64         1:1.6.3-35.el7           base         357 k
 libldb                     x86_64         1.3.4-1.el7              base         137 k
 libtalloc                  x86_64         2.1.13-1.el7             base          32 k
 libtdb                     x86_64         1.3.15-1.el7             base          48 k
 libtevent                  x86_64         0.9.36-1.el7             base          36 k
 libwbclient                x86_64         4.8.3-4.el7              base         109 k
 pytalloc                   x86_64         2.1.13-1.el7             base          17 k
 samba-client-libs          x86_64         4.8.3-4.el7              base         4.8 M
 samba-common               noarch         4.8.3-4.el7              base         206 k
 samba-common-libs          x86_64         4.8.3-4.el7              base         164 k
 samba-common-tools         x86_64         4.8.3-4.el7              base         448 k
 samba-libs                 x86_64         4.8.3-4.el7              base         276 k

Transaction Summary
=======================================================================================
Install  1 Package (+12 Dependent packages)
           
建立samba使用者群組
# Group whose members are allowed to write to the share ("write list" below).
groupadd -r admins
# Samba-only accounts: no shell, so they cannot log in locally. Their Samba
# passwords are set separately with smbpasswd.
useradd -G admins -s /sbin/nologin lee
useradd -s /sbin/nologin share

           
建立samba的共享目錄
# Shared directory owned by the admins group; the setgid bit (2775) makes
# files created inside inherit the group, so other admins can manage them.
mkdir /data/smbshare && chgrp admins /data/smbshare && chmod 2775 /data/smbshare
           
配置samba伺服器
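vim /etc/samba/smb.conf
[share]
    path = /data/smbshare
    # Shares are read-only by default; only members of admins (lee) may
    # write, 'share' can only read.
    read only = yes
    write list = @admins
    # Restrict the share to the two Samba accounts created below instead of
    # whoever the global security settings happen to let in.
    valid users = share @admins

# Check the configuration for syntax errors before (re)starting smb.
testparm -s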
           
啟動服務和添加使用者密碼,最後測試
  • 開啟服務
# Enable at boot and start now. smb alone serves the share; nmb is only
# needed if Windows clients should find the host through NetBIOS browsing.
systemctl enable smb
systemctl start smb

# Samba keeps its own password database. smbpasswd adds, changes and removes
# Samba accounts (the Unix user must already exist).
smbpasswd -a lee
smbpasswd -a share
           
  • 連接 samba 伺服器非常慢
# 檢查 /etc/hosts(原文誤寫為 /etc/host)中本機主機名是否對應到本機的 ip
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 centos7.auto.com
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
           

5、在server01上搭建NFS服務,在client01上挂載并實作寫入的資料共享

安裝nfs軟體包并啟動服務
# Server side: install the NFS server, start it now and at boot.
yum -y install nfs-utils
systemctl enable nfs-server
systemctl start nfs-server
           
建立漫遊的帳号和家目錄
# Roaming accounts with fixed UIDs (2000/2001) and home directories under
# /data; the same UIDs are created on the client so ownership matches across
# the NFS mount.
useradd -m -u 2000 -d /data/david david
useradd -m -u 2001 -d /data/jimy jimy
           
編輯nfs伺服器的exports檔案
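vim /etc/exports
# sync and root_squash are the defaults (see exportfs -v below) but are
# spelled out so a later edit cannot drop them silently.
# sec=sys (also the default) trusts whatever UID/GID the client presents:
# any host in 192.168.30.0/24 whose root can "su" to uid 2000/2001 can read
# and write these directories. Narrow the client list to the hosts that need
# the export (e.g. client01's address) and use sec=krb5p where the data
# matters.
/data/david     192.168.30.0/24(rw,sync,root_squash)
/data/jimy      192.168.30.0/24(rw,sync,root_squash)

# Re-export everything in /etc/exports.
exportfs -r
# Show the effective options.
exportfs -v
#   /data/david     192.168.30.0/24(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
#   /data/jimy      192.168.30.0/24(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)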
           
客戶端安裝nfs包
yum -y install nfs-utils autofs
# Create the same UIDs as on the server. With sec=sys ownership is matched
# by numeric UID, so without these accounts listings show raw numbers and
# permission checks fail.
useradd -M -u 2000 david
useradd -M -u 2001 jimy

# List what the server exports.
showmount -e 192.168.30.117
           
使用autofs自動挂載
  • 絕對路徑法,不會影響本地目錄結構
# Direct map ("/-"): the keys in /etc/auto.nfs are absolute mount points, so
# the rest of the local directory tree is left alone.
vim /etc/auto.master
/-      /etc/auto.nfs

# Each home directory is mounted from the NFS server on first access.
vim /etc/auto.nfs
/home/jimy      192.168.30.117:/data/jimy
/home/david     192.168.30.117:/data/david

systemctl start autofs
           
  • 相對路徑法,本地其他使用者的家目錄将被隐藏
# Indirect map on /home: autofs takes over the whole /home directory, so the
# home directories of local users that are not in the map become invisible
# while autofs is running.
vim /etc/auto.master
/home      /etc/auto.nfs

# Keys are relative to /home.
vim /etc/auto.nfs
jimy      192.168.30.117:/data/jimy
david     192.168.30.117:/data/david

systemctl start autofs