云计算安全课件网络共享服务

命令（控制）：客户端：随机port服务器：tcp21数据：客户端：随机port---服务器：tcp20命令（控制）：客户端：随机port服务器：tcp21数据：客户端：随机port---服务器：随机port227EnteringPassiveModevsftpd:VerySecureFTPDaemon，CentOS默认FTP服务器vsftpd:VerySecureFTPDaemon，CentOS默认FTP服务器ftp-Aftpserver-Aplftp–uusernameftpserverlftpusername@ftpserverlftpgetgftp:GUIxccnsswitch:networkserviceswitch名称解析框架pam:pluggableauthenticationmoduleman5vsftpd.conf匿名用户（映射为系统用户ftp）共享文件位置ftp_data_port=20（默认）ftp_data_port=20（默认）ftpd_banner=“welcometomageftp使用pam(PluggableAuthenticationModules)完成用户认证使用pam(PluggableAuthenticationModules)完成用户认证service{service{}=====+==ldd`whichvsftpd`ldd`whichvsftpd`cdmakeopensslx509-invsftpd.pem-nooutdb_loadTthashfvusers.txtvusers.db cddb_load-T-thash-fvusers.txtchmod600useradd-duseradd-d/var/ftproot-s/sbin/nologinchmod+rxchmod-wmkdirsetfacl-mu:vuser:rwxvimauthrequiredpam_userdb.sodb=/etc/vsftpd/vusersaccountvimauthrequiredpam_userdb.sodb=/etc/vsftpd/vusersaccountrequiredpam_userdb.sodb=/etc/vsftpd/vusersvim/etc/vsftpd/vsftpd.confsetsebool-Pftpd_full_accessmdkiretc/vsftpd/vusers.d/vim/etc/vsftpd/vsftpd.confcdetc/vsftpd/vusers.dmdkiretc/vsftpd/vusers.d/vim/etc/vsftpd/vsftpd.confcdetc/vsftpd/vusers.dvimvimCentos7：在数据库服务器上安装yum–yinstallmariadb-serversystemctlstartmariadb.servicesystemctlenablemariadbyum–yinstallmysql-server在FTP服务器上安装vsftpd和pam_mysql包yuminstallvsftpdpam_mysqlyumyyumygroupinstallDevelopmentTools"yumyinstallmariadb-develpam-develvsftpdtarxvfpam_mysql-0.7RC1.tar.gzcdpam_mysql-0.7RC1/./configure--with-pam-mods-dir=/lib64/security--with-mysql=/usrmakemysql>CREATEDATABASEvsftpd;mysql>SHOWDATABASES;mysql>CREATEDATABASEvsftpd;mysql>SHOWDATABASES;mysql>GRANTSELECTONvsftpd.*TOvsftpd@'172.16.%.%'IDENTIFIEDBY'magedu';mysql>GRANTSELECTONvsftpd.*TOvsftpd@localhostIDENTIFIEDBY'magedu';mysql>GRANTSELECTONvsftpd.*TOIDENTIFIEDBYmysql>FLUSHmysqlmysqlUSEvsftpd;Mysql>SHOWmysql>CREATETABLEusersidINTAUTO_INCREMENTNOTNULLPRIMARYKEY,nameCHAR(50)BINARYNOTNULL,passwordCHAR(48)BINARYNOTmysql>DESCusers;mysql-uvsftpd-h00-mysql>SHOWmysql>DESCmysql>INSERTINTOusers(name,password)mysql>INSERTINTOusers(name,password)mysql>SELECT*FROMvietc/pam.d/vsftpd.mysqlauthrequiredpam_mysql.souser=vsftpdpasswd=mageduhost=mysqlserverdb=vsftpdtable=usersusercolumn=namepasswdcolumn=passwordcrypt=2accountrequiredpam_mysql.souser=vsftpdpasswd=mageduhost=mysqlserverdb=vsftpdtable=usersusercolumn=namepasswdcolumn=passwordcrypt=2auth ••••a_auth ••••a_ ••••••••table=usersusercolumn=name当做用户名的字段flfluseradd-s/sbin/nologin-d/var/ftprootchmod555var/ftprootcentos7ftp根目录的写权限mkdir/var/ftproot/{upload,pub}setfaclmu:vuser:rwxvar/ftproot/uploadservicevsftpdstart;systemctlstartvsftpdchkconfigvsftpdon;systemctlenableservicevsftpdstart;systemctlstartvsftpdchkconfigvsftpdon;systemctlenablevsftpdnetstat-tnlp|grep-Rsetsebool-Pftpd_connect_dbsetsebool-Pftp_home_dirchcon-R-tpublic_content_rw_ttailvim/etc/vsftpd/vsftpd.confmkdir/etc/vsftpd/vusers_config/cdtouchwangNFS：NetworkFileSystem网络文件系统，基于内核的文件系统。Sun公司文件，基于RPC（RemoteProcedureCallProtocol远程过程调用）实现NFS：NetworkFileSystem网络文件系统，基于内核的文件系统。Sun公司文件，基于RPC（RemoteProcedureCallProtocol远程过程调用）实现NFSNFSNFSCentOS7默认很使用NFSv4NFSNFSNFSCentOS7默认很使用NFSv4文件传输尺寸限制在无有更好的I/O写性能ro,rw只读和读写asyncno_all_squash（默认）保留共享文件的UID和GIDall_squashro,rw只读和读写asyncno_all_squash（默认）保留共享文件的UID和GIDall_squashroot)都变成nfsnobody是4294967294(nfsnobody)•••••••••/myshare/myshare/myshare/myshare/myshareserver[0-/myshare/myshare/myshare/myshare/myshare*./myshare/(ro)server[0-/myshare••••••••••••rpcinfo-prpcinforpcinfo-prpcinfoshostnameRPC–a–aushowmount-emount.nfs（默认）前台挂载，bg（默认）持续请求，softintr（默认）前台挂载，bg（默认）持续请求，softintr_netdevmount-orw,nosuid,fg,hard,intr:/testdir00为所有导出到网络中的NFShost参看帮助：man5*systemctlstartnfs-systemctlenablenfs-mkdirsystemctlstartnfs-systemctlenablenfs-mkdirchownnfsnobody/nfsshareexporfsmountvim/etc/fstabmount-nfs0vi/exports/readnonebindvi/exports/readnonebind0/data2/write/exports/writenonebind0vi/exports/exports/read/exports/writemountvinfsserver://mnt/nfs4ro0SMB：ServerMessageSMB：ServerMessageBlock服务器消息块，IBM发布，最早是DOS网络文Cifs：commoninternetfilesystem，微软基于SMBSamba提供smb服务samba-commonsmbdSamba提供smb服务samba-commonsmbdsmb（cifs）nmbdNetBIOS帮助参看：man [homes]用户的家目录共享 [homes]用户的家目录共享 %I客户端主机的%Sworkgroup指定workgroup指定工作组名serverstring机注释信netbiosname指定NetBIOSinterfaces指定服务侦听接口和IPv4network/prefix:/24IPv4前缀IPv4network/netmask:/主机名:hostsallow=hostsallow=172.25.configmaxlogconfigmaxlogdomain:使用DC（DOMAINCONTROLLER)passdbbackendtdbsampdbedit-a-updbedit-a-usmbpasswd–x–x–updbedit–L–vreadonly=nowritable=yes等价，如与以上设置冲突，放在后面的设置生readonly=nowritable=yes等价，如与以上设置冲突，放在后面的设置生validpathpath=writeable=nobrowseable=UNCUniversalNamingConvention,通用命名规范UNCUniversalNamingConvention,通用命名规范smbclient-Lsmbclient-L-cdgetputsmbclient///shared-Umount-tmount-tcifs-ouser=wang,password=magedu//server/homes/mntcifscredentials=/etc/smb.txt0cat/etc/smb.txtchmod600yum-yinstallsambayum-yinstallsambagroupadd-radminsuseradd-s/sbin/nologin-Gadminswangsmbpasswd-awanguseradd-s/sbin/nologinsmbpasswd-amkdir/testdir/smbsharechgrpadminsmkdir/testdir/smbsharechgrpadminschmod2775semanagefcontext-a-tsamba_share_trestorecon-vvFRsecuritysecurity=passdbbackend=tdbsamwritelist=@adminssystemctlstartsmbsystemctlenablesmbfirewall-cmd--permanent--add-firewall-cmd--yumyum-yinstallcifs-mkdirmount-ousername=wang//smbserver/share/mnt/wangecho"Hellowang">/mnt/wang/wangfile.txtmkdir/mnt/magemount-ousername=mage//smbserver/sharetouchyumyuminstallmkdirwritelist=useradduseraddssbin/nologinsmbusersmbpasswd–suseradd–s/sbin/nolog