linux視頻-教程專用文件共享服務(wù)

網(wǎng)絡(luò)文件共享主講：馬永亮(馬哥)

客服,1661815153

fcgiDNSwww IN A www IN A NFS,SAMBAnfs,cifs（smb)應(yīng)用層協(xié)議C/S:ftprsync+inotify:sersynccrontabVSFTPD主講：馬永亮(馬哥)

客服,1661815153

connectiontracklftp>get2120CIP,Cport,SIP,SportCIP,12321,SIP,21(123,31)文件流XML流式化文本二進(jìn)制/etc/nsswitch.conflogin:解析庫(kù)get,mget,put,mput,cd,ls2020012002FSAPIPOSIXFSAPICIFS/SMBCommonInternetFileSystemServiceMessageBlockWindowsNFSNetworkFileSystemUnix,LinuxLinuxWindowsSamba:CIFS/SMBNFSFTPSamba+LDAP=DC命令連接，124,12FTPFileTransferProtocol21/tcp，20/tcpClientServer被動(dòng)模式主動(dòng)模式2010021隨機(jī)ftp連接命令連接一直連接數(shù)據(jù)連接按需建立ftp的工作模式主動(dòng)模式port被動(dòng)模式pasvsftp(ssh)ftps(ssl)C/SClient:ftplftpWindows:FlashFXP,CuteFTP,FilezillaLinux:gftpServer:FilezillaServervsftpd,proftpd,pureftp,wuftpdWindows:ServUvsftpd安全性檢查規(guī)則非常嚴(yán)格輕量級(jí)、高性能支持虛擬用戶ftp用戶類型：匿名用戶(ftp,/var/ftp)系統(tǒng)用戶(各自家目錄)虛擬用戶(映射為一個(gè)系統(tǒng)用戶)共享文件系統(tǒng)，權(quán)限文件系統(tǒng)權(quán)限共享權(quán)限交集ftp的數(shù)據(jù)傳輸模式二進(jìn)制模式文本模式文件服務(wù)器：NFSUnix-likeFTP應(yīng)用層SAMBAftpFileTransmissionProtocol命令連接21/tcp數(shù)據(jù)連接數(shù)據(jù)連接主動(dòng)模式C/S333321S:203333+1被動(dòng)模式C:4444S:21S:告知客戶端自己打開了某端口(>1023隨機(jī)端口，33，21)C：4445S:（33*256+21)CSget服務(wù)器端為什么要工作在被動(dòng)模式下？>1023，關(guān)閉的<1023S3334>1023RELATED:關(guān)聯(lián)的數(shù)據(jù)傳輸格式httpsmtpMIMEASCII:文本格式ftpbinaryasciiNFSc1:jerryS:userjerry:502502:tomUIDFTPanonymousftp用戶帳號(hào)類別：匿名用戶(ftp)HOMEDIR系統(tǒng)用戶HOMEDIR虛擬用戶有帳號(hào)和密碼，但帳號(hào)不能用于登錄系統(tǒng)file,Kerberos,LDAP,mysql,NIS3Aauthentication認(rèn)證：合法用戶（用戶名/密碼），生物識(shí)別authorization授權(quán)auditionftp帳號(hào)/密碼/etc/passwd/etc/ftp/.passwdldap://KerberosPAM配置文件ftp:ftpHOMEDIRFTP:WU-ftpdproftpdpureftpvsftpd:verysecureC/SWindowsServ-UIISFilezillaLinuxFilezillaVsftpd(verysecure)wu-ftpdproftpdpureftpfilezillaflashfxpcuteftpgftpftplftpftpLftpGUIflashfxpcuteftpgftpTheFTPProtocolTwochannels,commandanddataMakingtheservicehardtoprotectwithfirewallsorencryptedtunnelsClientcontatcsserveronport21toopencommandchannelThesearecleartextcommands.Afterauthentication,eitherthePORTorPASVcommandissentbytheclienteachtimeitneedstoopenthedatachannelPORT:ServeropensdatachanneltoclientServerconnectsfromport20toclient’sportPASV:ClientopensdatachanneltoserverServerspecifieswhichportWorksbetterthroughsomefirewallsFTPserversvsftpd“VerySecure”andfastFTPserverSomealternativesarealsoavailableinthedistributiongssftp(inkrb5-workstation)tuxProftpd,wu-ftpd,pureftpServiceProfile:vsftpdPackages:vsftpdDaemon:vsftpd(/usr/sbin/vsftpd)Script:/etc/rc.d/init.d/vsftpdPorts:21/tcp(ftp),20/tcp(ftp-data)Configuration:/etc/vsftpd/vsftpd.conf 600,root,root/etc/vsftpd/ftpusers 600,root,root/etc/pam.d/vstpd 644,root,rootRelated:tcp_wrappers,ip_conntrack_ftp,ip_nat_ftpLoginBannersBannerprovidesinformationbeforeloginSetsecuritywarningbannersbanner_file=filenameSuppressserverandversioninformationftp_banner=FTPserverreadybanner_fileoverridestheftp_banneroptionInformationCapabilitiesDisplayfilewhencliententersdirectorymessage_file=.messagedirmessage_enable=YESSometimes,itisnicetoautomaticallydisplayamessagetoaFTPclientwhenitchangestoaparticulardirectoryontheserverLoggingCapabilitiesTologalluploadsanddownloadsxferlog_enable=YESxferlog_std_format=YESoptional;usewu-ftpd’slogformatTologallFTPcommandslog_ftp_protocol=YESxferlog_std_format=NOLocalUsersUserswithlocalaccountsmayloginusingtheirusernameandpasswordLocalusersstartintheirhomedirectoryBydefault,dosenotchrootuserschroot_local_user=YESHaveread-writeaccessbydefaultToturnoffwirteaccess:write_enable=NOToturnlocalusersentirely:local_enable=NOAnonymousFTPAnonymoususecanloginbydefaultvsftpdsetsupthe/var/ftpdirectoryCanloginasuseranonymousorasftpChrootto/var/ftpHasread-onlyaccessbydefaultAnonymousaccesstotheFTPservercanbeexplicitlyprohitited:anonyous_enable=NOAnonymousFTPUploadingUploadingoffilesbyanonymoususershouldbecarefullycontrolledSetpermissionsandumasktoonlyallowuploadstotheuploaddirectorying 770,root,ftpanon_upload_enable=YESanon_umask=077chown_uploads=YESchown_username=rootExaminefilesbeforeallowingotherstodownloadConnectionRestrictionsTolimitthenumberofclientsthatmaybeconnectedmax_clientsTolimitthenumberofclientsthatmaybeconnectedfromoneIPaddressmax_per_ipssl_enable=YESssl_tlsv1=YESssl_sslv2=YESssl_sslv3=YESallow_anon_ssl=NOforce_local_data_ssl=YESforce_local_logins_ssl=YESrsa_cert_file=/etc/vsftpd/ssl/vsftpd_cert.pemrsa_private_key_file=/etc/vsftpd/ssl/vsftpd_key.pem構(gòu)建基于虛擬用戶的vsftpd服務(wù)器1.建立虛擬FTP用戶的帳號(hào)數(shù)據(jù)庫(kù)文件2.創(chuàng)建FTP根目錄及虛擬用戶映射的系統(tǒng)用戶3.建立支持虛擬用戶的PAM認(rèn)證文件4.在vsftpd.conf文件中添加支持配置5.為個(gè)別虛擬用戶建立獨(dú)立的配置文件6.重新加載vsftpd配置7.使用虛擬FTP賬戶訪問測(cè)試構(gòu)建基于虛擬用戶的vsftpd服務(wù)器1.建立虛擬FTP用戶的帳號(hào)數(shù)據(jù)庫(kù)文件建立虛擬用戶的賬戶名、密碼列表奇數(shù)行為帳號(hào)名偶數(shù)行為上一行中帳號(hào)的密碼轉(zhuǎn)化為BerkeleyDB格式的數(shù)據(jù)文件

db_load轉(zhuǎn)換工具需安裝db4-utils-4.3.29-9.fc6.i386.rpm軟件包[root@filesvr~]#vi/etc/vsftpd/vusers.listfedora123gentoo456[root@filesvr~]#cd/etc/vsftpd/[root@filesvrvsftpd]#db_load-T-thash-fvusers.listvusers.db[root@filesvrvsftpd]#filevusers.dbvusers.db:BerkeleyDB(Hash,version8,nativebyte-order)[root@filesvrvsftpd]#chown600/etc/vsftpd/vusers.*構(gòu)建基于虛擬用戶的vsftpd服務(wù)器2.創(chuàng)建FTP根目錄及虛擬用戶映射的系統(tǒng)用戶[root@filesvr~]#mkdir/var/ftproot[root@filesvr~]#useradd-d/var/ftproot-s/sbin/nologinvirtual[root@filesvr~]#chmod755/var/ftproot/3.建立支持虛擬用戶的PAM認(rèn)證文件[root@filesvr~]#vi/etc/pam.d/vsftpd.vu#%PAM-1.0authrequiredpam_userdb.sodb=/etc/vsftpd/vusersaccountrequiredpam_userdb.sodb=/etc/vsftpd/vusers對(duì)應(yīng)于第1步中建立的vusers.db文件構(gòu)建基于虛擬用戶的vsftpd服務(wù)器4.在vsftpd.conf文件中添加支持配置[root@filesvr~]#vi/etc/vsftpd/vsftpd.confanonymous_enable=NOlocal_enable=YESwrite_enable=YESanon_umask=022guest_enable=YESguest_username=virtualpam_service_name=vsftpd.vu……構(gòu)建基于虛擬用戶的vsftpd服務(wù)器5.為個(gè)別虛擬用戶建立獨(dú)立的配置文件在vsftpd.conf文件中添加用戶配置目錄支持

user_config_dir=/etc/vsftpd/vusers_dir為用戶fedora、gentoo建立獨(dú)立的配置目錄及文件配置文件名與用戶名同名[root@filesvr~]#mkdir/etc/vsftpd/vusers_dir/[root@filesvr~]#cd/etc/vsftpd/vusers_dir/[root@filesvrvusers_dir]#touchfedora[root@filesvrvusers_dir]#vigentooanon_upload_enable=YESanon_mkdir_write_enable=YES構(gòu)建基于虛擬用戶的vsftpd服務(wù)器6.重新加載vsftpd配置servicevsftpdreload7.使用虛擬FTP賬戶訪問測(cè)試分別用fedora、gentoo用戶登錄FTP服務(wù)器進(jìn)行下載、上傳測(cè)試

fedora用戶可以登錄，并可以瀏覽、下載文件，但無(wú)法上傳

gentoo用戶可以登錄，并可以瀏覽、下載文件，也可以上傳匿名用戶或其他系統(tǒng)用戶將不能登錄NFS主講：馬永亮(馬哥)

客服,1661815153

rpc調(diào)用：read(),open(),write(),close()read():函數(shù)write():函數(shù)調(diào)用，過程調(diào)用localprocedurecall/shared/nfs/NFSimapd模擬項(xiàng)目C/S,B/Sbrowser:mkdir:/a/b/c.txttouch存根RPC:stubrpcServerNISLDAP(SSL)vfsrpcread()write()/shared/nfshadoop:605gentoo:605/nfsshared/ahellodataLAMP:discuzdiscuzuser@172.16.%.%mypassfcginfsstubappFS808web:httpd,nginx,lighttpdftp,http,rpc(協(xié)議)，Portmap(實(shí)現(xiàn)),httpXML/client/nfs,/var/sharedmount2049jerry:1000UIDtouch阻塞:block提供用戶身份認(rèn)證用戶映射：uid/nfs/fs1/Jerry:601Tom:601kerberosNFSRPC：RemoteProcedureCall遠(yuǎn)程過程調(diào)用二進(jìn)制格式，數(shù)據(jù)塊SunNFSv1NFSv2UDPNFSv3async,TCP,64bitfilesizes,largerreadandwirte,KerberosNFSv4integratedauxiliaryprotocols,UTF-8filenames,improvedusermappingsupport,improvedlocking,improvedclientcaching身份驗(yàn)正NFSv3內(nèi)核中實(shí)現(xiàn)Serverrpc：111/tcp,111/udprpc.mounted:半隨機(jī)locked,NLM:nfslockNSM:rpc.statdhive:503,503root:0,0hadoop,hadoop503,503root_squash:nfsnobodyClientRPC(portmap,111/tcp,111/udp)Server(rpc.mounted)clientClientrpc.mounted(token)Client(token)NFSserver(2049/tcp,2049/udp)locked()rpc.statdClientNFSServernfs:內(nèi)核nfs-utilsrpm包:/etc/rc.d/init.dnfsnfslock/etc/exports:nfs文件系統(tǒng)共享定義配置文件NISDomainNIS,ypserv,ypbind,LDAPNetworkInformationSystemSUNhbase/etc/passwd/etc/shadownServiceProfile:NFSPackage:nfs-utilsDaemons:nfsd,rpc.mountd,rpc.statd,lockd,rpc.quotadScripts:nfs(nfsd,rpc.mountd,rpc.quotad),nfslock(rpc.statd,lockd)Ports:2049/tcpand2049/udp(nfsd),otherssemi-random(foundthroughportmap(111/tcpand111/udp)Configuration:/etc/exports,/etc/sysconfig/nfsrpc.mountd8011,7986RPC,3306/tcprpc,mysqldHistoryofNFSOneoftheoriginalRPCservices,NFSallowsaclientcomputertomountanetwork-attachedfilesystemfromaserverandusethefilesystemonthatserverasifwereonalocaldisk.NFSversion1wasneverreleasedoutsideSunMicrosystemsNFSv2:originalUDP-basedpublicreleaseNFSv3:addedsafeasyncexports,TCPsupport,64-bitfilesizes,largerreadandwritesizes,someimplementationssupportKerberosfeaturesNFSv4:interatedauxiliaryprotocols,UTF-8filenames,improvedusermappingsupport,improvedlocking,improvedclientclientcaching,allimplementationssupportKerberosfeatures/etc/exportsThefile/etc/exportsservesastheaccesscontrollistforfilesystemswhichmaybeexportedtoNFSclients.Eachlinecontainsanexportpointandawhitespace-separatedlistofclientsallowedtomountthefilesystematthatpoint.Eachlistedclientmaybeimmediatelyfollowedbyaparenthesized,comma-separatedlistofexportoptionsforthatclient.Nowhitespaceispermittedbetweenaclientanditsoptionlist.Blanklinesareignored.Apoundsign("#")introducesacommenttotheendoftheline.Ifanexportnamecontainsspacesitshouldbequotedusingdoublequotes.MachineNameFormatssinglehosttheFQDN,oranIPaddressnetgroupsNISnetgroupsmaybegivenas@group.wildcardsMachinenamesmaycontainthewildcardcharacters*and?Forexample:*IPnetworksAnIPaddressandnetmaskpairasaddress/netmaskthenetmaskcanbespecifiedindotted-decimalformat,orasacontiguousmasklengthroot_squashnfsnobodyGeneralOptionsrorwasyncsyncroot_squashno_root_squashall_squashexportfsMaintainlistofNFSexportedfilesystems-aExportorunexportalldirectories-rReexportalldirectories-uUnexportoneormoredirectories-vBeverboseexportfs-rvexportfs-avrshowmountshowmountinformationforanNFSserver-aor--allListboththeclienthostnameorIPaddressandmounteddirectoryinhost:dirformat-dor--directoriesListonlythedirectoriesmountedbysomeclient-eor--exportsShowtheNFSserver'sexportlistNFSv3NFSv3service,implementedbythenfsdkernelthread,isalsosupportedbyseveralauxilaryRPCprotocolsMOUNT,implementedbyrpc.mounted,handlesinitialmountrequestsfromclientsNLM,implementedbythelockdkernelthread,handlesfilelockingrequestsfromclientsNSM,implementedbyrpc.statdisusedtonotifyclientsholdingfilelocksthattheyneedtore-lockfiletorecoverfromaserverorclientcrashLAMP

/web/discuz

/web/discuzMySQLmysql–u–h-pMySQLdiscuzapache+phpbbsuser@172.16.%.%小項(xiàng)目web1

web2

MySQLNFS/www/htdocs掛載NFS至本地的同名目錄/www/htdocs訪問web1的mysqlhttpd2.4.3php5.4.8httpd2.4.3php5.4.8172.16.x.1172.16.x.2MoutingandUsingNFSv3WhenanNFSv3clientattemptstomountanexportedfilesystemfromanNFSserverClientcontactsandasksserver’sportmapservicefortheportusedbyrpc.mountd

Therpc.mountdservicedeterminesifaccessisallowed,typicallybasedonlyonthesourceIPaddressoftheclientIfallowed,rpc.mountdissuesclientaninitialfilehandletofilesystemClientusestheinitialfilehandletoaccessandchangethefilesystemthroughserver’snfsdserviceonTCPorUDPport2049Filelocksaremanagedbylockdandrpc.statdservicesMostoftheNFSv3protocolarestatelessontheserversideWhenthefilelockinglost,clientmayneedtore-establishthefilerpc.statdserviceisusedtonotifyclientsLAMPdiscuz/var/www/htmlLAPdns服務(wù)

兩個(gè)A記錄NFSSERVER/var/wwwNFSCLIENTmountABAUTH_SYSandUserAuthenticationAUTH_SYSisthestandardRPCmechanismusedbyNFSv3anditsauxiliaryprotocolsto“authenticate”accesstofilesanddirectoriesonthemountedNFSfilesystembyusersontheremoteclientNFSclientincludestheprogram’sUIDandGIDnumbersintheNFSrequestforfileaccesssenttotheserverNFSservertrusttheclienttosendaccurateUID/GIDinformationAssumessameusertoUID/grouptoGIDmappingsonserverandclientsNFSserverusestheUID/GIDinformationtocontrolaccessControllingAUTH_SYSNameMappingUsecentralizedauthenticationwhenpossibleUsecentralNISorLDAPservicetokeepUIDandGIDmappingsidenticalonserveranditsNFSclientsUseappropriateoptionsis/etc/exportsroot_squashmapsUIDandGID0toUIDandGID65534,whichisassignedtouserandgroupnfsnobodyThispreventsrootontheclientfromcreatingfilesownedbyrootormodifyingfilesonlychangeablebyrootall_squashmapsallUIDsandGIDsto65534BasicExportSecurityDonotexportdirectoriescontainingserverconfigurationfilesExportentirefilesystem,notonlypartofafilesystemDonotexportwithno_root_squashunlessnecessaryCarefullyusecrossmntornohidetoexportfilesystemsmountedonanexportIfafilesystemisexportedthathasanotherchildfilesystemmountedononeofitssubdirectories,thecontentsofthechildfilesystemarenotexportedwiththeparent,butIfthechildfilesystemisitselfexportedusingthenohideexportoption,ORIfthechildisexportednormallyandtheparentisexportedwiththecrossmntexportoptionVulnerabilitiesofNFSv3Auxiliaryprotocolsuserandomports,complicatingfilewallconfigurationClientsareauthenticatedbyhostnameorIPaddressServertrustsclientstoauthenticateusersCleartextprotocolissubjecttotamperingandeavesdroppingComplexservicesthatmustrunasrootorinthekernelUsingStaticPortswithNFSv3SimplifyfirewallconfigurationbysettingstaticportsforauxiliaryNFSservicesnfsdusedTCPandUDPport2049bydefaultEdit/etc/sysconfig/nfs:LOCKD_TCPPORT=“4004”LOCKD_UDPPORT=“4004”MOUNTD_PORT=“4002”STATD_PORT=“4003”RQUOTAD_PORT=“4005”STATD_OUTGOING_PORT=“4006”Verifyportswithrpcinfo-pSELinuxandNFSServercannotprovidefilecontextstoclientsClientslabelallfilessystem_u:object_r:nfs_t:s0bydefaultClientscanoverridewithcontext=mountoptionServermaintainslocalcontextsonitsexportedfilesystemnormallyBooleanscontrolexportsanduseofNFSnfs_export_all_ro/nfs_export_all_rwBoththesebooleansareonbydefaultuse_nfs_home_nfsIfornotallowNFStobeusedforhomedirectoriesonanSELinux-enforcingserverNotsetbydefaultTroubleshootingNFSStalefilehandleerrorsNFSserver(nfsd)isdownorunreachableNFSservernolongerexportstoyouPossibleSELinuxissuesServer:Abooleanissettobl