Setting up network storage services on deepin

Setting up an FTP service

Configuring and using vsftpd

Overview

vsftpd is a very secure and easy-to-use FTP server for Linux; a plain installation is enough to bring up an FTP service.
Its main configuration file is vsftpd.conf; on deepin/UOS its absolute path is /etc/vsftpd.conf

Installation

# A simple install is all that is needed. Prerequisite: developer mode must be enabled, otherwise software cannot be installed from the terminal

sudo apt install vsftpd

# If apt reports that the package cannot be found, the package index has probably not been refreshed; run the following first

sudo apt update

Starting, stopping and checking the service

# Start the service

service vsftpd start

# Stop the service

service vsftpd stop

# Restart the service

service vsftpd restart

# Check the service status

service vsftpd status

# The output looks like the following: active means the service is running normally; if it failed, use the message shown to look up the problem

babyfengfjx@babyfengfjx:~$ service vsftpd status

● vsftpd.service - vsftpd FTP server

Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)

Active: active (running) since Sat 2021-10-09 16:22:48 CST; 1s ago

Process: 18334 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)

Main PID: 18335 (vsftpd)

Tasks: 1 (limit: 4915)

Memory: 568.0K

CGroup: /system.slice/vsftpd.service

└─18335 /usr/sbin/vsftpd /etc/vsftpd.conf

The configuration file

Using the service is mostly a matter of getting the configuration options right. Many people struggle to get a working configuration on the first try, so a configuration that is known to work is given here for reference.

Configuration file path: /etc/vsftpd.conf

When configuring, disable anonymous login and use local user login wherever possible, for security.

# Example config file /etc/vsftpd.conf

#

# The default compiled in settings are fairly paranoid. This sample file

# loosens things up a bit, to make the ftp daemon more usable.

# Please see vsftpd.conf.5 for all compiled in defaults.

#

# READ THIS: This example file is NOT an exhaustive list of vsftpd options.

# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's

# capabilities.

#

#

# Run standalone? vsftpd can run either from an inetd or as a standalone

# daemon started from an initscript.

listen=YES

#

# This directive enables listening on IPv6 sockets. By default, listening

# on the IPv6 "any" address (::) will accept connections from both IPv6

# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6

# sockets. If you want that (perhaps because you want to listen on specific

# addresses) then you must run two copies of vsftpd with two configuration

# files.

listen_ipv6=NO

#

# Allow anonymous FTP? (Disabled by default).

anonymous_enable=NO

#

# Uncomment this to allow local users to log in.

local_enable=YES

#

# Uncomment this to enable any form of FTP write command.

write_enable=YES

#

# Default umask for local users is 077. You may wish to change this to 022,

# if your users expect that (022 is used by most other ftpd's)

#local_umask=022

#

# Uncomment this to allow the anonymous FTP user to upload files. This only

# has an effect if the above global write enable is activated. Also, you will

# obviously need to create a directory writable by the FTP user.

#anon_upload_enable=YES

#

# Uncomment this if you want the anonymous FTP user to be able to create

# new directories.

#anon_mkdir_write_enable=YES

#

# Activate directory messages - messages given to remote users when they

# go into a certain directory.

dirmessage_enable=YES

#

# If enabled, vsftpd will display directory listings with the time

# in your local time zone. The default is to display GMT. The

# times returned by the MDTM FTP command are also affected by this

# option.

use_localtime=YES

#

# Activate logging of uploads/downloads.

xferlog_enable=YES

#

# Make sure PORT transfer connections originate from port 20 (ftp-data).

connect_from_port_20=YES

#

# If you want, you can arrange for uploaded anonymous files to be owned by

# a different user. Note! Using "root" for uploaded files is not

# recommended!

#chown_uploads=YES

#chown_username=whoever

#

# You may override where the log file goes if you like. The default is shown

# below.

#xferlog_file=/var/log/vsftpd.log

#

# If you want, you can have your log file in standard ftpd xferlog format.

# Note that the default log file location is /var/log/xferlog in this case.

#xferlog_std_format=YES

#

# You may change the default value for timing out an idle session.

#idle_session_timeout=600

#

# You may change the default value for timing out a data connection.

#data_connection_timeout=120

#

# It is recommended that you define on your system a unique user which the

# ftp server can use as a totally isolated and unprivileged user.

#nopriv_user=ftpsecure

#

# Enable this and the server will recognise asynchronous ABOR requests. Not

# recommended for security (the code is non-trivial). Not enabling it,

# however, may confuse older FTP clients.

#async_abor_enable=YES

#

# By default the server will pretend to allow ASCII mode but in fact ignore

# the request. Turn on the below options to have the server actually do ASCII

# mangling on files when in ASCII mode.

# Beware that on some FTP servers, ASCII support allows a denial of service

# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd

# predicted this attack and has always been safe, reporting the size of the

# raw file.

# ASCII mangling is a horrible feature of the protocol.

#ascii_upload_enable=YES

#ascii_download_enable=YES

#

# You may fully customise the login banner string:

#ftpd_banner=Welcome to blah FTP service.

#

# You may specify a file of disallowed anonymous e-mail addresses. Apparently

# useful for combatting certain DoS attacks.

#deny_email_enable=YES

# (default follows)

#banned_email_file=/etc/vsftpd.banned_emails

#

# You may restrict local users to their home directories. See the FAQ for

# the possible risks in this before using chroot_local_user or

# chroot_list_enable below.

# chroot_local_user=YES

#

# You may specify an explicit list of local users to chroot() to their home

# directory. If chroot_local_user is YES, then this list becomes a list of

# users to NOT chroot().

# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that

# the user does not have write access to the top level directory within the

# chroot)

# chroot_local_user=YES

# chroot_list_enable=YES

# (default follows)

# chroot_list_file=/etc/vsftpd.chroot_list

#

# You may activate the "-R" option to the builtin ls. This is disabled by

# default to avoid remote users being able to cause excessive I/O on large

# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume

# the presence of the "-R" option, so there is a strong case for enabling it.

#ls_recurse_enable=YES

#

# Customization

#

# Some of vsftpd's settings don't fit the filesystem layout by

# default.

#

# This option should be the name of a directory which is empty. Also, the

# directory should not be writable by the ftp user. This directory is used

# as a secure chroot() jail at times vsftpd does not require filesystem

# access.

secure_chroot_dir=/var/run/vsftpd/empty

#

# This string is the name of the PAM service vsftpd will use.

pam_service_name=vsftpd

#

# This option specifies the location of the RSA certificate to use for SSL

# encrypted connections.

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem

rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

ssl_enable=NO

#

# Uncomment this to indicate that vsftpd use a utf8 filesystem.

#utf8_filesystem=YES

The options actually enabled are the following:

With this simple configuration, local users can log in

listen=YES

listen_ipv6=NO

anonymous_enable=NO

local_enable=YES

write_enable=YES

dirmessage_enable=YES

use_localtime=YES

xferlog_enable=YES

connect_from_port_20=YES

secure_chroot_dir=/var/run/vsftpd/empty

pam_service_name=vsftpd

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem

rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

ssl_enable=NO
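As an added example (not code from the post or from the vsftpd project), the small audit below parses vsftpd's key=value syntax and flags the settings in the enabled configuration above that a defender would revisit: ssl_enable=NO means local passwords cross the network in cleartext, and without chroot_local_user a logged-in local user is not confined to their home directory. The option names are real vsftpd options; the sample configuration strings are constructed from the options listed above.

```python
"""Added example (not code from the post or from vsftpd): audit a vsftpd.conf
for the weak settings present in the enabled configuration above. The option
names are real vsftpd options; the sample config strings are constructed."""

def parse_vsftpd_conf(text):
    """Parse vsftpd's key=value syntax; blank lines and '#' comments are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts

def audit_vsftpd(opts):
    """Return (option, finding) pairs; an absent option is treated as NO here."""
    def on(key):
        return opts.get(key, "NO").upper() == "YES"
    findings = []
    if on("anonymous_enable"):
        findings.append(("anonymous_enable", "anonymous login is allowed"))
        if on("write_enable") and on("anon_upload_enable"):
            findings.append(("anon_upload_enable", "anonymous users may upload files"))
    if on("local_enable") and not on("ssl_enable"):
        findings.append(("ssl_enable", "local passwords cross the network in cleartext; set ssl_enable=YES"))
    if on("local_enable") and not on("chroot_local_user"):
        findings.append(("chroot_local_user", "local users are not confined to their home directory"))
    if on("chroot_local_user") and on("allow_writeable_chroot"):
        findings.append(("allow_writeable_chroot", "a writable chroot root weakens the jail"))
    return findings

# Constructed sample: the security-relevant options the post enables above.
PAGE_CONFIG = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=NO
"""
# The same file with TLS on and local users confined to their home directory.
HARDENED_CONFIG = PAGE_CONFIG.replace("ssl_enable=NO", "ssl_enable=YES") + "chroot_local_user=YES\n"

if __name__ == "__main__":
    for name, text in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_vsftpd(parse_vsftpd_conf(text)))
```

Turning on ssl_enable uses the rsa_cert_file and rsa_private_key_file shown above; the Debian snakeoil pair is self-signed, so clients will warn until a real certificate is installed.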

Problems encountered

  • It is not possible to configure a specific root directory: after any local account logs in, its directory is the root directory; a custom directory cannot be configured, and the setting does not take effect even when configured;
  • When a new user is added with its shell set to nologin, that kind of user cannot be used for access;
  • A newly added user must log in once first before the account can be used to access FTP;

Setting up an SFTP service

Group configuration (server side)


sudo groupadd sftp

cat /etc/group # confirm the group was created

sudo vim /etc/group # edit the sftp line, which looks like sftp:x:1002:

sudo useradd -g sftp -s /bin/false mysftp

sudo passwd mysftp # set the new password; this is the password used to access the server

Shared directory (server side)


sudo mkdir -p /data/sftp/mysftp

sudo usermod -d /data/sftp/mysftp mysftp

Editing the configuration file (server side)


sudo vim /etc/ssh/sshd_config

Subsystem sftp /usr/libexec/openssh/sftp-server # this is the original setting and must be commented out by hand

then append the following lines at the end of the file and save

Subsystem sftp internal-sftp

Match Group sftp

ChrootDirectory /data/sftp/%u

ForceCommand internal-sftp

AllowTcpForwarding no

X11Forwarding no

Directory ownership and creation (server side)


sudo chown root:sftp /data/sftp/mysftp

sudo chmod 755 /data/sftp/mysftp

sudo mkdir /data/sftp/mysftp/upload

sudo chown mysftp:sftp /data/sftp/mysftp/upload

sudo chmod 755 /data/sftp/mysftp/upload
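The ownership and mode set above are not cosmetic: sshd only honours ChrootDirectory when every path component from / down to the jail (here /data/sftp/mysftp, but not the upload subdirectory inside it) is a directory owned by root and not writable by group or others, and a violation shows up on the client only as a closed connection. The check below is an added example (not from the post or from OpenSSH) that walks the path and reports the offending component; the directory tree it builds is a constructed fixture so it can run unprivileged.

```python
"""Added example (not from the post or from OpenSSH): diagnose a refused SFTP
chroot login by checking every path component of the jail the way sshd does.
The directory tree built below is a constructed fixture modelled on /data/sftp/mysftp."""
import os
import stat
import tempfile

def chroot_path_problems(chroot, root_uid=0, top="/"):
    """Return (path, reason) for each component between top and chroot that
    breaks sshd's rule. root_uid and top exist so the check can run unprivileged
    on a fixture; on a real server keep the defaults (uid 0, from /)."""
    path, top = os.path.abspath(chroot), os.path.abspath(top)
    components = []
    while True:
        components.append(path)
        parent = os.path.dirname(path)
        if path == top or parent == path:
            break
        path = parent
    problems = []
    for comp in reversed(components):      # walk from the top downwards
        st = os.stat(comp)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != root_uid:
            problems.append((comp, "not owned by root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((comp, "writable by group or others"))
    return problems

def make_demo_tree(base):
    """Constructed fixture: a jail with the post's mode 755 next to one that was
    left group-writable (775), a common cause of a refused login."""
    good, bad = os.path.join(base, "sftp", "mysftp"), os.path.join(base, "sftp", "bad")
    for d, mode in ((os.path.dirname(good), 0o755), (good, 0o755), (bad, 0o775)):
        os.makedirs(d, exist_ok=True)
        os.chmod(d, mode)
    return good, bad

def demo():
    """Run the check on the fixture; returns (problems_good, problems_bad)."""
    base = tempfile.mkdtemp(prefix="sftp-jail-")   # mode 0700, owned by this user
    good, bad = make_demo_tree(base)
    me = os.getuid()                                 # stands in for root's uid 0 here
    return (chroot_path_problems(good, root_uid=me, top=base),
            chroot_path_problems(bad, root_uid=me, top=base))

if __name__ == "__main__":
    print(demo())
```

On the real server, `chroot_path_problems("/data/sftp/mysftp")` run as root lists exactly what to chown or chmod before restarting sshd.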

Restarting the service (server side)


sudo systemctl restart sshd.service # if the restart reports that the service does not exist, first enable the service as follows

systemctl enable ssh.service

# then run:

sudo systemctl restart sshd.service

Accessing the server (client side)

Open the file manager or My Computer

Enter the address, for example sftp://10.20.32.** (use the server's actual IP, then enter the username and password to gain access)

Setting up an NFS service

Server side

Installing the tools


sudo apt-get install nfs-kernel-server # install the NFS server

Creating the shared folder


sudo mkdir /home/deepin-server/nfs # the path can be set as you like

sudo chmod -R 777 /home/deepin-server/nfs # set permissions on the shared directory

Editing the configuration file

vim /etc/exports

  • The configuration file is only one line, but there is a lot to get right in it;
  • The available export options are:

    • ro: read-only access

    • rw: read-write access

    • sync: all data is written to the share at the time of the request

    • hide: do not export subdirectories of the NFS shared directory

    • nohide: export subdirectories of the NFS shared directory

    • all_squash: map the UID and GID of shared files to the anonymous user; suitable for public directories.

    • no_all_squash: keep the UID and GID of shared files (default)

    • root_squash: all requests from root are mapped to the same permissions as the anonymous user (default)

    • no_root_squash: root has full administrative access to the exported directory

  • The client IP should be restricted; it is best not to use *, which is a security problem. Restrict mounting to specific IPs or an IP range.


vim /etc/exports

# the configuration file is modified as follows:

deepin-server@deepin-server-PC:~$ cat /etc/exports

# /etc/exports: the access control list for filesystems which may be exported

# to NFS clients. See exports(5).

#

# Example for NFSv2 and NFSv3:

# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)

# Example for NFSv4:

# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)

# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)

/home/deepin-server/nfs 10.20.*(rw) # the IP here is only partially restricted; the options in parentheses set the permissions.
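As an added example (not from the post or from nfs-utils), the parser and audit below read /etc/exports syntax and flag what the bullets above warn about: a wildcard or missing client restriction, no_root_squash, and the unspecified subtree_check that exportfs complains about in the service status further down. The sample lines are constructed from the export shown above; the tightened version uses a /24 network, which exports(5) accepts as a client specification.

```python
"""Added example (not from the post or from nfs-utils): parse /etc/exports and
flag what the post warns about, i.e. unrestricted or wildcard clients and
risky options. The sample lines are constructed from the export shown above."""
import re

TOKEN = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # client(opts), bare client or (opts)

def parse_exports(text):
    """Return [(path, [(client, [options]), ...]), ...]; '#' starts a comment."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        path, rest = fields[0], fields[1] if len(fields) > 1 else ""
        clients = []
        for tok in rest.split():
            m = TOKEN.match(tok)
            if m:
                client, opts = m.group(1), m.group(2)
                # no client before the parentheses means every host
                clients.append((client or "*", opts.split(",") if opts else []))
        exports.append((path, clients))
    return exports

def audit_exports(exports):
    """Return (path, client, tag) findings for each client entry."""
    findings = []
    for path, clients in exports:
        for client, opts in clients:
            if client == "*":
                findings.append((path, client, "all-hosts"))
            elif "*" in client or "?" in client:
                findings.append((path, client, "wildcard-hosts"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            if not {"subtree_check", "no_subtree_check"} & set(opts):
                findings.append((path, client, "subtree_check-unspecified"))
    return findings

# Constructed samples: the post's line, a tightened version, and the classic slip
# where a space before the parentheses gives the named host default options and every other host rw.
PAGE_LINE = "/home/deepin-server/nfs 10.20.*(rw)  # only partially restricted\n"
TIGHT_LINE = "/home/deepin-server/nfs 10.20.13.0/24(rw,sync,root_squash,no_subtree_check)\n"
TRAP_LINE = "/home/deepin-server/nfs 10.20.13.152 (rw,no_root_squash)\n"

if __name__ == "__main__":
    for text in (PAGE_LINE, TIGHT_LINE, TRAP_LINE):
        print(text.strip(), "->", audit_exports(parse_exports(text)))
```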

Starting the service


systemctl start rpcbind nfs-server

Checking the service status

The services only need to be in the running state

deepin-server@deepin-server-PC:~$ sudo systemctl status rpcbind nfs-server

● rpcbind.service - RPC bind portmap service

Loaded: loaded (/lib/systemd/system/rpcbind.service; enabled; vendor preset: enabled)

Active: active (running) since Wed 2022-01-05 11:53:19 CST; 1h 56min ago

Docs: man:rpcbind(8)

Main PID: 19304 (rpcbind)

Tasks: 1 (limit: 19660)

Memory: 608.0K

CGroup: /system.slice/rpcbind.service

└─19304 /sbin/rpcbind -f -w

1月 05 11:53:19 deepin-server-PC systemd[1]: Starting RPC bind portmap service...

1月 05 11:53:19 deepin-server-PC systemd[1]: Started RPC bind portmap service.

● nfs-server.service - NFS server and services

Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)

Active: active (exited) since Wed 2022-01-05 11:53:21 CST; 1h 56min ago

Process: 19319 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)

Process: 19320 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)

Main PID: 19320 (code=exited, status=0/SUCCESS)

1月 05 11:53:20 deepin-server-PC systemd[1]: Starting NFS server and services...

1月 05 11:53:20 deepin-server-PC exportfs[19319]: exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "10.20.*:/home/deepin-server/Documents/NFS文件目录for-test".

1月 05 11:53:20 deepin-server-PC exportfs[19319]: Assuming default behaviour ('no_subtree_check').

1月 05 11:53:20 deepin-server-PC exportfs[19319]: NOTE: this default has changed since nfs-utils version 1.0.x

1月 05 11:53:21 deepin-server-PC systemd[1]: Started NFS server and services.

deepin-server@deepin-server-PC:~$

At this point the server side is configured.

Client configuration

On the client the main task is mounting, but the client software still has to be installed before NFS can be mounted

Client installation


sudo apt-get install nfs-common

Viewing the server's NFS exports

showmount -e 10.20.13.152

babyfengfjx@babyfengfjx:~$ showmount -e 10.20.13.152

Export list for 10.20.13.152:

/home/deepin-server/Documents/NFS文件目录for-test 10.20.*

babyfengfjx@babyfengfjx:~$

Creating the mount point on the client

Create any directory on the local client to serve as the NFS mount point

sudo mkdir /home/babyfengfjx/Documents/nfsfile/

Mounting on the client

Mount the server's NFS export onto the corresponding local directory on the client

sudo mount -t nfs 10.20.13.152:/home/deepin-server/Documents/NFS文件目录for-test /home/babyfengfjx/Documents/nfsfile/

Viewing and transferring files

Once the steps above are done, NFS storage can be used from the corresponding client directory; uploading and creating files works as you please.

Mounting automatically at boot

  • Writing the mount into fstab is not recommended: if the NFS mount fails it may prevent the machine from booting normally

Automatic mount at boot via fstab


echo "10.20.13.152:/home/deepin-server/Documents/NFS文件目录for-test /home/babyfengfjx/Documents/nfsfile/ nfs4 defaults 0 0" >> /etc/fstab

mount -av

Via a boot-time startup script

How it works:

Creating the /etc/rc.local file
  • This method relies on the rc-local service, which the system starts automatically after boot;
  • Once the rc-local service starts, it automatically runs the rc.local script under /etc;
  • Its advantage is that it has none of the three drawbacks of the first method: a failing script does not produce a black-screen popup, a sleep does not cause a black screen at boot, and the script runs as the root user
Main steps:
1. Create the /etc/rc.local file
2. Paste the following template

#!/bin/sh -e

# rc.local

# This script is executed at the end of each multiuser runlevel.

# Make sure that the script will "exit 0" on success or any other

# value on error.

# In order to enable or disable this script just change the execution

# bits.

# By default this script does nothing.

# The line below is what I configured to start a python script automatically at boot

nohup python3 /home/babyfengfjx/Documents/typora_documents/TestScripts/01.LitterScript/02.bbsmonitor/bbsmonitor.py >bbs.log 2>&1 &

# This script already runs with root privileges, so sudo is not needed

sleep 5;mount -t nfs 10.20.13.152:/home/deepin-server/Documents/NFS文件目录for-test /home/babyfengfjx/Documents/nfsfile/

exit 0

3. Insert the commands you want to run at startup above exit 0 (one per line), then save the file
4. Give the script mode 755
sudo chmod 755 /etc/rc.local
5. Debug the script (optional)
sudo /etc/rc.local # use sudo to simulate the root user running /etc/rc.local at boot
If step 5 runs without errors, reboot and check whether the script starts automatically. After logging back in, run systemctl status rc-local.service to see the state of rc-local: active (exited) means the script ran successfully; failed means you need to check the script for problems.
Possible reasons the script fails to run properly:
1. The script runs as a different user
Because rc.local runs as the root user at boot, many people overlook that some commands must be run as an ordinary user, for example conky and virtual machines (a VBox or VMware VM created by user A cannot be accessed by user B).
Suppose user lolimay started the VM named aikuai in the background from a terminal with VBoxHeadless -s aikuai &; in rc.local it should then be written like this:
su - lolimay -c "VBoxHeadless -s aikuai &" # run the command as user lolimay
2. Superfluous sudo
As mentioned above, rc.local runs as root at boot, so the commands in it do not need a sudo prefix (in practice a sudo prefix does not cause an error either).
Best practice
My personal suggestion: whenever you add a command to rc.local, first run sudo /etc/rc.local to check that it succeeds (if it fails you can see the cause directly); this cuts down the number of reboots needed for debugging.