1. SFTP planning
SFTP Server Port: 30022
SFTP accounts are created per project.
Naming convention:
Username | Permission | SFTP directory | Chroot directory | Group
region+project+user (group or individual) | rw / r | /data/project/project | /project | project+RW
Example: CHN-projectname-a | rw | /data/projectname/projectname | /projectname | projectnameRW
Example: CHN-projectname-b | r | /data/projectname/projectname | /projectname | (none)
Only accounts that need write permission have to be added to the corresponding group.
2. Configure SFTP
2.1 Modify the ssh configuration
The ssh configuration only has to be changed the first time.
- ~]# vi /etc/ssh/sshd_config
- #Subsystem sftp /usr/libexec/openssh/sftp-server
- Subsystem sftp internal-sftp
- # All Match criteria go on one line: a second "Match" line starts a new, separate block,
- # which leaves the first block empty and binds the chroot to the port alone instead of to the group.
- # LocalPort must be the port sshd actually listens on for SFTP.
- Match Group sftp LocalPort 20912
- # chroot to the home directory given when the user is created
- ChrootDirectory %h
- ForceCommand internal-sftp
- ~]# systemctl restart sshd
3. Create SFTP accounts
The following steps are needed every time an account is created.
3.1 Create the directory structure
- ~]# mkdir -p /data/projectname/projectname
- ~]# chmod 775 /data/projectname/projectname
3.2 Create the SFTP users
- ~]# useradd -s /bin/false -d /data/projectname CHN-projectname-b
- ~]# useradd -s /bin/false -d /data/projectname CHN-projectname-a
3.3 Set the SFTP users' passwords
- ~]# echo 'CHN-projectname-b:password1' | chpasswd
- ~]# echo 'CHN-projectname-a:password2' | chpasswd
- # the passwords can also be set in other ways
3.4 Create the permission group
- ~]# groupadd projectnameRW
3.5 Add the users that need write permission to the permission group
- ~]# usermod -aG projectnameRW CHN-projectname-b
- If CHN-projectname-a also needs write permission, add it to the permission group (projectnameRW) in the same way.
3.6 Configure the directory permissions
- ~]# chown root:projectnameRW /data/projectname/projectname
3.7 Configure ACL permissions
- # ACLs are needed when several users must read and write the same directory
- For a newly created directory this is simple, two commands are enough:
- ~]# chmod -R g+s /data/CN-project/CN-project
- ~]# setfacl -Rm d:g:groupname:rwx /data/CN-project/CN-project
- For an SFTP account that is already in use and whose home directory contains data, run the following commands by hand:
- ~]# chmod -R g+s /data/CN-project/CN-project
- ~]# setfacl -Rm d:g:groupname:rwx /data/CN-project/CN-project
- ~]# chown -R :groupname /data/CN-project/CN-project
- ~]# chmod -R 775 /data/CN-project/CN-project
3.8 Restart the sshd service
- ~]# systemctl restart sshd
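The steps in 3.1 to 3.8 as one idempotent shell function, added here as an example (it is not part of the original post). It validates the account name against the naming convention in section 1, derives the chroot directory, the shared directory and the write group from the project name, and with SFTP_DRY_RUN=1 prints the privileged commands instead of running them. The `usermod -aG sftp` step is an assumption: the Match block in section 2.1 selects members of group sftp, so an account that is not in that group is never chrooted. The function names and the SFTP_DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example: provision one SFTP account following section 3.
# SFTP_DRY_RUN=1 prints the privileged commands instead of executing them.

# sftp_project_of NAME -> prints the project part of REGION-project-user,
# or returns 1 when NAME does not follow the naming convention.
sftp_project_of() {
    printf '%s\n' "$1" | grep -Eq '^[[:upper:]]+-[[:lower:][:digit:]]+-[[:lower:][:digit:]]+$' || return 1
    printf '%s\n' "$1" | cut -d- -f2
}

# run CMD...: execute the command, or just print it when dry-running.
run() {
    if [ "${SFTP_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sftp_provision NAME PERM   (PERM is rw or r, as in the section 1 table)
sftp_provision() {
    name="$1"
    perm="$2"
    project=$(sftp_project_of "$name") || { echo "bad account name: $name" >&2; return 1; }
    case "$perm" in
        rw|r) ;;
        *) echo "permission must be rw or r, got: $perm" >&2; return 1 ;;
    esac
    chroot_dir="/data/$project"          # home directory, chrooted by ChrootDirectory %h
    share_dir="$chroot_dir/$project"     # the directory the user actually works in
    group="${project}RW"                 # write group from the naming table

    run mkdir -p "$share_dir"                                 # 3.1
    run chmod 775 "$share_dir"
    if ! getent passwd "$name" >/dev/null 2>&1; then          # 3.2 (skipped if the user exists)
        run useradd -s /bin/false -d "$chroot_dir" "$name"
    fi
    # 3.3: set the password separately with chpasswd, as the post does;
    # a password passed on a command line would be visible in process listings.
    run groupadd -f "$group"                                  # 3.4 (-f: no error if it exists)
    # Assumption: section 2.1 matches "Group sftp", so the account must be a member.
    run usermod -aG sftp "$name"
    if [ "$perm" = "rw" ]; then                               # 3.5
        run usermod -aG "$group" "$name"
    fi
    run chown root:"$group" "$share_dir"                      # 3.6
    run chmod g+s "$share_dir"                                # 3.7
    run setfacl -Rm "d:g:$group:rwx" "$share_dir"
    # 3.8 in the post restarts sshd; adding an account does not need it, so it is left out.
    return 0
}

# Usage: dry-run the read/write account from the section 1 table.
SFTP_DRY_RUN=1
sftp_provision CHN-projectname-a rw
```

Run it without SFTP_DRY_RUN as root to apply the steps; the name check rejects anything that would not fit the region-project-user layout before any command is executed.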
4. Using the SFTP client
4.1 Linux 6
- ~]# sftp -oPort=30022 CHN-project-user@10.0.0.1
- -oPort=30022: SFTP server port
- CHN-project-user: SFTP username
- 10.0.0.1: SFTP server address
4.2 Linux 7
- ~]# sftp -P 30022 CHN-project-user@10.0.0.1
- CHN-project-user@10.0.0.1's password: <-- enter the password
7. Enable the per-user SFTP connection limit
- ~]# cat /etc/ssh/sshd_config
- ......
- Subsystem sftp internal-sftp -l VERBOSE -f AUTHPRIV
- # Match criteria on one line; -l VERBOSE logs the transactions performed for the client to the AUTHPRIV facility
- Match Group sftp LocalPort 20912
- ChrootDirectory %h
- ForceCommand internal-sftp -l VERBOSE -f AUTHPRIV
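A common mistake with the block shown in 2.1 and again here is to put the Match criteria on two lines (Match Group sftp, then Match LocalPort 20912): that starts two blocks, the first stays empty and the chroot ends up bound to the port alone. `sshd -t` accepts both layouts, so the following checker is added as an example (not from the original post): it reads an sshd_config, reports which Match block every ChrootDirectory and ForceCommand falls under, and fails when one of them is not bound to a Group or User criterion or when a Match block is left empty. The two sample configurations are constructed from the listings above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit which Match block the SFTP chroot directives fall under.

# sftp_match_audit FILE
# Prints "<scope><TAB><directive>" for every ChrootDirectory/ForceCommand line,
# where scope is the Match criteria or GLOBAL, and "EMPTY<TAB><criteria>" for a
# Match block that contains nothing. Returns 1 when a chroot directive is not
# inside a Match block naming a Group or User, or when a block is empty.
sftp_match_audit() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
        tolower($1) == "match" {
            if (in_block && count == 0) { bad = 1; printf "EMPTY\t%s\n", crit }
            in_block = 1; count = 0
            crit = $0
            sub(/^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]+/, "", crit)
            next
        }
        tolower($1) == "chrootdirectory" || tolower($1) == "forcecommand" {
            scope = in_block ? crit : "GLOBAL"
            printf "%s\t%s\n", scope, $0
            if (!in_block || tolower(crit) !~ /(^|[ \t])(group|user)[ \t]/) bad = 1
        }
        { if (in_block) count++ }                     # every directive counts for its block
        END {
            if (in_block && count == 0) { bad = 1; printf "EMPTY\t%s\n", crit }
            exit bad ? 1 : 0
        }
    ' "$1"
}

# Constructed sample: the criteria split over two Match lines.
split_match_config() {
    cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftp
Match LocalPort 20912
ChrootDirectory %h
ForceCommand internal-sftp
EOF
}

# Constructed sample: all criteria on one Match line, as sshd expects.
single_match_config() {
    cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftp LocalPort 20912
    ChrootDirectory %h
    ForceCommand internal-sftp
EOF
}

# Usage: audit both samples.
cfg=$(mktemp)
split_match_config > "$cfg"
sftp_match_audit "$cfg" || echo "split Match lines: chroot is not bound to Group sftp"
single_match_config > "$cfg"
sftp_match_audit "$cfg" && echo "single Match line: chroot bound to Group sftp"
rm -f "$cfg"
```

Point it at the real file with `sftp_match_audit /etc/ssh/sshd_config` after editing; a non-zero exit means some chroot directive applies more widely than the SFTP group.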
8. Enable the user authentication count limit
- ~]# cat /etc/rsyslog.conf
- ......
- authpriv.* /var/log/sftp.log
9. Configure the maximum number of open files per SFTP user
- ~]# systemctl restart sshd
- ~]# systemctl restart rsyslog
10. SFTP monitoring items
10.1 Monitor the number of SFTP connections
- ~]# cd /etc/logrotate.d/
- ~]# vi sftp
- /var/log/sftp.log {
- # rotate the log once a month (the default)
- monthly
- missingok
- # keep 6 rotated log files
- rotate 6
- compress
- delaycompress
- dateext
- create 0600 root root
- sharedscripts
- postrotate
- /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
- endscript
- }
- ~]# systemctl restart rsyslog
- Test:
- ~]# logrotate --debug --verbose --force /etc/logrotate.d/sftp
10.2 SFTP log monitoring: alert when the connection limit is hit
Monitor the SFTP log; when a given SFTP user hits the connection limit, send an alert notification.
- ~]# cat /etc/security/limits.d/95-sftp-limit.conf
- # a leading @ makes the limit apply to a group rather than a single user
- @sftpusername hard nproc 400 #limits the user to 200 connections; the configured value is connections*2
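The logging set up in sections 7 and 8 lands in /var/log/sftp.log. A small summariser for that file, added here as an example (not from the original post), covers the monitoring item in 10.1 and the alert in 10.2: it tracks which user owns each internal-sftp process, counts the sessions currently open and the files opened for writing per user, and fails when a user exceeds a session limit (default 200, the figure quoted in 10.2) so it can drive an alert. The log lines are constructed in the shape internal-sftp writes at -l VERBOSE behind a syslog prefix; sshd's own authpriv lines in the same file are ignored. The function names are this example's own.

```shell
#!/bin/sh
# Added example: per-user session and write counts from /var/log/sftp.log.

# Constructed sample in the format internal-sftp logs at -l VERBOSE
# (syslog prefix, "session opened/closed for local user", "open ... flags").
sample_sftp_log() {
    cat <<'EOF'
Jan 10 10:00:01 sftp01 internal-sftp[2345]: session opened for local user CHN-projectname-a from [10.0.0.5]
Jan 10 10:00:02 sftp01 internal-sftp[2346]: session opened for local user CHN-projectname-b from [10.0.0.6]
Jan 10 10:00:05 sftp01 internal-sftp[2346]: open "/projectname/report.csv" flags WRITE,CREAT,TRUNC mode 0644
Jan 10 10:00:06 sftp01 internal-sftp[2346]: close "/projectname/report.csv" bytes read 0 written 4096
Jan 10 10:00:07 sftp01 internal-sftp[2345]: open "/projectname/report.csv" flags READ mode 0666
Jan 10 10:00:08 sftp01 internal-sftp[2347]: session opened for local user CHN-projectname-b from [10.0.0.7]
Jan 10 10:05:00 sftp01 internal-sftp[2345]: session closed for local user CHN-projectname-a from [10.0.0.5]
EOF
}

# sftp_log_summary [LIMIT] < sftp.log
# Prints "<user> open_sessions=N writes=M [OVER_LIMIT]" per user; returns 1
# when any user has more open sessions than LIMIT (default 200, from 10.2).
sftp_log_summary() {
    awk -v limit="${1:-200}" '
        # Only internal-sftp lines matter; the authpriv file also carries sshd lines.
        !match($0, /internal-sftp\[[0-9]+\]/) { next }
        { pid = substr($0, RSTART + 14, RLENGTH - 15) }   # the digits between the brackets
        /session opened for local user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { u = $(i + 1); break }
            owner[pid] = u
            open[u]++
            next
        }
        /session closed for local user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { u = $(i + 1); break }
            open[u]--
            delete owner[pid]
            next
        }
        # File opens only carry the pid, so they are attributed through owner[].
        /: open / && / flags [A-Z,]*WRITE/ {
            u = (pid in owner) ? owner[pid] : "unknown-" pid
            writes[u]++
        }
        END {
            bad = 0
            for (u in open) {
                flag = (open[u] > limit) ? " OVER_LIMIT" : ""
                if (flag != "") bad = 1
                printf "%s open_sessions=%d writes=%d%s\n", u, open[u], writes[u] + 0, flag
            }
            exit bad
        }
    '
}

# Usage: summarise the constructed log with the default limit.
sample_sftp_log | sftp_log_summary
```

On a server, `sftp_log_summary 200 < /var/log/sftp.log` gives the same report for the current log; a non-zero exit is the condition to alert on.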
11. SFTP high availability
11.1 Multiple SFTP servers using Alibaba Cloud NAS as the underlying storage
Use the NAS as the /data volume. The ACL command then becomes nfs4_setfacl.
11.2 Keep the UID and GID consistent when creating users on multiple SFTP servers
Use the following script to create users on several SFTP servers.
[code]
#!/bin/bash
#########################################################
# Function : Add user in 2 SFTP servers
# Version  : 1.0
#########################################################
############ env define ############
sshuser=osadmin                        # user with passwordless ssh configured on every sftp server
workdir=/tmp
shijian=`date +%Y_%m_%d_%H_%M`         # timestamp for the copied files: %m is the month, %M the minute
server1=10.0.0.1
server2=10.0.0.2
server3=10.0.0.3
server4=10.0.0.4
sftpport=30022
sshport=22
new_user=${1}
user_pass=${2}
############ env define ############
############ USAGE ############
if [[ $# != 2 ]];then
    echo -e "\033[31;5mParameter incorrect. Please check below example: \033[0m"
    echo -e "\033[33;1mfor example:\033[0m"
    echo "ScriptName USER PASSWORD"
    exit 1
fi
############ USAGE ############
############ Function ############
### get /etc/passwd from each server
get_passwd_file() {
    scp -q ${sshuser}@${1}:/etc/passwd ${workdir}/passwdfile_${1}_${shijian}
}
### get /etc/group from each server
get_group_file() {
    scp -q ${sshuser}@${1}:/etc/group ${workdir}/groupfile_${1}_${shijian}
}
### find the maximum user id (65534 is nobody and is skipped)
find_max_user_id() {
    awk -F':' '{ print $3 }' ${workdir}/passwdfile_${1}_${shijian} | grep -v 65534 | sort -n | tail -n 1
}
### find the maximum group id
find_max_group_id() {
    awk -F':' '{ print $3 }' ${workdir}/groupfile_${1}_${shijian} | grep -v 65534 | sort -n | tail -n 1
}
### get max id among all servers (min and sum are computed but only max is used)
get_max_id() {
    if [ $# -eq 0 ]
    then
        echo "No input , please check"
    else
        min=$1
        max=$1
        sum=0
        for i in "$@"
        do
            if [ $min -gt $i ]
            then
                min=$i
            fi
            if [ $max -lt $i ]
            then
                max=$i
            fi
            sum=$((sum + i))
        done
        echo $max
    fi
}
### check if all server alive
check_server_alive() {
    nc -4 -w 2 -z ${1} ${2}
    if [ $? -eq 0 ]
    then
        echo -e "\033[32;1m ${1} port ${2} alived\033[0m"
    else
        echo -e "\033[31;5m Server ${1} Port ${2} cannot connect , please check it manually ~! \033[0m"
        exit
    fi
}
### add user in 2 servers (the loop actually covers server1..server4)
add_user() {
    for i in {1..4}
    do
        serverip=`eval echo '$'"server${i}"`
        ssh ${sshuser}@${serverip} "sudo /sbin/groupadd -g ${next_gid} ${1}"
        if [ $? -eq 0 ]
        then
            echo -e "\033[32;1m Group ${1} creation in ${serverip} done \033[0m"
        else
            echo -e "\033[31;5m Group ${1} creation in ${serverip} failed , please check it manually ~! \033[0m"
            exit
        fi
        ssh ${sshuser}@${serverip} "sudo /sbin/useradd -s /bin/false -u ${next_uid} -g ${next_gid} ${1}"
        if [ $? -eq 0 ]
        then
            echo -e "\033[32;1m User ${1} creation in ${serverip} done \033[0m"
        else
            echo -e "\033[31;5m User ${1} creation in ${serverip} failed , please check it manually ~! \033[0m"
            exit
        fi
        # The source is cut off in the middle of the next command (the password step);
        # the rest of the script, including where next_uid/next_gid are computed and
        # where the functions above are called, is not present on the page:
        # ssh ${sshuser}@${serverip} "sudo /bin/passwd ${1} |
    done
}
[/code]
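The script above derives the new UID and GID from the passwd and group files copied from every server. The allocation and a consistency check are rewritten below as an added example that runs offline (it is not the post's script): next_free_uid takes the highest UID across all copies, skipping 65534 like the original but comparing numerically instead of with `grep -v`, and check_uid_consistency reports a name that maps to different UIDs on different servers, which is the drift this section wants to avoid. The passwd extracts are constructed; the function names are this example's own. The same two functions work on the group copies, since field 3 is the id in both files.

```shell
#!/bin/sh
# Added example: UID allocation and drift check across several servers' passwd files.

# Constructed /etc/passwd extracts for two servers; the real script copies
# these with scp as passwdfile_<ip>_<date>.
write_sample_passwd_files() {
    dir="$1"
    cat > "$dir/passwd_10.0.0.1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin
CHN-projectname-a:x:1001:1001::/data/projectname:/bin/false
CHN-projectname-b:x:1002:1002::/data/projectname:/bin/false
EOF
    cat > "$dir/passwd_10.0.0.2" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin
CHN-projectname-a:x:1001:1001::/data/projectname:/bin/false
CHN-other-c:x:1005:1005::/data/other:/bin/false
EOF
}

# next_free_uid FILE... -> one more than the highest UID seen on any server,
# ignoring 65534 (nobody), so the new id is unused everywhere.
next_free_uid() {
    awk -F: 'BEGIN { max = 0 }
             $3 + 0 != 65534 && $3 + 0 > max { max = $3 + 0 }
             END { print max + 1 }' "$@"
}

# check_uid_consistency FILE... -> prints "<name> <first uid> <other uid>" for
# every name that has different UIDs in different files; returns 1 if any.
check_uid_consistency() {
    awk -F: '
        ($1 in seen) && seen[$1] != $3 { printf "%s %s %s\n", $1, seen[$1], $3; bad = 1 }
        !($1 in seen) { seen[$1] = $3 }
        END { exit bad }
    ' "$@"
}

# Usage on the constructed files.
tmpd=$(mktemp -d)
write_sample_passwd_files "$tmpd"
echo "next free UID on all servers: $(next_free_uid "$tmpd"/passwd_*)"
check_uid_consistency "$tmpd"/passwd_* && echo "UIDs consistent across servers"
rm -rf "$tmpd"
```

Running check_uid_consistency over the fetched copies before add_user is the cheap way to catch a server on which an account was created by hand with an id the others do not share.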