How can I run some kind of diagnostic to check the connection to the upstream leafnode NNTP server, which runs on the same network?
thufir@arrakis:~$
thufir@arrakis:~$ telnet 192.168.1.7 119
Trying 192.168.1.7...
Connected to 192.168.1.7.
Escape character is '^]'.
Connection closed by foreign host.
thufir@arrakis:~$
It connects for a second and then the connection closes... I never typed the escape character.
Alternatively, what log could I look at on the server to find out why it closed the connection?
The news.err and news.notice logs in /var/logs/news on the upstream server doge are both empty.
The downstream server arrakis can connect to the NNTP server fine, and so can the upstream server doge. (These are just FQDNs registered at no-ip.com, not "real" domains.)
thufir@arrakis:~$
thufir@arrakis:~$ sudo fetchnews -vvv
leafnode 1.11.10: verbosity level is 3, debugmode is 0
try_lock(timeout=5), fqdn="arrakis.bounceme.net"
192.168.1.7: connecting to port nntp...
error: NNTP server went away (server disconnect or timeout)
error: 192.168.1.7: received bogus greeting (498): (nil)
192.168.1.7: address list exhausted without establishing connection.
192.168.1.7: connection failed.
news.mozilla.org: connecting to port nntp...
news.mozilla.org: connected to 216.166.97.169:119, reply: 200
news.mozilla.org: connected.
news.mozilla.org: using STAT <message-ID> command.
Not posting to news.mozilla.org: nopost-set
news.mozilla.org: getting new newsgroups
^Cfetchnews: caught signal 2, shutting down.
WARNING: some servers have not been queried!
wrote active file with 156888 lines
Started process to update overview data in the background.
Network activity has finished.
thufir@arrakis:~$
Neither arrakis nor doge is a headless server; I use them as ordinary PCs. On doge, I can connect to localhost fine with the pan newsreader. However, the connection from arrakis to doge does not work, whether via leafnode using fetchnews, nor with pan, nor with the alpine/pine email clients.
Perhaps it is a security issue:
If you want to protect your leafnode server with TCP wrappers, you can easily do so. If the news server is for intranet use only, you may want to seriously consider doing this so that your news server cannot be abused from the outside. Suppose your internal network uses the IP network address 192.168.1.0. You can write the following into the /etc/hosts.deny file to allow only computers whose IP addresses are in the local network to access leafnode:
leafnode: ALL EXCEPT 192.168.1. 127.0.0.1
This is a fairly old system; not sure of the leafnode version:
thufir@arrakis:~$
thufir@arrakis:~$ sudo leafnode --version
200 Leafnode NNTP Daemon, version 1.11.10 running at arrakis.bounceme.net (my fqdn: arrakis.bounceme.net)
^Cthufir@arrakis:~$
thufir@arrakis:~$
thufir@arrakis:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=15.10
DISTRIB_CODENAME=wily
DISTRIB_DESCRIPTION="Ubuntu 15.10"
thufir@arrakis:~$
The downstream server arrakis has an entry for news in inetd:
thufir@arrakis:~$
thufir@arrakis:~$ cat /etc/inetd.conf
# /etc/inetd.conf: see inetd(8) for further informations.
#
# Internet superserver configuration database
#
#
# Lines starting with "#:LABEL:" or "#<off>#" should not
# be changed unless you know what you are doing!
#
# If you want to disable an entry so it isn't touched during
# package updates just comment it out with a single '#' character.
#
# Packages should modify this file by using update-inetd(8)
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
#:INTERNAL: Internal services
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
#time stream tcp nowait root internal
#:STANDARD: These are standard services.
#:BSD: Shell, login, exec and talk are BSD protocols.
#:MAIL: Mail, news and uucp services.
nntp stream tcp nowait news /usr/sbin/tcpd /usr/sbin/leafnode
#:INFO: Info services
#:BOOT: TFTP service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers."
#:RPC: RPC based services
#:HAM-RADIO: amateur-radio services
#:OTHER: Other services
thufir@arrakis:~$
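The telnet and fetchnews sessions above show the same symptom: the TCP connection is accepted and then closed before any NNTP banner arrives, which is exactly what tcpd does when a connection is refused by hosts.allow/hosts.deny. The following Python probe, added here as an example and not taken from the question or from leafnode, tells that case apart from a port with no listener and from a healthy greeting; fake_server and unused_port are constructed stand-ins so the script runs offline.

```python
import socket
import threading

def probe_nntp(host, port=119, timeout=5.0):
    """Connect and classify what the NNTP server does first:
    refused      nothing listening (or a firewall reset)
    timeout      no answer within `timeout` seconds
    no-greeting  TCP accepted, then closed before any banner, as tcpd does
                 on a hosts.deny hit (fetchnews logs 'server went away')
    greeting     banner received (code 200/201 means a healthy server)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while not data.endswith(b"\n"):
                chunk = s.recv(512)
                if not chunk:          # peer closed without sending a banner
                    return ("no-greeting", None)
                data += chunk
            s.sendall(b"QUIT\r\n")     # leave the live server cleanly
            return ("greeting", data.decode("latin-1").strip())
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("timeout", None)

def unused_port():
    """Port with no listener, to show the 'refused' outcome offline."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def fake_server(behaviour):
    """Constructed stand-in for leafnode behind tcpd, on 127.0.0.1:
    'banner' greets like a healthy daemon, 'drop' accepts and closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(b"200 Leafnode NNTP Daemon (constructed banner)\r\n")
            conn.recv(64)              # wait for the client's QUIT
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe_nntp("127.0.0.1", fake_server("drop")))   # -> ('no-greeting', None)
```

Against the real upstream, `probe_nntp("192.168.1.7")` run from arrakis returns the same tuple the fake 'drop' server produces if tcpd is the one closing the connection.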
Answer 1
Fiddled with hosts.allow and hosts.deny in a very insecure way:
thufir@arrakis:~$
thufir@arrakis:~$ cat /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
#-- leafnode begin
leafnode: 192.168.1.7
leafnode: 127.0.0.1
#-- leafnode end
thufir@arrakis:~$
thufir@arrakis:~$ cat /etc/hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
#-- leafnode begin
#leafnode: ALL
#-- leafnode end
thufir@arrakis:~$
and ignored all the warnings in the manual for each configuration file:
## By default, leafnode only serves connections from addresses in the
## local networks and drops those from outside. An IPv4 address, or an
## IPv6 address on computers that provide the getifaddrs() interface is
## considered local if it is within the networks (IP/netmask) of the local
## interfaces. On computers that lack the getifaddrs() interface, an
## IPv6 address is considered local if it is site-local, link-local or
## the loopback address (::1).
##
## You can enable remote access by doing:
## 1. enabling access for single static IPs (or subnetworks) through
## your super server (xinetd, tcpserver) or, if the service is wrapped by
## tcpd, hosts.allow/hosts.deny configuration,
## 2. disabling access for all other hosts (default to deny),
## 3. testing that "deny" works, to avoid abuse of your server,
## 4. uncommenting this option, capitalizing the "strangers" subword and
## setting the value to 42.
##
## WARNING: ENABLING THIS OPTION IS DANGEROUS. YOU AGREE TO BE LIABLE
## FOR ALL ABUSE OF YOUR SERVER WHEN THIS OPTION IS ENABLED.
## IF ANYTHING ABOUT ITEMS 1. TO 3. ABOVE IS UNCLEAR, DO NOT ENABLE THIS!
## IF YOU ARE NOT FAMILIAR WITH ACCESS CONTROL, OR YOUR CLIENTS ARE ON
## DYNAMIC IPS, YOU MUST NOT ENABLE THIS. (You can use other, authenticated,
## methods of access instead, for instance SSH tunnels.)
##
#
allowSTRANGERS = 42
Now it sort of, kind of works. Obviously not a good solution.
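To see why the README line quoted in the question is the safe shape and why the files shown in this answer are not, here is a small model of tcpd's hosts_access(5) evaluation order, added as an example and not tcpd's own code: a hosts.allow match grants, otherwise a hosts.deny match refuses, otherwise access is granted. It assumes IP-only client patterns (exact address, trailing-dot prefix such as 192.168.1., ALL and EXCEPT); host names, netgroups and net/mask forms are left out. The daemon name is "leafnode", the basename of the server path behind tcpd in the inetd.conf above.

```python
def _client_matches(pattern, ip):
    """One hosts_access(5) client pattern, IP forms only (assumption: host
    names, @netgroups and net/mask forms are left out of this model)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):              # "192.168.1." is a prefix match
        return ip.startswith(pattern)
    return ip == pattern

def _list_matches(spec, ip):
    """A client list with the 'a b EXCEPT c d' operator (EXCEPT applies
    to everything to its right)."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(_client_matches(p, ip) for p in head.split())
    return hit and not (tail and _list_matches(tail, ip))

def _file_matches(lines, daemon, ip):
    """First 'daemon_list : client_list [: options]' line that matches."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].split()
        if daemon in daemons or "ALL" in daemons:
            if _list_matches(fields[1], ip):
                return True
    return False

def hosts_access(allow, deny, daemon, ip):
    """tcpd order: a hosts.allow match grants, else a hosts.deny match
    refuses, else access is granted (the default is allow)."""
    if _file_matches(allow, daemon, ip):
        return True
    return not _file_matches(deny, daemon, ip)

# The README recommendation quoted in the question: deny everyone
# except the 192.168.1.0/24 LAN and loopback.
README_DENY = ["leafnode: ALL EXCEPT 192.168.1. 127.0.0.1"]

# The files from this answer: two hosts allowed, deny line commented out.
ANSWER_ALLOW = ["#-- leafnode begin", "leafnode: 192.168.1.7",
                "leafnode: 127.0.0.1", "#-- leafnode end"]
ANSWER_DENY = ["#leafnode: ALL"]

if __name__ == "__main__":
    for ip in ("192.168.1.50", "203.0.113.5"):
        print(ip, hosts_access([], README_DENY, "leafnode", ip),
              hosts_access(ANSWER_ALLOW, ANSWER_DENY, "leafnode", ip))
```

With "#leafnode: ALL" commented out, tcpd grants every address that is not in hosts.allow, and allowSTRANGERS = 42 then switches off leafnode's own local-network check as well, so at that point nothing restricts who may reach the daemon.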