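I ran into this super weird access-denied problem on my home FTP server. The symptom is that I can only access it through the wireless interface. When I disable Wifi and use Ethernet, my access is denied.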
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
ncftp> debug 1
ncftp> open 192.168.1.134
> open 192.168.1.134
LibNcFTP 3.2.5 (January 17, 2011) compiled for linux-x86_64-glibc2.21
Uname: Linux|Korhal|4.4.0-87-generic|#110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017|x86_64
Contents of /etc/debian_version:
stretch/sid
Contents of /etc/issue:
Ubuntu 16.04.3 LTS \n \l
Glibc: 2.23 (stable)
Remote server is running ProFTPD.
ProFTPD 1.3.4d Server (foxnfish FTP Server) [::ffff:192.168.1.134]
220: ProFTPD 1.3.4d Server (foxnfish FTP Server) [::ffff:192.168.1.134]
Connected to 192.168.1.134.
Cmd: USER anonymous
331: Anonymous login ok, send your complete email address as your password
Cmd: PASS NcFTP@
530: Access denied
Access denied
Cmd: QUIT
221: Goodbye.
Output of my ifconfig
enp0s25 Link encap:Ethernet HWaddr 00:1c:25:78:d5:06
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: **** Scope:Link
inet6 addr: **** Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29531724 errors:0 dropped:0 overruns:0 frame:0
TX packets:4256164 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:42081203522 (42.0 GB) TX bytes:851356778 (851.3 MB)
Interrupt:20 Memory:fe200000-fe220000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:198 errors:0 dropped:0 overruns:0 frame:0
TX packets:198 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:16160 (16.1 KB) TX bytes:16160 (16.1 KB)
wls3 Link encap:Ethernet HWaddr 00:1f:3b:04:58:59
inet addr:192.168.1.143 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: **** Scope:Global
inet6 addr: **** Scope:Link
inet6 addr: ****/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:303586 errors:0 dropped:0 overruns:0 frame:0
TX packets:157656 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:452487811 (452.4 MB) TX bytes:15696186 (15.6 MB)
ProFTPD configuration file
ServerName "foxnfish FTP Server"
ServerType standalone
DefaultServer on
DefaultAddress foxnfish
UseIPv6 on
Port 21
User nobody
Group nogroup
Umask 000 000
SyslogFacility ftp
MultilineRFC2228 off
DisplayLogin /var/run/proftpd/proftpd.motd
DeferWelcome off
TimeoutIdle 600
TimeoutLogin 300
TimeoutNoTransfer 300
TimeoutStalled 3600
MaxInstances none
MaxClients 5
MaxConnectionsPerHost 10
MaxLoginAttempts 1
DefaultTransferMode ascii
IdentLookups off
UseReverseDNS off
<Limit LOGIN>
AllowGroup ftp
DenyAll
</Limit>
<Global>
RequireValidShell off
DefaultRoot ~ !wheel
AllowOverwrite on
DeleteAbortedStores off
TimesGMT off
</Global>
<IfModule mod_ban.c>
BanEngine off
BanControlsACLs all allow group wheel
BanLog /var/log/proftpd/ban.log
BanMessage Host %a has been banned
BanTable /var/run/proftpd/ban.tab
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
DelayTable "/var/run/proftpd/proftpd.delay"
</IfModule>
<IfModule mod_wrap.c>
TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
TCPAccessSyslogLevels info warn
TCPServiceName ftpd
</ifModule>
/etc/hosts.allow
#ftpd : xxx.xxx.xxx.xxx : deny
#sshd : .example.com : deny
#in.tftpd : xxx.xxx.xxx.xxx : deny
#bsnmpd : xxx.xxx.xxx.xxx : deny
ALL : ALL : allow
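/etc/hosts.deny is empty
What could be going wrong?
Answer 1
Thanks to @wurtel for the hint. I checked the ProFTPD configuration file and found that it refers to two files named hosts.allow and hosts.deny. The contents of these two files look innocent, though.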
/etc/hosts.allow
#ftpd : xxx.xxx.xxx.xxx : deny
#sshd : .example.com : deny
#in.tftpd : xxx.xxx.xxx.xxx : deny
#bsnmpd : xxx.xxx.xxx.xxx : deny
ALL : ALL : allow
/etc/hosts.deny is empty
When I checked the server logs further, I noticed these error log entries.
Feb 18 21:51:55 foxnfish proftpd[19657]: 192.168.1.134 (192.168.1.2[192.168.1.2]) - mod_wrap/1.2.4: using access files: /etc/hosts.allow, /etc/hosts.deny
Feb 18 21:51:55 foxnfish proftpd[19657]: 192.168.1.134 (192.168.1.2[192.168.1.2]) - mod_wrap/1.2.4: refused connection from ::ffff:192.168.1.2
Feb 18 21:54:15 foxnfish proftpd[19659]: 192.168.1.134 (192.168.1.146[192.168.1.146]) - mod_wrap/1.2.4: using access files: /etc/hosts.allow, /etc/hosts.deny
Feb 18 21:54:15 foxnfish proftpd[19659]: 192.168.1.134 (192.168.1.146[192.168.1.146]) - mod_wrap/1.2.4: allowed connection from iMac.xxx.xxx.xxx.net
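So, for my wireless connection, my source address is resolved in the form of a local-domain hostname. But when connecting from Ethernet, my source address is some strange IP. I guess it does not match hosts.allow.
Since this is an embedded Nas4Free version, I can't really modify the hosts.allow file. The quick solution is to turn off proftpd_modwrap_enable completely.
For anyone using ProFTPD on Nas4Free, you can turn this module off by setting proftpd_modwrap_enable to NO under System|Advanced|rc.conf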
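An added example, not part of the original answer: a small Python parser for the mod_wrap syslog lines quoted above that pairs each allow/refuse decision with the session's peer address and reports whether the client was logged as a hostname, a plain address, or an IPv4-mapped IPv6 address such as ::ffff:192.168.1.2. The sample lines are copied from the answer; the function names are hypothetical.

```python
import ipaddress
import re

# Sample input: the two mod_wrap decision lines quoted in the answer above.
SAMPLE_LOG = """\
Feb 18 21:51:55 foxnfish proftpd[19657]: 192.168.1.134 (192.168.1.2[192.168.1.2]) - mod_wrap/1.2.4: refused connection from ::ffff:192.168.1.2
Feb 18 21:54:15 foxnfish proftpd[19659]: 192.168.1.134 (192.168.1.146[192.168.1.146]) - mod_wrap/1.2.4: allowed connection from iMac.xxx.xxx.xxx.net
"""

# proftpd[pid]: <server> (<host>[<peer ip>]) - mod_wrap/<ver>: <verdict> connection from <client>
LINE_RE = re.compile(
    r"proftpd\[(?P<pid>\d+)\]: \S+ \((?P<host>[^\[\]]+)\[(?P<peer>[^\]]+)\]\) - "
    r"mod_wrap/[\d.]+: (?P<verdict>refused|allowed) connection from (?P<client>\S+)"
)


def normalize(name):
    """Return (canonical form, kind) for the client string mod_wrap logged."""
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        return name, "hostname"          # not an address literal
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped), "ipv4-mapped-ipv6"
    return str(addr), "ipv%d" % addr.version


def mod_wrap_decisions(log_text):
    """Extract every mod_wrap allow/refuse decision from syslog text."""
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                     # e.g. "using access files" lines
        client, kind = normalize(m["client"])
        decisions.append({
            "pid": int(m["pid"]), "peer": m["peer"], "verdict": m["verdict"],
            "client_as_logged": m["client"], "client": client, "kind": kind,
        })
    return decisions


def refused_peers(log_text):
    """Peer addresses that mod_wrap refused at least once."""
    return sorted({d["peer"] for d in mod_wrap_decisions(log_text)
                   if d["verdict"] == "refused"})


if __name__ == "__main__":
    for d in mod_wrap_decisions(SAMPLE_LOG):
        print(d["verdict"], d["peer"], d["client_as_logged"], "->", d["kind"])
```

Run against the full ProFTPD log, this shows at a glance which clients are matched by name and which by an address form that a pattern in hosts.allow or hosts.deny would also have to cover.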