apache2 和 sshd 正在监听,但只有 sshd 可以从远程访问

apache2 和 sshd 正在监听,但只有 sshd 可以从远程访问

我刚刚使用 chef 在 Ubuntu(aws)上安装了 apache2。

Ubuntu 服务器上的 Apache2:10.1.1.1

客户端:10.1.1.200

我还验证了 tcp 22(sshd)和 tcp 80(apache2)都在监听

root@Ubuntu:/var/www# netstat -anp | egrep '22|80'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1469/sshd       
tcp6       0      0 :::80                   :::*                    LISTEN      16950/apache2   
tcp6       0      0 :::22                   :::*                    LISTEN      1469/sshd       
root@Ubuntu:/var/www# 

流程看起来也不错

root@Ubuntu:/var/www# ps -ef | egrep 'apache2|sshd'
root      1469     1  0 Sep29 ?        00:00:00 /usr/sbin/sshd -D
root     16950     1  0 Sep29 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 16953 16950  0 Sep29 ?        00:00:02 /usr/sbin/apache2 -k start
www-data 16954 16950  0 Sep29 ?        00:00:02 /usr/sbin/apache2 -k start
root@Ubuntu:/var/www# 

服务也照常运行

root@Ubuntu:/var/www# service apache2 status
● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: active (running) since Fri 2017-09-29 23:36:49 UTC; 2h 13min ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 55
   Memory: 6.5M
      CPU: 4.637s
   CGroup: /system.slice/apache2.service
           ├─16950 /usr/sbin/apache2 -k start
           ├─16953 /usr/sbin/apache2 -k start
           └─16954 /usr/sbin/apache2 -k start

Sep 29 23:36:47 Ubuntu systemd[1]: Starting LSB: Apache2 web server...
Sep 29 23:36:47 Ubuntu apache2[16933]:  * Starting Apache httpd web server apache2
Sep 29 23:36:48 Ubuntu apache2[16933]: AH00557: apache2: apr_sockaddr_info_get() failed for Ubuntu
Sep 29 23:36:48 Ubuntu apache2[16933]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the '
Sep 29 23:36:49 Ubuntu apache2[16933]:  *
Sep 29 23:36:49 Ubuntu systemd[1]: Started LSB: Apache2 web server.
root@Ubuntu:/var/www# 

但是,当我尝试通过 远程访问服务器时http://10.1.1.1,什么也没有发生。在同一台服务器上使用 ssh 时,我没有遇到此问题。

我在尝试从远程访问 Web 服务器时也运行了 tcpdump,但没有看到任何内容

客户端测试

[root@Client]# curl 10.1.1.1:80
curl: (7) Failed connect to 10.1.1.1:80; Connection timed out
[root@Client]# 

但在服务器上什么也没看到

root@Ubuntu:/var/www# tcpdump -nni eth0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@Ubuntu:/var/www# 

但是,当我尝试使用 ssh 执行同样操作时,我能够远程访问它,并且可以按预期在 tcpdump 上看到流量。

[root@Client]# curl 10.1.1.1:22
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
curl: (56) Recv failure: Connection reset by peer
[root@Client]# 

ssh 上的 tcpdump

root@Ubuntu:/var/www# tcpdump -nni eth0 port 22 and host 10.1.1.200
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:03:04.320761 IP 10.1.1.200.35890 > 10.1.1.1.22: Flags [S], seq 1658944714, win 26883, options [mss 8961,sackOK,TS val 52461068 ecr 0,nop,wscale 7], length 0
02:03:04.320923 IP 10.1.1.1.22 > 10.1.1.200.35890: Flags [S.], seq 2270168630, ack 1658944715, win 26847, options [mss 8961,sackOK,TS val 13211819 ecr 52461068,nop,wscale 7], length 0
02:03:04.321264 IP 10.1.1.200.35890 > 10.1.1.1.22: Flags [.], ack 1, win 211, options [nop,nop,TS val 52461069 ecr 13211819], length 0
02:03:04.321287 IP 10.1.1.200.35890 > 10.1.1.1.22: Flags [P.], seq 1:80, ack 1, win 211, options [nop,nop,TS val 52461069 ecr 13211819], length 79
02:03:04.321293 IP 10.1.1.1.22 > 10.1.1.200.35890: Flags [.], ack 80, win 210, options [nop,nop,TS val 13211819 ecr 52461069], length 0
02:03:04.326160 IP 10.1.1.1.22 > 10.1.1.200.35890: Flags [P.], seq 1:42, ack 80, win 210, options [nop,nop,TS val 13211821 ecr 52461069], length 41
02:03:04.326683 IP 10.1.1.1.22 > 10.1.1.200.35890: Flags [R.], seq 42, ack 80, win 210, options [nop,nop,TS val 13211821 ecr 52461069], length 0
02:03:04.326899 IP 10.1.1.200.35890 > 10.1.1.1.22: Flags [.], ack 42, win 211, options [nop,nop,TS val 52461075 ecr 13211821], length 0
02:03:04.326911 IP 10.1.1.1.22 > 10.1.1.200.35890: Flags [R], seq 2270168672, win 0, length 0
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
root@Ubuntu:/var/www# 

更新:iptables 输出

此外,此框安装在 aws 上

root@Ubuntu:~# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
root@Ubuntu:~# 

答案1

Apache 正在监听 IPv6,而不是 IPv4:

tcp6       0      0 :::80                   :::*                    LISTEN      16950/apache2

tcp6:::80都是 Apache 正在监听 IPv6 而不是 v4 的线索(否则将是tcp0.0.0.0:80其他情况)。

这个问题有很多解决方案。可能最好的方法是告诉 Apache 明确监听 IPv4。将您的Listen指令从以下内容更改为:

Listen 80

到:

Listen 0.0.0.0:80

答案2

感谢大家的反馈。显然,AWS 仅为此连接打开 ssh (tcp22)。

一旦 aws 上允许 http(tcp80),我就可以远程访问这个框。

我知道有什么东西阻塞了,因为 nmap 显示在 tcp80 上过滤并在 tcp22 上打开,但那时根本不知道它是 aws。

Nmap scan report for 10.1.1.1
Host is up (0.062s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp filtered  http    nginx 1.10.3 (Ubuntu)

Nmap scan report for 10.1.1.1
Host is up (0.062s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.10.3 (Ubuntu)

相关内容