mod_wrap is not called when connecting to ProFTPD via SFTP

We are using ProFTPD (version 1.3.3e) and have just noticed that if we connect to the server via FTP we can see mod_wrap being called:

proftpd.log

```
May 27 10:46:16 li46 proftpd[10592] FTP session opened.
May 27 10:46:16 li46 proftpd[10592] mod_wrap/1.2.3: using access files: .hosts.allow, .hosts.deny
May 27 10:46:16 li46 proftpd[10592] mod_wrap/1.2.3: allowed connection from xxx
May 27 10:46:16 li46 proftpd[10592] Preparing to chroot to directory '/XXX'
May 27 10:46:16 li46 proftpd[10592] : USER XXX: Login successful.
```

But when connecting via SFTP, mod_wrap is not called:

From proftpd.log

```
May 27 11:21:47 li46 proftpd[11081] FTP session opened.
May 27 11:21:49 li46 proftpd[11081] Preparing to chroot to directory '/home/XXX'
May 27 11:21:49 li46 proftpd[11081] USER XXX: Login successful
```

From sftp.log

```
May 27 11:21:47 mod_sftp/0.9.7[11081]: + Session server-to-client compression: none
May 27 11:21:47 mod_sftp/0.9.7[11081]: + Session client-to-server language:
May 27 11:21:47 mod_sftp/0.9.7[11081]: + Session server-to-client language:
May 27 11:21:48 mod_sftp/0.9.7[11081]: sending acceptable userauth methods: publickey,password
May 27 11:21:49 mod_sftp/0.9.7[11081]: sending userauth success
May 27 11:21:49 mod_sftp/0.9.7[11081]: user 'XXX' authenticated via 'password' method
May 27 11:21:49 mod_sftp/0.9.7[11081]: client sent SSH_MSG_IGNORE message (160 bytes)
May 27 11:21:49 mod_sftp/0.9.7[11081]: unsupported '[email protected]' channel requested, ignoring
May 27 11:21:49 mod_sftp/0.9.7[11081]: 'subsystem' channel request for 'sftp' subsystem
May 27 11:21:49 mod_sftp/0.9.7[11081]: using SFTP protocol version 3 for this session (channel ID 0)
```

Can anyone offer any guidance as to why it behaves this way? I have searched the forums and the documentation and can find nothing on whether mod_wrap works with mod_sftp.

The proftpd.conf file looks like this:

```
# Includes DSO modules
Include /etc/proftpd/modules.conf

SetEnv TZ XXX/XXX

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 off
# If set on you can experience a longer connection delay in many cases.
IdentLookups off

ServerName "XXX"
ServerType standalone
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

# We want to hide our dot files for a reason
# - BITS, 6th October 2010
ListOptions "" strict
<Limit All>
  IgnoreHidden on
</Limit>

#
# ---
#
<Global>
  DefaultTransferMode binary
  SyslogLevel warn
  DefaultRoot ~
  DeleteAbortedStores on
  HiddenStores on
</Global>

DirFakeGroup on ~
DirFakeUser on ~
tcpNoDelay on

#
# ---
#
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayChdir .message true
#ListOptions "+R -h"
DenyFilter \*.*/

# Use this to jail all users in their homes
DefaultRoot ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell off

# Port 21 is the standard FTP port.
Port 21

#UseReverseDNS on

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 60

# Set the user and group that the server normally runs at.
User proftpd
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 002 002
# Normally, we want files to be overwriteable.
AllowOverwrite on

TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>

#
# We want to use hosts.allow and hosts.deny in individual home dirs
# for finer control on FTP logins - note these are dot files, which
# are no hidden to the users - BITS, 6th October 2010
<IfModule mod_wrap.c>
TCPAccessFiles ~/.hosts.allow ~/.hosts.deny
</IfModule>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

#
# ---- Configure SFTP module here
#
<IfModule mod_sftp.c>
<VirtualHost XXXX>
  SFTPEngine on
  SFTPLog /var/log/proftpd/sftp.log

  # Configure the server to listen on the normal SSH2 port, port 22
  Port 22

  # Configure both the RSA and DSA host keys, using the same host key
  # files that OpenSSH uses.
  SFTPHostKey /etc/ssh/ssh_host_rsa_key
  SFTPHostKey /etc/ssh/ssh_host_dsa_key

  # Configure the file used for comparing authorized public keys of users.
  SFTPAuthorizedUserKeys file:~/.ssh/authorized_keys

  # Enable compression
  SFTPCompression delayed

  RequireValidShell off

  # Allow the same number of authentication attempts as OpenSSH.
  #
  # It is recommended that you explicitly configure MaxLoginAttempts
  # for your SSH2/SFTP instance to be higher than the normal
  # MaxLoginAttempts value for FTP, as there are more ways to authenticate
  # using SSH2.
  MaxLoginAttempts 6

  # Default Values
  # channelPacketSize 32KB channelWindowSize 4GB sftpProtocolVersion 1-6
  #
  # General fixes from the mod_sftp forum
  SFTPClientMatch ".*WS_FTP.*" channelWindowSize 1GB #WS_FTP initial window size
  SFTPClientMatch ".*ClientSftp" sftpProtocolVersion 3 #CuteFTPPro8
  SFTPClientMatch ".*WinSCP.*" sftpProtocolVersion 3 #upload/download fix for WinSCP
  #
  # SecureBlackbox (SSH-2.0-SecureBlackbox.7)
  # http://www.eldos.com/sbb/download-release.php
  SFTPClientMatch ".*SecureBlackbox.*" sftpProtocolVersion 3
  #
  # GoAnywhere (SSH-2.0-1.0)
  # http://www.goanywheremft.com/products
  SFTPClientMatch "1.0" sftpProtocolVersion 3 channelWindowSize 1GB
  #
  # JaSFtp (SSH-2.0-J2SSH_Maverick_1.2.10_Sterling Commerce)
  # http://www.hiteksoftware.com/jasf/
  SFTPClientMatch ".*J2SSH_Maverick.*" channelWindowSize 1GB
  #
  # Robo-FTP (SSH-2.0-WeOnlyDo)
  # http://www.robo-ftp.com/
  SFTPClientMatch ".*WeOnlyDo.*" sftpProtocolVersion 3 channelWindowSize 1GB
  #
  # Network Automation (SSH-2.0-EldoS.SSHBlackbox.3)
  # http://www.networkautomation.com/
  SFTPClientMatch ".*EldoS.SSHBlackbox.3.*" sftpProtocolVersion 3 channelWindowSize 1GB
  #
  # /n Software BizTalk SFTP Receive (SSH-2.0-IP*Works! SSH Client v8.0)
  # http://www.nsoftware.com/products/biztalk/adapters/sftp.aspx
  SFTPClientMatch ".*IP.Works.*" channelWindowSize 1GB
  #
  # JSch - Java Secure Channel (SSH-2.0-JSCH-0.1.39)
  # http://www.jcraft.com/jsch/
  SFTPClientMatch "JSCH.*" channelWindowSize 1GB
</VirtualHost>
</IfModule>
```

Unlike Apache, directives in a ProFTPD configuration file that are not inside any <Global> or <VirtualHost> section are not automatically applied globally; this is covered in the Virtual Host howto.

This means that your mod_wrap configuration:

```
<IfModule mod_wrap.c>
  TCPAccessFiles ~/.hosts.allow ~/.hosts.deny
</IfModule>
```

applies to FTP sessions (via the "server config" section). However, your SFTP sessions are handled by the explicit <VirtualHost> at the bottom of the configuration, which is a different configuration section.

To configure/use mod_wrap for SFTP sessions, you can either copy the <IfModule mod_wrap.c> section into the SFTP <VirtualHost> section, or put the <IfModule mod_wrap.c> section inside <Global> so that it applies to all virtual hosts:

```
<Global>
  <IfModule mod_wrap.c>
    TCPAccessFiles ~/.hosts.allow ~/.hosts.deny
  </IfModule>
</Global>
```

Hope this helps!
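As an added check (not part of the question or the answer above), the script below reports which ProFTPD context each directive sits in, treating `<IfModule>` as transparent because it is a conditional rather than a context; it is a quick way to confirm that a TCPAccessFiles line has actually landed in `<Global>` or in the SFTP `<VirtualHost>` rather than in the top-level "server config". The sample configuration and the address 192.0.2.10 are constructed to mirror the layout in the question.

```python
import re
from typing import List, Tuple

# Constructed sample mirroring the question: TCPAccessFiles lives in the
# top-level "server config" context while SFTP is served by a separate
# <VirtualHost>. (Example data, not the poster's file.)
SAMPLE_CONF = """\
ServerName "example"
<IfModule mod_wrap.c>
  TCPAccessFiles ~/.hosts.allow ~/.hosts.deny
</IfModule>
<Global>
  DefaultRoot ~
</Global>
<IfModule mod_sftp.c>
  <VirtualHost 192.0.2.10>
    SFTPEngine on
    Port 22
  </VirtualHost>
</IfModule>
"""

OPEN_TAG = re.compile(r"^<(\w+)(?:\s+([^>]*))?>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")


def directive_contexts(conf: str, name: str) -> List[Tuple[str, List[str]]]:
    """Return (value, enclosing-context stack) for each occurrence of `name`.

    An empty stack means the top-level "server config" context. <IfModule>
    is a conditional, not a context, so it is neither pushed nor popped.
    """
    stack: List[str] = []
    found: List[Tuple[str, List[str]]] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = OPEN_TAG.match(line)
        if m:
            if m.group(1) != "IfModule":
                stack.append(m.group(1) + (" " + m.group(2) if m.group(2) else ""))
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if m.group(1) != "IfModule":
                stack.pop()
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == name.lower():
            found.append((parts[1] if len(parts) > 1 else "", list(stack)))
    return found


def applies_to_all_vhosts(conf: str, name: str) -> bool:
    """True when some occurrence of `name` sits inside <Global>."""
    return any(ctx and ctx[0] == "Global"
               for _, ctx in directive_contexts(conf, name))
```

Running `directive_contexts(open("/etc/proftpd/proftpd.conf").read(), "TCPAccessFiles")` on a real file shows an empty context list for exactly the situation the answer describes.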