Syncing the prototype to the test server
Serving the pages through nginx
Reuse the existing server block on port 7185 and add a mapping for the /product/ path to it.
server {
    listen 7185;
    error_page 404 403 /error/error-404.html;
    error_page 500 502 503 504 /error/error-500.html;
    client_max_body_size 20m;
    # Enable directory listings. This applies to every location in the block,
    # so each location must stay behind auth_basic.
    autoindex on;
    # Default is on (exact size in bytes); off shows rounded sizes in kB/MB/GB.
    autoindex_exact_size off;
    # Default is off (file times shown in GMT); on shows the server's local time.
    autoindex_localtime on;
    # Tell the browser not to keep a cached copy of anything served here.
    add_header Cache-Control no-store;
    # Avoid garbled Chinese file names in listings. charset takes a single
    # charset name; the original value "utf-8,gbk" is not one.
    charset utf-8;
    location /android/ {
        auth_basic "viva auth";
        auth_basic_user_file /cjdata/vivachekcloud/nginx/passwd/htpasswd;
        alias /cjdata/android_deploy/9801/;
    }
    location /java/service/install/ {
        auth_basic "viva auth";
        auth_basic_user_file /cjdata/vivachekcloud/nginx/passwd/htpasswd;
        alias /cjdata/vivachekcloud_service_install/;
    }
    location /product/ {
        auth_basic "viva auth";
        auth_basic_user_file /cjdata/vivachekcloud/nginx/passwd/htpasswd;
        alias /cjdata/vivachekcloud_product/;
    }
}
Unzip the prototype and upload the files to /cjdata/vivachekcloud_product; after entering the password the pages can be opened in a browser. (The password is the one used for the previous item.)
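The location/alias pairs above all end both paths with a slash, and that detail matters: with alias, a prefix location written without the trailing slash ("location /product {") maps a request for /product../ onto /cjdata/vivachekcloud_product/../, one directory above the intended one. The following is an added example, not part of the original post, of a small shell check for that mismatch; the function names and the sample config it scans are mine (the sample reuses the paths from this page).

```shell
#!/bin/sh
# Added example: flag nginx prefix locations whose trailing slash does not
# match their alias. "location /product {" with "alias /data/product/;" maps
# a request for /product../ to /data/product/../ (off-by-slash traversal);
# "/product/" with "/cjdata/vivachekcloud_product/" as on this page is safe.

# check_alias_slash: read an nginx config on stdin, print one line per
# mismatched pair, exit 1 if any mismatch was found, 0 otherwise.
# Only plain prefix locations ("location /path {") are examined.
check_alias_slash() {
    awk '
        BEGIN { bad = 0 }
        $1 == "location" && $2 ~ /^\// { loc = $2; sub(/\{$/, "", loc); next }
        $1 == "alias" && loc != "" {
            a = $2; sub(/;$/, "", a)
            loc_slash = (loc ~ /\/$/); alias_slash = (a ~ /\/$/)
            if (loc_slash != alias_slash) {
                printf "MISMATCH: location %s -> alias %s\n", loc, a
                bad = 1
            }
            loc = ""
        }
        $1 == "}" { loc = "" }
        END { exit bad }
    '
}

# Constructed sample config (not the page's file): the first block is the safe
# form used on this page, the second is the off-by-slash variant.
SAMPLE_CONF='
server {
    listen 7185;
    location /product/ {
        auth_basic "viva auth";
        alias /cjdata/vivachekcloud_product/;
    }
    location /android {
        alias /cjdata/android_deploy/9801/;
    }
}'

# Run on the constructed sample: prints the /android mismatch and returns 1.
printf '%s\n' "$SAMPLE_CONF" | check_alias_slash || echo "one or more alias mappings need fixing"
```

Run it on the live file with `check_alias_slash < /cjdata/vivachekcloud/nginx/conf/nginx.conf` before `nginx -t` and the reload. Regex and exact-match locations are skipped; this config uses only prefix locations.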
Uploading files via FTP
Give the product manager a dedicated FTP account and password. No shell login, no leaving the home directory, and login only over the FTP or SFTP protocol.
Reference: https://blog.csdn.net/pcn01/article/details/104395762
Reference: https://www.jianshu.com/p/f24d8ca565d7
vsftpd approach
- useradd product -d /cjdata/vivachekcloud_product -s /sbin/nologin (or /bin/false): no shell login allowed
- passwd: assign a password
- /etc/vsftpd.conf: confine the user to its home directory (chroot_local_user=YES)
- If FTP active mode is used:
  - the server firewall / cloud security group must open ports 20 and 21,
  - the client firewall must allow inbound connections (the crude option is to turn off the PC's firewall),
  - NAT on the path must support it (tested: it does)
- If FTP passive mode is used:
  - the server firewall / cloud security group must open port 21 plus a port range, e.g. 60000-60100
# Add the product manager's account with no login shell. The password must later be changed to a stronger one.
useradd product -r -m -d /cjdata/vivachekcloud_product/ -s /bin/false
passwd product
vim /etc/pam.d/vsftpd
# Comment out the shell check. Otherwise, because neither /bin/false nor /sbin/nologin is listed in /etc/shells,
# the product account is rejected at FTP login with a "password incorrect" error.
# Disabling pam_shells here affects only vsftpd's PAM stack. Do not instead add /bin/false to /etc/shells:
# that file is consulted by other services as well (chsh and every other pam_shells user).
#auth required pam_shells.so
vim /etc/vsftpd.conf
# Turn off listen_ipv6=YES and set listen=YES instead (the two are mutually exclusive);
# otherwise pasv_address=47.111.0.135 for passive mode does not work correctly with the IPv6 listener.
Confirm that product cannot log in over ssh. As shown below, once the password check (not echoed) completes, the connection is closed immediately:
[C:\~]$ ssh product@47.111.0.135
Connecting to 47.111.0.135:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-187-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
New release '18.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Welcome to Alibaba Cloud Elastic Compute Service !
Last login: Fri May 27 09:07:25 2022 from 122.225.203.196
Connection closed.
Disconnected from remote host(47.111.0.135:22) at 09:18:41.
Confirm that FTP login works

Type: FTP, port 7186, user name product

Encoding: use utf-8 throughout. "Use passive mode" can be ticked or not (both active and passive mode are configured). Transfer type: ASCII. (Note that ASCII mode rewrites line endings, which corrupts images and other binary files in the prototype; binary mode is safe for every file type.)
sftp approach
- useradd product -d /cjdata/vivachekcloud_product (the account was already created when configuring vsftpd above; skip this step)
- Create a password (or an RSA key pair) for login (likewise already done above; skip this step)
- Restrict product in /etc/ssh/sshd_config so it cannot leave its home directory
- Use setfacl to set directory permissions (no reading of other directories)
When vsftpd was configured above, the product account was created and given a password, but its login shell was set to /bin/false or /sbin/nologin, which in practice refuses login.
# Temporarily change product's login shell to /bin/bash to make verifying the sftp configuration easier
usermod -s /bin/bash product
getent passwd product
# Shows: product:x:998:997::/cjdata/vivachekcloud_product:/bin/bash
# confirming the login shell is now bash
# ssh product@47.111.0.135 now also logs in successfully
vim /etc/ssh/sshd_config
# Comment out the existing Subsystem line (the path varies by distribution; on Ubuntu it is /usr/lib/openssh/sftp-server)
# and use internal-sftp instead: sshd's built-in sftp server, which needs no binaries or libraries inside the chroot.
# Keep this comment on its own line: older OpenSSH releases pass trailing text on a Subsystem line to the command as arguments.
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# Append the restrictions for product at the end of the file (every directive after a Match line belongs to that block
# until the next Match). ChrootDirectory and every directory above it must be owned by root and not writable by group or others (755).
Match User product
    ChrootDirectory /cjdata/vivachekcloud_product
    X11Forwarding no
    AllowTcpForwarding no
    #PermitTTY no
    ForceCommand internal-sftp
Reference: https://qastack.cn/server/584986/bad-ownership-or-modes-for-chroot-directory-component
# The ChrootDirectory configured in sshd_config above requires that it and every parent directory be owned by root and not writable by group or others (755)
chown root:root /cjdata/vivachekcloud_product
chmod 0755 /cjdata/vivachekcloud_product
# But now product's home directory /cjdata/vivachekcloud_product is owned by root with mode 755,
# which breaks the earlier vsftpd setup: product can no longer create files in its own home directory.
# My workaround is to add one more directory level underneath:
cd /cjdata/vivachekcloud_product
mkdir product
chown product:product product
# Point product's home directory at the new subdirectory
usermod -d /cjdata/vivachekcloud_product/product product
Update the nginx configuration
vim /cjdata/vivachekcloud/nginx/conf/nginx.conf
# Find and change the following block (the mapped directory is now /cjdata/vivachekcloud_product/product/)
location /product/ {
    auth_basic "viva auth";
    auth_basic_user_file /cjdata/vivachekcloud/nginx/passwd/htpasswd;
    alias /cjdata/vivachekcloud_product/product/;
}
First comment out the block below in /etc/ssh/sshd_config and confirm that the FTP client can still log in and that ssh login also works
#Match User product
#    ChrootDirectory /cjdata/vivachekcloud_product
#    X11Forwarding no
#    AllowTcpForwarding no
#    #PermitTTY no
#    ForceCommand internal-sftp
Restart sshd
systemctl restart sshd
Because product's login shell was temporarily changed to /bin/bash above, the product user can log in over ssh in this state:
[C:\~]$ ssh product@47.111.0.135
Connecting to 47.111.0.135:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-187-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
New release '18.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Welcome to Alibaba Cloud Elastic Compute Service !
Last login: Sat May 28 09:23:52 2022 from 60.191.35.227
/usr/bin/xauth: file /cjdata/vivachekcloud_product/product/.Xauthority does not exist
product@iZbp16oop9hm8ts5lixv9oZ:~$ ls
青海大屏-修改版(整合两病、院内、院外)
product@iZbp16oop9hm8ts5lixv9oZ:~$ pwd
/cjdata/vivachekcloud_product/product
product@iZbp16oop9hm8ts5lixv9oZ:~$ exit
logout
Now uncomment the block in /etc/ssh/sshd_config
Match User product
    ChrootDirectory /cjdata/vivachekcloud_product
    X11Forwarding no
    AllowTcpForwarding no
    #PermitTTY no
    ForceCommand internal-sftp
Restart sshd
systemctl restart sshd
Now ssh login fails, and the server reports that only sftp connections are allowed:
[C:\~]$ ssh product@47.111.0.135
Connecting to 47.111.0.135:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
This service allows sftp connections only.
Connection closed.
Disconnected from remote host(47.111.0.135:22) at 09:17:21.
Change product's login shell back to /bin/false to block login further
usermod -s /bin/false product
getent passwd product
# Shows: product:x:998:997::/cjdata/vivachekcloud_product/product:/bin/false
Try ssh login again
[C:\~]$ ssh product@47.111.0.135
Connecting to 47.111.0.135:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
This service allows sftp connections only.
Connection closed.
Disconnected from remote host(47.111.0.135:22) at 09:26:32.
Same message. sshd applies the Match restrictions first: ForceCommand internal-sftp runs the sftp server inside sshd itself and never executes the login shell, so the connection is closed before /bin/false would ever come into play. The shell setting is defence in depth here.
At this point the product user can connect to the server over both FTP and SFTP, each protocol confines the user to files under its own home directory, and shell login is blocked.
PS: FTP sends the password in clear text. vsftpd can also be configured with SSL/TLS (FTPS); that was not done here, only shell login was restricted. Alternatively, vsftpd can be configured with virtual users that exist only inside vsftpd and are used for nothing but FTP.
PS: The password assigned to product during testing is rather simple; assign a more complex one.
A minor issue
vsftpd was configured for FTP active mode. With the default listen_port=21 it works fine when tested from other servers (using the server's ports 20 and 21);
after changing the listening port to something else, e.g. listen_port=7186, active mode can still log in, but every FTP command that involves a data transfer fails. Active mode is unusable.
The following is from a command-line FTP client:
[C:\~]$ ftp 47.111.0.135:7186
Connecting to 47.111.0.135:7186...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
220 (vsFTPd 3.0.3)
Name (47.111.0.135:wangjm): product
331 Please specify the password.
Password:
230 Login successful.
ftp:/cjdata/vivachekcloud_product/product> ls
227 Entering Passive Mode (47,111,0,135,28,22).
150 Here comes the directory listing.
青海大屏-修改版(整合两病、院内、院外)
226 Directory send OK.
ftp:/cjdata/vivachekcloud_product/product> passive
Passive mode off.
ftp:/cjdata/vivachekcloud_product/product> ls
500 Illegal PORT command.
ftp:/cjdata/vivachekcloud_product/product>
tcpdump was running on the server at the same time:
root@iZbp16oop9hm8ts5lixv9oZ:~# tcpdump -nn host 60.191.35.227 and ! port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:21:45.381346 IP 60.191.35.227.5935 > 172.16.1.84.7186: Flags [P.], seq 3763057112:3763057117, ack 431556165, win 1024, length 5
10:21:45.381427 IP 172.16.1.84.7186 > 60.191.35.227.5935: Flags [P.], seq 1:71, ack 5, win 229, length 70
10:21:45.443635 IP 60.191.35.227.5935 > 172.16.1.84.7186: Flags [.], ack 71, win 1023, length 0
10:21:45.804622 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [S], seq 3164261673, win 64240, options [mss 1448,nop,wscale 8,nop,nop,sackOK], length 0
10:21:45.804672 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [S.], seq 2759782746, ack 3164261674, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
10:21:45.815541 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [.], ack 1, win 1029, length 0
10:21:45.818518 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [P.], seq 1:21, ack 1, win 229, length 20
10:21:45.878045 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [.], ack 21, win 1029, length 0
10:21:51.087899 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [P.], seq 1:15, ack 21, win 1029, length 14
10:21:51.087930 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [.], ack 15, win 229, length 0
10:21:51.087995 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [P.], seq 21:55, ack 15, win 229, length 34
10:21:51.141648 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [.], ack 55, win 1029, length 0
10:21:53.500207 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [P.], seq 15:28, ack 55, win 1029, length 13
10:21:53.538708 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [.], ack 28, win 229, length 0
10:21:53.714292 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [P.], seq 55:78, ack 28, win 229, length 23
10:21:53.722845 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [P.], seq 28:33, ack 78, win 1029, length 5
10:21:53.722869 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [.], ack 33, win 229, length 0
10:21:53.722925 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [P.], seq 78:148, ack 33, win 229, length 70
10:21:53.782464 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [.], ack 148, win 1028, length 0
10:21:57.545311 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [P.], seq 33:39, ack 148, win 1028, length 6
10:21:57.545549 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [P.], seq 148:197, ack 39, win 229, length 49
10:21:57.560723 IP 60.191.35.227.6442 > 172.16.1.84.7190: Flags [S], seq 1595002629, win 64240, options [mss 1448,nop,wscale 8,nop,nop,sackOK], length 0
10:21:57.560754 IP 172.16.1.84.7190 > 60.191.35.227.6442: Flags [S.], seq 1676491428, ack 1595002630, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
10:21:57.604283 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [.], ack 197, win 1028, length 0
10:21:58.558697 IP 172.16.1.84.7190 > 60.191.35.227.6442: Flags [S.], seq 1676491428, ack 1595002630, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
10:21:58.570559 IP 60.191.35.227.6442 > 172.16.1.84.7190: Flags [S], seq 1595002629, win 64240, options [mss 1448,nop,wscale 8,nop,nop,sackOK], length 0
10:21:58.570574 IP 172.16.1.84.7190 > 60.191.35.227.6442: Flags [S.], seq 1676491428, ack 1595002630, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
10:21:58.570617 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [P.], seq 39:45, ack 197, win 1028, length 6
10:21:58.573111 IP 60.191.35.227.6442 > 172.16.1.84.7190: Flags [.], ack 1, win 1029, length 0
10:21:58.573227 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [P.], seq 197:236, ack 45, win 229, length 39
10:21:58.573275 IP 172.16.1.84.7190 > 60.191.35.227.6442: Flags [P.], seq 1:61, ack 1, win 229, length 60
10:21:58.573294 IP 172.16.1.84.7190 > 60.191.35.227.6442: Flags [F.], seq 61, ack 1, win 229, length 0
10:21:58.585123 IP 60.191.35.227.6442 > 172.16.1.84.7190: Flags [.], ack 1, win 1029, options [nop,nop,sack 1 {0:1}], length 0
10:21:58.629438 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [.], ack 236, win 1028, length 0
10:21:58.818711 IP 172.16.1.84.7190 > 60.191.35.227.6442: Flags [F.], seq 61, ack 1, win 229, length 0
10:21:59.066714 IP 172.16.1.84.7190 > 60.191.35.227.6442: Flags [FP.], seq 1:61, ack 1, win 229, length 60
10:21:59.078859 IP 60.191.35.227.6442 > 172.16.1.84.7190: Flags [.], ack 62, win 1029, length 0
10:21:59.078939 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [P.], seq 236:260, ack 45, win 229, length 24
10:21:59.079374 IP 60.191.35.227.6442 > 172.16.1.84.7190: Flags [F.], seq 1, ack 62, win 1029, length 0
10:21:59.079394 IP 172.16.1.84.7190 > 60.191.35.227.6442: Flags [.], ack 2, win 229, length 0
10:21:59.127612 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [.], ack 260, win 1028, length 0
10:22:05.323784 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [P.], seq 45:71, ack 260, win 1028, length 26
10:22:05.323962 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [P.], seq 260:287, ack 71, win 229, length 27
10:22:05.379559 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [.], ack 287, win 1028, length 0
10:22:45.374890 IP 60.191.35.227.5935 > 172.16.1.84.7186: Flags [P.], seq 5:10, ack 71, win 1023, length 5
10:22:45.374965 IP 172.16.1.84.7186 > 60.191.35.227.5935: Flags [P.], seq 71:141, ack 10, win 229, length 70
10:22:45.438281 IP 60.191.35.227.5935 > 172.16.1.84.7186: Flags [.], ack 141, win 1029, length 0
10:22:45.832489 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [P.], seq 71:76, ack 287, win 1028, length 5
10:22:45.832594 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [P.], seq 287:357, ack 76, win 229, length 70
10:22:45.893667 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [.], ack 357, win 1028, length 0
10:23:45.379642 IP 60.191.35.227.5935 > 172.16.1.84.7186: Flags [P.], seq 10:15, ack 141, win 1029, length 5
10:23:45.379709 IP 172.16.1.84.7186 > 60.191.35.227.5935: Flags [P.], seq 141:211, ack 15, win 229, length 70
10:23:45.437325 IP 60.191.35.227.5935 > 172.16.1.84.7186: Flags [.], ack 211, win 1029, length 0
10:23:45.825648 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [P.], seq 76:81, ack 357, win 1028, length 5
10:23:45.825766 IP 172.16.1.84.7186 > 60.191.35.227.6437: Flags [P.], seq 357:427, ack 81, win 229, length 70
10:23:45.887349 IP 60.191.35.227.6437 > 172.16.1.84.7186: Flags [.], ack 427, win 1027, length 0
Here 172.16.1.84 is the private address of the test server 47.111.0.135, and 7186 is vsftpd's listening port. The FTP client's public IP turned out to be 60.191.35.227, so tcpdump filtered the TCP traffic exchanged with that host and excluded the ssh packets. The first ls ran in passive mode: "227 Entering Passive Mode (47,111,0,135,28,22)" means data port 28*256+22 = 7190, and the capture shows that data connection (172.16.1.84.7190) being opened, carrying the 60-byte listing and closing. After switching to active mode the exchange stalls at the data-transfer step: the server answers the PORT command with 500 and never opens a data connection (neither from port 20 nor from any other port).
My guess: in FTP active mode the server's port 20 connects out to the port specified by the client. A NAT gateway on the path recognises packets from ports 20 and 21 as FTP and rewrites the client-specified address and port so that the protocol keeps working. When FTP runs on another port, the NAT gateway cannot recognise the protocol and active mode fails.
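The 500 reply above is consistent with that guess. vsftpd, with port_promiscuous=NO (its default), accepts a PORT command only if the address in it equals the peer address of the control connection and the port is not below 1024; a client behind NAT sends its private address, and only an FTP-aware NAT that recognises the control connection (normally on port 21) rewrites it. The following is an added example, not from the original post, that decodes the h1,h2,h3,h4,p1,p2 tuples used in PORT commands and 227 replies (the 227 here is the one from the session above, giving data port 28*256+22 = 7190, the port visible in the tcpdump) and reproduces vsftpd's PORT check; the function names and the 192.168.1.10 client address are mine.

```shell
#!/bin/sh
# Added example (not from the original post): decode the host/port tuples
# used by FTP PORT commands and 227 PASV replies, and reproduce the check
# vsftpd applies to PORT when port_promiscuous=NO (its default): the address
# must equal the control connection's peer and the port must not be a
# privileged one (< 1024); otherwise it answers "500 Illegal PORT command."

# decode_hostport "h1,h2,h3,h4,p1,p2" -> prints "h1.h2.h3.h4 port"
decode_hostport() {
    IFS=, read -r h1 h2 h3 h4 p1 p2 <<EOF
$1
EOF
    echo "$h1.$h2.$h3.$h4 $(( p1 * 256 + p2 ))"
}

# pasv_data_port "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -> prints the data port
pasv_data_port() {
    t=${1#*"("}
    t=${t%%")"*}
    set -- $(decode_hostport "$t")
    echo "$2"
}

# port_check PEER_IP "h1,h2,h3,h4,p1,p2"
# Prints the vsftpd-style reply; returns 0 when the PORT would be accepted.
port_check() {
    peer=$1
    set -- $(decode_hostport "$2")
    addr=$1 port=$2
    if [ "$addr" != "$peer" ] || [ "$port" -lt 1024 ]; then
        echo "500 Illegal PORT command."
        return 1
    fi
    echo "200 PORT command successful. Consider using PASV."
    return 0
}

# Constructed inputs: the 227 reply seen in the session on this page, and a
# PORT as a client behind NAT would send it unrewritten (its private address
# 192.168.1.10 instead of the public 60.191.35.227 the server sees).
pasv_data_port "227 Entering Passive Mode (47,111,0,135,28,22)."
port_check 60.191.35.227 "192,168,1,10,23,112" || :
port_check 60.191.35.227 "60,191,35,227,23,112"
```

The same check explains why passive mode is unaffected by the non-standard control port: in PASV the client connects to the server, so no address chosen by the client has to survive the NAT.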