Disk quotas (quota) let you limit how much disk space users consume and how many files they create. As a worked example, we restrict two users, user01 and user02: one on disk space used, the other on the number of files created.
First, create a new partition and mount /tmp on it.
# fdisk /dev/hda            create the partition, then re-read the partition table:
# partprobe
# mkfs -t ext3 /dev/hda7    format the partition
# mount /dev/hda7 /tmp      mount /tmp on the hda7 partition

Edit the filesystem table (/etc/fstab)

# vi /etc/fstab             add usrquota,grpquota
/dev/hda7   /tmp   ext3    defaults,usrquota,grpquota  0 0

Create the users

# useradd user01
# useradd user02
# cd /tmp
# mount -o remount /tmp
# quotacheck -cvug /tmp
# quotaon -vug /tmp         turn quota on
quotacheck automatically creates quota.user and quota.group under /tmp.

Limit user01's disk space usage

# edquota -u user01         edit the quota configuration
                     Block limits                              File limits
User            used   soft    hard     timeleft    used   soft   hard    timeleft
user01    --      0    5000   8000                         0      0      0

Block limits restrict disk space usage, in bytes; soft is the soft limit and hard the hard limit. In the example the soft limit is 5MB and the hard limit 8MB: when user01 uses more than 5MB the system warns but lets the user keep writing, and once user01 reaches 8MB, further use of /tmp is refused.
We can test this by creating relatively large files by hand:

# dd if=/dev/zero of=user01file bs=1M count=4    succeeds
# dd if=/dev/zero of=user01file bs=1M count=6    succeeds, but with a warning
# dd if=/dev/zero of=user01file bs=1M count=9    fails, exceeds the hard limit

Limit the number of files user02 may create

# edquota -u user02         edit the quota configuration
                    Block limits                              File limits
User            used   soft    hard     timeleft    used   soft   hard    timeleft
user02    --      0       0       0                         0       50      80

File limits restrict the number of files a user may create; soft and hard are, as above, the soft and hard limits, here 50 and 80. When user02 creates more than 50 files the system warns but still allows more to be created; once user02 exceeds 80 files, further file creation is refused. Note that because user02's quota applies to the /tmp directory, the /tmp directory itself counts as one file, so user02 can create at most 79 files.

We can test this by creating files by hand:
# for i in $(seq 1 60); do echo "user02file$i"; touch user02file$i; done

This creates 60 files; quota warns at this point, and once more than 80 files are created, quota stops user02 from creating any more.

# edquota -t

This sets the timeleft (grace period); here we set both to 2 minutes. Repeat the example above: user02 creates 60 files and quota prints its warning, but files can still be created. Wait 2 minutes, though, and you will find that user02 can no longer create files. That is what timeleft does: it sets how long you may stay over the soft limit.
Other related commands

# repquota              report quota usage for all users
# quota -v              view quota settings
# quotaon / quotaoff    turn quota on / off
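repquota prints the per-user usage report, which is what you would watch to catch users in their grace period before the hard limit bites. The script below is an added example, not part of the original text: it parses a constructed report in the quota-tools layout (sample data, flag column and function names are the example's own) and lists users who are over a soft limit.

```shell
#!/bin/sh
# Constructed `repquota -u /tmp` report (not real output) in the layout
# quota-tools prints. The two-character flag column encodes the state:
# first char for blocks, second for inodes; '+' = over the soft limit.
SAMPLE_REPORT='*** Report for user quotas on device /dev/hda7
Block grace time: 00:02; Inode grace time: 00:02
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --    1024       0       0              7     0     0
user01    +-    6144    5000    8000  00:01       3     0     0
user02    -+       4       0       0             60    50    80  00:01
'

# over_soft REPORT_TEXT -> "user blocks", "user inodes" or "user blocks inodes"
# for every user whose flag column shows a '+'
over_soft() {
  printf '%s\n' "$1" | awk '
    $2 ~ /^[-+][-+]$/ {
      kind = ""
      if (substr($2, 1, 1) == "+") kind = "blocks"
      if (substr($2, 2, 1) == "+") kind = (kind == "" ? "inodes" : kind " inodes")
      if (kind != "") print $1, kind
    }'
}

# count_over REPORT_TEXT -> how many users are over any soft limit
count_over() {
  over_soft "$1" | wc -l | tr -d ' '
}

over_soft "$SAMPLE_REPORT"
```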

With this we can apply the appropriate limits to users.

 

Some SSH security tips

Preface

I probably don't need to say much about the benefits of ssh.
In short, the old rpc commands and telnet can all be replaced by ssh.
For example, these common functions:
Remote login:
    ssh user@remote.machine
Remote execution:
    ssh user@remote.machine 'command ...'
Remote copy:
    scp user@remote.machine:/remote/path /local/path
    scp /local/path user@remote.machine:/remote/path
X forwarding:
    ssh -X user@remote.machine xcommand ...
Tunnel / port forwarding:
    ssh -L 1234:remote.machine:4321 user@remote.machine
    ssh -R 1234:local.machine:4321 user@remote.machine
    ssh -L 1234:other.machine:4321 user@remote.machine

I won't go into detailed usage here; please explore it yourselves.
What I want to cover are some security tips for the ssh service, so that everyone can use it with more peace of mind.

Implementation (RedHat 9 is used as the example)

1) Forbid root login
# vi /etc/ssh/sshd_config
PermitRootLogin no

2) Disable password login and force RSA authentication (assume the ssh account is user1)
# vi /etc/ssh/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys
PasswordAuthentication no
# service sshd restart
# su - user1
$ mkdir ~/.ssh 2>/dev/null
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 644 ~/.ssh/authorized_keys
--------------------------------------------------
Over on the client (this part applies to the web-controlled list set up in step 5):
In the browser, enter the URL:
http://server.machine/ssh_open/ssh_open.php?myip=1.2.3.4
(If ?myip=1.2.3.4 is omitted, the client's current IP is used, provided there is no proxy in between.)
The server's ssh_open.txt file thus holds a single record, overwritten each time.
Then:
$ telnet server.machine 1234
and you have at most 5 minutes to connect to the server with ssh!
--------------------------------------------------

Over on the client:
$ ssh-keygen -t rsa
(press Enter three times to finish; no passphrase is needed, unless you use ssh-agent)
$ scp ~/.ssh/id_rsa.pub user1@server.machine:id_rsa.pub
(On a Windows client, use puttygen.exe to generate the public key, copy it to the server and edit it so that its content is a single line.)
---------------------------------------------------

Back on the server:
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
$ exit

3) Restrict the su / sudo list:
# vi /etc/pam.d/su
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
# visudo
%wheel  ALL=(ALL)       ALL
# gpasswd -a user1 wheel

4) Restrict the list of ssh users
# vi /etc/pam.d/sshd
auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
# echo user1 >> /etc/ssh_users

5) Block ssh connections and control access through a web-managed list
# iptables -I INPUT -p tcp --dport 22 -j DROP
# mkdir /var/www/html/ssh_open
# cat > /var/www/html/ssh_open/.htaccess <<END
AuthName "ssh_open"
AuthUserFile /var/www/html/ssh_open/.htpasswd
AuthType basic
require valid-user
END
# htpasswd -c /var/www/html/ssh_open/.htpasswd user1
(It is best to also set up SSL, or better still allow only https connections; I skip the SSL setup here, please fill it in yourselves.)
(If you need to control where connections may come from, add Allow/Deny entries as well; also left to the reader.)
# cat > /var/www/html/ssh_open/ssh_open.php <<'END'
<?php
// Directory holding the ip list
$dir_path = ".";
// Filename of the ip list
$ip_list = "ssh_open.txt";

// Get the client ip
$user_ip = $_SERVER['REMOTE_ADDR'];

// Allow specifying the ip explicitly if needed
if (!empty($_GET['myip'])) {
    $user_ip = $_GET['myip'];
}

// Check the IP format: a well-formed dotted quad round-trips through ip2long/long2ip
if ($user_ip == long2ip(ip2long($user_ip))) {

    // Write the client ip to the file (single record, overwritten each time)
    if (!($file = @fopen("$dir_path/$ip_list", "w+"))) {
        echo "Permission denied!!<br>";
        echo "Pls check your rights to dir $dir_path or file $ip_list";
    } else {
        fputs($file, "$user_ip");
        fclose($file);
        echo "client ip($user_ip) has put into $dir_path/$ip_list";
    }
} else {
    echo "Invalid IP format!!<br>ssh_open.txt was not changed.";
}
?>
END
# touch /var/www/html/ssh_open/ssh_open.txt
# chmod 640 /var/www/html/ssh_open/*
# chgrp apache /var/www/html/ssh_open/*
# chmod g+w /var/www/html/ssh_open/ssh_open.txt
# chmod o+t /var/www/html/ssh_open
# service httpd restart
# mkdir /etc/iptables
# cat > /etc/iptables/sshopen.sh <<'END'
#!/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin

list_dir=/var/www/html/ssh_open
list_file=$list_dir/ssh_open.txt
chain_name=ssh_rules
mail_to=root

# flush the chain if it exists, otherwise create it and hook it into INPUT
iptables -L -n | /bin/grep -q "^Chain $chain_name" && {
       iptables -F $chain_name
       true
} || {
       iptables -N $chain_name
       iptables -I INPUT -p tcp --dport 22 -j $chain_name
}

# flush the chain when asked to (called from cron)
[ "$1" = clear ] && {
       iptables -F $chain_name
       exit 0
}

# do nothing while the list is empty
[ -s $list_file ] || exit 1

# add the accept rule for the recorded address and notify
iptables -A $chain_name -p tcp --dport 22 -s $(< $list_file) -j ACCEPT && \
echo "ssh opened to $(< $list_file) on $(date)" | mail -s "sshopen" $mail_to
END
# chmod +x /etc/iptables/sshopen.sh
# echo -e 'sshopen\t\t1234/tcp' >> /etc/services
# cat > /etc/xinetd.d/sshopen <<END
service sshopen
{
       disable         = no
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = root
       server          = /etc/iptables/sshopen.sh
}
END
# iptables -I INPUT -p tcp --dport 1234 -j ACCEPT
# cat > /etc/cron.d/sshopen <<END
*/5 * * * *     root    /etc/iptables/sshopen.sh clear
END

—————————

The basic idea of this step is as follows:
5.1) All ssh connections are blocked at the firewall.
5.2) A directory is set up under httpd, which can be protected with ssl+htpasswd+allow/deny control, and a php script in that directory records the browser's IP in a .txt text file. Depending on your scripting skill, you can pick up the browser's IP automatically or let the browser pass a parameter to specify it. The text file holds a single record, overwritten each time.
5.3) /etc/services is modified to add a new entry (xxx) with a new port (1234).
5.4) xinetd listens on that port and launches another script which configures iptables: it takes the IP from the list of step 5.2 and opens ssh to it.
5.5) A crontab entry clears the ssh-related iptables rules every few minutes. This does not affect existing connections; if you connect again after the timeout, repeat the above.

6) If you did not set up the previous step, and worry that too many people may come and try your ssh service:
# mkdir -p /etc/firewall
# cat > /etc/firewall/sshblock.sh <<'END'
#!/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin

LOG_FILE=/var/log/secure
KEY_WORD="Illegal user"
KEY_WORD1="Failed password for root"
PERM_LIST=/etc/firewall/bad.list.perm
LIMIT=5
MAIL_TO=root
IPT_SAV="$(iptables-save)"
# "Illegal user" lines end with the source address; "Failed password for root" lines carry it in field 11
bad_list=$(egrep "$KEY_WORD" $LOG_FILE | awk '{print $NF}' | xargs)
bad_list1=$(egrep "$KEY_WORD1" $LOG_FILE | awk '{print $11}' | xargs)
bad_list="$bad_list $bad_list1"

for i in $(echo -e "${bad_list// /\n}" | sort -u)
do
       # count whole-address occurrences (fixed string, word match)
       hit=$(echo $bad_list | grep -owF "$i" | wc -l)
       [ "$hit" -ge "$LIMIT" ] && {
               echo "$IPT_SAV" | grep -q "$i .*-j DROP" || {
                       echo -e "\n$i was dropped on $(date)\n" | mail -s "Drop by ${0##*/}: $i" $MAIL_TO
                       iptables -I INPUT -s $i -j DROP
               }
               egrep -q "^$i$" $PERM_LIST || echo $i >> $PERM_LIST
       }
done
END
# chmod +x /etc/firewall/sshblock.sh
# cat >> /etc/hosts.allow <<END
sshd: ALL: spawn ( /etc/firewall/sshblock.sh )& : ALLOW
END

 

This way, those guys blindly trying SSH get at most 5 attempts (LIMIT is adjustable) and are then blocked.
In addition, the IPs in PERM_LIST can be fed to the iptables init script for a permanent block:
for i in $(< $PERM_LIST)
do
       /sbin/iptables -I INPUT -s $i -j DROP
done
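The counting logic of sshblock.sh, rewritten as an added example (not the article's script): it runs over constructed /var/log/secure lines instead of the live log and prints the rules it would apply instead of calling iptables, so the threshold behaviour can be checked without root. The sample lines, LIMIT and function names are the example's own.

```shell
#!/bin/sh
# Constructed /var/log/secure excerpt (not real data). Both message forms
# that sshblock.sh keys on are present: "Illegal user" lines end with the
# source address, "Failed password for root" lines carry it after "from".
SAMPLE_LOG='Jan  1 10:00:01 host sshd[100]: Illegal user admin from 10.0.0.12
Jan  1 10:00:02 host sshd[101]: Illegal user test from 10.0.0.12
Jan  1 10:00:03 host sshd[102]: Failed password for root from 10.0.0.12 port 40001 ssh2
Jan  1 10:00:04 host sshd[103]: Illegal user oracle from 10.0.0.12
Jan  1 10:00:05 host sshd[104]: Failed password for root from 10.0.0.12 port 40002 ssh2
Jan  1 10:00:06 host sshd[105]: Illegal user guest from 10.0.0.1
Jan  1 10:00:07 host sshd[106]: Accepted publickey for user1 from 192.168.1.5 port 5000 ssh2
Jan  1 10:00:08 host sshd[107]: Failed password for root from 192.0.2.7 port 4000 ssh2
'
LIMIT=5

# offenders LOG_TEXT LIMIT -> addresses with at least LIMIT hits, one per line.
# Counting is done per whole address in awk, so 10.0.0.1 is never credited
# with hits that belong to 10.0.0.12 (a regex substring match such as
# `egrep -o "$i"` would also treat the dots of the address as wildcards).
offenders() {
  printf '%s' "$1" | awk -v limit="$2" '
    /Illegal user/ || /Failed password for root/ {
      for (i = 1; i < NF; i++) if ($i == "from") hits[$(i + 1)]++
    }
    END { for (ip in hits) if (hits[ip] >= limit) print ip }' | sort
}

# plan_rules LOG_TEXT LIMIT -> the DROP rules the script would insert,
# printed rather than executed
plan_rules() {
  offenders "$1" "$2" | while read -r ip; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
  done
}

plan_rules "$SAMPLE_LOG" "$LIMIT"
```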

7) And if you want to know who is doing a full-range port scan against you:
# iptables -I INPUT -p tcp --dport 79 -j ACCEPT
# cat > /etc/xinetd.d/finger <<END
service finger
{
       socket_type     = stream
       wait            = no
       user            = nobody
       server          = /usr/sbin/in.fingerd
       disable         = no
}
END
# cat >> /etc/hosts.allow <<'END'
in.fingerd: ALL : spawn ( echo -e "\nWARNING %a was trying finger.\n$(date)" | mail -s "finger from %a" root ) & : DENY
END

 

Here I only have it send mail to root.
In fact, you could change it to trigger the firewall and ban the address returned in %a instead.
Of course, if the other side does a selective port scan and never touches finger, this is no use.

Closing

There are quite a few fun little security tricks; I will share more with everyone when I have time... ^_^

When Linux serves as a network server, and especially as a router or gateway, collecting and analysing traffic is indispensable. So today we look at TcpDump, Linux's powerful network packet capture and analysis tool.

As its name suggests, TcpDump captures the headers of the packets travelling across the network in full for analysis. It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you discard useless information.

Like other software used from the Linux terminal, TcpDump is driven by command-line arguments; this article explains them with examples.

Filtering data
Run without any arguments, TcpDump searches all network interfaces on the system and displays everything it captures. We do not necessarily need all of it, and too much data hampers analysis. So we should first decide which data we need; TcpDump offers the following arguments to select it:

-b selects a protocol at the data-link layer; ip, arp, rarp and ipx all belong to this layer.

For example: tcpdump -b arp shows only ARP (Address Resolution Protocol) traffic on the network.

-i selects the network interface to filter on. A router has at least two network interfaces, and with this option only the traffic passing through the specified interface is filtered. For example:

tcpdump -i eth0 shows only the headers passing through interface eth0.

src, dst, port, host, net, ether and gateway can each take the additional qualifiers src, dst, port, host, net and ehost. They distinguish where a packet comes from and where it is going: src host 192.168.0.1 specifies a source host IP address of 192.168.0.1, dst net 192.168.0.0/24 specifies network 192.168.0.0 as the destination. Likewise, host matches the given host whether it is the source or the destination, net matches the given network, ether is followed by a hardware address rather than an IP address, and gateway is used for gateway hosts. It may sound a bit complicated, but the examples below make it clear:

tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24

filters headers with source host 192.168.0.1 and destination network 192.168.0.0.

tcpdump ether src 00:50:04:BA:9B and dst……

filters headers whose source hardware address is XXX (why is there no host or net after ether src? A hardware address cannot have a network, of course).

tcpdump src host 192.168.0.1 and dst port not telnet

filters headers with source host 192.168.0.1 and a destination port other than telnet.

ip, icmp, arp, rarp and tcp, udp, icmp: these options must be placed in the first argument position and filter on the type of datagram. For example:

tcpdump ip src……

filters only IP headers at the data-link layer.

tcpdump udp and src host 192.168.0.1

filters only UDP headers from source host 192.168.0.1.

Data display / input and output
TcpDump provides enough options for us to choose how to handle the data obtained, as follows:

-l lets the output be redirected.

For example tcpdump -l >tcpcap.txt stores the captured data in the file tcpcap.txt.

-n does not translate IP addresses to host names.

Without this option, when a host name exists for some host, TcpDump shows its IP address as a host name, like this: eth0 < ntc9.1165 > router.domain.net.telnet. With -n it becomes: eth0 < 192.168.0.9.1165 > 192.168.0.1.telnet.

-nn does not translate port names.

The line above with -nn becomes: eth0 < ntc9.1165 > router.domain.net.23.

-N does not print the default domain name.

The same line with -N is: eth0 < ntc9.1165 > router.telnet.

-O does not optimise the packet-matching code.
-t does not print the UNIX timestamp, i.e. no time is shown.
-tt prints the raw, unformatted timestamp.
-v verbose output, i.e. TTL and type of service in addition to the normal output.

Well, after all this, don't you think TcpDump is a great tool? It has many more features than space allows here; reading the help pages carefully will reward you handsomely, and it is something of a shortcut into the Linux world.

Contents:
  • Introduction
  • The Basics
  • Active FTP
  • Active FTP Example
  • Passive FTP
  • Passive FTP Example
  • Summary
  • References
  • Appendix 1: Configuration of Common FTP Servers

Introduction

One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the difference between active and passive FTP and how best to support either or both of them. Hopefully the following text will help to clear up some of the confusion over how to support FTP in a firewalled environment.

This may not be the definitive explanation, as the title claims, however, I’ve heard enough good feedback and seen this document linked in enough places to know that quite a few people have found it to be useful. I am always looking for ways to improve things though, and if you find something that is not quite clear or needs more explanation, please let me know! Recent additions to this document include the examples of both active and passive command line FTP sessions. These session examples should help make things a bit clearer. They also provide a nice picture into what goes on behind the scenes during an FTP session. Now, on to the information…

The Basics

FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a ‘data’ port and a ‘command’ port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.

Active FTP

In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server’s command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client’s specified data port from its local data port, which is port 20.

From the server-side firewall’s standpoint, to support active mode FTP the following communication channels need to be opened:

  • FTP server’s port 21 from anywhere (Client initiates connection)
  • FTP server’s port 21 to ports > 1024 (Server responds to client’s control port)
  • FTP server’s port 20 to ports > 1024 (Server initiates data connection to client’s data port)
  • FTP server’s port 20 from ports > 1024 (Client sends ACKs to server’s data port)

When drawn out, the connection appears as follows:

In step 1, the client’s command port contacts the server’s command port and sends the command PORT 1027. The server then sends an ACK back to the client’s command port in step 2. In step 3 the server initiates a connection on its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.

The main problem with active mode FTP actually falls on the client side. The FTP client doesn’t make the actual connection to the data port of the server–it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client–something that is usually blocked.

Active FTP Example

Below is an actual example of an active FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.

There are a few interesting things to consider about this dialog. Notice that when the PORT command is issued, it specifies a port on the client (192.168.150.80) system, rather than the server. We will see the opposite behavior when we use passive FTP. While we are on the subject, a quick note about the format of the PORT command. As you can see in the example below it is formatted as a series of six numbers separated by commas. The first four octets are the IP address while the second two octets comprise the port that will be used for the data connection. To find the actual port multiply the fifth octet by 256 and then add the sixth octet to the total. Thus in the example below the port number is ( (14*256) + 178), or 3762. A quick check with netstat should confirm this information.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,150,80,14,178
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for file list.
drwx------   3 slacker    users         104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.


Passive FTP

In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall’s standpoint, to support passive mode FTP the following communication channels need to be opened:

  • FTP server’s port 21 from anywhere (Client initiates connection)
  • FTP server’s port 21 to ports > 1024 (Server responds to client’s control port)
  • FTP server’s ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server’s ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client’s data port)

When drawn, a passive mode FTP connection looks like this:

In step 1, the client contacts the server on the command port and issues the PASV command. The server then replies in step 2 with PORT 2024, telling the client which port it is listening to for the data connection. In step 3 the client then initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client’s data port.

While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD allow the administrator to specify a range of ports which the FTP server will use. See Appendix 1 for more information.

The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode. As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client, such as ncftp.

With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the servers and firewalls are configured to support.

Passive FTP Example

Below is an actual example of a passive FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.

Notice the difference in the PORT command in this example as opposed to the active FTP example. Here, we see a port being opened on the server (192.168.150.90) system, rather than the client. See the discussion about the format of the PORT command above, in the Active FTP Example section.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,168,150,90,195,149).
---> LIST
150 Opening ASCII mode data connection for file list
drwx------   3 slacker    users         104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.
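Decoding the comma-separated host-port string, as an added example that is not part of the original article: the same rule (fifth value times 256 plus the sixth) covers the PORT command in the Active FTP Example above and the 227 reply in the Passive FTP Example, which is what a firewall or admin reading a capture has to do to learn which data port to expect. The function names, the accepted input shapes and the 0..255 range check are the example's own assumptions.

```shell
#!/bin/sh
# ftp_hostport STRING -> "a.b.c.d:port" decoded from the six comma-separated
# numbers of a PORT command or a 227 reply; returns 1 on malformed input.
# Accepts "PORT h1,h2,h3,h4,p1,p2" as well as
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." (assumed input shapes).
ftp_hostport() {
  hp=${1##*\(}; hp=${hp%%\)*}; hp=${hp##* }    # isolate the number list
  oldifs=$IFS; IFS=,; set -- $hp; IFS=$oldifs   # split on commas
  [ $# -eq 6 ] || return 1
  for n in "$@"; do                             # every value is a decimal 0..255
    case $n in *[!0-9]*|'') return 1 ;; esac
    [ "$n" -le 255 ] || return 1
  done
  printf '%s.%s.%s.%s:%s\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# ftp_encode IP PORT -> the comma form a client puts in PORT (or a server in 227)
ftp_encode() {
  port=$2
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  printf '%s,%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4" $(( port / 256 )) $(( port % 256 ))
}

ftp_hostport 'PORT 192,168,150,80,14,178'                          # active session above
ftp_hostport '227 Entering Passive Mode (192,168,150,90,195,149).'  # passive session above
```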

Summary

The following chart should help admins remember how each FTP mode works:

Active FTP :
    command : client >1024 -> server 21
    data    : client >1024 <- server 20

Passive FTP :
    command : client >1024 -> server 21
    data    : client >1024 -> server >1024

A quick summary of the pros and cons of active vs. passive FTP is also in order:

Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

Luckily, there is somewhat of a compromise. Since admins running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high level ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn’t eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.

References

An excellent reference on how various internet protocols work and the issues involved in firewalling them can be found in the O’Reilly and Associates book, Building Internet Firewalls, 2nd Ed, by Brent Chapman and Elizabeth Zwicky.

Finally, the definitive reference on FTP would be RFC 959, which sets forth the official specifications of the FTP protocol. RFCs can be downloaded from numerous locations, including ftp://nic.merit.edu/documents/rfc/rfc0959.txt.

UUCP is short for Unix-to-Unix Copy. It started out as a package of programs to transfer files over serial lines, to schedule those transfers, and to initiate the execution of programs on remote sites. It has undergone major changes since its first implementation in the late 1970s, but it is still a workhorse for the services it offers. Its main application is still in wide-area networks based on dial-up telephone links.

UUCP was first developed at Bell Laboratories in 1977 for communication between their Unix development sites. By mid-1978 this network already connected over 80 sites. It ran electronic mail as an application, as well as remote printing. However, the system's central use was in distributing new software and bug fixes. Today UUCP is no longer confined to that environment. There are free and commercial ports available for many platforms, including AmigaOS, DOS, Atari's TOS, and so on.

One of the main disadvantages of UUCP networks is their low bandwidth. On the one hand, telephone equipment places tight limits on the maximum transfer rate. On the other hand, UUCP links are rarely permanent connections; instead, hosts dial each other at regular intervals. Hence, most of the time a mail message travelling through a UUCP network sits idle on some host's disk, waiting until the next connection is established.

Despite these limitations, there are still many UUCP networks operating all over the world, run mainly by hobbyists, which offer private users network access at reasonable prices. The main reason for UUCP's popularity is that it is dirt cheap compared with having your computer connected to the big Internet cable. To make your computer a UUCP node, all you need is a modem, a working UUCP implementation, and another UUCP node that is willing to feed you mail and news.
    尽管有这些限制,仍然有许多 UUCP 网络在整个世界中操作,主要由业余爱好者运行,它提供私人用户在合理价格上的联网存取。UUCP流行的主要的原因是,它与把你的计算机与大的因特网电缆线联接起来相比是极便宜的。使你的计算机成 UUCP 节,你所需要的就是一个调制解调器,一个工作的UUCP实现,以及愿意给你发送邮件和新闻的另外一个UUCP节点。