模板
教程
环境
性能
功能
管理
为什么/etc/ftpaccess中的limit没有起作用?
发表于:2007-05-26来源:作者:点击数:
标签:
我的/etc/ftpaccess: loginfails3 classallreal,guest,anonymous* classtrustreal222.222.222.1222.222.222.2 limitall0Any/tmp/a limittrust10Any/tmp/a 目的是禁止除了trust中的地址之外的机器访问。 /tmp/a也是存在的,但是没有起作用,我从其他的IP地址f
我的/etc/ftpaclearcase/" target="_blank" >ccess:
loginfails 3
class all real,guest,anonymous *
class trust real 222.222.222.1 222.222.222.2
limit all 0 Any /tmp/a
limit trust 10 Any /tmp/a
目的是禁止除了trust中的地址之外的机器访问。
/tmp/a也是存在的,但是没有起作用,我从其他的IP地址ftp过来,仍然可以。
/etc/ftpaccess文件中的其他语法可以。例如
banner /tmp/msg
deny 222.222.222.*
等,都好用,但是limit确不好用。不知道为什么。看man,应该是好用的啊。
我的sco是5.0.5,ftp应该是wu-2.1的吧。
| CNL 回复于:2004-11-09 15:09:53 |
| limit目的用于流量控制, 如果limit之间互相冲突,则前面的设置自动失效
你两行limit有冲突,第2条limit的turst自身也是all中的成员,所以第1条limit all会失效 你的需求应该通过设置/etc/ftphosts中的allow和deny实现。 |
| RunOut 回复于:2004-11-10 09:11:58 |
| 应该不是这样的吧。。。
另外,SCO中ftphosts文件是无效的。。。SCO用的是wu-ftp 2.1,而网上教程的wu-ftp一般是高版本的,支持ftphosts文件配置 下面是SCO man中的example --------------------------- # comments begin with a pound (#) sign and continue to the end of the # line. Blank lines are ignored. deny *.isc.com /archive/etc/msgs/msg.deny deny 0.0.0.0 /archive/etc/msgs/msg.deny # !nameserver is a special case, it triggers whenever the ftp server # is not able to resolve the remote system name via the nameserver. deny !nameserved /archive/etc/msgs/msg.no_nameserver # define a "dead" class in case we want to "shut down" the # ftp server for a while (this class, which has a 0-user # limit, will print a nice message to all new connections # telling them to go away and come back later) class dead real,anonymous * # define a class of local users (sites which are directly connected to # our local .network or which have a one-hop unloaded network connection. class local real,anonymous 128.212.* *.lachman.com 0.0.0.0 # and everybody else... class remote real,anonymous * # define the user limits for various times # for remote users, limit to 100 users during off-peak hours and # 60 during peak hours # (off-peak ::= Saturday, Sunday or 6PM to 6AM weekdays) limit dead 0 Any /archive/etc/msgs/msg.dead limit local 20 Any /archive/etc/msgs/msg.toomany limit remote 100 SaSu|Any1800-0600 /archive/etc/msgs/msg.toomany limit remote 60 Any /archive/etc/msgs/msg.toomany # remind the users to read the README files readme /README* login readme README* cwd=* # let them know about special features of the archives message /etc/msgs/mirrors.msg cwd=/mirrors message /etc/msgs/welcome.msg login message .message cwd=* # let everyone compress/uncompress files on the fly compress yes local remote # ... and tar things, too. tar yes local remote # Passworded anonymous-access accounts are in group ftpguest guestgroup ftpguest # Make local-use information accessible only to local hosts by putting # them in UNIX group localuse. autogroup localuse local # Set up the private access group file # -rw------- 1 root 1025 May 23 14:37 /etc/ftpgroup private /etc/ftpgroup # log all commands the users execute (USER, PASS, # NLST, PORT, *EVERYTHING*) # this can run to several (i.e. 5-10) megabytes/day for a # heavily used archive site log commands anonymous,real,guest # log all file transfers to and from the archives log transfers anonymous,real,guest inbound,outbound |
| lw371 回复于:2004-11-10 09:48:06 |
| http://docsrv.sco.com:507/en/man/html.SFF/ftphosts.SFF.html
我来解释一下吧,老大们: limit的帮助信息说: displaying message_file if the user is denied access. 什么意思呢?是讲当对方被拒绝时显示的信息,明白吧,是拒绝后才显示的 如果不拒绝那么就不显示,这个什么意思呢,如果对方登录上来就不会有此信息了, 登录不上才会回应的,所以CNL讲是流量控制是基本正确的. 为什么帮助里面有个dead呢,那是当ftp服务停止了(端口关闭了), 这时当然ftp连接的用户数是0啦,都被断开了嘛. 当系统inetd守护进程检测到还有连接到ftp端口(一般是21), 就把limit dead 0后面的文件内容给对方展示一下, 这么讲,你的limit all 0 Any只有ftp服务停止后才有效, 这一点CNL老大说的就不对啦,不是失效,而是没到时候. 因此,如果你要deny就必须按照ftpaccess的说明加deny和allow 取巧是没有用的. |
| RunOut 回复于:2004-11-10 10:43:22 |
| [quote:3c13e97b9f="lw371"]http://docsrv.sco.com:507/en/man/html.SFF/ftphosts.SFF.html
我来解释一下吧,老大们: limit的帮助信息说: displaying message_file if the user is denied access. 什么意思呢?是讲当对方被拒绝时显示的信?.........[/quote:3c13e97b9f] 那么如何实现以下目的: 允许若干个地址访问 禁止其他所有地址访问 sco 5.0.5中不支持ftphosts的。 而用deny,是无法实现我的目的的。除非支持allow,但是ftpaccess的man中没有写allow语法啊 |
| CNL 回复于:2004-11-10 10:54:07 |
| 5.0.5自带的ftp恐怕满足不了你的需求, 考虑安装个GNU的ftp服务程序算了 |
| RunOut 回复于:2004-11-10 13:23:23 |
| 好像proftpd在sco下编译不过去。。。
还有其他好的推荐吗 |
