NFS error: Permission denied

Today a colleague told me that the images on the website were no longer displayed. While checking, I ran into a strange NFS behaviour.

Mounting the NFS directory failed with:

mount -t nfs 192.168.1.172:/nfs/mp3/mp3files /web/mp3/mp3files
mount: 192.168.1.172:/nfs/mp3/mp3files failed, reason given by server: Permission denied

My original /etc/exports looked like this:
[root@ha1 nfs]# cat /etc/exports
/nfs/mp3/mp3files 192.168.1.*(rw,async)

It had always worked fine; the other machines mount the data on this server over the internal network by IP.

So I suspected that something I had done was the cause, because earlier I had seen this in /var/log/messages:

mountd[3082]: Fake hostname rs0.xxxxxxcom for 192.168.1.69 - forward lookup doesn't exist

I took this as NFS warning me that there was no reverse DNS entry, so on my DNS server I added a reverse (PTR) record for 192.168.1.69 and a forward record for rs0.xxxxx.com pointing to 192.168.1.69. After that the warning stopped appearing, but the mount failure described above started.

Searching around, I found someone suggesting to use a domain name in /etc/exports instead, so I changed it to:
[root@ha1 nfs]# cat /etc/exports
/nfs/mp3/mp3files *.xxxxxx.com(rw,async)

Mounted again, and it worked; the problem was gone.

After reading some more material, I understood what had happened:

When mountd receives a mount request, it reverse-resolves the client's IP address to a hostname and then checks that a forward lookup of that name leads back to the same address. That check is what the "Fake hostname ... forward lookup doesn't exist" message was complaining about: the name could not be verified, so mountd discarded it and kept treating the client by its plain IP address. The entries in /etc/exports are then matched according to their form: a literal IP address, a hostname without wildcards (resolved forward) or a subnet such as 192.168.1.0/24 or 192.168.1.0/255.255.255.0 is compared against the client's address, but an entry containing the wildcard characters * or ? is matched only against the client's name. exports(5) says so explicitly: wildcard characters do not work on IP addresses, although this may work by accident when reverse DNS lookups fail.

That is exactly what happened here. 192.168.1.* is a wildcard, so it was being matched against the client's name, not its address. As long as the reverse name could not be verified, the "name" was the dotted-quad string 192.168.1.69, which happens to match 192.168.1.*. Once I fixed DNS, the client's name became rs0.xxxxx.com, which does not match 192.168.1.*, so mountd rejected the request and the client reported mount: 192.168.1.172:/nfs/mp3/mp3files failed, reason given by server: Permission denied.

Switching the entry to *.xxxxxx.com made the wildcard match the hostname again, which is why that fixed it. The cleaner fix is to state the intent directly as a subnet, 192.168.1.0/24(rw,async): a subnet is compared against the address and does not depend on DNS at all. A hostname or domain wildcard in /etc/exports turns DNS into an access-control input: whoever can influence the reverse and forward records for a client (or the DNS server itself) can make a foreign host match the export. An address-based entry removes that dependency, and an export should in any case be limited to the hosts that need it, and to ro where write access is not required.
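To make these matching rules concrete, here is an added model of mountd's client matching written for this post; it is not nfs-utils code. The forward-DNS table is constructed, and rs0.xxxxx.com / 192.168.1.69 are the (partly elided) names from the post. It parses the /etc/exports lines above and shows why 192.168.1.* matches only while the client's reverse name cannot be verified, whereas 192.168.1.0/24 matches regardless of DNS:

```python
"""Model of how mountd matches a client against /etc/exports client specs.

Added example for this post, not nfs-utils code. It follows exports(5):
an IP literal or a subnet (CIDR or netmask) is compared against the client's
ADDRESS; a spec containing '*' or '?' is a wildcard compared against the
client's NAME, which is the reverse-DNS result only when a forward lookup of
that name leads back to the same address, and the dotted-quad string otherwise.
"""
import fnmatch
import ipaddress
import re

# Constructed forward-DNS table standing in for the real resolver.
# rs0.xxxxx.com / 192.168.1.69 are the (partly elided) names from the post.
FAKE_DNS = {"rs0.xxxxx.com": "192.168.1.69"}

# One client entry: "spec(opts)" or a bare "spec".
_CLIENT = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Parse /etc/exports text into {path: [(client_spec, options), ...]}."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        exports[path] = [(spec or bare, opts) for spec, opts, bare in _CLIENT.findall(rest)]
    return exports


def client_name(client_ip, reverse_name, dns=FAKE_DNS):
    """The name mountd will match wildcards against.

    reverse_name is the PTR result for client_ip, or None if there was none.
    A PTR name whose forward lookup does not return client_ip is rejected
    (that is the "Fake hostname X for IP - forward lookup doesn't exist"
    message) and the plain address string is used instead.
    """
    if reverse_name and dns.get(reverse_name.lower()) == client_ip:
        return reverse_name
    return client_ip


def client_matches(spec, client_ip, name, dns=FAKE_DNS):
    """Does one exports client spec match the client (address + verified name)?"""
    addr = ipaddress.ip_address(client_ip)
    if spec == "*":                         # anonymous: every client
        return True
    if spec.startswith("@"):                # NIS netgroup: not modelled here
        return False
    if "/" in spec:                         # subnet: compared against the address
        return addr in ipaddress.ip_network(spec, strict=False)
    if any(ch in spec for ch in "*?["):     # wildcard: compared against the NAME only
        return fnmatch.fnmatchcase(name.lower(), spec.lower())
    try:                                    # single host given as an IP literal
        return ipaddress.ip_address(spec) == addr
    except ValueError:                      # single host given as a name: resolve forward
        return dns.get(spec.lower()) == client_ip


def lookup_export(exports, path, client_ip, reverse_name=None, dns=FAKE_DNS):
    """Options the client gets for `path`, or None (client sees 'Permission denied')."""
    name = client_name(client_ip, reverse_name, dns)
    for spec, opts in exports.get(path, []):
        if client_matches(spec, client_ip, name, dns):
            return opts
    return None


if __name__ == "__main__":
    path = "/nfs/mp3/mp3files"
    wildcard = parse_exports("/nfs/mp3/mp3files 192.168.1.*(rw,async)")
    subnet = parse_exports("/nfs/mp3/mp3files 192.168.1.0/24(rw,async)")
    # PTR exists but no forward record yet: name is rejected, the IP string matches 192.168.1.*
    print(lookup_export(wildcard, path, "192.168.1.69", "rs0.xxxxx.com", dns={}))
    # Forward record added: the name is now rs0.xxxxx.com and 192.168.1.* no longer matches
    print(lookup_export(wildcard, path, "192.168.1.69", "rs0.xxxxx.com"))
    # A subnet is compared against the address, so DNS no longer matters
    print(lookup_export(subnet, path, "192.168.1.69", "rs0.xxxxx.com"))
```

Run as a script it prints rw,async, None and rw,async for the three cases: the accidental match before the DNS fix, the Permission denied after it, and the subnet export that does not depend on DNS.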

Using DenyHosts to stop SSH brute-force attacks

Every day the server receives thousands of failed SSH login attempts:

sshd:
   Authentication Failures:
      root (218.247.185.218): 575 Time(s)
      unknown (218.247.185.218): 224 Time(s)
      unknown (218.247.185.222): 6 Time(s)
      unknown (202.101.72.35): 5 Time(s)
      unknown (202.101.72.36): 5 Time(s)
      unknown (202.101.72.37): 5 Time(s)
      unknown (202.101.72.44): 5 Time(s)
      unknown (202.101.72.32): 4 Time(s)
      unknown (202.101.72.40): 4 Time(s)
      unknown (202.101.72.43): 4 Time(s)
      unknown (202.101.72.45): 4 Time(s)
      unknown (202.101.72.47): 4 Time(s)
      unknown (202.101.72.50): 4 Time(s)
      unknown (202.101.72.53): 4 Time(s)
      unknown (202.101.72.56): 4 Time(s)
      unknown (202.101.72.57): 4 Time(s)
      unknown (202.101.72.60): 4 Time(s)
      unknown (202.101.72.62): 4 Time(s)
      root (218.247.185.222): 3 Time(s)
      unknown (202.101.72.33): 3 Time(s)
      unknown (202.101.72.34): 3 Time(s)
      unknown (202.101.72.38): 3 Time(s)
      unknown (202.101.72.39): 3 Time(s)
      unknown (202.101.72.41): 3 Time(s)
      unknown (202.101.72.48): 3 Time(s)
      unknown (202.101.72.51): 3 Time(s)
      unknown (202.101.72.52): 3 Time(s)
      unknown (202.101.72.54): 3 Time(s)
      unknown (202.101.72.55): 3 Time(s)
      unknown (202.101.72.58): 3 Time(s)
      unknown (202.101.72.61): 3 Time(s)
      unknown (202.101.72.63): 3 Time(s)
      ftp (202.101.72.34): 2 Time(s)
      mail (218.247.185.218): 2 Time(s)
      mysql (218.247.185.218): 2 Time(s)
      news (218.247.185.218): 2 Time(s)
      root (192.168.123.69): 2 Time(s)
      unknown (202.101.72.42): 2 Time(s)
      unknown (202.101.72.46): 2 Time(s)
      unknown (202.101.72.49): 2 Time(s)
      unknown (202.101.72.59): 2 Time(s)
      adm (202.101.72.34): 1 Time(s)
      adm (202.101.72.42): 1 Time(s)
      adm (202.101.72.46): 1 Time(s)
      adm (202.101.72.49): 1 Time(s)
      adm (202.101.72.51): 1 Time(s)
      adm (202.101.72.58): 1 Time(s)
      adm (202.101.72.59): 1 Time(s)
      adm (202.101.72.61): 1 Time(s)
      adm (218.247.185.218): 1 Time(s)
      apache (218.247.185.218): 1 Time(s)
      bin (218.247.185.218): 1 Time(s)
      ftp (202.101.72.33): 1 Time(s)
      ftp (202.101.72.39): 1 Time(s)
      ftp (202.101.72.46): 1 Time(s)
      ftp (202.101.72.58): 1 Time(s)
      ftp (202.101.72.60): 1 Time(s)
      ftp (218.247.185.218): 1 Time(s)
      games (218.247.185.218): 1 Time(s)
      lp (218.247.185.218): 1 Time(s)
      mysql (202.101.72.38): 1 Time(s)
      mysql (202.101.72.39): 1 Time(s)
      mysql (202.101.72.42): 1 Time(s)
      mysql (202.101.72.49): 1 Time(s)
      mysql (202.101.72.51): 1 Time(s)
      mysql (202.101.72.59): 1 Time(s)
      mysql (202.101.72.61): 1 Time(s)
      nobody (218.247.185.218): 1 Time(s)
      operator (218.247.185.218): 1 Time(s)
      postgres (202.101.72.33): 1 Time(s)
      postgres (202.101.72.48): 1 Time(s)
      postgres (202.101.72.49): 1 Time(s)
      postgres (202.101.72.52): 1 Time(s)
      postgres (202.101.72.53): 1 Time(s)
      postgres (202.101.72.54): 1 Time(s)
      rpm (218.247.185.218): 1 Time(s)
      squid (218.247.185.218): 1 Time(s)
      sshd (218.247.185.218): 1 Time(s)
   Invalid Users:
      Unknown Account: 341 Time(s)

Today, with some spare time, I came across a piece of software called denyhosts at http://dag.wieers.com/home-made/apt/packages.php, which solves exactly this problem.

First install a package so that yum can fetch packages directly from the dag repository:

wget http://ftp.belnet.be/packages/dries.ulyssis.org/redhat/el4/en/i386/RPMS.dries/rpmforge-release-0.2-2.2.el4.rf.i386.rpm

rpm -ivh rpmforge-release-0.2-2.2.el4.rf.i386.rpm

Now denyhosts can be installed directly with yum:

yum install denyhosts

Then set it up:

 cp /usr/share/doc/denyhosts-2.2/daemon-control-dist /etc/init.d/denyhosts

 cp /usr/share/doc/denyhosts-2.2/denyhosts.cfg-dist /etc/denyhosts.cfg

 vi /etc/init.d/denyhosts

 Change the value of the DENYHOSTS_CFG parameter to "/etc/denyhosts.cfg"

 Then add it as a service:

 chkconfig --add denyhosts
 chkconfig --level 2345 denyhosts on

Then edit the configuration file:

 vi /etc/denyhosts.cfg

SECURE_LOG = /var/log/secure
# the ssh log file; DenyHosts makes its decisions from this file

HOSTS_DENY = /etc/hosts.deny
# the tcp_wrappers file that controls which hosts may connect

PURGE_DENY = 5m
# how long a blocked host stays in hosts.deny before it is removed again

BLOCK_SERVICE  = sshd
# the service name to block (ALL would block every tcp_wrappers service)

DENY_THRESHOLD_INVALID = 1
# failed attempts allowed for usernames that do not exist

DENY_THRESHOLD_VALID = 10
# failed attempts allowed for existing, non-root users

DENY_THRESHOLD_ROOT = 5
# failed attempts allowed for root

HOSTNAME_LOOKUP=NO
# whether to reverse-resolve the attacking IP to a hostname

ADMIN_EMAIL = hui@ffccc.com
# the administrator's address; DenyHosts mails its reports here

DAEMON_LOG = /var/log/denyhosts
# DenyHosts' own log file

Two things are worth checking before starting it. DENY_THRESHOLD_INVALID = 1 blocks a host after a single attempt with a non-existent username, so put your own administrative addresses into the allowed-hosts file in DenyHosts' WORK_DIR first, or one mistyped username will lock you out. PURGE_DENY = 5m unblocks a host after only five minutes, which a scanner will simply wait out. Blocking through /etc/hosts.deny also only affects services linked against tcp_wrappers (libwrap), which sshd on Red Hat-derived systems is.

Then start it:

service denyhosts start

Check whether /etc/hosts.deny now contains blocked IPs; if it does, it is working.
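As an added example (not DenyHosts' own code), the following script applies the three thresholds from the configuration above to a constructed sample of /var/log/secure lines, in the format OpenSSH writes, and renders the hosts.deny entries DenyHosts would produce for BLOCK_SERVICE = sshd. The addresses come from the logwatch report above; the whitelisted address 192.168.1.69 is an assumption standing in for an administrator's workstation.

```python
"""Apply DenyHosts-style thresholds to sshd log lines and render hosts.deny.

Added example for this post; this is not DenyHosts' own code. It models the
three thresholds from the /etc/denyhosts.cfg above and emits the same
"sshd: <ip>" lines DenyHosts writes to /etc/hosts.deny for BLOCK_SERVICE = sshd.
The log lines are constructed in the format OpenSSH writes to /var/log/secure;
the addresses are taken from the logwatch report above.
"""
import re
from collections import Counter

# Same values as in the /etc/denyhosts.cfg shown in the post.
DENY_THRESHOLD_INVALID = 1   # attempts with a non-existent username
DENY_THRESHOLD_VALID = 10    # attempts against an existing, non-root account
DENY_THRESHOLD_ROOT = 5      # attempts against root
BLOCK_SERVICE = "sshd"       # tcp_wrappers service name written to hosts.deny

THRESHOLDS = {
    "invalid": DENY_THRESHOLD_INVALID,
    "valid": DENY_THRESHOLD_VALID,
    "root": DENY_THRESHOLD_ROOT,
}

# Addresses that must never be blocked. DenyHosts reads these from the
# allowed-hosts file in its WORK_DIR; with DENY_THRESHOLD_INVALID = 1 one
# mistyped username from an admin workstation would otherwise lock it out.
# The address is an assumption for this example.
ALLOWED_HOSTS = {"192.168.1.69"}

# OpenSSH failure line; "invalid user" marks a username that does not exist.
_FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample of /var/log/secure.
SAMPLE_SECURE_LOG = """\
Feb  3 10:01:12 ha1 sshd[3201]: Failed password for root from 218.247.185.218 port 3811 ssh2
Feb  3 10:01:14 ha1 sshd[3203]: Failed password for root from 218.247.185.218 port 3812 ssh2
Feb  3 10:01:16 ha1 sshd[3205]: Failed password for root from 218.247.185.218 port 3813 ssh2
Feb  3 10:01:18 ha1 sshd[3207]: Failed password for root from 218.247.185.218 port 3814 ssh2
Feb  3 10:01:20 ha1 sshd[3209]: Failed password for root from 218.247.185.218 port 3815 ssh2
Feb  3 10:02:01 ha1 sshd[3220]: Invalid user oracle from 202.101.72.35
Feb  3 10:02:01 ha1 sshd[3220]: Failed password for invalid user oracle from 202.101.72.35 port 4020 ssh2
Feb  3 10:03:40 ha1 sshd[3231]: Failed password for mysql from 202.101.72.38 port 4100 ssh2
Feb  3 10:04:05 ha1 sshd[3240]: Failed password for invalid user test from 192.168.1.69 port 1022 ssh2
Feb  3 10:04:30 ha1 sshd[3241]: Accepted password for hui from 192.168.1.69 port 1023 ssh2
"""


def classify(user, invalid):
    """Bucket an attempt the way DenyHosts does: invalid / root / valid."""
    if invalid:
        return "invalid"
    return "root" if user == "root" else "valid"


def count_failures(log_lines):
    """Count failed logins per (ip, bucket); non-failure lines are ignored."""
    counts = Counter()
    for line in log_lines:
        m = _FAILED.search(line)
        if m is None:
            continue                       # not an sshd failure line
        bucket = classify(m.group("user"), bool(m.group("invalid")))
        counts[(m.group("ip"), bucket)] += 1
    return counts


def hosts_to_deny(log_lines, allowed=ALLOWED_HOSTS):
    """IPs that reached any threshold, minus the whitelist, sorted."""
    denied = set()
    for (ip, bucket), n in count_failures(log_lines).items():
        if n >= THRESHOLDS[bucket] and ip not in allowed:
            denied.add(ip)
    return sorted(denied)


def render_hosts_deny(ips, service=BLOCK_SERVICE):
    """Lines in tcp_wrappers syntax, as DenyHosts appends them to /etc/hosts.deny."""
    return "".join("%s: %s\n" % (service, ip) for ip in ips)


if __name__ == "__main__":
    print(render_hosts_deny(hosts_to_deny(SAMPLE_SECURE_LOG.splitlines())), end="")
```

On the sample, 218.247.185.218 is blocked for five root failures and 202.101.72.35 for a single attempt with a non-existent username, while 202.101.72.38 stays below the ten-attempt limit for an existing account and 192.168.1.69 is spared only because it is whitelisted, which is the case the allowed-hosts file exists for.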