# ICTSC2020 Finals, Day 1
## Score server
https://contest.ictsc.net/
Team number: 15
Team name: Internet (インターネット)
Password: zThJeNyWV7
## Logging in to the jump host
.ssh/config
```
Host tc2020
HostName 103.202.216.16
port 20015
User user
```
ssh command
```bash
ssh user@103.202.216.16 -p20015
```
Password: zThJeNyWV7
### List of problems
- I'm not a bad framework (僕悪いフレームワークじゃないよ)
- Huh... something's wrong (あれ、、、おかしい)
- Tonton tunnel (とんとんとんねる)
- Something is wrong (何かがおかしい)
- We merged departments, but (部署を統合したが)
- Not yet, it's not over yet (まだだ、終わらんよ)
- FTP is broken (FTPが壊れちゃった)
- GRE won't connect! (GREがつながらない!)
- Name resolution not working? (名前解決ができない?)
- I don't understand FTP at all (FTPなんもわからん)
- Can't connect to the container (コンテナにつながらない)
## Day 1 problem notes
### I'm not a bad framework (僕悪いフレームワークじゃないよ)
As instructed, run `python3 manage.py runserver 192.168.7.2:8000`.
As shown, `curl http://192.168.7.2:8000`:
```
Invalid HTTP_HOST header: '192.168.7.2:8000'. You may need to add '192.168.7.2' to ALLOWED_HOSTS.
```
As the message says, add the host to ALLOWED_HOSTS in settings.py:
`ALLOWED_HOSTS = ['192.168.7.2']`
https://qiita.com/sykx_16g/items/2da21e6e3ee3bd542e92
```
user@vm:~/ictsc/ictsc$ curl -L http://192.168.7.2:8000/message
Excellent!! If you're able to see this, report back now!!
```
#### Answer
https://hackmd.io/DuFp1LvGQF20AtCLOJSpLQ
### (Part 1) Not yet, it's not over yet (まだだ、まだ終わらんよ)
It looks like nginx is what runs here.
There is an /etc/nginx.
```bash
user@web:/etc/nginx$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: timeout) since Fri 2021-03-05 18:00:02 JST; 16h ago
Docs: man:nginx(8)
Mar 05 17:58:21 web systemd[1]: Starting A high performance web server and a reverse proxy server...
Mar 05 17:59:51 web systemd[1]: nginx.service: start-pre operation timed out. Terminating.
Mar 05 17:59:56 web systemd[1]: nginx.service: State 'stop-sigterm' timed out. Killing.
Mar 05 17:59:56 web systemd[1]: nginx.service: Killing process 555 (nginx) with signal SIGKILL.
Mar 05 18:00:02 web systemd[1]: nginx.service: Processes still around after SIGKILL. Ignoring.
Mar 05 18:00:02 web systemd[1]: nginx.service: Killing process 555 (nginx) with signal SIGKILL.
Mar 05 18:00:02 web systemd[1]: nginx.service: Failed with result 'timeout'.
Mar 05 18:00:02 web systemd[1]: Failed to start A high performance web server and a reverse proxy server.
```
The config syntax is OK:
```
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
It couldn't start because a leftover pid file was there (note it is 0 bytes):
```
user@web:/var/log/nginx$ ls /run/nginx.pid
/run/nginx.pid
user@web:/var/log/nginx$ ls /run/nginx.pid -la
-rw-r--r-- 1 root root 0 Mar 6 10:31 /run/nginx.pid
```
Delete the pid file:
```
sudo rm /run/nginx.pid
```
Try restarting:
```
user@web:/mnt/data$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2021-03-06 10:42:04 JST; 13s ago
Docs: man:nginx(8)
Process: 23031 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 23042 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 23043 (nginx)
Tasks: 2 (limit: 1168)
Memory: 2.6M
CGroup: /system.slice/nginx.service
├─23043 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
└─23044 nginx: worker process
Mar 06 10:42:04 web systemd[1]: Starting A high performance web server and a reverse proxy server...
Mar 06 10:42:04 web systemd[1]: Started A high performance web server and a reverse proxy server.
```
nginx started, but a 403 came back:
```
user@web:/var/log/nginx$ curl 192.168.11.1
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
```
Looking at /etc/nginx/sites-enabled/ictsc, it has this configuration:
```
root /mnt/data;
index index.html index.htm index.nginx-debian.html;
```
So, put a file in /mnt/data:
```
cat > index.html
<!doctype html>
<body><h1>hello</h1>
(press Ctrl+D)
```
A 200 came back:
```
curl -i 192.168.11.1
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 06 Mar 2021 01:39:57 GMT
Content-Type: text/html
Content-Length: 37
Last-Modified: Sat, 06 Mar 2021 01:39:51 GMT
Connection: keep-alive
ETag: "6042dd67-25"
Accept-Ranges: bytes
<!doctype html>
<body><h1>hello</h1>
```
#### Answer
https://gist.github.com/tomoyk/fc6aed0c32556aac394e74e964c624bf
### (Part 2) Not yet, it's not over yet (まだだ、まだ終わらんよ)
error.log:
```
2021/03/06 12:19:59 [error] 583#583: *1 directory index of "/mnt/data/" is forbidden, client: 172.16.101.36, server: _, request: "GET / HTTP/1.1", host: "10.15.11.1"
2021/03/06 12:58:57 [error] 583#583: *3 directory index of "/mnt/data/" is forbidden, client: 172.16.101.36, server: _, request: "GET / HTTP/1.1", host: "10.15.11.1"
```
The log says access to /mnt/data is forbidden.
Looking at /etc/fstab, /dev/sdb1 is supposed to be mounted on /mnt/data:
```
user@web:/var/log$ cat /etc/fstab
LABEL=cloudimg-rootfs / ext4 defaults 0 0
LABEL=UEFI /boot/efi vfat defaults 0 0
/dev/sdb1 /mnt/data ext4 defaults 0 0
```
Take a look at sdb with gdisk:
```
user@web:/var/log$ sudo gdisk -l /dev/sdb
GPT fdisk (gdisk) version 1.0.5
Caution: invalid main GPT header, but valid backup; regenerating main header
from backup!
Warning: Invalid CRC on main header data; loaded backup partition table.
Warning! Main and backup partition tables differ! Use the 'c' and 'e' options
on the recovery & transformation menu to examine the two tables.
Warning! Main partition table CRC mismatch! Loaded backup partition table
instead of main partition table!
Warning! One or more CRCs don't match. You should repair the disk!
Main header: ERROR
Backup header: OK
Main partition table: ERROR
Backup partition table: OK
Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: damaged
Found invalid MBR and corrupt GPT. What do you want to do? (Using the
GPT MAY permit recovery of GPT data.)
1 - Use current GPT
2 - Create blank GPT
Your answer: 1
Disk /dev/sdb: 33554432 sectors, 16.0 GiB
Model: QEMU HARDDISK
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): F5233B06-02E6-4382-BAB0-C0E1DADD1EE3
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 33554398
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)
Number Start (sector) End (sector) Size Code Name
1 2048 33554398 16.0 GiB 8300
```
Repair the disk with gdisk:
```
user@web:/var/log$ sudo gdisk /dev/sdb
GPT fdisk (gdisk) version 1.0.5
Caution: invalid main GPT header, but valid backup; regenerating main header
from backup!
Warning: Invalid CRC on main header data; loaded backup partition table.
Warning! Main and backup partition tables differ! Use the 'c' and 'e' options
on the recovery & transformation menu to examine the two tables.
Warning! Main partition table CRC mismatch! Loaded backup partition table
instead of main partition table!
Warning! One or more CRCs don't match. You should repair the disk!
Main header: ERROR
Backup header: OK
Main partition table: ERROR
Backup partition table: OK
Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: damaged
Found invalid MBR and corrupt GPT. What do you want to do? (Using the
GPT MAY permit recovery of GPT data.)
1 - Use current GPT
2 - Create blank GPT
Your answer: 1
Command (? for help): r
Recovery/transformation command (? for help): v
Problem: The CRC for the main partition table is invalid. This table may be
corrupt. Consider loading the backup partition table ('c' on the recovery &
transformation menu). This report may be a false alarm if you've already
corrected other problems.
Identified 1 problems!
Recovery/transformation command (? for help): b
Recovery/transformation command (? for help): c
Warning! This will probably do weird things if you've converted an MBR to
GPT form and haven't yet saved the GPT! Proceed? (Y/N): Y
Recovery/transformation command (? for help): v
No problems found. 2014 free sectors (1007.0 KiB) available in 1
segments, the largest of which is 2014 (1007.0 KiB) in size.
Recovery/transformation command (? for help): w
Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!
Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/sdb.
The operation has completed successfully.
user@web:/var/log$
```
Check with fdisk that it was repaired:
```
user@web:~$ sudo fdisk -l /dev/sdb
Disk /dev/sdb: 16 GiB, 17179869184 bytes, 33554432 sectors
Disk model: QEMU HARDDISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: F5233B06-02E6-4382-BAB0-C0E1DADD1EE3
Device Start End Sectors Size Type
/dev/sdb1 2048 33554398 33552351 16G Linux filesystem
```
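What gdisk reported above (main header CRC bad, backup good) comes down to two CRC-32 fields in the GPT header. The following is an added example, not part of the team's notes or gdisk's code: it packs a GPT header and partition array for a disk with the same geometry as /dev/sdb above, computes the CRCs the way the UEFI layout defines them, and shows that one corrupted byte in the main header leaves the backup as the only usable copy. The partition's unique GUID and name are constructed values.

```python
import struct
import uuid
import zlib

HDR_FMT = "<8sIIIIQQQQ16sQIII"
HDR_SIZE = struct.calcsize(HDR_FMT)   # 92-byte GPT header, little-endian
ENTRY_FMT = "<16s16sQQQ72s"           # 128-byte partition entry
N_ENTRIES, ENTRY_SIZE = 128, 128

# Geometry taken from the gdisk/fdisk output above (16 GiB, 512-byte sectors).
DISK_GUID = uuid.UUID("F5233B06-02E6-4382-BAB0-C0E1DADD1EE3")
LAST_LBA = 33554431            # disk has 33554432 sectors
FIRST_USABLE, LAST_USABLE = 34, 33554398
LINUX_FS = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")   # gdisk code 8300


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def build_entries():
    """Partition array: one Linux filesystem at 2048..33554398, rest zeroed.
    The unique GUID and the name are constructed values."""
    entry = struct.pack(ENTRY_FMT, LINUX_FS.bytes_le, uuid.UUID(int=1).bytes_le,
                        2048, LAST_USABLE, 0,
                        "data".encode("utf-16-le").ljust(72, b"\0"))
    return entry.ljust(N_ENTRIES * ENTRY_SIZE, b"\0")


def build_header(entries, current_lba, backup_lba, table_lba):
    """Pack a header with both CRC fields filled in."""
    fields = [b"EFI PART", 0x00010000, HDR_SIZE, 0, 0,
              current_lba, backup_lba, FIRST_USABLE, LAST_USABLE,
              DISK_GUID.bytes_le, table_lba, N_ENTRIES, ENTRY_SIZE,
              crc32(entries)]
    # The header CRC covers the header with its own CRC field zeroed.
    fields[3] = crc32(struct.pack(HDR_FMT, *fields))
    return struct.pack(HDR_FMT, *fields)


def check_header(raw, entries):
    """Return (header_ok, table_ok), like gdisk's 'Main header: OK/ERROR' lines."""
    f = list(struct.unpack(HDR_FMT, raw[:HDR_SIZE]))
    stored, f[3] = f[3], 0
    header_ok = f[0] == b"EFI PART" and crc32(struct.pack(HDR_FMT, *f)) == stored
    table_ok = crc32(entries[: f[11] * f[12]]) == f[13]
    return header_ok, table_ok


def choose_header(main, main_entries, backup, backup_entries):
    """Which copy to trust: 'main', 'backup', or None when both are damaged."""
    if all(check_header(main, main_entries)):
        return "main"
    if all(check_header(backup, backup_entries)):
        return "backup"
    return None


def demo():
    """Damage one byte of the main header, as happened to /dev/sdb above."""
    entries = build_entries()
    main = build_header(entries, current_lba=1, backup_lba=LAST_LBA, table_lba=2)
    backup = build_header(entries, current_lba=LAST_LBA, backup_lba=1,
                          table_lba=LAST_LBA - 32)
    damaged = bytearray(main)
    damaged[40] ^= 0xFF            # inside the first_usable_lba field
    return choose_header(bytes(damaged), entries, backup, entries)
```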
Mount again:
```
sudo mount -a
```
Confirmed that it is mounted:
```
user@web:~$ mount | grep mnt
nsfs on /run/snapd/ns/lxd.mnt type nsfs (rw)
/dev/sdb1 on /mnt/data type ext4 (rw,relatime)
```
Confirmed with curl that the web page is served:
```
user@web:~$ curl -i 192.168.11.1
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 06 Mar 2021 05:53:18 GMT
Content-Type: text/html
Content-Length: 678
Last-Modified: Sat, 02 Jan 2021 07:16:20 GMT
Connection: keep-alive
ETag: "5ff01dc4-2a6"
Accept-Ranges: bytes
<!DOCTYPE html>
<html lang="ja">
<head>
<meta charset="utf-8" />
<link rel="stylesheet" href="style.css">
<title>タイトル</title>
<script
src="https://code.jquery.com/jquery-3.3.1.min.js"
integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8="
crossorigin="anonymous"></script>
</head>
<body>
<main>
<p>ICTSC WEB!!!</p>
</main>
<script>
$(function(){
});
</script>
</body>
</html>
```
#### Answer
https://gist.github.com/tomoyk/fc6aed0c32556aac394e74e964c624bf
### Can't connect to the container (コンテナにつながらない)
Output of docker ps:
```
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
78406f6bf4be nginx "/docker-entrypoint.…" 7 weeks ago Up 14 hours nginx
```
Looks like no port is open.
How to open a port after the fact:
https://www.scriptlife.jp/contents/programming/2016/09/07/docker-port-forward/
```
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.1:80
```
```
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.1:80
iptables -A FORWARD -d 172.17.0.1/16 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
```
Doesn't work.
```
docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' nginx
```
```
docker inspect --format '{{ .NetworkSettings.IPAddress }}' nginx
```
Nothing shows up.
Maybe Docker didn't get an IP address?
No idea how to hand out an IP address from docker0 again...
#### Answer
https://hackmd.io/s/Bkbxedxmd
### Tonton tunnel (とんとんとんねる) (5G problem)
Background knowledge here:
https://www.nttdocomo.co.jp/corporate/technology/rd/tech/5g/5g06/02/index.html#notice08
https://getnavi.jp/digital/464369/
https://www.ctc-g.co.jp/report/column/5g_system/vol03.html
A quick summary here:
https://hackmd.io/GjL75EIDRL2y9EUJtJ8wRw?edit
#### Problem

##### Info
ping results:
- gNB -> UPF (192.168.21.34): OK
- gNB -> UPF (192.168.21.49): NG
- gNB -> DN (192.168.21.50): NG
- gNB -> UE addr (10.0.0.1): OK
- UPF -> gNB (192.168.21.33): OK
- UPF -> DN (192.168.21.50): OK
- UPF -> UE addr (10.0.0.1): NG
- DN -> gNB (192.168.21.33): NG
- DN -> gNB (192.168.21.2): OK
Is something going wrong around the UPF's routing?
gw: 192.168.21.14/28
gtp5g on GitHub:
https://github.com/PrinzOwO/gtp5g
libgtp5gnl on GitHub:
https://github.com/PrinzOwO/libgtp5gnl
Apparently there was a gtp-tunnel command:
https://www.slideshare.net/kentaroebisawa/using-gtp-on-linux-with-libgtpnl
Now suspecting this may have only needed a config edit.
#### Memo
Found one Warning in config.log of libgtp5gnl on the UPF.
### FTP is broken (FTPが壊れちゃった)
```
lftp user@192.168.3.1:~> ls
ls: Fatal error: Certificate verification: Not trusted (FC:7F:6A:E7:C2:FF:31:7B:04:30:2B:C2:55:5A:72:84:5D:2A:9A:C9)
```
What we looked up:
https://serverfault.com/questions/411970/how-to-avoid-lftp-certificate-verification-error
(mikaner)
```
lftp user@192.168.3.1:~> pwd
ftp://user@192.168.3.1
```
https://jerome-ando.blog.jp/archives/ftp_over_ssl_with_lftp_command_ja.html
Contents of .lftprc:
```
set ftp:ssl-auth TLS
set ftp:ssl-force true
set ftp:ssl-allow yes
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate no
```
Run with debugging:
```
lftp -d -u <user name> ftp://<server fqdn>
```
```
lftp user@192.168.3.1:~> ls
---- Connecting to 192.168.3.1 (192.168.3.1) port 21
<--- 220 (vsFTPd 3.0.3)
---> FEAT
<--- 211-Features:
<--- AUTH TLS
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> USER user
Certificate: C=JP,ST=Tokyo,O=Internet Widgits Pty Ltd
Issued by: C=JP,ST=Tokyo,O=Internet Widgits Pty Ltd
WARNING: Certificate verification: Not trusted (FC:7F:6A:E7:C2:FF:31:7B:04:30:2B:C2:55:5A:72:84:5D:2A:9A:C9)
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘192.168.3.1’ (FC:7F:6A:E7:C2:FF:31:7B:04:30:2B:C2:55:5A:72:84:5D:2A:9A:C9)
<--- 331 Please specify the password.
---> PASS XXXX
**** gnutls_record_recv: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_record_recv: An unexpected TLS packet was received.
```
Isn't it failing at login?
Found something about SSL authentication:
https://protocol.nekono.tokyo/2016/07/06/lftp%E3%81%AEssl%E9%80%9A%E4%BF%A1%E3%82%A8%E3%83%A9%E3%83%BC%E8%A7%A3%E6%B6%88%E6%96%B9%E6%B3%95/
Tried it, but doesn't it say `Can't use SSL_get_servername`?
```
user@vm1:~$ openssl s_client -showcerts -connect 192.168.3.1:21 -starttls ftp
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = JP, ST = Tokyo, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, ST = Tokyo, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
0 s:C = JP, ST = Tokyo, O = Internet Widgits Pty Ltd
i:C = JP, ST = Tokyo, O = Internet Widgits Pty Ltd
---
Server certificate
subject=C = JP, ST = Tokyo, O = Internet Widgits Pty Ltd
issuer=C = JP, ST = Tokyo, O = Internet Widgits Pty Ltd
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1669 bytes and written 719 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
220 (vsFTPd 3.0.3)
---
```
```
lftp user@192.168.3.1:~> ls
---- Connecting to 192.168.3.1 (192.168.3.1) port 21
<--- 220 (vsFTPd 3.0.3)
---> FEAT
<--- 211-Features:
<--- AUTH TLS
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> USER user
Certificate: C=JP,ST=Tokyo,O=Internet Widgits Pty Ltd
Issued by: C=JP,ST=Tokyo,O=Internet Widgits Pty Ltd
Trusted
ERROR: Certificate verification: certificate common name doesn't match requested host name ‘192.168.3.1’ (FC:7F:6A:E7:C2:FF:31:7B:04:30:2B:C2:55:5A:72:84:5D:2A:9A:C9)
**** Certificate verification: certificate common name doesn't match requested host name ‘192.168.3.1’ (FC:7F:6A:E7:C2:FF:31:7B:04:30:2B:C2:55:5A:72:84:5D:2A:9A:C9)
---- Closing control socket
ls: Fatal error: Certificate verification: certificate common name doesn't match requested host name ‘192.168.3.1’ (FC:7F:6A:E7:C2:FF:31:7B:04:30:2B:C2:55:5A:72:84:5D:2A:9A:C9)
```
The error changed.
Is it failing earlier than before now?
No, it's showing Trusted.
Change .lftprc so it does not check the hostname:
https://qiita.com/n_haruka/items/843a18bbbc268aaf912a#ssl%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E3%83%9B%E3%82%B9%E3%83%88%E5%90%8D%E3%81%A8%E3%82%B5%E3%83%BC%E3%83%90%E3%81%AE%E3%83%9B%E3%82%B9%E3%83%88%E5%90%8D%E3%81%8C%E4%B8%80%E8%87%B4%E3%81%97%E3%81%A6%E3%81%84%E3%81%AA%E3%81%84%E3%81%A8%E3%81%AE%E3%82%A8%E3%83%A9%E3%83%BC
```
set ftp:ssl-auth TLS
set ftp:ssl-force true
set ftp:ssl-allow yes
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate yes
set ssl:ca-file "c.crt"
set ssl:check-hostname false
```
```
user@vm1:~$ lftp -d -u user,ictsc2020 192.168.3.1:21
---- Resolving host address...
---- 1 address found: 192.168.3.1
lftp user@192.168.3.1:~> ls
---- Connecting to 192.168.3.1 (192.168.3.1) port 21
<--- 220 (vsFTPd 3.0.3)
---> FEAT
<--- 211-Features:
<--- AUTH TLS
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> USER user
Certificate: C=JP,ST=Tokyo,O=Internet Widgits Pty Ltd
Issued by: C=JP,ST=Tokyo,O=Internet Widgits Pty Ltd
Trusted
WARNING: Certificate verification: hostname checking disabled
<--- 331 Please specify the password.
---> PASS ictsc2020
**** gnutls_record_recv: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_record_recv: An unexpected TLS packet was received.
```
It complains about the hostname, so is the FQDN(?) in the certificate not set up right?
→ What about regenerating the certificate?
https://weblabo.oscasierra.net/openssl-gencert-1/
Editing vsftpd.conf killed vsftpd.
Can't get the certificate applied.
### Something is wrong (何かがおかしい)...
Added the following debug code to router.go:
```go
// Fragment inserted into router.go: packets is the channel of received frames,
// and msg.Interface is compared as a MAC address string against this handler's mac.
msg := <-packets
log.Println("Debug: received", msg.Interface, "->", mac.String())
if msg.Interface == mac.String() {
	log.Println("Debug: match received", mac.String())
}
```
Filtered the received MAC frames to the MAC address of HostB (52:54:b1:bf:58:a5). At the same time, sent pings from HostB to HostA (52:54:b1:bf:58:a5).
```
$ sudo ./routing start eth1 eth2 eth3 eth4 | grep a5
2021/03/06 13:26:54 Debug: received 52:54:d2:f2:3a:72 -> 52:54:d2:f2:3a:72
2021/03/06 13:26:54 Debug: match received 52:54:d2:f2:3a:72
2021/03/06 13:26:54 Debug: received 52:54:b1:bf:58:a5 -> 52:54:4e:0d:58:6c
2021/03/06 13:26:55 Debug: received 52:54:b1:bf:58:a5 -> 52:54:e0:ed:09:5b
2021/03/06 13:26:56 Debug: received 52:54:b1:bf:58:a5 -> 52:54:b1:bf:58:a5
2021/03/06 13:26:56 Debug: match received 52:54:b1:bf:58:a5
2021/03/06 13:26:57 Debug: received 52:54:d2:f2:3a:72 -> 52:54:d2:f2:3a:72
2021/03/06 13:26:57 Debug: match received 52:54:d2:f2:3a:72
2021/03/06 13:26:57 Debug: received 52:54:b1:bf:58:a5 -> 52:54:4e:0d:58:6c
2021/03/06 13:26:58 Debug: received 52:54:b1:bf:58:a5 -> 52:54:e0:ed:09:5b
2021/03/06 13:26:59 Debug: received 52:54:b1:bf:58:a5 -> 52:54:b1:bf:58:a5
2021/03/06 13:26:59 Debug: match received 52:54:b1:bf:58:a5
2021/03/06 13:27:00 Debug: received 52:54:d2:f2:3a:72 -> 52:54:d2:f2:3a:72
2021/03/06 13:27:00 Debug: match received 52:54:d2:f2:3a:72
2021/03/06 13:27:00 Debug: received 52:54:b1:bf:58:a5 -> 52:54:4e:0d:58:6c
```
From this result, we found that MAC frames are being received on an interface other than the one that should receive them.
### I don't understand FTP at all (FTPなんもわからん)
Explanation
Thank you for your continued support. This is Hakomori from Team Internet.
In this problem, the issue was that pasv_addr in /etc/vsftpd.conf was set to the router's inside IP address.
We commented out the pasv_addr line in /etc/vsftpd.conf and restarted it.
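The root cause above (a passive-mode address pointing at the router's inside address) is visible from the client side in the server's 227 reply, which is what `ls` triggers after login. The following is an added client-side check, not the team's or vsftpd's code: it parses 227 (PASV) and 229 (EPSV) replies and flags a data-channel address that differs from the control-connection peer. The replies are constructed samples, and 172.16.0.1 is an assumed stand-in for the router's inside address.

```python
import ipaddress
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply, control_peer):
    """Return (ip, port) the client will dial for the data connection.

    A 227 reply carries an explicit address; a 229 (EPSV) reply only
    carries a port, so the control-connection peer address is reused."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError(f"malformed 227 reply: {reply!r}")
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return control_peer, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def diagnose(reply, control_peer):
    """Compare the advertised data address with the address we already talk to.

    A mismatch is what a wrong vsftpd passive address (or NAT without an FTP
    helper) produces: the listing fails because the client dials an address
    that is not reachable from where it sits."""
    ip, port = parse_pasv(reply, control_peer)
    advertised = ipaddress.ip_address(ip)
    if advertised == ipaddress.ip_address(control_peer):
        return {"ip": ip, "port": port, "ok": True,
                "reason": "data address matches control peer"}
    reason = "data address differs from control peer"
    if advertised.is_private or advertised.is_loopback:
        reason += " (internal address: likely passive-address/NAT misconfiguration)"
    return {"ip": ip, "port": port, "ok": False, "reason": reason}


# Constructed replies as seen by a client whose control connection goes to
# 192.168.3.1 (the server above). 172.16.0.1 is an assumed value standing in
# for the router's inside address.
SAMPLES = [
    "227 Entering Passive Mode (192,168,3,1,195,80).",
    "227 Entering Passive Mode (172,16,0,1,195,81).",
    "229 Entering Extended Passive Mode (|||50001|).",
]


def run(control_peer="192.168.3.1"):
    return [diagnose(reply, control_peer) for reply in SAMPLES]


if __name__ == "__main__":
    for result in run():
        print(result)
```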