MySQL reads /etc/hosts.allow and /etc/hosts.deny

Error reports from one of my services showed problems connecting to the MySQL server. The problem is not consistent; it has only happened a few times, on different servers.

I started debugging with strace and noticed that MySQL reads both /etc/hosts.allow and /etc/hosts.deny every time it tries to open a new connection:

read(127, "# /etc/hosts.allow: list of hosts that are allowed to access the system.\n#                   See the manual pages hosts_access(5) and hosts_options(5).\n#\n# Example:    ALL: LOCAL @some_netgroup\n#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu\n#\n# If you're going to protect the portmapper use the name \"portmap\" for the\n# daemon name. Remember that you can only use the keyword \"ALL\" and IP\n# addresses (NOT host or domain names) for the portmapper, as well as for\n# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)\n# for further information.\n#\n\n", 4096) = 580
read(127, "", 4096)                     = 0
close(127)                              = 0
munmap(0x7f94533f9000, 4096)            = 0
open("/etc/hosts.deny", O_RDONLY)       = 127
fstat(127, {st_mode=S_IFREG|0644, st_size=880, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f94533f9000
read(127, "# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.\n#                  See the manual pages hosts_access(5) and hosts_options(5).\n#\n# Example:    ALL: some.host.name, .some.domain\n#             ALL EXCEPT in.fingerd: other.host.name, .other.domain\n#\n# If you're going to protect the portmapper use the name \"portmap\" for the\n# daemon name. Remember that you can only use the keyword \"ALL\" and IP\n# addresses (NOT host or domain names) for the portmapper, as well as for\n# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)\n# for further information.\n#\n# The PARANOID wildcard matches any host whose name does not match its\n# address.\n#\n# You may wish to enable this to ensure any programs that don't\n# validate looked up hostnames still leave understandable logs. In past\n# versions of Debian this has been the default.\n# ALL: PARANOID\n\n", 4096) = 880
read(127, "", 4096)                     = 0
close(127)                              = 0
[...]
getpeername(127, {sa_family=AF_INET, sin_port=htons(33362), sin_addr=inet_addr("10.2.3.19")}, [16]) = 0
getsockname(127, {sa_family=AF_INET, sin_port=htons(3306), sin_addr=inet_addr("10.2.2.9")}, [16]) = 0

I guess this is expected behaviour, but I'm wondering whether there is any way to bypass reading these files? I think just adding the IP address to /etc/hosts.allow would do (since the IP will be matched from that file and the deny file won't be read)...

Answer 1

The MySQL server itself doesn't read these files; it's the TCP wrappers library that is responsible. You could compile MySQL without support for the library, but I don't think it's necessary to weaken it, because you're right: a match in the allow file is not checked against the deny file, so if you want to whitelist it, just do that.

But if your connection problems are random, I'd probably look for other causes.

Answer 2

I guess the servers have something like fail2ban or denyhosts running on them; they have features for tracking failed login attempts, with a configurable bantime and a reset on success. Even if they are not necessarily configured to track MySQL login failures, they may track other login failures, such as SSH, and if they are configured to use /etc/hosts.deny, MySQL would pick that up.

I'd suggest you first figure out why these clients end up in that file, and then make an informed decision based on what you find.

If either of those two tools is populating /etc/hosts.deny for you, you can configure them to ignore certain IP ranges; perhaps you want to allow rfc1918? However, without understanding what causes these clients to appear in that file in the first place, I wouldn't take that action.
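Both answers rest on the lookup order of hosts_access(5): libwrap searches /etc/hosts.allow first, a match there grants access without /etc/hosts.deny ever being consulted, then a match in hosts.deny refuses, and otherwise access is granted. The script below is an added example, not code from the original post, from MySQL or from libwrap; it emulates that decision over constructed file contents and shows both points: a whitelist line in hosts.allow wins over an `ALL:` ban for the same client (answer 1), and an entry written for a different service (`sshd:`) by a denyhosts/fail2ban-style tool does not affect mysqld, whereas an `ALL:` entry does (answer 2). The daemon name `mysqld` is assumed to be what MySQL reports to libwrap; the 10.2.3.19 client is the peer from the strace above, and the file contents are invented for the example. Hostname resolution, the PARANOID wildcard and hosts_options(5) fields such as ALLOW/DENY/spawn are not modelled.

```python
"""Emulation of the libwrap (TCP wrappers) hosts_access(5) lookup order.

Added example, not code from the original post or from MySQL/libwrap.
Order: hosts.allow match -> grant (hosts.deny never read); hosts.deny match
-> refuse; no match -> grant. Client patterns handled: ALL, LOCAL, exact IP
or host name, "a.b.c." prefix, net/mask or CIDR, ".domain" suffix, EXCEPT.
Assumed: MySQL registers with libwrap as "mysqld". Sample files are constructed.
"""
import ipaddress


def parse_rules(text):
    """Return (daemon_list, client_list) pairs. Blank lines and lines starting
    with '#' are skipped; backslash-newline continues a rule; a third field
    (hosts_options command) is ignored."""
    rules, buf = [], ""
    for raw in text.splitlines():
        buf += raw
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        line, buf = buf.strip(), ""
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            rules.append((fields[0].strip(), fields[1].strip()))
    return rules


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def match_client(pattern, ip, host):
    p, host = pattern.lower(), host.lower()
    if p == "all":
        return True
    if p == "local":                      # any host name without a dot
        return "." not in host
    if p.startswith("."):                 # domain suffix
        return host.endswith(p)
    if p.endswith("."):                   # network prefix such as "10.2.3."
        return ip.startswith(p)
    if "/" in p:                          # net/mask or CIDR
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False)
        except ValueError:
            return False
    return p == ip or p == host


def match_list(spec, matcher):
    """'list_1 EXCEPT list_2' matches list_1 unless list_2 matches too;
    EXCEPT nests to the right, so split on the first occurrence only."""
    head, sep, tail = spec.partition(" EXCEPT ")
    hit = any(matcher(tok) for tok in head.replace(",", " ").split())
    if hit and sep:
        return not match_list(tail, matcher)
    return hit


def file_matches(rules, daemon, ip, host):
    return any(match_list(d, lambda p: match_daemon(p, daemon))
               and match_list(c, lambda p: match_client(p, ip, host))
               for d, c in rules)


def hosts_access(allow_text, deny_text, daemon, ip, host):
    """Return (granted, reason) following the hosts_access(5) order."""
    if file_matches(parse_rules(allow_text), daemon, ip, host):
        return True, "matched hosts.allow; hosts.deny not consulted"
    if file_matches(parse_rules(deny_text), daemon, ip, host):
        return False, "matched hosts.deny"
    return True, "no match in either file"


# Constructed sample files. The deny entries mimic what a denyhosts/fail2ban
# style tool might append after repeated SSH failures from two app servers.
HOSTS_ALLOW = """\
# whitelist the application server for MySQL only
mysqld: 10.2.3.19
sshd: 192.168.0.0/255.255.0.0
"""
HOSTS_DENY = """\
# banned with "ALL" as the service: every wrapped daemon, mysqld included
ALL: 10.2.3.19
# banned with "sshd" as the service: mysqld never sees this one
sshd: 10.2.3.20
ALL: .example.net EXCEPT trusted.example.net
"""


def demo():
    """Decisions for a few clients, keyed by (daemon, ip, host)."""
    cases = [
        ("mysqld", "10.2.3.19", "app1"),             # whitelisted despite ALL ban
        ("mysqld", "10.2.3.20", "app2"),             # deny line is sshd-only
        ("sshd", "10.2.3.20", "app2"),               # refused
        ("mysqld", "10.2.3.21", "bad.example.net"),  # refused by domain rule
        ("mysqld", "10.2.3.22", "trusted.example.net"),
    ]
    return {c: hosts_access(HOSTS_ALLOW, HOSTS_DENY, *c) for c in cases}


if __name__ == "__main__":
    for (daemon, ip, host), (ok, why) in demo().items():
        print(f"{daemon:7} {ip:10} {host:20} {'ALLOW' if ok else 'DENY':5} {why}")
    # the same client once the hosts.allow whitelist line is removed:
    print(hosts_access("", HOSTS_DENY, "mysqld", "10.2.3.19", "app1"))
```

On a real host the equivalent check is `tcpdmatch mysqld 10.2.3.19`, which reads the live files and prints which rule matched; the emulation is only there to make the precedence visible without touching /etc.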
