Understanding mysql max_connect_errors

Source: http://mysqlblog.fivefarmers.com/2013/08/08/understanding-max_connect_errors/

Perhaps like many users, I had certain assumptions about what max_connect_errors really does – but in looking closely as part of investigating the new PERFORMANCE_SCHEMA.HOST_CACHE table in MySQL 5.6, I learned that some very fundamental elements had escaped my notice.  I’m writing this blog post to help others who hold similar misconceptions of what this option does.

Many, if not most, MySQL DBAs are familiar with “host blocked” errors:

C:\mysql-5.5.27-winx64>bin\mysql -utest_mce -P3307 -h192.168.2.8
ERROR 1129 (HY000): Host 'Crowder' is blocked because of many connection errors;
 unblock with 'mysqladmin flush-hosts'

The solution to this problem is readily apparent from the error message – some DBAs might not even bother to glance at the documentation regarding this.  Even those who do might miss the nuanced explanation of the root cause:

The value of the max_connect_errors system variable determines how many successive interrupted connection requests are permitted.

The use of “interrupted” is surely intentional here, and it’s key to understanding the first point I’ll make:

1. It provides no meaningful protection against brute force access attacks

Truly.  You can set max_connect_errors to any value you please, and it will have exactly zero impact on somebody trying to brute force their way into your system by guessing user names and passwords.  It will lock out a host if somebody does a dumb port scan 100 times successively without trying to log in, but who scans a port 100 times?  The useful information from a port scan is divulged in the initial scan:

  1. MySQL is running on the specified port.
  2. The version of MySQL is included in the handshake.
  3. There are (or aren’t) accounts configured to allow access from the client machine, based on error code.
  4. The default authentication mechanism preferred by the server.

What’s the use of scanning it an additional 99 times when you already have all the information you are going to get?

2. Authentication failures reset the counter

Strange, but true.  Not only do authentication failures not increment the host counter, they actually reset it to zero – as does every other error other than a handshake interruption.  The only thing that matters is whether the handshake was interrupted or not.  If it wasn’t interrupted, it counts as “success” and resets the host counter – regardless of whether the end result was a successful connection or not.  So, if you want to run a dumb port scanner more than 100 times, just make sure you intersperse an actual connection attempt every 99 cycles or so to reset the counter.  Here’s my testing of MySQL 5.5 behavior:

mysql> select @@global.max_connect_errors;
+-----------------------------+
| @@global.max_connect_errors |
+-----------------------------+
|                           1 |
+-----------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye

D:\mysql-5.5.28-win32>bin\mysql -uhct -P3308 -h10.159.156.50 -ptest
ERROR 1129 (HY000): Host 'TFARMER-MYSQL.wh.oracle.com' is blocked
because of many connection errors; unblock with
'mysqladmin flush-hosts'

D:\mysql-5.5.28-win32>bin\mysqladmin -uroot -P3308 flush-hosts

D:\mysql-5.5.28-win32>start telnet 10.159.156.50 3308

D:\mysql-5.5.28-win32>bin\mysql -uhct -P3308 -h10.159.156.50 -ptest-bad
ERROR 1045 (28000): Access denied for user
'hct'@'TFARMER-MYSQL.wh.oracle.com' (using password: YES)

D:\mysql-5.5.28-win32>start telnet 10.159.156.50 3308

D:\mysql-5.5.28-win32>bin\mysql -uhct -P3308 -h10.159.156.50 -ptest
Welcome to the MySQL monitor.  Commands end with ; or \g.
...
mysql> exit
Bye

D:\mysql-5.5.28-win32>bin\mysqladmin -uroot -P3308 flush-hosts

D:\mysql-5.5.28-win32>start telnet 10.159.156.50 3308

D:\mysql-5.5.28-win32>start telnet 10.159.156.50 3308

D:\mysql-5.5.28-win32>bin\mysql -uhct -P3308 -h10.159.156.50 -ptest
ERROR 1129 (HY000): Host 'TFARMER-MYSQL.wh.oracle.com' is blocked
because of many connection errors; unblock with 'mysqladmin flush-hosts'

3. All bets are off if you use --skip-name-resolve

Because this is all managed in the host cache, if you turn off reverse DNS lookups using --skip-name-resolve – and many people do, to avoid the potential DNS overhead when creating new connections – max_connect_errors has zero effect.

4. Localhost and IP loopbacks are excluded

For the same reason as #3, you’ll never see host blocked errors when connecting to localhost or via IP loopback interface.  These don’t go through the DNS reverse lookup and thus the host cache, and are therefore not tracked at all.  Whether that’s good (nobody can lock up local access) or not, I’ll let you decide.

5. The host cache is a fixed size

Marc Alff pointed out to me that the fixed size of the host cache – along with the LRU purge algorithm used – makes it quite possible that blocked hosts can fall out of the cache and cease to be blocked.  That has pretty obvious implications for how it can be bypassed by any third party needing to do so.
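As an added illustration (not code from the original post or from MySQL itself), the following Python model encodes the 5.5 host-cache rules described in points 1 through 5: only interrupted handshakes are counted, any completed handshake (even a failed login) resets the counter, loopback and --skip-name-resolve bypass the cache entirely, and the cache is a fixed-size LRU whose evictions silently unblock a host. The host names, the cache size and the `>` comparison are assumptions chosen to reproduce the 5.5 session shown above, where two interrupted handshakes with max_connect_errors=1 trigger ERROR 1129.

```python
from collections import OrderedDict

LOOPBACK = {"localhost", "127.0.0.1", "::1"}          # never tracked (point 4)
REPLY = {"ok": "ok", "auth_failed": "ERROR 1045", "interrupted": "dropped"}


class HostCache:
    """Toy model (an assumption, not MySQL source) of the host-cache rules in this post."""

    def __init__(self, max_connect_errors=100, cache_size=128, skip_name_resolve=False):
        self.max_connect_errors = max_connect_errors
        self.cache_size = cache_size                    # fixed size, LRU purge (point 5)
        self.skip_name_resolve = skip_name_resolve      # --skip-name-resolve: no cache (point 3)
        self.errors = OrderedDict()                     # host -> successive interrupted handshakes

    def _touch(self, host):
        """Look the host up, evicting the least recently used entry when the cache is full."""
        if host in self.errors:
            self.errors.move_to_end(host)
            return
        if len(self.errors) >= self.cache_size:
            self.errors.popitem(last=False)             # a blocked host can silently drop out
        self.errors[host] = 0

    def connect(self, host, outcome):
        """outcome is 'interrupted' (socket closed mid-handshake, e.g. a port scanner),
        'auth_failed' (completed handshake, wrong password) or 'ok'.
        Returns the server's reply as a short string."""
        if self.skip_name_resolve or host in LOOPBACK:
            return REPLY[outcome]                       # not counted, never blocked
        self._touch(host)
        # Assumed 5.5 rule: block once the count exceeds the limit, which matches the
        # session above (two interruptions with max_connect_errors=1 give ERROR 1129).
        if self.errors[host] > self.max_connect_errors:
            return "ERROR 1129 host blocked"
        if outcome == "interrupted":
            self.errors[host] += 1
            return REPLY[outcome]
        self.errors[host] = 0                           # any completed handshake resets it (point 2)
        return REPLY[outcome]

    def flush_hosts(self):
        """mysqladmin flush-hosts: clear every counter."""
        self.errors.clear()


def brute_force_is_never_blocked(attempts=1000):
    """Point 1: any number of failed logins from one host never triggers ERROR 1129."""
    cache = HostCache(max_connect_errors=1)
    return all(cache.connect("scanner.example", "auth_failed") == "ERROR 1045"
               for _ in range(attempts))
```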

Conclusion

If you are looking for a mechanism to limit exposure to brute-force attempts to access MySQL, max_connect_errors won’t help you.  If you’re worried about a SYN flood attack, max_connect_errors might help you in very specific situations.  PERFORMANCE_SCHEMA improvements in MySQL 5.6 expose meaningful information about potential brute-force attacks, but again – only in situations where the host cache is involved.  Beyond that, the contents of MySQL Enterprise Audit log or general query log can be mined to identify such attacks.  I filed several feature requests to give even more visibility through PERFORMANCE_SCHEMA and to provide a mechanism to restrict access from hosts based on number of failed authorization attempts.

Time: 2024-10-08 10:09:55
