When I set hosts.deny to ALL: ALL and hosts.allow is empty, I can still
connect to MySQL from anywhere - the settings in hosts.allow and
hosts.deny are ignored.
Yes, I could solve this with iptables or directly with MySQL grants, but
the wrappers have more features (logging all connections) and quicker configuration.
For example, my sshd works correctly with the TCP wrapper.
Where could the problem be?
Thanks
--
Zdenek Herman
zdenek.herman@ille.cz
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Squeeze, MySQL and hosts.allow and hosts.deny ignored
On Sun, 08 Jul 2012 22:26:11 +0200, Zdenek Herman wrote:
(...)
> When I set hosts.deny ALL: ALL and hosts.allow is empty. I can allow
> connect to MySQL from anywhere - settings in hosts.allow and hosts.deny
> are ignored.
(...)
I wonder if you aren't just missing the daemon to filter (mysqld) :-?
cat /etc/hosts.deny
Greetings,
--
Camaleón
Archive: http://lists.debian.org/jter7u$sc9$12@dough.gmane.org
07-09-2012, 06:11 PM
Zdenek Herman
Squeeze, MySQL and hosts.allow and hosts.deny ignored
My hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
My hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
sshd: 192.168.1.1 : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
I tested with mysqld: ALL in hosts.deny too.
Thanks for the help
Zdenek Herman
zdenek.herman@ille.cz
On 9.7.2012 16:52, Camaleón wrote:
(...)
Archive: http://lists.debian.org/4FFB1EBE.70603@ille.cz
07-10-2012, 04:46 AM
Kushal Kumaran
Squeeze, MySQL and hosts.allow and hosts.deny ignored
On Mon, Jul 9, 2012 at 11:41 PM, Zdenek Herman <zdenek.herman@ille.cz> wrote:
> My hosts.deny
(...)
> I tested with mysqld: ALL in hosts.deny too.
>
What was the mysql client command line which failed? If running on
the same host as the server, the mysql client will use the unix-domain
socket in /var/run/mysqld/mysqld.sock for connecting to the server.
To force it to use an AF_INET socket, pass -h 127.0.0.1 to the mysql
client (-h localhost is not sufficient).
I just tested this on my debian squeeze mysql setup. With -h
127.0.0.1 and "mysqld: ALL" in hosts.deny, connections are rejected.
If you do not want to use mysql access control, you should disable the
socket in the mysql server config, if that's possible.
--
regards,
kushal
Archive: http://lists.debian.org/CAH8GtdM3dzQtQZg_xoR3xVFHr_4mwKfpGaL1sa60aEbbLt-53Q@mail.gmail.com
07-10-2012, 03:05 PM
Zdenek Herman
Squeeze, MySQL and hosts.allow and hosts.deny ignored
I tried from the same host and from another host too (with the -h parameter).
In the log I don't see anything about connecting.
Is the TCP wrapper check done first and then the check by MySQL grants, or the reverse?
_________________________________________________________
# mysql -h localhost -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 288
Server version: 5.1.63-0+squeeze1 (Debian)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input
statement.
On Mon, Jul 9, 2012 at 11:41 PM, Zdenek Herman <zdenek.herman@ille.cz> wrote:
(...)
Squeeze, MySQL and hosts.allow and hosts.deny ignored
On Mon, 09 Jul 2012 20:11:10 +0200, Zdenek Herman wrote:
(please, reply at the bottom)
> On 9.7.2012 16:52, Camaleón wrote:
>> On Sun, 08 Jul 2012 22:26:11 +0200, Zdenek Herman wrote:
>>
>> (...)
>>
>>> When I set hosts.deny ALL: ALL and hosts.allow is empty. I can allow
>>> connect to MySQL from anywhere - settings in hosts.allow and
>>> hosts.deny are ignored.
>> (...)
>>
>> I wonder if you aren't just missing the daemon to filter (mysqld) :-?
>>
>> cat /etc/hosts.deny
> My hosts.deny
(...)
> ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
And also read the manual ("man hosts_options"), maybe we are omitting
something obvious...
Greetings,
--
Camaleón
Archive: http://lists.debian.org/jthi02$cnl$6@dough.gmane.org
07-10-2012, 04:09 PM
Zdenek Herman
Squeeze, MySQL and hosts.allow and hosts.deny ignored
(...)
I found part of the problem. If I use localhost I can connect; if 127.0.0.1,
all is OK.
If I connect from a remote host, the client is first checked by the MySQL grants
and afterwards by the TCP wrappers.
My conclusion is that MySQL doesn't support TCP wrappers correctly
(first the check by the wrapper, then authentication by the service).
-----------------------------------------
root@mon:~# mysql -h localhost -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 699
Server version: 5.1.63-0+squeeze1 (Debian)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input
statement.
mysql> quit
Bye
---------------------------------------------------------
root@mon:~# mysql -h 127.0.0.1 -p
Enter password:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial
communication packet', system error: 0
Archive: http://lists.debian.org/4FFC53C6.5070400@ille.cz
07-10-2012, 04:29 PM
Camaleón
Squeeze, MySQL and hosts.allow and hosts.deny ignored
On Tue, 10 Jul 2012 18:09:42 +0200, Zdenek Herman wrote:
> On Mon, 09 Jul 2012 20:11:10 +0200, Zdenek Herman wrote: (please, reply
> at the bottom)
>>> On 9.7.2012 16:52, Camaleón wrote:
(...)
>> I don't know why it does not work for you. Take a look at this article
>> that shows a few samples of using mysql with tcp wrappers:
>>
>> http://www.unixmen.com/securing-services-with-tcp-wrappers/
>>
>> And also read the manual ("man hosts_options"), maybe we are omitting
>> something obvious...
>>
>> Greetings,
>>
>>
> I found part of problem. If I use localhost can connect, if 127.0.0.1
> all is ok.
> If I connect from remote first is checked client in mysql grant and
> after in tcp wrappers.
> Conslusion for me is that mysql doesn't support tcp wrappers correctly
> (first check by wrapper then authentization by service).
(...)
> root@mon:~# mysql -h localhost -p
(...)
Ah, how curious... It seems to be documented here:
4.2.2. Connecting to the MySQL Server
http://dev.mysql.com/doc/refman/5.6/en/connecting.html
"(...) On Unix, MySQL programs treat the host name localhost specially,
in a way that is likely different from what you expect compared to other
network-based programs. For connections to localhost, MySQL programs
attempt to connect to the local server by using a Unix socket file. This
occurs even if a --port or -P option is given to specify a port number.
To ensure that the client makes a TCP/IP connection to the local server,
use --host or -h to specify a host name value of 127.0.0.1, or the IP
address or name of the local server. You can also specify the connection
protocol explicitly, even for localhost, by using the --protocol=TCP
option. For example:
shell> mysql --host=127.0.0.1
shell> mysql --protocol=TCP
(...)"
Greetings,
--
Camaleón
Archive: http://lists.debian.org/jthl8c$cnl$9@dough.gmane.org
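Added example (not code from the thread, Debian or MySQL): a small Python model of the two mechanisms the replies above establish, namely libwrap's hosts.allow-then-hosts.deny, first-match evaluation for a daemon such as mysqld or sshd, and the mysql client's use of a Unix socket for -h localhost versus TCP for -h 127.0.0.1 or --protocol=TCP. The rule texts are constructed from the rules Zdenek posted; only the ALL wildcard and exact client addresses are matched, and the %h/%u fallbacks are this model's assumption.

```python
"""Added example, not code from the thread.  It models libwrap's hosts.allow-then-
hosts.deny, first-match evaluation (no match means allow) and the mysql client's
choice of a Unix socket for -h localhost, a path libwrap never sees.  Rule texts
are constructed from the thread's posts; only ALL and exact addresses match."""

# %% is a literal % in hosts_options(5), hence %%d inside date's format string.
SPAWN = ("spawn ( echo $(date '+%%d.%%m.%%y %%T') access {} from %u@%h [%a]"
         " >> /var/log/tcp_wrapper/%d.log ) &")
HOSTS_ALLOW = ("sshd: 192.168.1.1 : " + SPAWN.format("ALLOWED") + "\n"
               "mysqld: 127.0.0.1 : " + SPAWN.format("ALLOWED") + "\n")
HOSTS_DENY = "# /etc/hosts.deny\nALL: ALL : " + SPAWN.format("DENIED") + "\n"

def parse_rules(text):
    """hosts_access(5) lines: daemon_list : client_list [: option]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            parts = [p.strip() for p in line.split(":", 2)] + [""]
            rules.append((parts[0].replace(",", " ").split(),
                          parts[1].replace(",", " ").split(), parts[2]))
    return rules

def expand(option, daemon, addr):
    """hosts_options(5) %-expansion.  %h and %u fall back to the address and
    'unknown' (assumed here: no hostname or ident lookup is modelled)."""
    subst = {"%%": "%", "%a": addr, "%d": daemon, "%h": addr, "%u": "unknown"}
    out, i = [], 0
    while i < len(option):
        tok = option[i:i + 2]
        out.append(subst.get(tok, option[i]))
        i += 2 if tok in subst else 1
    return "".join(out)

def hosts_access(daemon, addr, allow_text, deny_text):
    """Return (verdict, expanded option) the way libwrap decides it."""
    for verdict, text in (("ALLOW", allow_text), ("DENY", deny_text)):
        for daemons, clients, option in parse_rules(text):
            if {"ALL", daemon} & set(daemons) and {"ALL", addr} & set(clients):
                return verdict, expand(option, daemon, addr)
    return "ALLOW", ""  # no rule in either file matched: access is granted

def mysql_transport(argv):
    """'socket' or 'tcp' for a mysql client argv, per the manual text quoted above."""
    host, proto = "localhost", ""
    for i, a in enumerate(argv[1:], 1):
        if a in ("-h", "--host") and i + 1 < len(argv):
            host = argv[i + 1]
        elif a.startswith("--host=") or (a.startswith("-h") and len(a) > 2):
            host = a.split("=", 1)[1] if a.startswith("--") else a[2:]
        elif a.startswith("--protocol="):
            proto = a.split("=", 1)[1].upper()
    return "tcp" if proto == "TCP" or (proto != "SOCKET" and host != "localhost") else "socket"

def connection_check(argv, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """(transport, verdict, spawn cmd) for one mysql call; socket connections skip libwrap."""
    if mysql_transport(argv) == "socket":
        return "socket", "UNCHECKED", ""
    verdict, action = hosts_access("mysqld", addr, allow_text, deny_text)
    return "tcp", verdict, action
```

connection_check(["mysql", "-h", "localhost", "-p"], "127.0.0.1") returns ("socket", "UNCHECKED", ""), matching the -h localhost session posted above that logged nothing, while the same call with -h 127.0.0.1 is evaluated against the mysqld rules and its spawn command is expanded.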
07-10-2012, 05:41 PM
Dom
Squeeze, MySQL and hosts.allow and hosts.deny ignored
On 10/07/12 17:29, Camaleón wrote:
(...)
Camaleón is correct.
When you are logged into mysql, you can enter the "status" command and
it will show how you are connected.
Connect via "-h localhost":
mysql> status;
--------------
mysql Ver 14.14 Distrib 5.5.24, for debian-linux-gnu (i686) using readline 6.2
It might be possible to disable the socket connection in the MySQL
config, but I haven't looked into that.
OK, many thanks guys for the reply.
This explains the first part of the problem; my fault, sorry.
I tried setting this in my hosts.allow:
mysqld: 127.0.0.1 : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
This allows connecting from localhost; that's OK. But why, when connecting from a
remote machine or 127.0.0.1, is there nothing in the log?
With sshd the same command works great.
Thanks Zdenek
Archive: http://lists.debian.org/4FFC71DF.2010900@ille.cz