
Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored



On Mon, Jul 9, 2012 at 11:41 PM, Zdenek Herman <zdenek.herman@ille.cz> wrote:
> My hosts.deny
> # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
> #                  See the manual pages hosts_access(5) and hosts_options(5).
> #
> # Example:    ALL: some.host.name, .some.domain
> #             ALL EXCEPT in.fingerd: other.host.name, .other.domain
> #
> # If you're going to protect the portmapper use the name "portmap" for the
> # daemon name. Remember that you can only use the keyword "ALL" and IP
> # addresses (NOT host or domain names) for the portmapper, as well as for
> # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
> # for further information.
> #
> # The PARANOID wildcard matches any host whose name does not match its
> # address.
> #
> # You may wish to enable this to ensure any programs that don't
> # validate looked up hostnames still leave understandable logs. In past
> # versions of Debian this has been the default.
> # ALL: PARANOID
> ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
>
> My hosts.allow
> # /etc/hosts.allow: list of hosts that are allowed to access the system.
> #                   See the manual pages hosts_access(5) and hosts_options(5).
> #
> # Example:    ALL: LOCAL @some_netgroup
> #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> #
> # If you're going to protect the portmapper use the name "portmap" for the
> # daemon name. Remember that you can only use the keyword "ALL" and IP
> # addresses (NOT host or domain names) for the portmapper, as well as for
> # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
> # for further information.
> #
> sshd: 192.168.1.1 \
>     : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
>
>
>
> I tested with mysqld: ALL in hosts.deny too.
>

What was the mysql client command line which failed?  If running on
the same host as the server, the mysql client will use the unix-domain
socket in /var/run/mysqld/mysqld.sock for connecting to the server.
To force it to use an AF_INET socket, pass -h 127.0.0.1 to the mysql
client (-h localhost is not sufficient).

I just tested this on my debian squeeze mysql setup.  With -h
127.0.0.1 and "mysqld: ALL" in hosts.deny, connections are rejected.
If you do not want to use mysql access control, you should disable the
socket in the mysql server config, if that's possible.

-- 
regards,
kushal
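
As an added illustration (not code from this thread, from tcp_wrappers or from MySQL), the Python below models the hosts_access(5) decision kushal's reply relies on, fed with the two rule files Zdenek posted (comments dropped, the backslash continuation kept) as constructed sample input. It implements the documented evaluation order (first hosts.allow match grants, first hosts.deny match refuses, no match grants), the ALL, LOCAL, leading-dot, trailing-dot and net/mask client patterns, the EXCEPT operator, and the %-expansions the spawn options use (so the posted %%d becomes %d for date, and %d becomes the daemon name). It leaves out user@host and daemon@host forms, KNOWN/UNKNOWN/PARANOID and the allow/deny keyword options, and does no DNS: the caller supplies the peer address, its hostname (or None) and the user name. The mysqld_decision wrapper is my modelling of the point in the reply: mysqld invokes libwrap only on its TCP accept path, so a connection over the unix socket, which is what the client uses with no -h or with -h localhost, is never matched against either file, while -h 127.0.0.1 is.

```python
"""Model of the tcp_wrappers hosts_access(5) decision, as mysqld applies it (added example)."""
import ipaddress
import re

# Constructed sample input: the two rule files posted in this thread, comments dropped.
HOSTS_ALLOW = r"""
sshd: 192.168.1.1 \
    : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
"""
HOSTS_DENY = r"""
ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
"""


def parse_rules(text):
    """Return (daemon_list, client_list, options) per rule.

    Backslash-newline joins lines and '#' starts a comment, as in hosts_access(5).
    Fields are colon separated; a ':' inside an option would need escaping (not handled here).
    """
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError("malformed rule: %r" % line)
        rules.append((parts[0].split(), parts[1].split(), [p.strip() for p in parts[2:]]))
    return rules


def host_matches(pattern, addr, name):
    """One client pattern against the peer address and its (possibly unresolved) hostname."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # any hostname without a dot
        return name is not None and "." not in name
    if pattern.startswith("."):                 # domain suffix, e.g. .some.domain
        return name is not None and name.lower().endswith(pattern.lower())
    if pattern.endswith("."):                   # network prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                          # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr or (name is not None and pattern.lower() == name.lower())


def list_matches(items, matcher):
    """'a b EXCEPT c' matches when a or b matches and c does not; EXCEPT nests to the right."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return list_matches(items[:i], matcher) and not list_matches(items[i + 1:], matcher)
    return any(matcher(item) for item in items)


def expand(option, daemon, addr, name, user="unknown"):
    """hosts_access(5) %-expansions: %a address, %d daemon, %h name (or address), %n name, %u user, %% '%'."""
    subst = {"a": addr, "d": daemon, "h": name or addr, "n": name or "unknown", "u": user, "%": "%"}
    return re.sub(r"%([adhnu%])", lambda m: subst[m.group(1)], option)


def hosts_access(daemon, addr, name, allow_rules, deny_rules):
    """First hosts.allow match grants, first hosts.deny match refuses, no match at all grants."""
    for verdict, rules in (("allow", allow_rules), ("deny", deny_rules)):
        for daemons, clients, options in rules:
            if (list_matches(daemons, lambda d: d in ("ALL", daemon))
                    and list_matches(clients, lambda c: host_matches(c, addr, name))):
                return verdict, [expand(o, daemon, addr, name) for o in options]
    return "allow", []


def mysqld_decision(transport, addr, name, allow_rules, deny_rules):
    """Modelled behaviour: mysqld calls hosts_access() from its TCP accept path only, so a
    connection over the unix socket (the client's default for no -h or -h localhost) never
    meets either file; only -h 127.0.0.1 (AF_INET) is subject to hosts.allow/hosts.deny."""
    if transport == "unix":
        return "allow", []                      # the wrappers are not consulted at all
    return hosts_access("mysqld", addr, name, allow_rules, deny_rules)


if __name__ == "__main__":
    allow, deny = parse_rules(HOSTS_ALLOW), parse_rules(HOSTS_DENY)
    for transport, addr, name in (("unix", None, None), ("tcp", "127.0.0.1", "localhost")):
        print(transport, mysqld_decision(transport, addr, name, allow, deny))
    print("sshd", hosts_access("sshd", "192.168.1.2", None, allow, deny))
```

Run stand-alone it prints an allow for the unix-socket case, a deny for the TCP case together with the expanded spawn command that would write to /var/log/tcp_wrapper/mysqld.log, and a deny for sshd from any address other than 192.168.1.1. On a real Debian host the same what-if check is what tcpdmatch(1) from the tcpd package answers against the live files.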

