Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored

[Zdenek Herman <zdenek.herman@ille.cz>]

I tried from same and from another host too (with -h parameters)
In log I don't see any in log about connecting.
Is the tcp wrapper check first and than check by mysql grants or reverse?

_________________________________________________________
# mysql -h localhost -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 288
Server version: 5.1.63-0+squeeze1 (Debian)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input 
statement.

mysql>
____________________________________________________________

and in hosts.deny is ALL:ALL

Zdenek Herman
zdenek.herman@ille.cz

Dne 10.7.2012 06:46, Kushal Kumaran napsal(a):
> On Mon, Jul 9, 2012 at 11:41 PM, Zdenek Herman <zdenek.herman@ille.cz> wrote:
> > My hosts.deny
> > # /etc/hosts.deny: list of hosts that are _not_ allowed to access the
> > system.
> > #                  See the manual pages hosts_access(5) and
> > hosts_options(5).
> > #
> > # Example:    ALL: some.host.name, .some.domain
> > #             ALL EXCEPT in.fingerd: other.host.name, .other.domain
> > #
> > # If you're going to protect the portmapper use the name "portmap" for the
> > # daemon name. Remember that you can only use the keyword "ALL" and IP
> > # addresses (NOT host or domain names) for the portmapper, as well as for
> > # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
> > # for further information.
> > #
> > # The PARANOID wildcard matches any host whose name does not match its
> > # address.
> > #
> > # You may wish to enable this to ensure any programs that don't
> > # validate looked up hostnames still leave understandable logs. In past
> > # versions of Debian this has been the default.
> > # ALL: PARANOID
> > ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h
> > [%a] >> /var/log/tcp_wrapper/%d.log ) &
> >
> > My hosts.allow
> > # /etc/hosts.allow: list of hosts that are allowed to access the system.
> > #                   See the manual pages hosts_access(5) and
> > hosts_options(5).
> > #
> > # Example:    ALL: LOCAL @some_netgroup
> > #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> > #
> > # If you're going to protect the portmapper use the name "portmap" for the
> > # daemon name. Remember that you can only use the keyword "ALL" and IP
> > # addresses (NOT host or domain names) for the portmapper, as well as for
> > # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
> > # for further information.
> > #
> > sshd: 192.168.1.1 \
> >      : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a]
> > > > /var/log/tcp_wrapper/%d.log ) &
> >
> >
> > I tested with mysqld: ALL in hosts.deny too.
> What was the mysql client command line which failed?  If running on
> the same host as the server, the mysql client will use the unix-domain
> socket in /var/run/mysqld/mysqld.sock for connecting to the server.
> To force it to use an AF_INET socket, pass -h 127.0.0.1 to the mysql
> client (-h localhost is not sufficient).
>
> I just tested this on my debian squeeze mysql setup.  With -h
> 127.0.0.1 and "mysqld: ALL" in hosts.deny, connections are rejected.
> If you do not want to use mysql access control, you should disable the
> socket in the mysql server config, if that's possible.