
Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored



On Mon, 09 Jul 2012 20:11:10 +0200, Zdenek Herman wrote: (please, reply at the bottom)
Dne 9.7.2012 16:52, Camaleón napsal(a):
On Sun, 08 Jul 2012 22:26:11 +0200, Zdenek Herman wrote:

(...)

When I set hosts.deny to ALL: ALL and leave hosts.allow empty, I can
connect to MySQL from anywhere: the settings in hosts.allow and
hosts.deny are ignored.
(...)

I wonder if you aren't just missing the daemon to filter (mysqld) :-?

cat /etc/hosts.deny
My hosts.deny
(...)

ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
(...)

My hosts.allow
(...)

sshd: 192.168.1.1 \
      : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
And you said this was working for the sshd service, right?

I tested with mysqld: ALL in hosts.deny too.
Well, that should prevent connections coming from the same host (localhost)
unless you explicitly allow it from hosts.allow, which has preference.

I don't know why it does not work for you. Take a look at this article that
shows a few samples for using mysql with tcp wrappers:

http://www.unixmen.com/securing-services-with-tcp-wrappers/

And also read the manual ("man hosts_options"), maybe we are omitting
something obvious...

Greetings,


I found part of the problem. If I use localhost I can connect; if I use 127.0.0.1 all is ok. If I connect from remote, the client is first checked in the mysql grants and only afterwards in tcp wrappers. Conclusion for me is that mysql doesn't support tcp wrappers correctly (first check by wrapper, then authentication by service).

-----------------------------------------
root@mon:~# mysql -h localhost -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 699
Server version: 5.1.63-0+squeeze1 (Debian)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> quit
Bye
---------------------------------------------------------
root@mon:~# mysql -h 127.0.0.1 -p
Enter password:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0
root@mon:~#
---------------------------------------------

Thanks for help

Zdenek
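As an added example (not from this thread), the following evaluates hosts.allow and hosts.deny entries the way libwrap does: the first matching entry in hosts.allow grants access, otherwise the first matching entry in hosts.deny refuses it, and anything unmatched is permitted. The rule text is a constructed copy of the entries quoted above; the point it makes about the session above is that "mysql -h localhost" uses the Unix socket, which libwrap never sees, whereas 127.0.0.1 is a TCP connection that the "mysqld: ALL" and "ALL: ALL" deny entries refuse.

```python
"""Evaluate tcp_wrappers hosts.allow / hosts.deny rules (added example)."""
import re

# Constructed copies of the entries from the thread. Options after the second
# colon (the spawn logger) never influence the allow/deny decision itself.
HOSTS_ALLOW = r"""
sshd: 192.168.1.1 \
      : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
"""
HOSTS_DENY = r"""
ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
mysqld: ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list) tuples; backslash continuations are joined."""
    joined = re.sub(r"\\\n\s*", " ", text)          # join "\<newline>" continuations
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":", 2)                # daemon_list : client_list [: options]
        if len(fields) < 2:
            continue
        rules.append((fields[0].split(), fields[1].replace(",", " ").split()))
    return rules


def client_matches(pattern, addr):
    """ALL, a dotted prefix such as '192.168.1.' or an exact IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern == addr


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (("ALL" in daemons or daemon in daemons)
            and any(client_matches(p, addr) for p in clients))


def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: hosts.allow first, then hosts.deny, default is allow.
    Only TCP connections reach this check; the Unix socket is never wrapped."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny)):
        return False
    return True
```

With these rules hosts_access("mysqld", "127.0.0.1") is False, which is the refusal seen as "Lost connection ... reading initial communication packet", while hosts_access("sshd", "192.168.1.1") is True.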

