MySQL Watch Causes host connection errors.

briantroy

Dec 28, 2009, 1:38:09 PM
to Decaf Support
FYI - If you watch MySQL using Decaf you MUST consider the
ramifications of having a bunch of terminated (not completed login)
connections.

MySQL (by default) allows 10 interrupted/failed connection attempts in
a row from a specific host before locking the host out (see:
http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html).

If you turn on Watch for MySQL and do not adjust the
max_connect_errors - and thereby make your host less secure - you will
get locked out on a regular basis. In my case my headend router IP got
locked out every night causing a bunch of reporting failures.

I've turned off MySQL watch in Decaf.

To the Developers - There has to be a better way - opening a
connection on 3306 and terminating if it opens causes too many other
issues. Additionally, I'm not putting my MySQL credentials in Decaf
(too many ways a man in the middle can be used to grab my credentials
and do something nefarious).

Regards,

Brian Roy
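
The lockout described in the post above, as an added example that is not part of the original thread or of Decaf's code: a simplified Python model of the per-host error counter, following the post's description (10 failed attempts in a row, with a successful connection ending the run). The class and function names, the 203.0.113.7 address and the hourly timeline are constructed for illustration, and the exact blocking boundary is an assumption.

```python
from collections import defaultdict

MAX_CONNECT_ERRORS = 10  # MySQL default quoted in the post above


class HostCache:
    """Simplified model (assumption) of MySQL's per-host connect-error counter."""

    def __init__(self, max_connect_errors=MAX_CONNECT_ERRORS):
        self.limit = max_connect_errors
        self.errors = defaultdict(int)
        self.blocked = set()

    def connect(self, host, completes_handshake):
        """Return 'blocked', 'ok' or 'aborted' for one connection attempt."""
        if host in self.blocked:
            return "blocked"
        if completes_handshake:
            self.errors[host] = 0  # a successful connection ends the run
            return "ok"
        self.errors[host] += 1  # port opened, then closed before login
        if self.errors[host] >= self.limit:
            self.blocked.add(host)
        return "aborted"

    def flush_hosts(self):
        """Models FLUSH HOSTS: clears counters and unblocks every host."""
        self.errors.clear()
        self.blocked.clear()


def sample_timeline(host="203.0.113.7", hours=48):
    """Constructed data: hourly port probe, real logins only 08:00-18:00."""
    events = []
    for hour in range(hours):
        events.append((hour, host, False))  # monitor probe, never logs in
        if 8 <= hour % 24 <= 18:
            events.append((hour, host, True))  # application login
    return events


def first_refused_hour(events, max_connect_errors=MAX_CONNECT_ERRORS):
    """Map each host to the hour its first connection was refused."""
    cache, refused = HostCache(max_connect_errors), {}
    for hour, host, completes in events:
        if cache.connect(host, completes) == "blocked":
            refused.setdefault(host, hour)
    return refused


if __name__ == "__main__":
    print(first_refused_hour(sample_timeline()))       # default limit
    print(first_refused_hour(sample_timeline(), 100))  # raised limit
```

During the day the application's own logins keep resetting the counter; overnight only the probes arrive, so the run reaches the limit and the first login of the next morning is refused until the host cache is flushed.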

Jurg van Vliet

Dec 28, 2009, 3:18:02 PM
to decaf-...@googlegroups.com
thanks for reporting this. i do not experience this myself, perhaps because i never use wifi. i will have to look into this in my particular situation.

but you definitely do not want this to occur. and i agree with you, brian, i would also never add my mysql credentials to a decaf.

the solution that comes to my mind is to use snmp. but that requires quite some work on the part of decaf, and we still have a lot of more basic features to add. and it also adds to the complexity of your instances.

another solution we could look at is mysql reporting.

any other ideas?

groet,
jurg.

Jurg van Vliet

Jan 24, 2010, 11:01:20 AM
to decaf-...@googlegroups.com

we could implement one of the better known (not by me) techniques used for port scanning. one of these methods opens a socket on a particular port but tears down that socket after the first ACK with a RST. this way MySQL will never know we pinged it...

after figuring out how to build libraries with the NDK i wanted to start implementing this method, known as TCP SYN (half open) scanning. i found several useful examples (here and here), one of them by the guy that invented this technique (Uriel Maimon).

but there is a catch, you need to be root to build these special TCP packets. this means this form of monitoring will only work for rooted phones. so i am leaving this for now.

if anyone has another idea on how to fix/approach this problem...
