
Squeeze, MySQL and hosts.allow and hosts.deny ignored


Zdenek Herman
Jul 8, 2012, 4:40:02 PM
Hello,
I have a problem with MySQL and access control by TCP wrappers in Debian
Squeeze.
MySQL is correctly compiled with the libwrap library:

ldd /usr/sbin/mysqld | grep libwrap
libwrap.so.0 => /lib/libwrap.so.0 (0x00007f145d28d000)

When I set hosts.deny to ALL: ALL and leave hosts.allow empty,
I can still connect to MySQL from anywhere; the settings in hosts.allow and
hosts.deny are ignored.

Yes, I could solve it with iptables or directly with MySQL grants, but
wrappers have more features (logging of all connects) and quicker configuration.

For example, my sshd works correctly with TCP wrappers.

Where could the problem be?

Thanks

--

Zdenek Herman
zdenek...@ille.cz


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/4FF9ECE3...@ille.cz

Camaleón
Jul 9, 2012, 11:00:04 AM
On Sun, 08 Jul 2012 22:26:11 +0200, Zdenek Herman wrote:

(...)

> When I set hosts.deny to ALL: ALL and leave hosts.allow empty, I can still
> connect to MySQL from anywhere; the settings in hosts.allow and hosts.deny
> are ignored.

(...)

I wonder if you aren't just missing the daemon to filter (mysqld) :-?

cat /etc/hosts.deny

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jter7u$sc9$1...@dough.gmane.org

Camaleón
Jul 10, 2012, 11:40:02 AM
On Mon, 09 Jul 2012 20:11:10 +0200, Zdenek Herman wrote:

(please, reply at the bottom)

> Dne 9.7.2012 16:52, Camaleón napsal(a):
>> On Sun, 08 Jul 2012 22:26:11 +0200, Zdenek Herman wrote:
>>
>> (...)
>>
>>> When I set hosts.deny to ALL: ALL and leave hosts.allow empty, I can still
>>> connect to MySQL from anywhere; the settings in hosts.allow and
>>> hosts.deny are ignored.
>> (...)
>>
>> I wonder if you aren't just missing the daemon to filter (mysqld) :-?
>>
>> cat /etc/hosts.deny

> My hosts.deny

(...)

> ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &

(...)

> My hosts.allow

(...)

> sshd: 192.168.1.1 \
> : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &

And you said this was working for the sshd service, right?

> I tested with mysqld: ALL in hosts.deny too.

Well, that should prevent connections coming from the same host (localhost)
unless you explicitly allow it in hosts.allow, which has preference.

I don't know why it does not work for you. Take a look at this article, which
shows a few samples of using MySQL with TCP wrappers:

http://www.unixmen.com/securing-services-with-tcp-wrappers/

And also read the manual ("man hosts_options"); maybe we are omitting
something obvious...

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jthi02$cnl$6...@dough.gmane.org

Zdenek Herman
Jul 10, 2012, 12:20:02 PM
I found part of the problem. If I use localhost, I can connect; if I use 127.0.0.1,
all is OK.
If I connect from a remote host, the client is first checked against the MySQL
grants and only afterwards by TCP wrappers.
My conclusion is that MySQL doesn't support TCP wrappers correctly
(the check by the wrapper should come first, then authentication by the service).

-----------------------------------------
root@mon:~# mysql -h localhost -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 699
Server version: 5.1.63-0+squeeze1 (Debian)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input
statement.

mysql> quit
Bye
---------------------------------------------------------
root@mon:~# mysql -h 127.0.0.1 -p
Enter password:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0
root@mon:~#
---------------------------------------------

Thanks for help

Zdenek


Archive: http://lists.debian.org/4FFC53C6...@ille.cz

Camaleón
Jul 10, 2012, 12:30:02 PM
On Tue, 10 Jul 2012 18:09:42 +0200, Zdenek Herman wrote:

> On Mon, 09 Jul 2012 20:11:10 +0200, Zdenek Herman wrote: (please, reply
> at the bottom)
>>> Dne 9.7.2012 16:52, Camaleón napsal(a):

(...)

>> I don't know why does not work for you. Take a look into this article
>> that shows a few samples for using mysql with tcp wrappers:
>>
>> http://www.unixmen.com/securing-services-with-tcp-wrappers/
>>
>> And also read the manual ("man hosts_options"), maybe we are omitting
>> something obvious...
>>
>> Greetings,
>>
>>
> I found part of the problem. If I use localhost, I can connect; if I use 127.0.0.1,
> all is OK.
> If I connect from a remote host, the client is first checked against the MySQL
> grants and only afterwards by TCP wrappers.
> My conclusion is that MySQL doesn't support TCP wrappers correctly
> (the check by the wrapper should come first, then authentication by the service).

(...)

> root@mon:~# mysql -h localhost -p

(...)

Ah, how curious... It seems to be documented here:

4.2.2. Connecting to the MySQL Server
http://dev.mysql.com/doc/refman/5.6/en/connecting.html

"(...) On Unix, MySQL programs treat the host name localhost specially,
in a way that is likely different from what you expect compared to other
network-based programs. For connections to localhost, MySQL programs
attempt to connect to the local server by using a Unix socket file. This
occurs even if a --port or -P option is given to specify a port number.
To ensure that the client makes a TCP/IP connection to the local server,
use --host or -h to specify a host name value of 127.0.0.1, or the IP
address or name of the local server. You can also specify the connection
protocol explicitly, even for localhost, by using the --protocol=TCP
option. For example:

shell> mysql --host=127.0.0.1
shell> mysql --protocol=TCP

(...)"

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jthl8c$cnl$9...@dough.gmane.org

Dom
Jul 10, 2012, 1:50:02 PM
Camaleón is correct.

When you are logged into mysql, you can enter the "status" command and
it will show how you are connected.

Connect via "-h localhost":

mysql> status;
--------------
mysql Ver 14.14 Distrib 5.5.24, for debian-linux-gnu (i686) using readline 6.2

...
Connection: Localhost via UNIX socket
...
UNIX socket: /var/run/mysqld/mysqld.sock
...
--------------

Connect via "-h 127.0.0.1":

mysql> status;
--------------
mysql Ver 14.14 Distrib 5.5.24, for debian-linux-gnu (i686) using readline 6.2

...
Connection: 127.0.0.1 via TCP/IP
...
TCP port: 3306
...
--------------

Hope that clears it up a bit.

It might be possible to disable the socket connection in the MySQL
config, but I haven't looked into that.

--
Dom


Archive: http://lists.debian.org/4FFC6945...@rpdom.net
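To make the two points of this exchange concrete, the order in which libwrap consults hosts.allow and hosts.deny (a match in hosts.allow wins, then a match in hosts.deny refuses, otherwise the connection is granted) and the fact that a connection over the Unix socket never reaches libwrap at all, here is a small Python model of the hosts_access(5) decision. It is an added example, not code from this thread, from Debian or from tcp_wrappers itself: the Conn, parse_table, expand_percent and hosts_access names are mine, the two sample tables are constructed after the ones Zdenek posted, and the %-expansion and the shell-metacharacter sanitisation only approximate what libwrap's percent_x.c does. It handles just the pattern subset listed in its docstring.

```python
"""Toy model of libwrap's hosts_access(5) decision, added to illustrate this thread.
Not code from the thread, Debian or tcp_wrappers. Patterns handled: ALL, bare address
or host name, trailing-dot net prefix, leading-dot domain suffix, net/mask, EXCEPT.
Not modelled: LOCAL/KNOWN/UNKNOWN/PARANOID, daemon@host, the allow/deny/twist options."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Conn:
    daemon: str             # basename of the server's argv[0]: "sshd", "mysqld"  (%d)
    client_addr: str        # %a
    client_host: str        # %h / %n; libwrap falls back to the address if reverse DNS fails
    user: str = "unknown"   # %u (ident lookup); "unknown" when not looked up
    via_tcp: bool = True    # False models "mysql -h localhost": Unix socket, never wrapped

def parse_table(text: str) -> List[Tuple[str, str, str]]:
    """hosts.allow/hosts.deny text -> (daemon_list, client_list, options) rules."""
    rules, logical = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):          # backslash-newline continues the rule
            logical += raw.rstrip()[:-1]
            continue
        line, logical = (logical + raw).strip(), ""
        if line and not line.startswith("#"):
            parts = [p.strip() for p in line.split(":", 2)]   # daemon_list : client_list [: options]
            if len(parts) < 2:
                raise ValueError(f"malformed rule: {line!r}")
            rules.append((parts[0], parts[1], parts[2] if len(parts) == 3 else ""))
    return rules

def _match_client(pattern: str, conn: Conn) -> bool:
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                  # domain suffix, e.g. ".ille.cz"
        return conn.client_host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                    # network prefix, e.g. "192.168.1."
        return conn.client_addr.startswith(pattern)
    if "/" in pattern:                           # net/mask, e.g. "192.168.1.0/255.255.255.0"
        return ipaddress.ip_address(conn.client_addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == conn.client_addr or pattern.lower() == conn.client_host.lower()

def _match_list(list_str: str, match_one) -> bool:
    """Comma/space separated list; 'list_1 EXCEPT list_2' matches list_1 but not list_2."""
    if re.search(r"\sEXCEPT\s", list_str):
        left, right = re.split(r"\sEXCEPT\s", list_str, maxsplit=1)
        return _match_list(left, match_one) and not _match_list(right, match_one)
    return any(match_one(p) for p in re.split(r"[\s,]+", list_str.strip()) if p)

# characters libwrap leaves alone inside a %-expansion (approximation of percent_x.c)
_SHELL_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./:-+=_@")

def expand_percent(template: str, conn: Conn) -> str:
    """%% is a literal % (hence the thread's date format '+%%d.%%m.%%y %%T'); %a %d %h %n %u
    expand with shell metacharacters turned into '_'; any other %X expands to nothing, as
    libwrap does after warning. Server-side %A %H %N %p %s are not tracked by this model."""
    fields = {"a": conn.client_addr, "h": conn.client_host, "n": conn.client_host,
              "d": conn.daemon, "u": conn.user}
    def one(m):
        key = m.group(1)
        return "%" if key == "%" else "".join(c if c in _SHELL_SAFE else "_" for c in fields.get(key, ""))
    return re.sub(r"%(.)", one, template)       # left to right, so "%%d" -> "%d", not "%" + "mysqld"

def hosts_access(conn: Conn, allow_text: str, deny_text: str) -> Tuple[str, Optional[str]]:
    """First match in hosts.allow grants; else first match in hosts.deny refuses; else grant."""
    if not conn.via_tcp:
        return "allow", None                     # libwrap only guards the TCP listener
    for decision, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in parse_table(text):
            if (_match_list(daemons, lambda p: p in ("ALL", conn.daemon))
                    and _match_list(clients, lambda p: _match_client(p, conn))):
                spawn = next((o.strip()[5:].strip() for o in options.split(":")
                              if o.strip().startswith("spawn")), None)
                return decision, (expand_percent(spawn, conn) if spawn else None)
    return "allow", None

# Constructed sample tables, modelled on the ones posted in the thread.
HOSTS_ALLOW = r"""
sshd: 192.168.1.1 \
  : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
mysqld: 127.0.0.1, 192.168.1. \
  : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
"""
HOSTS_DENY = r"""
ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
"""

if __name__ == "__main__":
    for c in (Conn("mysqld", "127.0.0.1", "localhost", via_tcp=False),   # mysql -h localhost
              Conn("mysqld", "127.0.0.1", "localhost"),                   # mysql -h 127.0.0.1
              Conn("mysqld", "10.0.0.5", "10.0.0.5")):                    # remote, not in hosts.allow
        decision, cmd = hosts_access(c, HOSTS_ALLOW, HOSTS_DENY)
        print(f"{c.daemon:6} {c.client_addr:13} {'tcp' if c.via_tcp else 'unix':4} -> {decision:5} {cmd or ''}")
```

Running it prints the three cases in the thread side by side: the localhost connection is granted without either table being consulted, the 127.0.0.1 connection matches the mysqld line in hosts.allow and yields a spawn command in which %%d has become a plain %d for date and %d has become mysqld, and the remote client falls through to the ALL: ALL line in hosts.deny. The sanitisation in expand_percent is the reason the spawn command can safely interpolate a client host name that came from reverse DNS.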

Zdenek Herman
Jul 10, 2012, 2:20:03 PM
OK, many thanks guys for the reply.
This explains the first part of the problem; my fault, sorry.
I tried setting this in my hosts.allow:
mysqld: 127.0.0.1 \
: spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
This allows connecting from localhost; that's OK. But why, when I connect from a
remote machine or 127.0.0.1, is there nothing in the log?
With sshd the same command works great.

Thanks Zdenek




Archive: http://lists.debian.org/4FFC71DF...@ille.cz

Camaleón
Jul 11, 2012, 9:40:03 AM
On Tue, 10 Jul 2012 20:18:07 +0200, Zdenek Herman wrote:

> On 10/07/12 17:29, Camaleón wrote:

(...)

>>> Ah, how curious... It seems to be documented here:
>>>
>>> 4.2.2. Connecting to the MySQL Server
>>> http://dev.mysql.com/doc/refman/5.6/en/connecting.html

(...)

>>>
>> Camaleón is correct.
>>
>> When you are logged into mysql, you can enter the "status" command and
>> it will show how you are connected.
>>
>> Connect via "-h localhost":

(...)

>> Connect via "-h 127.0.0.1":

(...)

>> Connection: 127.0.0.1 via TCP/IP ...
>> TCP port: 3306
>> ...
>>
>> Hope that clears it up a bit.
>>
>> It might be possible to disable the socket connection in the MySQL
>> config, but I haven't looked into that.
>>
>>
> OK, many thanks guys for the reply.
> This explains the first part of the problem; my fault, sorry. I tried setting this in my
> hosts.allow:
> mysqld: 127.0.0.1 \
> : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
> This allows connecting from localhost; that's OK. But why, when I connect from a
> remote machine or 127.0.0.1, is there nothing in the log? With sshd the same command works great.

I would rather use the IP of the machine where MySQL runs (192.168.1.1)
instead of the loopback device (127.0.0.1), and not only in hosts.allow/
hosts.deny but also for the running MySQL daemon, if you want it to be
accessible from clients in your local network.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jtjv97$4fh$4...@dough.gmane.org