Comments on: How Securing MySQL with TCP Wrappers Can Cause an Outage https://www.percona.com/blog/how-securing-mysql-with-tcp-wrappers-can-cause-an-outage/ Fri, 10 Jan 2020 10:24:56 +0000

By: Ananias Tsalouchidis https://www.percona.com/blog/how-securing-mysql-with-tcp-wrappers-can-cause-an-outage/#comment-10971668 Fri, 10 Jan 2020 10:24:56 +0000

“from DNS to the MySQL and MySQL to DNS ?”

That was done on the MySQL host to verify if it is receiving connections and if connections are going out.

“But the problem is, very hard to dig it out. Takes a long time! Who knows it is creating problem as people keep using it.”

Problems may be caused by any software, and they are not always easy to diagnose. For example, with iptables or any other firewall you may accidentally block something legitimate. I’m not sure what you are really asking here. Going through the TCP wrappers documentation, you can easily find some notes about issues that can be caused by a DNS server not functioning properly.

“Someone suggest remove tcpwrapper and only use firewall, the iptables, the one IP address allow list in MySQL?”

The purpose of this blog post is not to suggest best practices for securing your installation. The decision is always up to you based on your needs. You have to evaluate what is better.

By: dba100 https://www.percona.com/blog/how-securing-mysql-with-tcp-wrappers-can-cause-an-outage/#comment-10971667 Fri, 10 Jan 2020 10:03:29 +0000

Hi,

“we did a tcpdump as a first step to check connections coming in and going out.”

From DNS to the MySQL and MySQL to DNS?

“You just need to pay attention to specific things, as you should always do with every software that you may be using.”

But the problem is, very hard to dig it out. Takes a long time! Who knows it is creating problem as people keep using it.

“Firewalls based on iptables could be an alternative.”
Someone suggest remove tcpwrapper and only use firewall, the iptables, the one IP address allow list in MySQL?

By: Ananias Tsalouchidis https://www.percona.com/blog/how-securing-mysql-with-tcp-wrappers-can-cause-an-outage/#comment-10971666 Fri, 10 Jan 2020 09:24:55 +0000

Hi.
– For the network packet inspection, we did a tcpdump as a first step to check connections coming in and going out.
– We found that MySQL was accessing these files by using strace and capturing the open and read system calls only. You can use strace in multiple ways, but this is how we reached that conclusion.
– I don’t state that you shouldn’t use TCP wrappers. You just need to pay attention to specific things, as you should always do with every software that you may be using. Firewalls based on iptables could be an alternative. There are plenty. You could also build your architecture accordingly, i.e. closed network, VPCs, etc. You should also limit the MySQL accounts, i.e. not allow %. And of course use a combination of all of these methods 🙂

By: dba100 https://www.percona.com/blog/how-securing-mysql-with-tcp-wrappers-can-cause-an-outage/#comment-10971652 Thu, 09 Jan 2020 09:26:31 +0000

Hi,

“Inspecting network traffic revealed that the host was doing a crazy amount of requests to the DNS server defined into /etc/resolv.conf”

How can you check this out?

By using “tcpdump dst port 3306 or src port 3306”, where dst is the IP address of the destination MySQL, and src is the source host/machine which is connecting to the MySQL in concern?

“we noticed was that mysql was too frequently accessing the /etc/hosts.allow and /etc/hosts.deny files.”

How can you know that MySQL keeps accessing both files? By this command: strace -e open,read -p$(pidof mysqld)?

“With TCP wrappers, each new connection has to be checked against an ACL and based on this ACL a decision will be taken whether the remote host is allowed to connect to a service or not.”

If not using TCP wrappers, what should we use? Why do people keep using it? And what Linux and MySQL security feature can replace it?
