Details
-
Task
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
None
Description
If a connection is aborted prior to authentication, then a warning is only logged if log_warnings=4 is set, and the warning is the same "Aborted connection ... (CLOSE_CONNECTION)" warning as it is for any other connection.
You can reproduce this by setting log_warnings=4:
SET GLOBAL log_warnings=4;
|
And then something like using telnet to connect to the MariaDB port, and then killing the telnet process:
$ telnet 127.0.0.1 3306
|
Trying 127.0.0.1...
|
Connected to 127.0.0.1.
|
Escape character is '^]'.
|
Y
|
5.5.5-10.1.38-MariaDB@TcxOay_?▒MFWbhc931>#4mysql_native_password^CConnection closed by foreign host
|
At that point, the error log will contain a message like this:
2019-04-18 18:12:55 140535201905408 [Warning] Aborted connection 328 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (CLOSE_CONNECTION)
|
I think this message should actually read something like this:
2019-04-18 18:12:55 140535201905408 [Warning] Aborted connection 328 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (Connection closed without authenticating)
|
I also think that this message should be logged when log_warnings=2, instead of log_warnings=4.
I also think that MDEV-19277 should be implemented as part of this.
Attachments
Issue Links
- causes
-
MDEV-21456 TCP health checks to port 3306 quickly exceed max_connect_errors
-
- Closed
-
- relates to
-
-
- Open
-
-
-
- Closed
-
-
-
- Closed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Link |
This issue relates to |
| Link |
This issue relates to |
| Summary | Log more specific warning if connection is aborted prior to authentication | Log more specific warning with log_warnings=2 if connection is aborted prior to authentication |
| Assignee | Oleksandr Byelkin [ sanja ] |
| Status | Open [ 1 ] | In Progress [ 3 ] |
Hi sanja,
I don't think I would consider this feature request a good candidate for DDoS attacks. Failed authentication attempts already write warnings to the error log when log_warnings=2, so this feature request isn't even very novel when compared to the current behavior.
I think this feature request's potential as a DDoS attack is especially limited, since a host would be blocked after its failed connection attempts reached max_connect_errors, which defaults to only 100.
https://mariadb.com/kb/en/library/server-system-variables/#max_connect_errors
And additionally, if someone were really worried about their log size growing enough to cause a denial of service, then they should definitely configure log rotation.
https://mariadb.com/kb/en/library/rotating-logs-on-unix-and-linux/
didn't 'unauthenticated' point that there was no authentication?
If there is concerns that somebody can create such user, I can change it to
@@@@%%%%!!!!§§§§§ununauthenticated§§§§§!!!!!%%%%%@@@@@
|
I think the current "unauthenticated" user name is fine.
I think the priority should be changed to 2, and I think the message in the parenthesis should be changed from CLOSE_CONNECTION to something more descriptive.
what can be more descriptive? the code is like this:
thd->print_aborted_warning(3, sql_errno ? ER_DEFAULT(sql_errno)
|
: "CLOSE_CONNECTION");
|
|
i.e. if there is no error we write "CLOSE_CONNECTION" as an error, probably I can write "CLOSED_BY_USER_CONNECTION", but it would not be true, we just do not know why connection is closed, so I am open for suggestion about what to write if the connection closed with no error.
NORMALLY_CLOSED_CONNECTION ?
NO_ERROR_CLOSED_CONNECTION ?
This connection closed without an error ?
| Status | In Progress [ 3 ] | Stalled [ 10000 ] |
My suggestion in the issue description was "Connection closed without authenticating". This is way more descriptive because it makes it extremely clear that the connection had not performed authentication before it was closed.
I can not write this if it was authenticated, I can make 2 cases for closing without an error:
1) connection closed normally
2) connection closed normally without authentication
| Assignee | Oleksandr Byelkin [ sanja ] | Sergei Golubchik [ serg ] |
| Status | Stalled [ 10000 ] | In Review [ 10002 ] |
| Assignee | Sergei Golubchik [ serg ] | Vladislav Vaintroub [ wlad ] |
Hi sanja. The patch is fine, but I'd like have a test case for connect timeout (connect with socket on the port, and do nothing for a while), if possible.
A more specific error message in case of connect timeout would be helpful (this can be made another MDEV, if you wish)
| Status | In Review [ 10002 ] | Stalled [ 10000 ] |
| Assignee | Vladislav Vaintroub [ wlad ] | Oleksandr Byelkin [ sanja ] |
| Link | This issue relates to MDEV-19469 [ MDEV-19469 ] |
| Fix Version/s | 10.4.5 [ 23311 ] | |
| Fix Version/s | 10.4 [ 22408 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Stalled [ 10000 ] | Closed [ 6 ] |
| Link |
This issue causes |
| Workflow | MariaDB v3 [ 96207 ] | MariaDB v4 [ 133933 ] |
| Zendesk Related Tickets | 103711 |
Isn't this way lead to DDoS attack via log overflow?