[MDEV-19282] Log more specific warning with log_warnings=2 if connection is aborted prior to authentication Created: 2019-04-18 Updated: 2023-02-06 Resolved: 2019-05-14 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Authentication and Privilege System |
| Fix Version/s: | 10.4.5 |
| Type: | Task | Priority: | Major |
| Reporter: | Geoff Montee (Inactive) | Assignee: | Oleksandr Byelkin |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Issue Links: |
|
||||||||||||||||||||||||
| Description |
|
If a connection is aborted prior to authentication, then a warning is only logged if log_warnings=4 is set, and the warning is the same "Aborted connection ... (CLOSE_CONNECTION)" warning as it is for any other connection. You can reproduce this by setting log_warnings=4:
And then something like using telnet to connect to the MariaDB port, and then killing the telnet process:
At that point, the error log will contain a message like this:
I think this message should actually read something like this:
I also think that this message should be logged when log_warnings=2, instead of log_warnings=4. I also think that |
| Comments |
| Comment by Oleksandr Byelkin [ 2019-05-09 ] | |||
|
Isn't this way lead to DDoS attack via log overflow? | |||
| Comment by Geoff Montee (Inactive) [ 2019-05-09 ] | |||
|
Hi sanja, I don't think I would consider this feature request a good candidate for DDoS attacks. Failed authentication attempts already write warnings to the error log when log_warnings=2, so this feature request isn't even very novel when compared to the current behavior. I think this feature request's potential as a DDoS attack is especially limited, since a host would be blocked after its failed connection attempts reached max_connect_errors, which defaults to only 100. https://mariadb.com/kb/en/library/server-system-variables/#max_connect_errors And additionally, if someone were really worried about their log size growing enough to cause a denial of service, then they should definitely configure log rotation. https://mariadb.com/kb/en/library/rotating-logs-on-unix-and-linux/ | |||
| Comment by Oleksandr Byelkin [ 2019-05-09 ] | |||
|
didn't 'unauthenticated' point that there was no authentication? | |||
| Comment by Oleksandr Byelkin [ 2019-05-09 ] | |||
|
If there is concerns that somebody can create such user, I can change it to
| |||
| Comment by Oleksandr Byelkin [ 2019-05-09 ] | |||
|
and change the priority of the warning | |||
| Comment by Geoff Montee (Inactive) [ 2019-05-09 ] | |||
|
I think the current "unauthenticated" user name is fine. I think the priority should be changed to 2, and I think the message in the parenthesis should be changed from CLOSE_CONNECTION to something more descriptive. | |||
| Comment by Oleksandr Byelkin [ 2019-05-09 ] | |||
|
what can be more descriptive? the code is like this:
i.e. if there is no error we write "CLOSE_CONNECTION" as an error, probably I can write "CLOSED_BY_USER_CONNECTION", but it would not be true, we just do not know why connection is closed, so I am open for suggestion about what to write if the connection closed with no error. NORMALLY_CLOSED_CONNECTION ? | |||
| Comment by Geoff Montee (Inactive) [ 2019-05-10 ] | |||
|
My suggestion in the issue description was "Connection closed without authenticating". This is way more descriptive because it makes it extremely clear that the connection had not performed authentication before it was closed. | |||
| Comment by Oleksandr Byelkin [ 2019-05-11 ] | |||
|
I can not write this if it was authenticated, I can make 2 cases for closing without an error: | |||
| Comment by Geoff Montee (Inactive) [ 2019-05-11 ] | |||
|
That sounds good to me. | |||
| Comment by Vladislav Vaintroub [ 2019-05-14 ] | |||
|
Hi sanja. The patch is fine, but I'd like have a test case for connect timeout (connect with socket on the port, and do nothing for a while), if possible. |