[Maria-developers] Allow to turn off max_connect_errors
Hi guys,

there are apparently some tools out there [1], that check if the server is up quite often, while not closing the connection properly. It eventually ends in 'many connection errors', because max_connect_errors is always limited now.

I understand that this way of checking may be wrong, but there may be scenarios where we do not want to check for `max_connect_errors` at all.

So, would it be acceptable for mariadb to change behaviour of max_connect_errors option, so that it accepts also 0 as a possible value, which would mean 'do not check connect errors at all'?

I'm bringing the idea here first, but will submit a report and possibly patch if it does not seem to be undesired behaviour.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1104957

TIA and regards, Honza
maybe a null value?

2014-06-09 12:14 GMT-03:00 Honza Horak <hhorak@redhat.com>:

> Hi guys,
>
> there are apparently some tools out there [1], that check if the server is up quite often, while not closing the connection properly. It eventually ends in 'many connection errors', because max_connect_errors is always limited now.
>
> I understand that this way of checking may be wrong, but there may be scenarios where we do not want to check for `max_connect_errors` at all.
>
> So, would it be acceptable for mariadb to change behaviour of max_connect_errors option, so that it accepts also 0 as a possible value, which would mean 'do not check connect errors at all'?
>
> I'm bringing the idea here first, but will submit a report and possibly patch if it does not seem to be undesired behaviour.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1104957
>
> TIA and regards, Honza
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-developers
> Post to     : maria-developers@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~maria-developers
> More help   : https://help.launchpad.net/ListHelp
-- Roberto Spadim SPAEmpresarial Eng. Automação e Controle
max_connect_errors provides a mechanism for protecting against some kinds of SYN flood attacks (http://mysqlblog.fivefarmers.com/2013/08/08/understanding-max_connect_errors...). Disabling it altogether would seem to make MariaDB less secure.

Better is to provide a mechanism to whitelist hosts such as your LBs. For example a new option, max_connect_error_whitelist=<list of ips> might be the better approach.

Also note, using --skip-name-resolve should bypass the max_connect_errors mechanism altogether.

Thanks,
Adam Scott

On Mon, Jun 9, 2014 at 9:14 AM, Honza Horak <hhorak@redhat.com> wrote:
> Hi guys,
>
> there are apparently some tools out there [1], that check if the server is up quite often, while not closing the connection properly. It eventually ends in 'many connection errors', because max_connect_errors is always limited now.
>
> I understand that this way of checking may be wrong, but there may be scenarios where we do not want to check for `max_connect_errors` at all.
>
> So, would it be acceptable for mariadb to change behaviour of max_connect_errors option, so that it accepts also 0 as a possible value, which would mean 'do not check connect errors at all'?
>
> I'm bringing the idea here first, but will submit a report and possibly patch if it does not seem to be undesired behaviour.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1104957
>
> TIA and regards, Honza
Hi, Honza!

> there are apparently some tools out there [1], that check if the server is up quite often, while not closing the connection properly. It eventually ends in 'many connection errors', because max_connect_errors is always limited now.

What's the status of that?

Was any workaround (skip-name-resolve, max_connect_errors=4294967295 or FLUSH HOSTS, which can be run periodically with CREATE EVENT) considered good enough? I see that the bug is closed as NOTABUG.

Regards,
Sergei
On 06/12/2014 05:08 PM, Sergei Golubchik wrote:

> Hi, Honza!
>
> > there are apparently some tools out there [1], that check if the server is up quite often, while not closing the connection properly. It eventually ends in 'many connection errors', because max_connect_errors is always limited now.
>
> What's the status of that?
>
> Was any workaround (skip-name-resolve, max_connect_errors=4294967295 or FLUSH HOSTS, which can be run periodically with CREATE EVENT) considered good enough? I see that the bug is closed as NOTABUG.

Guys who reported this started using skip-name-resolve=1, but it does more than necessary, so it is still considered a work-around and it still seems to be a good idea to add some feature that would disable only max_connect_errors.

Honza
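
The workarounds named in the thread, written out as an added example (not code from any participant or from MariaDB). The schema name `ops`, the event name and the 10-minute interval are assumptions, and the `host_cache` query assumes a server version that ships `performance_schema.host_cache` with the performance schema enabled.

```sql
-- Added example; `ops`, the event name and the interval are hypothetical.

-- Inspect first: which client hosts are accumulating connect errors,
-- and how often a blocked host has been refused.
SELECT IP, HOST, SUM_CONNECT_ERRORS, COUNT_HOST_BLOCKED_ERRORS,
       COUNT_HANDSHAKE_ERRORS, LAST_ERROR_SEEN
FROM performance_schema.host_cache
WHERE SUM_CONNECT_ERRORS > 0
ORDER BY SUM_CONNECT_ERRORS DESC;

-- Server-wide count of connection attempts that failed.
SHOW GLOBAL STATUS LIKE 'Aborted_connects';

-- Workaround A: raise the threshold to the value quoted in the thread.
-- This applies to every client host, not only the health checker, so the
-- per-host blocking is in practice never triggered for anyone.
SET GLOBAL max_connect_errors = 4294967295;

-- Workaround B: keep a finite threshold and clear the host cache on a
-- schedule. A blocked host is unblocked at the next run, so the interval
-- bounds how long a misbehaving checker (or any other host) stays blocked.
SET GLOBAL event_scheduler = ON;

CREATE DATABASE IF NOT EXISTS ops;

CREATE EVENT IF NOT EXISTS ops.flush_blocked_hosts
  ON SCHEDULE EVERY 10 MINUTE
  COMMENT 'Periodic FLUSH HOSTS to reset per-host connect error counters'
  DO FLUSH HOSTS;

-- Confirm the event is registered and enabled.
SELECT EVENT_SCHEMA, EVENT_NAME, INTERVAL_VALUE, INTERVAL_FIELD, STATUS
FROM information_schema.EVENTS
WHERE EVENT_NAME = 'flush_blocked_hosts';

-- Workaround C (the one the reporters adopted) is a server option rather
-- than SQL: skip-name-resolve in the [mysqld] section of the config file.
-- It also disables hostname-based account matching, which is the
-- "does more than necessary" point made in the last message.
```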
participants (4)
- Adam Scott
- Honza Horak
- Roberto Spadim
- Sergei Golubchik