Benjamin Pflugmann wrote:
> On Sat 2002-08-24 at 19:21:56 -0400, [EMAIL PROTECTED] wrote:
> > On Sat, 2002-08-24 at 18:38, Van wrote:
> > >
> > > Just thought I'd pass it along, since I haven't seen Monty and
> > > crew address it.
>
> I think that it is a non-issue and that this already has been covered
> in the BugTraq thread.
>
But, not covered in a post from a MySQL AB representative. The BugTraq
thread usually doesn't end unless / until such an event occurs...

> > > Since I'm not familiar with the error-handling code that deals
> > > with this, I'd offer a suggestion that rather than just ignoring
> > > excessive bad connections from localhost an admin notification
> > > (via e-mail or console message, perhaps) be sent when localhost is
> > > exhibiting this behavior so someone can intervene before it
> > > becomes a problem and "DoS-es" itself.
>
> This is the task of a monitoring system, not of MySQL. It is standard
> procedure to have a monitoring system on a production system (at
> least, if outages cause some form of damages). I have "mon" running
> and should an important IP get blocked (for whatever reason), I will
> get a mail two minutes later.
>
> The advantage of this method is that you get notified for any reason
> the access does not work, not only blocked IPs. Additionally, a
> monitoring system is flexible in when, how often, how and whom to
> notify. You do not want to build all this into MySQL, do you? (And
> without, the feature could trigger thousands of mails in a DDoS
> attack). As I said, this is the task of a monitoring system.
>

Perhaps in your world monitoring systems lie in constant function all over
the place, and I assure you they do in my own without the nuisance of
thousands of e-mails in my inbox (ever), but the vast majority of other
people's systems lie exposed on the Internet at large, absolutely
unsupervised. My clients' systems, and probably your clients' systems, have
no entries in wtmp except your own. And, since MySQL is a viable deployment
solution on Windows, my guess is you don't even have those entries in their
systems' logging facilities since Windoze logging is not a priority in the
OS's design.
I don't use TCP/IP for connections in most of my MySQL-based applications and
never from localhost to localhost, but I've been doing this stuff for quite a
few years. Not everyone has the luxury of experience (the real kind; not XP),
and best I can judge not many people actually do stuff in *n*x either, even at
this point in time, nor on this list. So, what that gives you is many
non-*n*x users using non-*n*x machines to connect to their MySQL servers to do
stuff (sometimes ODBC stuff), and those servers mostly run some kind of *n*x
(pro'ly Linux). This all falls into the realm of people running complex
queries over TCP/IP. This is the kind of thing where you'd probably encounter
tons of "bad connection" type stuff if there were connectivity issues, like
those you'd find on a DSL connection behind a Linux firewall running NAT, or
masquerading, which is something most (if not all) newbie Linuxers do...

If your queries run on localhost via the local web-server and you've educated
your users to run queries using UNIX sockets, the likelihood you'll ever get a
bad connection from localhost to your server is about zero (0). If I get such
an error, I'd want my inbox to fill up and I'll definitely notice. If someone
who doesn't know the first thing about the "bad connection" problem starts
getting messages about them, perhaps an education will commence. No one uses
a "monitoring system" out there, except for you apparently, and thanks for
doing it; and, clearly myself as I've admitted to it. Some people out there
(and, they probably have good reasons for it) isolate their web machines from
their MySQL machines, and this would mandate a TCP/IP connection, which is
fine, but I'm sure that's a more rare configuration than most people are
deploying.

> > If you can code something like this (that can be turned off by default
> > or by config, because I _want_ the behavior you want to remove) that is
> > portable (i.e. works on Windows), then feel free.
>
> As should be clear from above, I am rather against it, even if it
> could be done easily.
>
> If at all, I would suggest to implement a trigger system, into which
> some other program can hook in, if it wants to know about special
> events. But then, the problem can be handled by existing means, so why
> bother?

Windoze can have services disabled by default, but many times we encounter
problems due to people running them without their knowledge or need. People
have to take responsibility for their systems, even if it means a couple of
inconvenient e-mails. Otherwise, the Gov't will take over what is currently
our responsibility. I'm certain I'd be against that.

> Regards,
>
> Benjamin.

I'm glad you monitor your systems and apparently take pride in those
responsibilities. Please allow for the possibility that you are the exception
rather than the rule and that is why network and application security has
rendered our industry so useless; because there is none.

Regards,
Van
--
=================================================================
Linux rocks!!! http://www.dedserius.com/
=================================================================
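The blocked-host check the two of them are arguing about, written as an added monitoring probe that is not code from the thread, from MySQL AB or from "mon": it assumes the MySQL wire protocol's 3-byte-length packet framing and the ER_HOST_IS_BLOCKED error number 1129, and reports whether the first packet the server sends is a normal greeting, a host-blocked error, some other error, or nothing at all (unreachable).

```python
import socket
import struct

# MySQL error number for "Host '...' is blocked because of many connection
# errors" (ER_HOST_IS_BLOCKED); from the MySQL error list, not from the thread.
ER_HOST_IS_BLOCKED = 1129


def classify_server_packet(packet):
    """Classify the first packet a MySQL server sends after a TCP connect:
    a protocol-10 handshake greeting, or an error packet sent in its place."""
    if len(packet) < 5:
        raise ValueError("packet too short")
    length = int.from_bytes(packet[:3], "little")   # 3-byte payload length
    payload = packet[4:4 + length]                  # byte 3 is the sequence id
    if len(payload) != length:
        raise ValueError("truncated payload")
    if payload[0] == 0x0A:  # protocol version 10: a normal greeting
        version = payload[1:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return {"state": "greeting", "server_version": version}
    if payload[0] == 0xFF:  # error packet: 2-byte little-endian code + message
        code = struct.unpack_from("<H", payload, 1)[0]
        msg = payload[3:]
        if msg[:1] == b"#":  # 4.1+ servers may prefix '#' and a 5-char SQLSTATE
            msg = msg[6:]
        state = "blocked" if code == ER_HOST_IS_BLOCKED else "error"
        return {"state": state, "code": code,
                "message": msg.decode("utf-8", "replace")}
    raise ValueError("unrecognised first byte 0x%02x" % payload[0])


def probe(host="127.0.0.1", port=3306, timeout=5.0):
    """Connect, read the server's first packet and classify it. A failed
    connect is reported as 'unreachable', so the check also covers the
    "any reason the access does not work" case made in the thread."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            while len(data) < 4 or len(data) < 4 + int.from_bytes(data[:3], "little"):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
            return classify_server_packet(data)
    except (OSError, ValueError) as exc:
        return {"state": "unreachable", "message": str(exc)}
```

Run `probe()` from the monitor and alert on any state other than "greeting". Note that disconnecting after the greeting without logging in is itself counted against the server's max_connect_errors, so a check that runs every few minutes should be followed by a real authenticated login or run from a host whose blocking you are prepared to notice.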