"Aborted_connects" Increasing Mysteriously

Hi everyone

I'm using the "MySQL Administrator" program to keep tabs on the health of a
web system i am developing. I think it's nice to have quick (gui) feedback
on the query cache, memory variables, and other status variables.

I've noticed that one of the status variables, "Aborted_connects" has been
increasing steadily. This is defined by MySQL as "Number of tries to
connect to the MySQL server that failed". I googled around a bit, and the
only reference I found was a suggestion to double-check php code. So, I
double-checked my php code but everything closes the mysql connection
properly.

Since the system is in development, and I am the only person who knows the
IP of where to log in and test it, I decided to restart the MySQL server,
not visit the website at all, and use MySQL Administrator to monitor
whether or not any status variables changed. Sure enough,
"Aborted_connects" is increasing by one every ten minutes or so despite no
activity on the website (it's been 30 minutes and I have three aborted
connects). To double-check that the website hasn't been used, I can see
under Performance that no "SELECTS" have been made since restarting the
server.

What could be causing this? Is someone *really* trying to hack into my
MySQL server (once every ten minutes?!)? Is it something in the MySQL
Administrator program itself that is causing the aborted connects? Is it
something to be concerned about? "Connections" (number of connection
attempts) has also been increasing...

I should mention that port 3306 is open, it's running Red Hat Linux, and
it's MySQL 4.1.x (Can't remember)

Any ideas appreciated!
Jul 23 '05 #1
Among the wreckage we found a fragment on which Good Man had scratched:
> What could be causing this? Is someone *really* trying to hack into my
> MySQL server (once every ten minutes?!)? Is it something in the MySQL

Why not run ethereal and see for yourself?
Jul 23 '05 #2
"Good Man" <he***@letsgo.com> wrote in message
news:Xn***********************@216.196.97.131...
<snip>
> Since the system is in development, and I am the only person who knows the
> IP of where to log in and test it,

Tis a fact of modern life that there are scads of computers out there
dedicated to the discovery of live IP addresses and when found, to bang away
with usr/pwd combinations. The human scoundrels behind this activity are
only awakened when the automation discovers an IP/usr/pwd combo that scores
a hit.

If you have an IP address that sends/receives packets over the Internet,
then you are most certainly not "the only person who knows the IP..".

> I decided to restart the MySQL server,
> not visit the website at all, and use MySQL Administrator to monitor
> whether or not any status variables changed. Sure enough,
> "Aborted_connects" is increasing by one every ten minutes or so despite no
> activity on the website (it's been 30 minutes and I have three aborted
> connects). To double-check that the website hasn't been used, I can see
> under Performance that no "SELECTS" have been made since restarting the
> server.

The unauthorized entry attempts are a given. And it will take some
vigilance on your part to verify that these are not successful.

> What could be causing this? Is someone *really* trying to hack into my
> MySQL server (once every ten minutes?!)?

Not a "someone". It's a computer program run by an unscrupulous "someone"
and the answer is yes. It's probably nothing personal. As I said, any and
every IP address that both sends/receives is a target.

> Is it something in the MySQL
> Administrator program itself that is causing the aborted connects?

No!

> Is it something to be concerned about?

Yes!
You need to get over the fact that the attempts are being made but you do
need to put mechanisms in place to see that they are not successful. And you
*especially* need to know when someone is successful in gaining unauthorized
entry.

> "Connections" (number of connection attempts) has also been increasing...

The longer your IP is up, the more it becomes known as a "live" IP and the
more unauthorized entry attempts it will attract.

It is becoming increasingly popular to dedicate entire computers to serve as
a firewall. These spend all their cpu horsepower on rejecting unauthorized
entry attempts and passing along the few legitimate ones to the server.

> I should mention that port 3306 is open, it's running Red Hat Linux, and
> it's MySQL 4.1.x (Can't remember)
> Any ideas appreciated!


Difficult and non-obvious user names and passwords.
Eternal vigilance.
Rapid discovery of unauthorized access followed immediately by new user
names and passwords.
Encryption.

Thomas Bartkus

Jul 23 '05 #3
"Thomas Bartkus" <to*@dtsam.com> wrote in
news:d9********************@telcove.net:

>> What could be causing this? Is someone *really* trying to hack into
>> my MySQL server (once every ten minutes?!)?
> Not a "someone". It's a computer program run by an unscrupulous
> "someone" and the answer is yes. It's probably nothing personal. As
> I said, any and every IP address that both sends/receives is a target.

it just seems like a weird way to hack into a database. when i look at my
apache server attacks, they last for about an hour with 5-10 login attempts
each minute. now that's an attack! that's the way *i* would try to break
in - not by trying a mysql database with one password and moving on. so
it seems like a weird way of trying to break into the server, and i'm still
not convinced it's an automaton/person with nefarious desires.

> It is becoming increasingly popular to dedicate entire computers to
> serve as a firewall. These spend all their cpu horsepower on
> rejecting unauthorized entry attempts and passing along the few
> legitimate ones to the server.


you know, the site is being hosted (managed hosting) by Rackspace, and
they're offering a hardware firewall for $200/month. That seems like a
totally outrageous price - i'd rather ship them a crappy pc from my house
and have them set up a firewall with that. do you really think a firewall
is needed? how would it know what an unauthorized attempt is? surely it
will need to be open to the MySQL & Apache servers anyways?

Thanks!
Jul 23 '05 #4

"Good Man" <he***@letsgo.com> wrote in message
news:Xn************************@216.196.97.131...
"Thomas Bartkus" <to*@dtsam.com> wrote in
news:d9********************@telcove.net:

>>> What could be causing this? Is someone *really* trying to hack into
>>> my MySQL server (once every ten minutes?!)?
>> Not a "someone". It's a computer program run by an unscrupulous
>> "someone" and the answer is yes. It's probably nothing personal. As
>> I said, any and every IP address that both sends/receives is a target.
>
> it just seems like a weird way to hack into a database. when i look at my
> apache server attacks, they last for about an hour with 5-10 login
> attempts each minute. now that's an attack! that's the way *i* would try to break
> in - not by trying a mysql database with one password and moving on. so
> it seems like a weird way of trying to break into the server, and i'm still
> not convinced it's an automaton/person with nefarious desires.

Well, I would agree.
All you can say is that at such and such a time, someone tried to log on
with an invalid usr/pwd. How often do I miskey my own password? - very
often.

Still - I think you see that your IP address is never a secret and that
there will be many knocks on the door by people simply looking for a
(any) door that will open for them.

>> It is becoming increasingly popular to dedicate entire computers to
>> serve as a firewall. These spend all their cpu horsepower on
>> rejecting unauthorized entry attempts and passing along the few
>> legitimate ones to the server.
> you know, the site is being hosted (managed hosting) by Rackspace, and
> they're offering a hardware firewall for $200/month. That seems like a
> totally outrageous price - i'd rather ship them a crappy pc from my house
> and have them set up a firewall with that.

I agree.

> do you really think a firewall is needed?

It depends. How much cpu does your server/software firewall spend fending
off unauthorized entry?
The only thing I really *know* is that this sort of thing tends to increase
over time. The longer your IP is out there, the more it becomes known as a
hack target. Will it level off eventually? Is it degrading performance
unacceptably?
I wish I could give you answers but we are struggling with this issue
ourselves.

> how would it know what an unauthorized attempt is?

I don't have the answer for MySQL. I wish someone else would jump in here
because I would like to look at a log myself that shows me "who" was trying
and failing. I don't know where to find that kind of record for MySQL like
I can for the apache server.

I am scrupulously looking over the logs at the successful log ons and trying
to verify them. Kind of like the way your credit card company will
(hopefully!) detect suspicious charge activity and give you a call when they
record a charge in Las Vegas after you just charged a tank of gas in NJ five
minutes ago.

I'm looking for software myself!
Thomas Bartkus

> surely it
> will need to be open to the MySQL & Apache servers anyways?


Jul 23 '05 #5
>I'm using the "MySQL Administrator" program to keep tabs on the health of a
> web system i am developing. I think it's nice to have quick (gui) feedback
> on the query cache, memory variables, and other status variables.
>
> I've noticed that one of the status variables, "Aborted_connects" has been
> increasing steadily. This is defined by MySQL as "Number of tries to
> connect to the MySQL server that failed". I googled around a bit, and the
> only reference I found was a suggestion to double-check php code. So, I
> double-checked my php code but everything closes the mysql connection
> properly.

This description of the "Aborted_connects" status variable is misleading.
I get log messages in hostname.err often:

Date time [Warning] Aborted connection NNNN to db: database, user:
username host: host.do.main (Got an error reading communication packets).

and at the same time, Aborted_connects gets incremented.

This does not mean that someone is trying to hack into your database.
(nor does it mean that they aren't, but this message is not a sign
of it). The given database,username,host.do.main logged in
SUCCESSFULLY, then killed the connection. And it is one of the
logins I created.

I'm running MySQL 5.0.6, but this particular issue has been going
on since the early 3.23.* versions.

At first the real meaning of this appeared to be: ONE OF YOUR PHP
PAGES FORGOT TO CALL mysql_close(), DUMMY! After I fixed that on
several pages, it turns out that the remaining offenders are mail
transport programs using the database for spam filtering, which
open up a connection, make some queries, and just abruptly die
rather than closing (mysql_close()) the connection cleanly. I
haven't been able to find a hook to make them close the connection
cleanly, so for error messages mentioning the logins used for that
purpose, I ignore them.

> Since the system is in development, and I am the only person who knows the
> IP of where to log in and test it, I decided to restart the MySQL server,

If you think about it a little, everyone with even a small amount
of knowledge about the Internet knows a complete list of *ALL* IP
addresses, even if they don't bother writing out each individual
one. There aren't any secret ones, like the alleged phone numbers
with * and # in the area code used by the government for tin foil
hat distribution. There's plenty of scanning going on for MySQL
servers; my firewall blocks a lot of them (typically a couple an
hour, 24x7). If you avoid giving out any MySQL user logins valid
from ANY host, you may not really need a firewall; absent major
security holes, MySQL can protect itself, and dictionary attacks
don't work from hosts not allowed to log in at all.

Gordon L. Burditt
Jul 23 '05 #6
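
Added example (not part of any post in this thread): one way to get the "who was trying and failing" view asked for above, by tallying failed logins per source host separately from sessions that logged in and then dropped, as in the warning quoted in the last reply. The sample lines, their exact format, and the names `summarize` and `known_hosts` are assumptions, and it presumes the server is configured to write these warnings to its error log.

```python
import re
from collections import Counter

# Constructed sample lines, not taken from the thread. The formats are an
# assumption modelled on the warning quoted above; they vary by MySQL version.
SAMPLE_LOG = """\
050723 14:02:11 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
050723 14:05:40 [Warning] Aborted connection 41 to db: 'spamdb' user: 'mailfilter' host: 'mail.example.com' (Got an error reading communication packets)
050723 14:12:19 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
050723 14:22:03 [Warning] Access denied for user 'root'@'198.51.100.23' (using password: NO)
050723 14:25:57 [Warning] Aborted connection 44 to db: 'spamdb' user: 'mailfilter' host: 'mail.example.com' (Got an error reading communication packets)
050723 14:31:00 [Note] /usr/sbin/mysqld: ready for connections.
"""

# Failed authentication: the attempt never became a session.
DENIED = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")
# Established session that ended without a clean close.
ABORTED = re.compile(
    r"Aborted connection \d+ to db: '?([^' ]*)'? +user: '?([^' ]*)'? +"
    r"host: [`']?([^' ]*)'?"
)


def summarize(log_text, known_hosts=()):
    """Return (failed logins per host, dropped sessions per (user, host),
    failed logins from hosts not listed in known_hosts)."""
    known = set(known_hosts)
    failed, dropped = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ABORTED.search(line)
        if m:
            dropped[(m.group(2), m.group(3))] += 1
    unknown = {host: n for host, n in failed.items() if host not in known}
    return failed, dropped, unknown


if __name__ == "__main__":
    failed, dropped, unknown = summarize(SAMPLE_LOG, known_hosts=["198.51.100.23"])
    print("failed logins by host:", dict(failed))
    print("dropped sessions:", dict(dropped))
    print("failed logins from unrecognised hosts:", unknown)
```

Dropped sessions that all belong to one of your own logins point at a client that exits without closing; failed logins from hosts you do not recognise are the ones to review.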
