maria-developers team mailing list archive

Re: Allow to turn off max_connect_errors

 

max_connect_errors provides a mechanism for protecting against some kinds
of SYN flood attacks (
http://mysqlblog.fivefarmers.com/2013/08/08/understanding-max_connect_errors/).
Disabling it altogether would seem to make MariaDB less secure.

Better is to provide a mechanism to whitelist hosts such as your LBs.  For
example a new option, max_connect_error_whitelist=<list of ips> might be
the better approach.

Also note, using --skip-name-resolve should bypass the max_connect_errors
mechanism altogether.

Thanks,
Adam Scott





On Mon, Jun 9, 2014 at 9:14 AM, Honza Horak <hhorak@xxxxxxxxxx> wrote:

> Hi guys,
>
> there are apparently some tools out there [1], that check if the server is
> up quite often, while not closing the connection properly. It eventually
> ends in 'many connection errors', because max_connect_errors is always
> limited now.
>
> I understand that this way of checking may be wrong, but there may be
> scenarios where we do not want to check for `max_connect_errors` at all.
>
> So, would it be acceptable for MariaDB to change the behaviour of the
> max_connect_errors option, so that it also accepts 0 as a possible value,
> which would mean 'do not check connect errors at all'?
>
> I'm bringing the idea here first, but will submit a report and possibly
> patch if it does not seem to be undesired behaviour.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1104957
>
> TIA and regards,
> Honza
>
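
An added example, not part of the thread and not MariaDB code: a simplified Python model of per-host connect-error counting that compares the current behaviour with the two proposals discussed above. The names `allow_zero_disables` and `whitelist`, the IP addresses, and the exact blocking threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, field

LB = "192.0.2.10"        # constructed: load balancer running health checks
OTHER = "198.51.100.7"   # constructed: unrelated host with failing handshakes


@dataclass
class HostGate:
    """Simplified model of per-host connect-error blocking (not MariaDB source)."""
    max_connect_errors: int
    allow_zero_disables: bool = False    # hypothetical: 0 means "never check"
    whitelist: frozenset = frozenset()   # hypothetical: exempt IPs
    errors: dict = field(default_factory=dict)

    def exempt(self, ip):
        if self.allow_zero_disables and self.max_connect_errors == 0:
            return True                  # exempts every host
        return ip in self.whitelist      # exempts listed hosts only

    def connect(self, ip, handshake_ok):
        """Return 'blocked', 'ok' or 'error' for one connection attempt."""
        # Assumption: a host is blocked once its count reaches the limit.
        if not self.exempt(ip) and self.errors.get(ip, 0) >= self.max_connect_errors:
            return "blocked"
        if handshake_ok:
            self.errors[ip] = 0          # a successful connection resets the count
            return "ok"
        self.errors[ip] = self.errors.get(ip, 0) + 1
        return "error"


def outcomes(gate, rounds=5):
    """Each round: one dropped LB probe, then one failed handshake from OTHER."""
    seen = {LB: [], OTHER: []}
    for _ in range(rounds):
        for ip in (LB, OTHER):
            seen[ip].append(gate.connect(ip, handshake_ok=False))
    return seen


if __name__ == "__main__":
    policies = {
        "current, limit 3": HostGate(3),
        "limit 0 disables": HostGate(0, allow_zero_disables=True),
        "whitelist the LB": HostGate(3, whitelist=frozenset({LB})),
    }
    for name, gate in policies.items():
        print(name, outcomes(gate))
```

In this model only the whitelist policy keeps the health checker connected while the other host is still blocked after repeated errors.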
