← Back to team overview

maria-developers team mailing list archive

Re: Allow to turn off max_connect_errors


max_connect_errors provides a mechanism for protecting against some kinds
of SYN flood attacks (
Disabling it altogether would seem to make MariaDB less secure.

Better is to provide a mechanism to whitelist hosts such as your LBs.  For
example a new option, max_connect_error_whitelist=<list of ips> might be
the better approach.

Also note, using --skip-name-resolve should bypass the max_connect_errors
mechanism altogether.

Adam Scott

On Mon, Jun 9, 2014 at 9:14 AM, Honza Horak <hhorak@xxxxxxxxxx> wrote:

> Hi guys,
> there are apparently some tools out there [1], that check if the server is
> up quite often, while not closing the connection properly. It eventually
> ends in 'many connection errors', because max_connect_errors is always
> limited now.
> I understand that this way of checking may be wrong, but there may be
> scenarios where we do not want to check for `max_connect_errors` at all.
> So, would it be acceptable for mariadb to change behaviour of
> max_connect_errors option, so that it accepts also 0 as a possible value,
> which would mean 'do not check connect errors at all'?
> I'm bringing the idea here first, but will submit a report and possibly
> patch if it does not seem to be undesired behaviour.
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1104957
> TIA and regards,
> Honza
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-developers
> Post to     : maria-developers@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-developers
> More help   : https://help.launchpad.net/ListHelp