I've got a MySQL Master/Slave setup and I've noticed the following warnings in the mysql log files on both servers:
[Warning] IP address 'xxx.xxx.xxx.xxx' could not be resolved: Name or service not known
I've checked, and the DNS lookups work fine; most of these IPs are from China.
I'm planning to limit access on port 3306 on the firewall, however could you please help me understand what they are trying to do? Are they just trying to connect to the MySQL server? Where can I look for some more details?
Thanks
When you create a MySQL user [email protected], MySQL has to do a reverse lookup on every IP address connecting to it to determine whether they are part of example.com.
Of course, there's no restriction on creating reverse lookups, so I can quite happily ask my provider to set the reverse lookup for my IP address to be google.com if I want... or example.com if I happen to know that's what the users in your database have. This won't let me in, as MySQL then does a forward lookup on the returned domain to make sure it matches the same IP address that's connecting.
You can switch this off with skip_name_resolve in your my.cnf. There are many good reasons for doing this. The reason you are getting this error is that the IP address in question has no reverse lookup at all.
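To make the reverse-then-forward sequence concrete, here is an added example that is not part of the original answer: it models the lookup chain with injectable resolvers (so the spoofed-PTR and no-PTR cases can be exercised offline), matches a confirmed name against a simplified account host pattern, and tallies the unresolved-client warnings from a mysqld log. The log lines and addresses are constructed, and the host-pattern matching is an assumption that simplifies MySQL's real rules.

```python
import re
import socket
from collections import Counter

# Warning format modelled on the line quoted in the question.
WARN_RE = re.compile(r"IP address '(?P<ip>[0-9a-fA-F.:]+)' could not be resolved")
# Constructed sample log using TEST-NET addresses, not from a real server.
SAMPLE_LOG = """\
2016-05-10T08:12:01 [Warning] IP address '203.0.113.7' could not be resolved: Name or service not known
2016-05-10T08:12:03 [Warning] IP address '203.0.113.7' could not be resolved: Name or service not known
2016-05-10T08:15:44 [Warning] IP address '198.51.100.23' could not be resolved: Name or service not known
"""

def system_reverse(ip):
    """PTR lookup of the client address; None when it has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Addresses the reverse name resolves to (empty when it resolves to none)."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def classify_client(ip, reverse=system_reverse, forward=system_forward):
    """Reverse lookup, then forward-confirm it, as the answer describes.
    'unresolved': no PTR record (the warning in the question).
    'mismatch': PTR exists but does not resolve back to the client, so the
    spoofed name is not trusted. Otherwise the confirmed hostname."""
    name = reverse(ip)
    if name is None:
        return "unresolved"
    if ip not in forward(name):
        return "mismatch"
    return name

def host_matches(hostname, pattern):
    """Match a confirmed hostname against an account host such as '%.example.com'.
    Simplified assumption: % matches any run of characters, _ a single one."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, hostname, re.IGNORECASE) is not None

def unresolved_ips(log_text):
    """Count 'could not be resolved' warnings per source IP, for triage."""
    return Counter(m.group("ip") for m in WARN_RE.finditer(log_text))
```

Running unresolved_ips over the real log answers "where can I look": the per-IP counts show which sources are hammering the port, which is the input for the firewall rule the question already plans.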
You also have malicious attackers from China trying to brute force their way into your database. That should be your top priority.
I think it's a very, very bad idea to expose your database servers directly on the internet.
If you are replicating to a remote host and need internet access to achieve that, I suggest you set up a VPN between the two networks and bind your MySQL servers to listen only on the local network.
If both of your hosts are on the same local network, you will be safe to bind your mysql servers to that network.
Just got caught by this as well on Amazon RDS. I only wanted to connect to my test database instance (the following is definitely not recommended for production databases):
The security groups in Amazon RDS work a bit differently than the normal firewall rules for EC2 instances. If you open the MySQL port for a specific IP, the IP must be recognized by your MySQL server. If not, the connection is refused. The temporary solution is to create a new security group, e.g. anyone_can_connect_to_mysql, with just a single item: allow inbound MySQL/Aurora connections from anywhere on the internet, and attach this security group to your database. This removes the IP check from client connections so you're free to connect. Don't forget to detach the anyone_can_connect_to_mysql policy from the database once the resolution problems are over.
When connecting to MySQL remotely, I got an error. I had this warning in /var/log/mysqld.log:
I just added this line to the /etc/hosts file:
Problem solved, without using skip-name-resolve; it caused some errors in my local app when connecting to MySQL.