Defending against SYN floods and brute-force attacks: what max_connect_errors actually does

The error:

```
ERROR 1129 (HY000): Host 'xxx' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'
```

Many sources claim this means the number of wrong-password attempts exceeded the max_connect_errors variable and MySQL therefore blocked the client. The official description says something different:

> If more than this many successive connection requests from a host are interrupted without a successful connection, the server blocks that host from further connections. You can unblock blocked hosts by flushing the host cache. To do so, issue a FLUSH HOSTS statement or execute a mysqladmin flush-hosts command. If a connection is established successfully within fewer than max_connect_errors attempts after a previous connection was interrupted, the error count for the host is cleared to zero. However, once a host is blocked, flushing the host cache is the only way to unblock it. The default is 100.

In short: if the server keeps receiving connection requests from the same host, and every one of them is interrupted before a connection is successfully established, then once the running count reaches the max_connect_errors setting the server refuses all further requests from that host.

Note: this is about connections that were cut off, typically by network problems. Wrong passwords are not mentioned at all.

Verification:

Create a test account in MySQL and set max_connect_errors to 3:

```
mysql> set global max_connect_errors=3;
Query OK, 0 rows affected (0.00 sec)

mysql> show variables like '%max_connect_error%';
+--------------------+-------+
| Variable_name      | Value |
+--------------------+-------+
| max_connect_errors | 3     |
+--------------------+-------+
1 row in set (0.00 sec)
```

From another test machine, connect with a wrong password. Even after three wrong passwords, the fourth attempt still gets "Access denied", not the blocking error above, so the variable has nothing to do with wrong passwords:

```
[root@mytestlnx02 tmp]# mysql -h10.20.57.24 -utest -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'mytestlnx02' (using password: YES)
[root@mytestlnx02 tmp]# mysql -h10.20.57.24 -utest -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'mytestlnx02' (using password: YES)
[root@mytestlnx02 tmp]# mysql -h10.20.57.24 -utest -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'mytestlnx02' (using password: YES)
[root@mytestlnx02 tmp]# mysql -h10.20.57.24 -utest -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'mytestlnx02' (using password: YES)
```

Wrong passwords from a client IP are recorded, though: the host_cache table in the performance_schema database accumulates them in the COUNT_AUTHENTICATION_ERRORS column:

```
mysql> select * from performance_schema.host_cache\G
*************************** 1. row ***************************
                                        IP: 192.168.27.180
                                      HOST: gettestlnx02
                            HOST_VALIDATED: YES
                        SUM_CONNECT_ERRORS: 0
                 COUNT_HOST_BLOCKED_ERRORS: 0
           COUNT_NAMEINFO_TRANSIENT_ERRORS: 0
           COUNT_NAMEINFO_PERMANENT_ERRORS: 0
                       COUNT_FORMAT_ERRORS: 0
           COUNT_ADDRINFO_TRANSIENT_ERRORS: 0
           COUNT_ADDRINFO_PERMANENT_ERRORS: 0
                       COUNT_FCRDNS_ERRORS: 0
                     COUNT_HOST_ACL_ERRORS: 0
               COUNT_NO_AUTH_PLUGIN_ERRORS: 0
                  COUNT_AUTH_PLUGIN_ERRORS: 0
                    COUNT_HANDSHAKE_ERRORS: 0
                   COUNT_PROXY_USER_ERRORS: 0
               COUNT_PROXY_USER_ACL_ERRORS: 0
               COUNT_AUTHENTICATION_ERRORS: 4
                          COUNT_SSL_ERRORS: 0
         COUNT_MAX_USER_CONNECTIONS_ERRORS: 0
COUNT_MAX_USER_CONNECTIONS_PER_HOUR_ERRORS: 0
             COUNT_DEFAULT_DATABASE_ERRORS: 0
                 COUNT_INIT_CONNECT_ERRORS: 0
                        COUNT_LOCAL_ERRORS: 0
                      COUNT_UNKNOWN_ERRORS: 0
                                FIRST_SEEN: 2018-01-31 16:28:19
                                 LAST_SEEN: 2018-01-31 16:28:26
                          FIRST_ERROR_SEEN: 2018-01-31 16:28:19
                           LAST_ERROR_SEEN: 2018-01-31 16:28:26
1 row in set (0.00 sec)
```

According to the official documentation, the column that is assessed against max_connect_errors is SUM_CONNECT_ERRORS: the number of connection errors deemed "blocking". Only protocol handshake errors are counted, and only for hosts that passed validation (HOST_VALIDATED = YES). COUNT_AUTHENTICATION_ERRORS is simply the number of failed authentications; it plays no part in the blocking decision, which is why it is already 4 above while SUM_CONNECT_ERRORS is still 0.

Once the TCP connection is up, the MySQL client and server exchange the MySQL protocol handshake. Normally this takes almost no time, but when the network is broken or slow the handshake cannot complete. The server-side variable connect_timeout is the number of seconds mysqld waits for the handshake to finish (default 10). If the handshake has not completed within connect_timeout, the client receives an error along the lines of:

```
Lost connection to MySQL server at 'XXX', system error: errno
```

So let us construct a case where a network timeout interrupts the database connection. With the Linux tc command and the netem qdisc we can simulate network delay: after the setting below, every packet from the test server to the MySQL server is delayed by 11 seconds:

```
[root@gettestlnx02 ~]# ping 10.20.57.24
PING 10.20.57.24 (10.20.57.24) 56(84) bytes of data.
64 bytes from 10.20.57.24: icmp_seq=1 ttl=62 time=0.251 ms
64 bytes from 10.20.57.24: icmp_seq=2 ttl=62 time=0.330 ms
64 bytes from 10.20.57.24: icmp_seq=3 ttl=62 time=0.362 ms
64 bytes from 10.20.57.24: icmp_seq=4 ttl=62 time=0.316 ms
[root@gettestlnx02 ~]# tc qdisc add dev eth0 root netem delay 11000ms
[root@gettestlnx02 ~]# ping 10.20.57.24
PING 10.20.57.24 (10.20.57.24) 56(84) bytes of data.
64 bytes from 10.20.57.24: icmp_seq=1 ttl=62 time=11000 ms
64 bytes from 10.20.57.24: icmp_seq=2 ttl=62 time=11000 ms
64 bytes from 10.20.57.24: icmp_seq=3 ttl=62 time=11000 ms
```

Now connect to MySQL from the test server gettestlnx02. (Note: if you are logged in to that server over SSH, everything you type there is now painfully slow. You can instead simulate the delay on the MySQL server, or lower both connect_timeout and the delay.)

```
[root@gettestlnx02 ~]# mysql -h10.20.57.24 -utest -p
Enter password:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading authorization packet', system error: 0
```

Because the delay exceeds the 10-second connect_timeout, the connection fails. Query host_cache on the MySQL server now and SUM_CONNECT_ERRORS is 1, as is COUNT_HANDSHAKE_ERRORS. Repeat the attempt three times in total and both columns read 3:

```
mysql> select * from host_cache\G
*************************** 1. row ***************************
                                        IP: 192.168.27.180
                                      HOST: gettestlnx02
                            HOST_VALIDATED: YES
                        SUM_CONNECT_ERRORS: 3
                 COUNT_HOST_BLOCKED_ERRORS: 1
           COUNT_NAMEINFO_TRANSIENT_ERRORS: 0
           COUNT_NAMEINFO_PERMANENT_ERRORS: 0
                       COUNT_FORMAT_ERRORS: 0
           COUNT_ADDRINFO_TRANSIENT_ERRORS: 0
           COUNT_ADDRINFO_PERMANENT_ERRORS: 0
                       COUNT_FCRDNS_ERRORS: 0
                     COUNT_HOST_ACL_ERRORS: 0
               COUNT_NO_AUTH_PLUGIN_ERRORS: 0
                  COUNT_AUTH_PLUGIN_ERRORS: 0
                    COUNT_HANDSHAKE_ERRORS: 3
                   COUNT_PROXY_USER_ERRORS: 0
               COUNT_PROXY_USER_ACL_ERRORS: 0
               COUNT_AUTHENTICATION_ERRORS: 4
                          COUNT_SSL_ERRORS: 0
         COUNT_MAX_USER_CONNECTIONS_ERRORS: 0
COUNT_MAX_USER_CONNECTIONS_PER_HOUR_ERRORS: 0
             COUNT_DEFAULT_DATABASE_ERRORS: 0
                 COUNT_INIT_CONNECT_ERRORS: 0
                        COUNT_LOCAL_ERRORS: 0
                      COUNT_UNKNOWN_ERRORS: 0
                                FIRST_SEEN: 2018-01-31 16:28:19
                                 LAST_SEEN: 2018-01-31 17:02:10
                          FIRST_ERROR_SEEN: 2018-01-31 16:28:19
                           LAST_ERROR_SEEN: 2018-01-31 17:02:10
1 row in set (0.00 sec)
```

Then remove the simulated delay on the test server with tc and try to connect again:

```
[root@gettestlnx02 ~]# tc qdisc del dev eth0 root netem delay 11000ms
[root@gettestlnx02 ~]# mysql -h10.20.57.24 -utest -p
Enter password:
ERROR 1129 (HY000): Host '192.168.27.180' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'
```

This reproduces the error we started with: once SUM_CONNECT_ERRORS reached the max_connect_errors value of 3, the next connection from that host was refused even though the network was healthy again.

Solution

The real fix is to resolve the network latency. Temporary workarounds:

1. Raise max_connect_errors:

```
mysql> set global max_connect_errors=150;
Query OK, 0 rows affected (0.00 sec)
```

SET GLOBAL does not survive a restart; put the setting in my.cnf as well. Note that raising the value only helps hosts that are not yet blocked: as the documentation says, a host that is already blocked stays blocked until the host cache is flushed.

2. Flush the host cache:

```
mysql> flush hosts;
Query OK, 0 rows affected (0.00 sec)

mysql> select * from performance_schema.host_cache;
Empty set (0.00 sec)
```

(FLUSH HOSTS is deprecated as of MySQL 8.0.23; TRUNCATE TABLE performance_schema.host_cache does the same thing.)

So what is the host cache? Put simply, the MySQL server keeps an in-memory cache of client information: IP address, host name and error counters. Only non-local TCP connections are cached. Connections over the loopback address (127.0.0.1 or ::1), a Unix socket file, a named pipe or shared memory are not. The cache contents can be queried through the performance_schema.host_cache table.

Summary: max_connect_errors cannot serve as a defence against password brute-forcing. What it does limit is a host that keeps opening TCP connections to mysqld and never completes the protocol handshake (a scanner, a broken client, a flaky network), which is the "SYN flood"-style abuse the title refers to; a genuine SYN flood never completes the TCP handshake, so mysqld never sees it and it has to be dealt with at the kernel or network layer. If you want the server itself to slow down password guessing, the CONNECTION_CONTROL plugin (connection_control_failed_connections_threshold and friends) exists for exactly that; max_connect_errors is not it.

However, performance_schema.host_cache does record COUNT_AUTHENTICATION_ERRORS per source IP. One can therefore read the table every second, pick out IPs whose failed-login count is growing too fast, and add them to the firewall automatically.

References:
http://mysqlblog.fivefarmers.com/2013/08/08/understanding-max_connect_errors/
https://dev.mysql.com/doc/refman/8.4/en/performance-schema-host-cache-table.html
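The following is an added illustration, not code from the original post or from MySQL itself: a small model of the host-cache bookkeeping exercised by the two experiments above. It encodes only the rules the documentation states and the experiments confirmed (handshake failures feed SUM_CONNECT_ERRORS and are compared against max_connect_errors on every new connection, a wrong password is counted separately and never blocks, a successful login clears the blocking counter, and a blocked host stays blocked until the cache is flushed). The error strings are shortened versions of the real ones.

```python
"""Model of the host-cache bookkeeping behind ERROR 1129 (added illustration,
not MySQL source code; rules as documented and observed in the post)."""
from dataclasses import dataclass


@dataclass
class HostEntry:
    """The host_cache columns that matter for the blocking decision."""
    sum_connect_errors: int = 0           # compared against max_connect_errors
    count_handshake_errors: int = 0       # handshake aborted or timed out
    count_authentication_errors: int = 0  # wrong password; never causes a block
    count_host_blocked_errors: int = 0    # attempts refused with ERROR 1129


class HostCacheModel:
    def __init__(self, max_connect_errors: int = 100):
        self.max_connect_errors = max_connect_errors
        self.entries = {}  # ip -> HostEntry

    def connect(self, ip: str, outcome: str) -> str:
        """One TCP connection from `ip` whose MySQL-level result is `outcome`:
        'handshake_error' (client vanished before the handshake finished, e.g.
        connect_timeout expired), 'auth_error' (handshake done, wrong password)
        or 'ok'. Returns the verdict the client would see."""
        e = self.entries.setdefault(ip, HostEntry())
        # The block check runs first, before any handshake or authentication work.
        if e.sum_connect_errors >= self.max_connect_errors:
            e.count_host_blocked_errors += 1
            return "ERROR 1129: Host is blocked because of many connection errors"
        if outcome == "handshake_error":
            e.count_handshake_errors += 1
            e.sum_connect_errors += 1  # the only counter the block check looks at
            return "ERROR 2013: Lost connection to MySQL server"
        if outcome == "auth_error":
            e.count_authentication_errors += 1  # recorded, but not a "blocking" error
            return "ERROR 1045: Access denied"
        if outcome == "ok":
            e.sum_connect_errors = 0  # a successful login clears the blocking count
            return "connected"
        raise ValueError(f"unknown outcome {outcome!r}")

    def flush_hosts(self) -> None:
        """FLUSH HOSTS / TRUNCATE performance_schema.host_cache: forget everything."""
        self.entries.clear()


def brute_force_never_blocks(attempts: int = 1000, max_connect_errors: int = 3) -> bool:
    """Wrong passwords alone: the host is never refused, however many are tried."""
    m = HostCacheModel(max_connect_errors)
    verdicts = {m.connect("192.168.27.180", "auth_error") for _ in range(attempts)}
    return verdicts == {"ERROR 1045: Access denied"}
```

Running the two experiments through the model gives the same picture as the host_cache snapshots: four wrong passwords leave SUM_CONNECT_ERRORS at 0, three handshake failures raise it to 3, and from then on every attempt, correct password or not, gets ERROR 1129 until flush_hosts().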
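The polling idea in the summary, worked out as an added example (not code from the original post). Assumptions: the MySQL driver is PyMySQL (any DB-API driver works), the database host runs iptables, MySQL listens on 3306, and the monitoring account connects over loopback so it never shows up in the host cache itself. The one MySQL fact the tracker depends on is that COUNT_AUTHENTICATION_ERRORS is a cumulative per-IP counter that only goes down when the host cache is flushed or the row is evicted, so the script blocks on the rate of new failures inside a sliding window rather than on the raw total.

```python
"""Poll performance_schema.host_cache every second and firewall source IPs whose
failed-login counter grows too fast. Added example; PyMySQL, iptables and port
3306 are assumptions."""
import os
import subprocess
import time

HOST_CACHE_SQL = "SELECT IP, COUNT_AUTHENTICATION_ERRORS FROM performance_schema.host_cache"


class AuthFailureTracker:
    """Turn the cumulative counter into a sliding-window failure rate per IP."""

    def __init__(self, threshold: int = 20, window: float = 60.0):
        self.threshold = threshold  # new failures within `window` seconds that trigger a block
        self.window = window
        self._last_count = {}       # ip -> COUNT_AUTHENTICATION_ERRORS at the previous poll
        self._events = {}           # ip -> [(timestamp, new_failures), ...]
        self.blocked = set()

    def prime(self, rows) -> None:
        """Record the counters present at startup so old history is not punished."""
        for ip, count in rows:
            self._last_count[ip] = count

    def update(self, rows, now: float):
        """Process one poll of (IP, COUNT_AUTHENTICATION_ERRORS) rows.
        Returns the IPs that crossed the threshold in this poll."""
        newly_blocked = []
        for ip, count in rows:
            prev = self._last_count.get(ip, 0)  # a row that is new since priming counts in full
            self._last_count[ip] = count
            delta = count - prev
            if delta < 0:
                # Counter went backwards: FLUSH HOSTS or cache eviction. Re-baseline, count nothing.
                continue
            if delta == 0:
                continue
            cutoff = now - self.window
            events = [(t, d) for t, d in self._events.get(ip, []) if t >= cutoff]
            events.append((now, delta))
            self._events[ip] = events
            if sum(d for _, d in events) >= self.threshold and ip not in self.blocked:
                self.blocked.add(ip)
                newly_blocked.append(ip)
        return newly_blocked


def firewall_rule(ip: str, port: int = 3306):
    """iptables command that drops new MySQL connections from `ip` (assumed iptables host)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", str(port), "-j", "DROP"]


def block(ip: str, dry_run: bool = True):
    """Apply the rule unless dry_run; the command is returned either way for logging."""
    cmd = firewall_rule(ip)
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


def poll_forever(conn, tracker: AuthFailureTracker, interval: float = 1.0, dry_run: bool = True):
    """conn: a DB-API connection whose user has SELECT on performance_schema.host_cache."""
    with conn.cursor() as cur:
        cur.execute(HOST_CACHE_SQL)
        tracker.prime(cur.fetchall())
    while True:
        with conn.cursor() as cur:
            cur.execute(HOST_CACHE_SQL)
            rows = cur.fetchall()
        for ip in tracker.update(rows, time.time()):
            print("blocking", ip, "->", " ".join(block(ip, dry_run)))
        time.sleep(interval)


if __name__ == "__main__":
    import pymysql  # assumed driver: pip install pymysql

    conn = pymysql.connect(host="127.0.0.1", user="monitor",
                           password=os.environ["MONITOR_PASSWORD"], autocommit=True)
    poll_forever(conn, AuthFailureTracker(threshold=20, window=60.0), dry_run=True)
```

The firewall rule outlives FLUSH HOSTS, which is the point: flushing the cache to unblock a legitimate host will not also release an attacker. Start with dry_run=True and watch the log before letting the script touch iptables.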
Source: https://www.cnblogs.com/rcsy/p/18284890