On Mon, Jul 9, 2012 at 11:41 PM, Zdenek Herman <zdenek.her...@ille.cz> wrote:
> My hosts.deny
> # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
> # See the manual pages hosts_access(5) and hosts_options(5).
> #
> # Example: ALL: some.host.name, .some.domain
> # ALL EXCEPT in.fingerd: other.host.name, .other.domain
> #
> # If you're going to protect the portmapper use the name "portmap" for the
> # daemon name. Remember that you can only use the keyword "ALL" and IP
> # addresses (NOT host or domain names) for the portmapper, as well as for
> # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
> # for further information.
> #
> # The PARANOID wildcard matches any host whose name does not match its
> # address.
> #
> # You may wish to enable this to ensure any programs that don't
> # validate looked up hostnames still leave understandable logs. In past
> # versions of Debian this has been the default.
> # ALL: PARANOID
> ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
>
> My hosts.allow
> # /etc/hosts.allow: list of hosts that are allowed to access the system.
> # See the manual pages hosts_access(5) and hosts_options(5).
> #
> # Example: ALL: LOCAL @some_netgroup
> # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> #
> # If you're going to protect the portmapper use the name "portmap" for the
> # daemon name. Remember that you can only use the keyword "ALL" and IP
> # addresses (NOT host or domain names) for the portmapper, as well as for
> # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
> # for further information.
> #
> sshd: 192.168.1.1 \
> : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
>
> I tested with mysqld: ALL in hosts.deny too.
>
What was the mysql client command line which failed?

If running on the same host as the server, the mysql client will use the unix-domain socket in /var/run/mysqld/mysqld.sock for connecting to the server. To force it to use an AF_INET socket, pass -h 127.0.0.1 to the mysql client (-h localhost is not sufficient).

I just tested this on my debian squeeze mysql setup. With -h 127.0.0.1 and "mysqld: ALL" in hosts.deny, connections are rejected.

If you do not want to use mysql access control, you should disable the socket in the mysql server config, if that's possible.

-- 
regards,
kushal
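The rule evaluation discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of hosts_access(5) matching, run over the active rules quoted above. The function names are hypothetical, only `ALL`, exact addresses and trailing-dot address prefixes are handled (no `EXCEPT`, hostnames or netgroups), and the `unix` branch is an assumption that encodes the reply's point about local-socket connections.

```python
import re

# Constructed sample input: the active (non-comment) rules quoted in the thread.
HOSTS_ALLOW = r"""
sshd: 192.168.1.1 \
 : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
"""
HOSTS_DENY = r"""
ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h [%a] >> /var/log/tcp_wrapper/%d.log ) &
"""

def parse_rules(text):
    """Return [(daemon_list, client_list)] from hosts_access(5)-style text."""
    text = re.sub(r"\\\n", " ", text)      # join backslash-continued lines
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)        # daemon_list : client_list [: option]
        if len(fields) < 2:
            continue                       # malformed rule, skipped in this model
        rules.append((re.split(r"[\s,]+", fields[0].strip()),
                      re.split(r"[\s,]+", fields[1].strip())))
    return rules

def _match(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):              # address prefix such as "192.168."
        return value.startswith(pattern)
    return pattern == value

def matches(rules, daemon, addr):
    return any(any(_match(d, daemon) for d in ds) and
               any(_match(c, addr) for c in cs) for ds, cs in rules)

def decide(daemon, addr, transport="tcp"):
    """Model the outcome for one connection attempt."""
    if transport == "unix":
        return "not checked"   # assumption from the reply: local socket path is not wrapped
    if matches(parse_rules(HOSTS_ALLOW), daemon, addr):
        return "allow"         # hosts.allow is consulted first
    if matches(parse_rules(HOSTS_DENY), daemon, addr):
        return "deny"
    return "allow"             # no match in either file grants access
```

Because the `unix` case never reaches the rule files, restricting local clients has to happen in MySQL's own access control or by disabling the socket, as the reply suggests.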