max_connect_errors provides a mechanism for protecting against some kinds of SYN flood attacks (http://mysqlblog.fivefarmers.com/2013/08/08/understanding-max_connect_errors/). Disabling it altogether would seem to make MariaDB less secure.
Better is to provide a mechanism to whitelist hosts such as your LBs. For example a new option, max_connect_error_whitelist=<list of ips> might be the better approach. Also note, using --skip-name-resolve should bypass the max_connect_errors mechanism altogether.

Thanks,
Adam Scott

On Mon, Jun 9, 2014 at 9:14 AM, Honza Horak <hho...@redhat.com> wrote:

> Hi guys,
>
> there are apparently some tools out there [1], that check if the server is
> up quite often, while not closing the connection properly. It eventually
> ends in 'many connection errors', because max_connect_errors is always
> limited now.
>
> I understand that this way of checking may be wrong, but there may be
> scenarios where we do not want to check for `max_connect_errors` at all.
>
> So, would it be acceptable for mariadb to change behaviour of
> max_connect_errors option, so that it accepts also 0 as a possible value,
> which would mean 'do not check connect errors at all'?
>
> I'm bringing the idea here first, but will submit a report and possibly
> patch if it does not seem to be undesired behaviour.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1104957
>
> TIA and regards,
> Honza
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-developers
> Post to : maria-developers@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~maria-developers
> More help : https://help.launchpad.net/ListHelp
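An added illustration, not part of the thread and not MariaDB source code: a toy Python model of a per-host connect-error counter, comparing today's limit with the two options discussed above (0 meaning 'do not check connect errors at all', and the hypothetical max_connect_error_whitelist). The class and function names, the IP addresses and the probe count are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class HostErrorTracker:
    """Toy model of per-host blocking after consecutive interrupted connects."""
    max_connect_errors: int = 10         # 0 = proposed "do not check" semantics
    whitelist: frozenset = frozenset()   # hypothetical max_connect_error_whitelist
    errors: dict = field(default_factory=dict)

    def _exempt(self, host):
        # Whitelisted hosts, or every host when the limit is 0, are never blocked.
        return host in self.whitelist or self.max_connect_errors == 0

    def is_blocked(self, host):
        if self._exempt(host):
            return False
        return self.errors.get(host, 0) >= self.max_connect_errors

    def connect(self, host, handshake_completed):
        """Return 'blocked', 'error' or 'ok' for one connection attempt."""
        if self.is_blocked(host):
            return "blocked"
        if handshake_completed:
            self.errors[host] = 0        # a successful connect clears the count
            return "ok"
        self.errors[host] = self.errors.get(host, 0) + 1
        return "error"

    def flush_hosts(self):
        """Model of FLUSH HOSTS: forget all per-host error counts."""
        self.errors.clear()


def lb_outcome(tracker, lb_ip="192.0.2.10", probes=25):
    """Constructed scenario: a health check behind a load balancer opens
    `probes` connections without finishing the handshake, then the same
    address forwards a real client. Returns the real client's result."""
    for _ in range(probes):
        tracker.connect(lb_ip, handshake_completed=False)
    return tracker.connect(lb_ip, handshake_completed=True)


if __name__ == "__main__":
    print("limit 10      :", lb_outcome(HostErrorTracker(10)))
    print("limit 0       :", lb_outcome(HostErrorTracker(0)))
    wl = HostErrorTracker(10, whitelist=frozenset({"192.0.2.10"}))
    print("whitelisted LB:", lb_outcome(wl))
    print("other host    :", lb_outcome(wl, lb_ip="198.51.100.7"))
```

With the whitelist variant only the listed address is exempt; any other host that accumulates interrupted connects is still blocked, which the limit of 0 no longer does for anyone.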