
In these last couple of days, one of my VPS servers has crashed twice for no apparent reason. All systems on it are up to date. Fail2ban is installed and jailed as much as usual, I trust the server's provider company, the distribution system is Ubuntu 14.
So I checked some logs and found in the mysql error logs about 60 warnings like the one below in a time frame of 90 seconds, 1 hour before I received a mail from the monitoring system of the vps informing me that the vps was down:

[Warning] IP address 'XXX.XXX.XXX.XXX' could not be resolved: Temporary failure in name resolution

Can this be a brute force attack on mysql that crashed the server? Does that make sense?
The server and the site are from western Europe. The IP in the warning leads to Beijing.
Is there any mysql configuration I can make to avoid this kind of request? I actually don't understand how someone can request mysql on my server.

Tritof
  • Why is your MySQL server reachable from the internet? – Sven May 17 '18 at 11:39
  • Oh. well... I... don't... know. I guess I missed something in the configuration somewhere – Tritof May 17 '18 at 11:44
  • Do you mean remote access to mysql? – Tritof May 17 '18 at 11:46
  • Alright, so after checking it, `bind-address = 127.0.0.1` was commented out. I am not sure this should be this way. It may be because there is plesk installed on it. I have others without plesk and `bind-address = 127.0.0.1` is uncommented by default. Thanks for pointing it out to me. – Tritof May 17 '18 at 12:28

1 Answer


My suggestion would be to make sure you have your host-based firewall only allowing traffic to it from the host itself (and webserver if it is a web app). You only need TCP 3306 open to specified hosts, not the public internet.

Joe M
  • @tritof Suggestion to consider in your my.cnf-ini [mysqld] section: `skip_name_resolve=ON` # see refman for your version, please. If your application does NOT depend on this feature, SKIP it due to frequent unreliability issues. – Wilson Hauck Jun 21 '18 at 03:50
  • @tritof Please share with us the results of `SELECT @@max_connect_errors`. With this information, there will likely be suggestions to limit brute force attacks. Thanks – Wilson Hauck Jul 02 '18 at 00:05
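
The checks discussed in this thread, as an added example that is not code from any of the posters: it audits the `[mysqld]` section for the commented-out `bind-address` and for `skip_name_resolve`, and counts the "could not be resolved" warnings per client IP. The function names, the sample config, and the log timestamp format are assumptions constructed for illustration.

```python
import configparser
import re
from collections import Counter

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
RESOLVE_RE = re.compile(r"\[Warning\] IP address '([^']+)' could not be resolved")

def audit_mysqld(cnf_text):
    """Return findings for the [mysqld] options discussed in this thread."""
    # configparser cannot read !include / !includedir directives, so drop them.
    body = "\n".join(line for line in cnf_text.splitlines()
                     if not line.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None,
                                   inline_comment_prefixes=("#",))
    cp.read_string(body)
    opts = {}
    if cp.has_section("mysqld"):
        # MySQL accepts '-' and '_' interchangeably in option names.
        opts = {k.replace("-", "_"): v for k, v in cp.items("mysqld")}
    findings = []
    bind = opts.get("bind_address")
    if bind is None:
        findings.append("bind-address not set: mysqld listens on all interfaces")
    elif bind not in LOOPBACK:
        findings.append("bind-address = %s is not a loopback address" % bind)
    skip = opts.get("skip_name_resolve", "OFF")   # bare option parses as None
    if str(skip).upper() in ("OFF", "0", "FALSE"):
        findings.append("skip_name_resolve off: client IPs are resolved via DNS")
    return findings

def unresolved_clients(log_text, threshold=10):
    """Map client IP -> count of failed-lookup warnings at or above threshold."""
    counts = Counter(RESOLVE_RE.findall(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample input: 203.0.113.7 is a documentation address (RFC 5737).
SAMPLE_CNF = "[mysqld]\nport = 3306\n#bind-address = 127.0.0.1\n"
HARDENED_CNF = "[mysqld]\nbind-address = 127.0.0.1\nskip_name_resolve = ON\n"
SAMPLE_LOG = "\n".join(
    "2018-05-17 10:00:%02d 1234 [Warning] IP address '203.0.113.7' could not be "
    "resolved: Temporary failure in name resolution" % s for s in range(60))

if __name__ == "__main__":
    for finding in audit_mysqld(SAMPLE_CNF):
        print("FINDING:", finding)
    print(unresolved_clients(SAMPLE_LOG))
```

Each such warning means a remote client's connection reached mysqld, so any IP reported by `unresolved_clients` is also evidence that TCP 3306 is exposed to that network.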