Many "Name or Service not known" RDNS entries in MySQL error log - how to trace
Hi all
We keep receiving the following errors in our MySQL error log:
2019-11-02 2:47:13 111377 [Warning] Host name 'X-X-X-X.example.in-addr.arpa' could not be resolved: Name or service not known
2019-11-02 3:27:48 113358 [Warning] IP address 'X.X.X.X' could not be resolved: Name or service not known
2019-11-02 8:50:09 147361 [Warning] IP address 'X.X.X.X' has been resolved to the host name 'X.X.X.X.example.com', which resembles IPv4-address itself.
Obviously this is due to MySQL attempting to perform a reverse lookup for a connection attempt. My query is: how do we trace the source of these messages? I'm assuming a customer's site is compromised and it would be nice to be able to notify them.
I'm also concerned about any potential security ramifications. We have CSF enabled with port 3306 closed to the general public. I know there is an option to disable networking in MySQL completely; unfortunately we have to have this active and port 3306 accessible to our hosting provider's internal network so their backup software can interface with MySQL. We're on a dedicated VLAN etc. so it shouldn't be an issue from a security perspective, but it would be nice to confirm.
Any guidance greatly appreciated!
-
If you thought that it was a compromise, the IP address would be useful to utilize in researching the logs - specifically:
/var/log/messages
/etc/apache2/logs/domlogs/
/etc/apache2/logs/error_log
-
Hi Lauren,
Other than some port scanning showing up in log/messages (blocked by CSF) there's nothing else of interest in those logs. Is there any way to monitor the source of these types of queries via MySQL?
-
The access logs would give you detail on what they're accessing. As far as with MySQL - if there is a specific query/process occurring, the following would tell you: MySQL :: MySQL 5.7 Reference Manual :: 13.7.5.29 SHOW PROCESSLIST Syntax (it's real-time).
I would be concerned that you don't have MySQL port 3306 locked down to outside requests properly if this continues to occur, though.