Mysql 大量 unauthenticated user
时间:2010-09-14 来源:sunss
MySQL的文档:http://dev.mysql.com/doc/refman/5.0/en/dns.html
MySQL处理用户连接时进行如下过程来验证用户的合法性:
1 When a new client connects to mysqld, mysqld spawns a new thread to handle the request. This thread first checks whether the host name is in the host name cache. If not, the thread attempts to resolve the host name:
2
3 The thread takes the IP address and resolves it to a host name (using gethostbyaddr()). It then takes that host name and resolves it back to the IP address (using gethostbyname()) and compares to ensure it is the original IP address.
即:先作反向解析IP>Hostname,然后作Hostname>IP的正向解析。如果结果符合,则验证为合法用户允许登录,如果不符合则定义为“unauthenticated user”。
1 eg: If your client machine is called 'foo.domain.com' with IP 1.2.3.4, you might set up grants on your remote MySQL server like this:
2
3 grant select on dbname.* to [email]username@foo.domain.com[/email] identified by 'somepassword'
4
5 But when you try to connect from foo.domain.com you find you get the error "Host '1.2.3.4' is not allowed to connect to this MySQL server"
6
7 This is because a reverse lookup of 1.2.3.4 may in fact return a fully qualified domain name of 4-3-2-1.isp.otherdomain.com, ie something *other* than foo.domain.com.
8
9 So stick to granting access by IP, not hostname, unless your forward and reverse lookups match.
所以建议创建用户权限的时候,不要使用hostname作为限制而是直接用IP;更干脆的话就主机不配置DNS Server。
MySQL的文档:http://dev.mysql.com/doc/refman/5.0/en/dns.html
手册中的解释是:unauthenticated user refers to a thread that has become associated with a client connection but for which authentication of the client user has not yet been done。意即:有一个线程在处理客户端的连接,但是该客户端还没通过用户验证。
解决办法有:
- 在 hosts 中添加客户端ip,如
192.168.0.1 yejr - MySQL启动参数增加一个skip-name-resolve,即不启用DNS反响解析
- 服务器的线程还处于排队状态,因此可以加大 back_log
相关阅读 更多 +
