I am building a MySQL server to allow a user to only access the database if he is on an internal IP address.
SET PASSWORD FOR 'testuser'@'MyIPwillgohere' = PASSWORD('password');
But I get the following error while using the above statement:
Can't find any matching row in the user table
I think it has something to do with the host being % instead of local host or my ip address.
+------------------+-------------+
| user | host |
+------------------+-------------+
| testuser | % |
| root | 127.0.0.1 |
| root | ::1 |
| debian-sys-maint | localhost |
| root | localhost |
| root | raspberrypi |
+------------------+-------------+
How can I change the host, or what should I do to fix this issue? I am using a PuTTY SSH connection to connect to the server and running mysql as the root user.
The question is how to change the test user's host, maybe?
I want to change the host from % to either local host or maybe my own ip address. I have used workbench to log in as editor but the host is still the same?
You might try something like this (but note that DROP essentially means "DELETE" so be careful):
DROP USER 'testuser';
GRANT USAGE ON dbnamegoeshere.* to 'testuser@MyIPwillgohere' IDENTIFIED BY 'password';
I have found the solution to my own problem. It didn't let me change where the host was connecting to by changing the password, e.g.
You might try something like this (but note that DROP essentially
means "DELETE" so be careful):
DROP USER 'testuser'; GRANT USAGE ON dbnamegoeshere.* to
'testuser@MyIPwillgohere' IDENTIFIED BY 'password';
Doing that, it said there was no match found. I had to grant the privileges to the user first and state where he is connecting from, and then changing the password was allowed.
Related
I have a Laravel project working fine on my local machine, but unable to connect to database on another Linux server.
The error I get is:
SQLSTATE[HY000] [1045] Access denied for user 'cpanel1_thewatcher'@'localhost' (using password: YES)
These are the settings I am using:
DB_CONNECTION=mysql
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=dbnamehere
DB_USERNAME=cpanel1_thewatcher
DB_PASSWORD=passwordhere
I have checked to make sure cpanel1_thewatcher has ALL PRIVILEGES on this database and that the password is correct.
This is on a VPS, where I have root access, and it has two IPs dedicated to it. The main IP we will call xxx.xxx.xx.165 and the second one xxx.xxx.xx.166. If I change the settings above to set DB_HOST to xxx.xxx.xx.166 I get a different error:
SQLSTATE[HY000] [1130] Host 'xxx.xxx.xx.166' is not allowed to connect to this MariaDB server
If I set DB_HOST to xxx.xxx.xx.165 then I get yet another error:
SQLSTATE[HY000] [1045] Access denied for user 'cpanel1_thewatcher'@'server1.domain.com'
If I set DB_HOST to domain.com (the main domain on the server) I get the same error I get with DB_HOST=xxx.xxx.xx.166.
I have examined the mysql.user table on the server and found the following:
+-------------------+----------------------+
| User | Host |
+-------------------+----------------------+
| root | 127.0.0.1 |
| cpanel1 | xxx.xxx.xx.165 |
| cpanel1_thewatcher | xxx.xxx.xx.165 |
| root | ::1 |
| cpanel1 | localhost |
| cpanel1_thewatcher | localhost |
| nagios | localhost |
| root | localhost |
| cpanel1 | server1.domain.com |
| cpanel1_thewatcher | server1.domain.com |
| root | server1.domain.com |
+-------------------+----------------------+
where cpanel1 is the username of the only cPanel account on the server.
I have tried creating an entry in the table above where user is cpanel1_thewatcher and host is % but no effect. I have also tried setting DB_USERNAME to just thewatcher but nothing changes in the error messages.
I have seen some questions on SO referring to the second error message I listed, but I have been unable to find a MariaDB configuration file anywhere on my server as suggested by some answers there.
Doing GRANT ALL PRIVILEGES ON dbnamehere.* TO 'cpanel1_thewatcher'@'localhost'; gives
Query OK, 0 rows affected (0.00 sec)
Can anyone tell me what to do, I am confused with the 2 IPs and 3 different error messages here, and not sure what else to try. I'd like to eliminate any issues on my end before I resort to contacting the hosting company and waiting for a week for them to resolve it.
You need to follow these steps in order to connect to your remote database:
In your database server, run the following command in your MariaDB console:
CREATE USER 'cpanel1_thewatcher'@'xxx.xxx.xx.166';
Followed by:
GRANT ALL PRIVILEGES ON dbnamehere.* TO 'cpanel1_thewatcher'@'xxx.xxx.xx.166';
FLUSH PRIVILEGES;
Where xxx.xxx.xx.166 is the IP of the machine you are trying to connect from (where your Laravel project lives).
I run rails on my local dev environment but the mysql instance is on a separate server.
When trying to open a page in the app I get this error:
Access denied for user 'username'@'myhostname.lan' (using password: YES)
When I ssh into the server running mysql and run this command SELECT Host from mysql.user WHERE User='username'; I get the following:
+---------------------+
| Host |
+---------------------+
| % |
| myhostname.lan |
| localhost |
+---------------------+
All of these entries were created with GRANT ALL PRIVILEGES ON dbname.* TO ...
So why can I not connect given that both the any-host wildcard % is in the list as well as the hostname I try to connect from specifically?
Despite having the same usernames, these users are different for MySQL.
Check that the password is set on all user entries and is what you expect it to be.
You can compare authentication_strings in mysql.user.
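How the two points in the answer above play out, as an added example that is not part of the original thread: a simplified Python model of how the server picks one account row (most specific host first, first match wins) and then checks only that row's credential. The rows mirror the listing in the question; the secret labels and function names are constructed for illustration.

```python
import re

# Constructed rows modelled on the mysql.user listing above; the
# credential labels are placeholders, not real hashes.
ACCOUNTS = [
    ("username", "%", "secret-A"),
    ("username", "myhostname.lan", "secret-B"),
    ("username", "localhost", "secret-A"),
]

def host_rank(host):
    """Lower rank sorts first. Simplified model of the server's ordering:
    literal hosts, then patterns, then '%', then the empty string."""
    if host == "":
        return 3
    if host == "%":
        return 2
    return 1 if ("%" in host or "_" in host) else 0

def host_matches(pattern, client_host):
    """Translate a MySQL host pattern (% = any run, _ = one char) to a regex."""
    if pattern == "":
        return True
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
    return re.fullmatch("".join(parts), client_host, re.IGNORECASE) is not None

def select_account(accounts, user, client_host):
    """Return the first matching row after sorting most-specific host first,
    then named users before the anonymous (empty) user."""
    ordered = sorted(accounts, key=lambda r: (host_rank(r[1]), r[0] == ""))
    for row in ordered:
        if row[0] in (user, "") and host_matches(row[1], client_host):
            return row
    return None

def can_log_in(accounts, user, client_host, secret):
    """Only the selected row's credential is checked; there is no fallback
    to a less specific row such as '%'."""
    row = select_account(accounts, user, client_host)
    return row is not None and row[2] == secret
```

With these rows, a client connecting from myhostname.lan is matched to the 'myhostname.lan' row, so a password that is only valid for the '%' row is rejected.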
I'm using the -h option, specifying that I want to connect to MySQL Server via a specific host/interface, but MySQL is telling me this, which apparently doesn't make so much sense
root@ilg40:/# mysql -h 127.0.0.1 -u root -proot
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1698 (28000): Access denied for user 'root'@'localhost'
OBS.: I have created an access for root via 127.0.0.1 (FLUSH PRIVILEGES() was already performed).
root@ilg40:/# mysql -e "SELECT User,Host,authentication_string FROM mysql.user;"
+-----------+-----------+-------------------------------------------+
| User | Host | authentication_string |
+-----------+-----------+-------------------------------------------+
| root | localhost | |
| mysql.sys | localhost | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| root | 127.0.0.1 | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
+-----------+-----------+-------------------------------------------+
Have you guys any idea about what's going on?
I can't find where is my failure :(..
P.S: I'm using Debian Jessie + MySQL 5.7.12
root@ilg40:/# cat /etc/debian_version
8.4
root@ilg40:/# mysql -e "SELECT VERSION();"
+-----------+
| VERSION() |
+-----------+
| 5.7.12 |
+-----------+
According to the MySQL official doc:
"The server performs host name resolution using the thread-safe
gethostbyaddr_r() and gethostbyname_r() calls if the operating system
supports them.
Otherwise, the thread performing the lookup locks a mutex
and calls gethostbyaddr() and gethostbyname() instead.
In this case, no other thread can resolve host names that are not in the host
cache until the thread holding the mutex lock releases it."
The solution I found was: dropping the user 'root'@'localhost' from MySQL.
DROP USER 'root'@'localhost';
I tried to modify /etc/hosts, but no good. There's something else around the way that MySQL performs these two syscalls, which maps 127.0.0.1 to localhost, regardless of whether you have the address mapped in a different way in /etc/hosts.
WARNING: be sure to have at least another user with admin powers on MySQL, using 127.0.0.1 for connection, or else you may lose access and/or admin powers over MySQL.
I am troubleshooting a MySQL privileges problem.
I want to connect to MySQL on the local server, but refer to it by its LAN name (so I can use the same user/pass/host on several web-nodes).
I have included credentials in the privilege tables for both a %.lan and a localhost user.
mysql> select user,host from mysql.user where user = 'mysqluser';
+-----------+---------------------+
| user | host |
+-----------+---------------------+
| mysqluser | %.lan |
| mysqluser | localhost |
+-----------+---------------------+
However, when I try to login, I get the error message
[systemuser@servername.mydomain.com ~]$ mysql -u mysqluser -p -h servername.mydomain.com.lan
Access denied for user 'mysqluser'@'servername.mydomain.com'
Note that servername.mydomain.com.lan does resolve to a 192.168.% IP; i.e. it's in my /etc/hosts file. Moreover, reverse DNS for the IP in question resolves as expected.
[systemuser@servername.mydomain.com ~]$ dig -x 192.168.X.Y
...
;; ANSWER SECTION:
Y.X.168.192.in-addr.arpa. 86400 IN PTR servername.mydomain.com.lan.
If I temporarily grant privileges to 'mysqluser'@'%' and login, MySQL reports
mysql> status
...
Current user: mysqluser@servername.mydomain.com
...
Connection: servername.mydomain.com.lan via TCP/IP
...
Why is the host for my Current user not equal to the host for my Connection?
What am I doing/assuming incorrectly? I should note that my arrangement was working as intended (for weeks), on two farms on a common LAN, then both independent MySQL instances suddenly started rejecting MySQL connections.
Context
So I'm following the tutorial for securing MYSQL on a Linux machine from DigitalOcean (https://www.digitalocean.com/community/tutorials/how-to-secure-mysql-and-mariadb-databases-in-a-linux-vps) and I am at the section where we are renaming the root user so that it will be more difficult for people to gain unauthorized access to the databases.
After executing rename user 'root'@'localhost' to 'newAdminUser'@'localhost';, I see:
+------------------+-----------+-------------------------------------------+
| User | Host | Password |
+------------------+-----------+-------------------------------------------+
| newAdminUser | localhost | *D95F7B9193493217A2F5AF587BB27C2F92EC2301 |
| root | 127.0.0.1 | *D95F7B9193493217A2F5AF587BB27C2F92EC2301 |
| root | ::1 | *D95F7B9193493217A2F5AF587BB27C2F92EC2301 |
| debian-sys-maint | localhost | *0BA36D18675A3EC9BBA779AAD0C189D798C886B1 |
+------------------+-----------+-------------------------------------------+
Question
Should I be changing the name for the other root users? What effect would this have on my machine - does the machine expect to have these "root" users?
I appreciate your time and assistance!
You can safely remove the 'root'@'127.0.0.1' user since it is equivalent to 'root'@'localhost' (you can still connect to host localhost or 127.0.0.1 using root).
Changing the user name from root to something else provides a marginal security enhancement as a person would already need to have gained access to the system (either locally, or exploited a website and tries to connect from a script).
You can also remove the IPv6 localhost equivalent ::1 if you don't need to connect to MySQL locally over IPv6.
You should not delete the debian-sys-maint account as this is used by the system to perform log related tasks.
As long as you ran mysql_secure_installation and removed root accounts that are accessible from outside the local host it shouldn't really matter from a security standpoint (unless you think someone will have SSH access to the machine, but shouldn't have access to the database).
But I would still change it, just for your own sanity - at some point you may be connecting to the database, and trying to use the newAdminUser, but MySQL sees you are connecting from 127.0.0.1 and so it says "nope, no user newAdminUser for that host, invalid password."