Stefan Langenmaier
1 year
Andreas Vöst
1 year
Moritz Kraus
1 year
Stefan Xenopol
1 year
Emma Heinle
2 years
Andreas Vöst
4 years

Root-account tries to access mariadb-database regularly

Posted . Visible to the public.

We had a strange behaviour on one of our mariadb-servers:
Everyday at around midnight we saw that the root-account on one of our servers is trying to access the database.

# journalctl -u mariadb
Dec 16 00:00:03 cool-server mariadbd[788]: 2022-12-16  0:00:03 34996 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
Dec 17 00:00:02 cool-server mariadbd[788]: 2022-12-17  0:00:02 89012 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
Dec 18 00:00:02 cool-server mariadbd[788]: 2022-12-18  0:00:02 143027 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
Dec 19 00:00:02 cool-server mariadbd[788]: 2022-12-19  0:00:02 197043 [Warning] Access denied for user 'root'@'localhost' (using password: NO)

At first we wondered why this happens and looked at every crontab and haven't seen something that tries to authenticate at midnight on the server. But after we looked into the syslog for this host we noticed that the authentication happened right after a logrotation.

# less /var/log/syslog
Dec 19 00:00:01 cool-server systemd[1]: Starting Rotate log files...
Dec 19 00:00:02 cool-server mariadbd[788]: 2022-12-19  0:00:02 197043 [Warning] Access denied for user 'root'@'localhost' (using password: NO)

Right after that we had a look into the logrotation-configuration and saw that the mysqladmin-command is used to check if the server is running in order to rotate the log:

# vim /etc/logrotate.d/mysql-server

/var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/log/mysql/mariadb-slow.log /var/log/mysql/error.log {
        daily
        rotate 7
        missingok
        create 640 mysql adm
        compress
        sharedscripts
        postrotate
          test -x /usr/bin/mysqladmin || exit 0
          # check if server is running
          if mysqladmin ping > /dev/null 2>&1; then
            mysqladmin --defaults-file=/etc/mysql/debian.cnf --local flush-error-log \
              flush-engine-log flush-general-log flush-slow-log
          fi
        endscript
}

From the documentation of the parameter Show archive.org snapshot ping of the mysqladmin-command we can see that the command tries to access the database and if that command succeeds (even if access is denied) the log will be rotated.

We experienced this error on our ubuntu 20.04-servers with version 10.6.11 of mariadb-server from the official Galera-/MariaDB-Mirror.

Stefan Xenopol
Last edit
Stefan Xenopol
License
Source code in this card is licensed under the MIT License.