Root-account tries to access mariadb-database regularly

Stefan Xenopol
Software engineer at makandra GmbH
December 19, 2022

We saw strange behaviour on one of our MariaDB servers:
every day at around midnight, the root account on that server tried to access the database.

# journalctl -u mariadb
Dec 16 00:00:03 cool-server mariadbd[788]: 2022-12-16  0:00:03 34996 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
Dec 17 00:00:02 cool-server mariadbd[788]: 2022-12-17  0:00:02 89012 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
Dec 18 00:00:02 cool-server mariadbd[788]: 2022-12-18  0:00:02 143027 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
Dec 19 00:00:02 cool-server mariadbd[788]: 2022-12-19  0:00:02 197043 [Warning] Access denied for user 'root'@'localhost' (using password: NO)

At first we wondered why this happened. We looked at every crontab and found nothing that tries to authenticate at midnight on the server. But when we looked into the syslog for this host, we noticed that the authentication attempt happened right after a log rotation.

# less /var/log/syslog
Dec 19 00:00:01 cool-server systemd[1]: Starting Rotate log files...
Dec 19 00:00:02 cool-server mariadbd[788]: 2022-12-19  0:00:02 197043 [Warning] Access denied for user 'root'@'localhost' (using password: NO)

Right after that we had a look at the logrotate configuration and saw that the mysqladmin command is used to check whether the server is running in order to rotate the log:

# vim /etc/logrotate.d/mysql-server

/var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/log/mysql/mariadb-slow.log /var/log/mysql/error.log {
        daily
        rotate 7
        missingok
        create 640 mysql adm
        compress
        sharedscripts
        postrotate
          test -x /usr/bin/mysqladmin || exit 0
          # check if server is running
          if mysqladmin ping > /dev/null 2>&1; then
            mysqladmin --defaults-file=/etc/mysql/debian.cnf --local flush-error-log \
              flush-engine-log flush-general-log flush-slow-log
          fi
        endscript
}

According to the documentation of the ping parameter of the mysqladmin command, the command tries to access the database, and if it succeeds (which it does even when access is denied) the log is rotated.

We experienced this error on our Ubuntu 20.04 servers with version 10.6.11 of mariadb-server from the official Galera/MariaDB mirror.
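The correlation described above can be automated for triage. This is an added example, not part of the original card: it marks a passwordless root@localhost denial as logrotate-induced only when it follows a logrotate start on the same host within a few seconds, and leaves every other denial as unexplained. The function name, the 5-second window, the year parameter and the 14:23 sample line are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog excerpt above; the Dec 19 14:23
# line is invented to show a denial that no log rotation explains.
SAMPLE_SYSLOG = """\
Dec 18 00:00:01 cool-server systemd[1]: Starting Rotate log files...
Dec 18 00:00:02 cool-server mariadbd[788]: 2022-12-18  0:00:02 143027 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
Dec 19 00:00:01 cool-server systemd[1]: Starting Rotate log files...
Dec 19 00:00:02 cool-server mariadbd[788]: 2022-12-19  0:00:02 197043 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
Dec 19 14:23:41 cool-server mariadbd[788]: 2022-12-19 14:23:41 201877 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
"""

# syslog line: timestamp, host, program name, optional [pid], message
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
DENIED = re.compile(r"Access denied for user '([^']*)'@'([^']*)' \(using password: (YES|NO)\)")
ROTATE_START = "Starting Rotate log files..."


def classify_denials(syslog_text, year=2022, window=timedelta(seconds=5)):
    """Return (timestamp, account, verdict) for each MariaDB access-denied line.

    `year` is passed in because classic syslog timestamps do not carry one.
    """
    last_rotation = {}  # host -> time of the most recent logrotate start
    results = []
    for raw in syslog_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, unit, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if unit == "systemd" and msg == ROTATE_START:
            last_rotation[host] = when
            continue
        d = DENIED.search(msg) if unit == "mariadbd" else None
        if not d:
            continue
        user, origin, password = d.groups()
        rotated = last_rotation.get(host)
        # Only the exact pattern produced by "mysqladmin ping" counts as benign.
        benign = (rotated is not None and timedelta(0) <= when - rotated <= window
                  and (user, origin, password) == ("root", "localhost", "NO"))
        results.append((when, f"{user}@{origin}", "logrotate" if benign else "unexplained"))
    return results

if __name__ == "__main__":
    for when, account, verdict in classify_denials(SAMPLE_SYSLOG):
        print(when.isoformat(sep=" "), account, verdict)
```

Denials reported as unexplained are the ones worth a closer look, since no log rotation accounts for them.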

Posted by Stefan Xenopol to makandra Operations (2022-12-19 15:50)