WL#3953: Log Access Denied errors for bad passwords in the error log

Affects: Server-5.5 — Status: Complete — Priority: Low

See feature request BUG#25822.

For security reasons, users have requested that the server write access 
denied errors to the error log when a client tries to connect with a bad 
password. 

This could be done as extra functionality of the log-warnings=2 setting, 
until we get a more unified "security auditing" log. 

The proposed patch, contributed by Mark Leith, enables this. Sample 
output based on 5.1bk:

070124 11:45:19 [Note] libexec/mysqld: ready for connections.
Version: '5.1.15-beta-debug'  socket: '/Users/markleith/mysql/mysql-5.1-passwords.sock' port: 5115  Source distribution
070124 11:45:19 [Note] SCHEDULER: Loaded 0 events
070124 11:45:52 [Warning] Got signal 1 from thread 1
070124 11:47:39 [Warning] Access denied for user 'mark'@'localhost' (using password: NO)
070124 11:47:42 [Warning] Access denied for user 'mark'@'localhost' (using password: NO)
070124 11:49:18 [Warning] Access denied for user 'mark'@'localhost' (using password: NO)
070124 11:49:36 [Warning] Access denied for user 'mark'@'localhost' (using password: YES)
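
One way to use these warnings for detection, shown as an added example that is not part of the worklog or of the patch: it parses error-log lines in the format of the sample output and reports a host once it reaches a number of denials inside a time window. The names parse_denied and flag_bursts, the threshold and the window are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line format as in the sample output above. The user name is client-supplied
# and may contain quotes, so it is matched greedily and the host is anchored
# at the end of the line.
DENIED = re.compile(
    r"^(?P<ts>\d{6} +\d{1,2}:\d\d:\d\d) \[Warning\] Access denied for user "
    r"'(?P<user>.*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)\s*$"
)

def parse_denied(line):
    """Return (timestamp, user, host, used_password), or None for other lines."""
    m = DENIED.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%y%m%d %H:%M:%S")
    return ts, m["user"], m["host"], m["pw"] == "YES"

def flag_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Report each host once, when it reaches `threshold` denials in `window`."""
    recent = defaultdict(deque)        # host -> (timestamp, user) of recent denials
    alerted, alerts = set(), []
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        ts, user, host, _ = rec
        q = recent[host]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop denials older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, len(q), sorted({u for _, u in q}), q[0][0], ts))
    return alerts

# First five lines: from the sample output above, unwrapped. Last line: constructed.
SAMPLE = [
    "070124 11:45:52 [Warning] Got signal 1 from thread 1",
    "070124 11:47:39 [Warning] Access denied for user 'mark'@'localhost' (using password: NO)",
    "070124 11:47:42 [Warning] Access denied for user 'mark'@'localhost' (using password: NO)",
    "070124 11:49:18 [Warning] Access denied for user 'mark'@'localhost' (using password: NO)",
    "070124 11:49:36 [Warning] Access denied for user 'mark'@'localhost' (using password: YES)",
    "070124 11:50:02 [Warning] Access denied for user 'o'brien'@'192.0.2.10' (using password: YES)",
]
```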

See BUG#25822 "Log Access Denied errors for bad passwords 
in the error log" for HLS details.

Mark Leith's patch @2007-08-22, still subject to changes
suggested by Kostja:

===== sql_parse.cc 1.619 vs edited =====
--- 1.619/sql/sql_parse.cc 2007-01-18 23:02:56 +00:00
+++ edited/sql_parse.cc 2007-01-24 11:53:10 +00:00
@@ -480,6 +480,13 @@
thd->main_security_ctx.user,
thd->main_security_ctx.host_or_ip,
passwd_len ? ER(ER_YES) : ER(ER_NO));
+ if (global_system_variables.log_warnings > 1)
+ {
+ sql_print_warning(ER(ER_ACCESS_DENIED_ERROR),
+ thd->main_security_ctx.user,
+ thd->main_security_ctx.host_or_ip,
+ passwd_len ? ER(ER_YES) : ER(ER_NO));
+ }
DBUG_RETURN(-1);
#endif /* NO_EMBEDDED_ACCESS_CHECKS */
}
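
Review bot: Check that the user name cannot inject text into the error log. The added sql_print_warning call passes thd->main_security_ctx.user straight into the message, and on a failed login that string is whatever name the connecting client sent, so newlines or control characters in it could split or forge error-log lines unless they are escaped before logging. The new block also repeats the three arguments of the call just above it; formatting the message once and reusing it would keep the client error and the logged warning from drifting apart. Since every denied attempt with log_warnings > 1 now adds a line, the log-warnings documentation should say that repeated failed logins can grow the error log quickly.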
