mysql error on log access denied

[leonep]

Hello,
i have a lot of notice entries in mysqld.log.
i tried changing the password from whm as well but it keeps flooding my log
where can i look for responsible for this?
............luckily everything is ok and running on the server !


2022-11-24T20:35:53.233369Z 671 [Note] Access denied for user 'root'@'localhost' (using password: NO)
2022-11-24T20:36:07.996364Z 686 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2022-11-24T20:36:07.996491Z 687 [Note] Access denied for user 'root'@'localhost' (using password: NO)
2022-11-24T20:36:08.233812Z 688 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2022-11-24T20:36:08.233971Z 689 [Note] Access denied for user 'root'@'localhost' (using password: NO)
2022-11-24T20:36:23.234368Z 695 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2022-11-24T20:36:23.234471Z 696 [Note] Access denied for user 'root'@'localhost' (using password: NO)
2022-11-24T20:36:38.234840Z 706 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2022-11-24T20:36:38.234998Z 707 [Note] Access denied for user 'root'@'localhost' (using password: NO)
2022-11-24T20:36:53.235314Z 724 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2022-11-24T20:36:53.235465Z 725 [Note] Access denied for user 'root'@'localhost' (using password: NO)
...................
...................



mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 977
Server version: 5.7.39-cll-lve MySQL Community Server - (GPL)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> status
--------------
mysql Ver 14.14 Distrib 5.7.39, for Linux (x86_64) using EditLine wrapper

Connection id: 977
Current database:
Current user: [email protected]
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.39-cll-lve MySQL Community Server - (GPL)
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
UNIX socket: /var/lib/mysql/mysql.sock
Uptime: 17 min 51 sec

Threads: 1 Questions: 90375 Slow queries: 0 Opens: 2396 Flush tables: 1 Open tables: 1936 Queries per second avg: 84.383
--------------

 

[ServerHealers]

It is possible something else configured in your server having wrong password and it keep trying to authenticate. We had a situation in the past on a customer server, where the MySQL monitor script they had for Nagios causing this after a MySQL root password reset as they forgot to update the new password in the script. It could be something similar, and correcting it would stop it.

Alternatively, it could be a website hosted on your server with root user and a wrong password in its config file (This is not a recommended approach I know, however, I've seen some people doing this when they follow some online articles). If this is the case, I'd suggest creating a new MySQL user and assign it to the site's database and put that new user details in the config file instead of root user.

 

[leonep]

great, thanks for the help. but how did you understand and identify that it was that specific script for nagios ?

 

[ServerHealers]

As a first step, we confirmed with the customer whether they used any monitor inhouse or by a previous management company and proceed further once they confirmed that they used Nagios for monitoring the server. It was easy for us when we get that information, and saved a lot of time.

If you have similar setup, I'd suggest looking at /etc/nrpe.d/ directory for any Nagios configs where we usually configure checks or could be /etc/check_mk/mysql.cfg if CheckMk in use. If these are not, then it would be time consuming in troubleshooting where exactly these logins are configured incorrectly.