1130 | ERROR | Tier 1 — Safe | ✅ HIGH confidence

Host is not allowed to connect to this MySQL server

Category: Access Control
Versions: All MariaDB / MySQL versions

🔴 Production Risk Error

HIGH — blocks all connections from ungranted hosts.

What this means

Error 1130 (SQLSTATE HY000) is raised when a client's host does not match any host entry in the mysql.user table for the given username. The server rejects the connection before authentication even begins.

Why it happens

  1. User account was created with 'user'@'localhost' but the client is connecting from a different IP
  2. User account uses a specific IP (e.g. 'user'@'192.168.1.10') that does not match the actual client IP
  3. DNS reverse-lookup failure causes the resolved hostname to differ from the grant
  4. skip-name-resolve is enabled but the grant uses a hostname instead of an IP

How to reproduce

A client connecting from a host not listed in the user's grant.

trigger — this will ERROR
# From a remote machine (appuser only has a grant for 'appuser'@'localhost'):
mysql -h db.example.com -u appuser -p
ERROR 1130 (HY000): Host '203.0.113.45' is not allowed to connect to this MySQL server

Fix 1: Create or extend the user grant for the correct host

When the client host is known and the connection is intentional.

fix
-- Grant access from a specific IP:
CREATE USER 'appuser'@'203.0.113.45' IDENTIFIED BY 'secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON myapp.* TO 'appuser'@'203.0.113.45';

-- Or use a wildcard for any host (use with care):
CREATE USER 'appuser'@'%' IDENTIFIED BY 'secret';
GRANT SELECT, INSERT ON myapp.* TO 'appuser'@'%';
FLUSH PRIVILEGES; -- not required after CREATE USER / GRANT; only needed after direct edits to the grant tables

Why this works

'%' matches any host. Prefer specific IPs or subnets in production to limit attack surface.

Fix 2: Enable skip-name-resolve and use IP-based grants

When DNS lookups are slow or unreliable.

fix
# In my.cnf / server.cnf:
[mysqld]
skip-name-resolve

# All grants must then use IP addresses, not hostnames.

Why this works

skip-name-resolve disables reverse DNS lookups, speeding up connection setup and avoiding hostname mismatch errors.

What not to do

Grant access from any host ('%') in production without network-level controls

Why it's wrong: Exposes the database to the public internet; combine with firewall rules if '%' is necessary.

Dangerous variant

⚠️ Warning

Using '%' with a weak password is a common ransomware attack vector against publicly exposed MariaDB/MySQL instances.
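
Before applying Fix 2 or widening a grant, it helps to see how every existing account's Host value is written. The query below is an added example, not part of the original reference; it only reads mysql.user, and the column aliases host_kind and relies_on_dns are names chosen here for illustration.

```sql
-- Added example: read-only audit of the Host part of every account.
-- Needs SELECT on mysql.user; run it before changing name resolution.
SELECT
    User,
    Host,
    CASE
        WHEN Host = '%'                       THEN 'any host'
        WHEN LOCATE('%', Host) > 0
          OR LOCATE('_', Host) > 0            THEN 'wildcard pattern'
        WHEN Host IN ('localhost', '127.0.0.1', '::1')
                                              THEN 'local only'
        WHEN Host LIKE '%:%'                  THEN 'literal IPv6 address'
        WHEN Host REGEXP '[A-Za-z]'           THEN 'hostname'
        ELSE 'literal IPv4 address or netmask'
    END AS host_kind,
    -- Letters in a non-IPv6 Host mean the entry is matched against a
    -- resolved name, so it stops matching once skip-name-resolve is on.
    -- 'localhost' is excluded: socket connections match it without DNS.
    CASE
        WHEN Host <> 'localhost'
         AND Host NOT LIKE '%:%'
         AND Host REGEXP '[A-Za-z]'           THEN 'yes'
        ELSE 'no'
    END AS relies_on_dns
FROM mysql.user
ORDER BY (Host = '%') DESC, relies_on_dns DESC, User, Host;
```

Rows marked 'any host' are the ones to pair with firewall rules or replace with specific IPs; rows with relies_on_dns = 'yes' need an IP-based equivalent before skip-name-resolve is enabled, otherwise those clients start receiving error 1130.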

Sources

📚 Official docs: https://mariadb.com/kb/en/configuring-mariadb-for-remote-client-access/

🔧 Source ref: MariaDB Server error code 1130 / ER_HOST_NOT_PRIVILEGED

📖 Further reading: MariaDB Remote Client Access

📖 Further reading: MariaDB skip-name-resolve

Confidence assessment

✅ HIGH confidence

Stable. Host matching behaviour is unchanged across versions.

See also

📄 Reference pages

GRANT, mysql.user, skip-name-resolve
⚙️ This error reference was generated with AI assistance and reviewed for accuracy. Examples are provided to illustrate common scenarios and may not cover every case. Always test fixes in a development environment before applying to production.