Bug #17318 allow to throttle/lock user after x wrong password entries
Submitted: 11 Feb 2006 8:31 Modified: 12 Feb 2006 9:39
Reporter: Ralf Hauser Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: General Severity:S4 (Feature request)
Version: OS:Any
Assigned to: CPU Architecture:Any
Triage: Triaged: D5 (Feature request)

[11 Feb 2006 8:31] Ralf Hauser
Description:
Once we allow to connect via SSL, obviously it must be assumed that db-client to  db-server connections cross hostile territory. Then, it should possible to prevent unlimited password guessing.

How to repeat:
just connect
[11 Feb 2006 8:45] Ralf Hauser
This would require some recovery measures (via admin), policies when to lock (more than 3 wrong pws because connection pools typically would lock-out in one erroneous attempt) or how much to throttle/slow down - e.g. only one bad PW every 15 minutes? And counter-measures to prevent denial-of-service attacks exploiting this feature.

see also: "provide a port that only accepts SSL connection and only serves SSL-enabled users" - Bug #17319 and 
the complementary connector/J RFE is Bug #17320
[12 Feb 2006 9:39] Valeriy Kravchuk
Thank you for a reasonable feature request. I hope, it will be implemented some day.