Bug #62118 method to protect from brute force attacks
Submitted: 8 Aug 2011 23:52    Modified: 9 Aug 2011 3:14
Reporter: jj jj
Status: Verified
Category: MySQL Server: General    Severity: S4 (Feature request)
Version: 5.5    OS: Any
Assigned to:    CPU Architecture: Any

[8 Aug 2011 23:52] jj jj
Description:
Let's talk today about brute force attacks.
MySQL does not provide ANY protection against brute force attacks. Of course one can limit connections to specific IPs, hosts, disable networking, but still localhost connections are probably required. Is localhost assumed safe? Then why all those privilege/uid separations on Linux etc.? Who needs them then? Localhost can't be assumed (brute-force) safe! A brute-force attack can come from localhost at an even higher rate.

- provide a "slow response" in case of a bad password (do not send any reply for X seconds if the password was wrong)
- provide methods for controlling parallel connections from the same IP/host/socket that have not passed authentication yet.

How to repeat:
yep
[8 Aug 2011 23:55] jj jj
- provide a log for unsuccessful logins
[9 Aug 2011 0:07] jj jj
max_connection_errors is of course in no way a protection, as it blocks everything from that IP, and in the worst case the IP of the local interface (if connections are not to localhost but to another local IP).
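As an added example (not part of the bug report and not MySQL code): the reporter asks for a log of unsuccessful logins and notes that a per-IP block is too coarse. The script below shows what an operator can do with such a log on the detection side. It parses access-denied lines in the format MySQL 5.x writes to the error log when log_warnings is greater than 1 (the sample lines are constructed for this example), and keeps a sliding-window failure counter per client host, so a burst from localhost is flagged exactly like one from a remote address and nothing is blocked. The threshold and window values are illustrative assumptions, not recommendations from the report.

```python
"""Sliding-window detection of failed MySQL logins from error-log lines.

Added example for illustration; not code from the bug report or from MySQL.
Assumes the access-denied line format that MySQL 5.x writes to the error log
when log_warnings is greater than 1, for example:
  110808 23:40:01 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): a short burst from localhost and two
# isolated failures from a remote host spread far apart in time.
SAMPLE_LOG = """\
110808 23:40:01 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
110808 23:40:01 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
110808 23:40:02 [Warning] Access denied for user 'admin'@'localhost' (using password: YES)
110808 23:40:02 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
110808 23:40:03 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
110808 23:40:03 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
110808 23:40:05 [Note] Some unrelated message
110808 23:45:10 [Warning] Access denied for user 'app'@'10.0.0.7' (using password: YES)
110808 23:59:59 [Warning] Access denied for user 'app'@'10.0.0.7' (using password: NO)
"""

# Timestamp is YYMMDD followed by a possibly space-padded H:MM:SS, e.g. "130107  9:09:55".
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_access_denied(lines):
    """Yield (timestamp, user, host, used_password) for every access-denied line.
    Lines that do not match (notes, other warnings) are skipped."""
    for line in lines:
        m = ACCESS_DENIED.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%y%m%d %H:%M:%S")
        yield ts, m["user"], m["host"], m["pw"] == "YES"


def detect_bursts(events, threshold=5, window_seconds=60):
    """Flag each client host that accumulates `threshold` failed logins within
    any interval of `window_seconds` (both defaults are illustrative).

    Counting is per source host, so localhost is treated exactly like a remote
    address. Returns {host: {"count", "first", "last", "users"}} captured at the
    moment each host first crossed the threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # host -> failure timestamps still inside the window
    users = defaultdict(set)      # host -> account names tried so far
    alerts = {}
    for ts, user, host, _ in sorted(events, key=lambda e: e[0]):
        q = recent[host]
        q.append(ts)
        users[host].add(user)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {"count": len(q), "first": q[0], "last": ts,
                            "users": sorted(users[host])}
    return alerts


def run_demo():
    """Parse the constructed sample and return the hosts that were flagged."""
    events = list(parse_access_denied(SAMPLE_LOG.splitlines()))
    return detect_bursts(events)


if __name__ == "__main__":
    for host, info in run_demo().items():
        print(f"{host}: {info['count']} failures between {info['first']} and "
              f"{info['last']}, accounts tried: {', '.join(info['users'])}")
```

Running it flags only localhost: five failures in two seconds across two account names, while the two failures from 10.0.0.7 are a quarter of an hour apart and never share a 60-second window. The set of user names per host is kept because a burst that cycles through many accounts (password spraying) looks different from one hammering a single account, and an operator will want to know which it is before deciding what to block.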
[9 Aug 2011 3:14] Valeriy Kravchuk
Thank you for the feature request.