| Bug #65662 | Simulating a malicious access attempt | ||
|---|---|---|---|
| Submitted: | 19 Jun 2012 0:08 | Modified: | 19 Jun 2012 9:48 |
| Reporter: | Darren Cassar | Email Updates: | |
| Status: | Verified | Impact on me: | |
| Category: | MySQL Server: Security: Privileges | Severity: | S4 (Feature request) |
| Version: | 5.5.25, 5.1.50, 5.1.44 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[19 Jun 2012 0:15]
Darren Cassar
The * are masking the real hostname ...
[19 Jun 2012 9:48]
Valeriy Kravchuk
I see the same problem with 5.5.26 on Mac OS X:

```
macbook-pro:5.5 openxs$ a=0
macbook-pro:5.5 openxs$ while [ $a -le 20 ]; do bin/mysql -uwrong -pwrong test; echo $a; let a=a+1; done
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
0
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
1
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
2
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
3
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
4
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
5
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
6
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
7
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
8
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
9
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
10
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
11
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
12
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
13
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
14
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
15
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
16
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
17
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
18
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
19
ERROR 1045 (28000): Access denied for user 'wrong'@'localhost' (using password: YES)
20
macbook-pro:5.5 openxs$ bin/mysql -uroot test -e "show variables like 'max_connect%'"
+--------------------+-------+
| Variable_name      | Value |
+--------------------+-------+
| max_connect_errors | 10    |
| max_connections    | 151   |
+--------------------+-------+
```

Maybe we just interpret http://dev.mysql.com/doc/refman/5.5/en/server-system-variables.html#sysvar_max_connect_err... in some wrong way, expecting all connections to be blocked after more than max_connect_errors attempts to connect with a wrong password and/or username/password, but then the manual should be clarified.
[19 Jun 2012 12:50]
Georgi Kodinov
max_connect_errors was never designed to block failed authentication attempts. It's intended primarily as a remedy to TCP floods (connect and disconnect in quick succession). And with those there're different protection constraints compared to failed authentication attempts. So I'm moving this to be a feature request for a new parameter that would limit consecutive authentication failures in a way similar to how max_connect_errors works for TCP floods.
[19 Jun 2012 15:49]
Ronald Bradford
What test constitutes seeing an error of max connection errors? I.e. how do you successfully show connect and disconnect in quick succession (this time of "quick" being unknown also)?
[20 Jun 2012 15:41]
Georgi Kodinov
Ronald, http://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_max_connect_err... has: "If a connection is established successfully within fewer than max_connect_errors attempts after a previous connection was interrupted, the error count for the host is cleared to zero." This means that every network error before that point should count towards max_connect_errors.
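The distinction Georgi draws above, as a small added model that is not part of this bug report or of the MySQL server code: it assumes the documented rule quoted in the thread (an interrupted connection counts toward max_connect_errors, a successful connection resets the count, a wrong password is not counted at all) and adds the per-host count of "Access denied" messages that a defender has to do from logs, since the server does not lock out on them. The host names and log lines are constructed placeholders.

```python
import re
from collections import defaultdict

MAX_CONNECT_ERRORS = 10  # the value configured in the report

class HostCounters:
    """Per-host model (an assumption, not server code) of the documented rule:
    aborted handshakes count, a wrong password does not, success resets."""

    def __init__(self, limit=MAX_CONNECT_ERRORS):
        self.limit = limit
        self.net_errors = defaultdict(int)
        self.blocked = set()

    def handle(self, host, event):
        if host in self.blocked:
            return "blocked"            # host already hit max_connect_errors
        if event == "interrupted":      # connection dropped before handshake
            self.net_errors[host] += 1
            if self.net_errors[host] >= self.limit:
                self.blocked.add(host)
            return "dropped"
        if event == "auth_failed":      # ERROR 1045: counter untouched
            return "denied"
        self.net_errors[host] = 0       # successful login: documented reset
        return "ok"

def reporter_scenario(attempts=12):  # wrong passwords, then good credentials
    c = HostCounters()
    out = [c.handle("darren.example", "auth_failed") for _ in range(attempts)]
    out.append(c.handle("darren.example", "connected"))
    return out

def flood_scenario(attempts=11):  # aborted handshakes: blocked at the limit
    c = HostCounters()
    return [c.handle("10.0.0.5", "interrupted") for _ in range(attempts)]

# What the server does not do: count denied logins per host from log lines
# (constructed here, in the 'Access denied for user' format seen above).
DENIED_RE = re.compile(r"Access denied for user '[^']*'@'([^']*)'")
SAMPLE_LOG = ["[Warning] Access denied for user 'wrong'@'localhost' "
              "(using password: YES)"] * 11 + ["[Note] Server started"]

def denied_hosts(log_lines, threshold=MAX_CONNECT_ERRORS):
    counts = defaultdict(int)
    for line in log_lines:
        m = DENIED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {h: n for h, n in counts.items() if n >= threshold}
```

`reporter_scenario()` reproduces the report: twelve denials and then a normal login, because nothing was counted; `flood_scenario()` is the case max_connect_errors was built for.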
[10 Sep 2012 1:21]
André verwijs
YES!! keep losing root password..!! please fix..!!

Description:

Hi, I have been trying to simulate a malicious user attack attempt using the following method. I have tried on several servers with sequences ranging from a few to thousands of connection attempts against MySQL instances configured to block a host after 10 wrong accesses (max_connect_errors=10), and none of the instances have locked me out, as per the output below.

```
darren*@darren*:/mysql/releases/msb_5_5_25$ for i in `seq 1 12`; do rnd=$RANDOM; mysql -udarren -p${rnd} -h*.com -P3306 ; sleep 2; done
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
ERROR 1045 (28000): Access denied for user 'darren'@'darren*.com' (using password: YES)
darren*@darren*:/mysql/releases/msb_5_5_25$ mysql -udarren -p -h*.com -P3306
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 75873
Server version: 5.1.50-community-log MySQL Community Server (GPL)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> exit
Bye
```

How to repeat:

Set max_connect_errors=10, try to bruteforce your way into mysql, and after exceeding max_connect_errors attempts log in with good credentials.

Suggested fix:

MySQL should lock a host after max_connect_errors is exceeded.