Bug #69967 Add ability to block connections from host based on invalid authentication
Submitted: 8 Aug 2013 23:40
Reporter: Todd Farmer (OCA)
Status: Verified
Category: MySQL Server: Security: Privileges
Severity: S4 (Feature request)
Version: 5.6.13
OS: Any
Assigned to:
CPU Architecture: Any

[8 Aug 2013 23:40] Todd Farmer
It would be useful if MySQL provided a mechanism to block hosts from which excessive failed authentication failures emanate.  max_connect_errors can be sometimes misunderstood to provide this functionality, but it really only limits problems caused by bad networks or SYN flood attacks - in fact, authentication failures *reset* the host counter (as the handshake, though unsuccessful, did complete).  The max_connect_errors mechanism is also tightly coupled to the host cache, making it useless for certain deployments and hosts.

How to repeat:
See above.

Suggested fix:
Provide a mechanism to block hosts based on cumulative or consecutive authentication failures.
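
The gap described in this report, modelled as an added example that is not part of the bug report and is not MySQL's code: a counter that behaves as the report says max_connect_errors does (a completed handshake resets it, even when authentication fails) next to the requested cumulative and consecutive authentication-failure counters. The event names, host addresses, thresholds and function names are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed event stream: (host, outcome). Outcome names are assumptions:
#   "handshake_error" - connection broke before the handshake completed
#   "auth_fail"       - handshake completed, credentials rejected
#   "auth_ok"         - handshake completed, login succeeded
EVENTS = [
    ("10.0.0.5", "handshake_error"),
    ("10.0.0.5", "auth_fail"),
    ("10.0.0.5", "auth_fail"),
    ("10.0.0.5", "auth_fail"),
    ("10.0.0.9", "auth_fail"),
    ("10.0.0.9", "auth_ok"),
    ("10.0.0.9", "auth_fail"),
    ("10.0.0.5", "auth_fail"),
]

def connect_error_counter(events):
    """Counter as the report describes max_connect_errors: any completed
    handshake, even one ending in an authentication failure, resets it."""
    count = defaultdict(int)
    for host, outcome in events:
        if outcome == "handshake_error":
            count[host] += 1
        else:
            count[host] = 0
    return dict(count)

def auth_failure_counters(events):
    """Requested behaviour: cumulative and consecutive auth failures per host."""
    cumulative, consecutive = defaultdict(int), defaultdict(int)
    for host, outcome in events:
        if outcome == "auth_fail":
            cumulative[host] += 1
            consecutive[host] += 1
        elif outcome == "auth_ok":
            consecutive[host] = 0  # a successful login ends the streak
    return dict(cumulative), dict(consecutive)

def hosts_to_block(events, max_consecutive=None, max_cumulative=None):
    """Hosts whose final counters meet either (hypothetical) threshold."""
    cumulative, consecutive = auth_failure_counters(events)
    blocked = set()
    for host in cumulative:
        if max_consecutive is not None and consecutive[host] >= max_consecutive:
            blocked.add(host)
        if max_cumulative is not None and cumulative[host] >= max_cumulative:
            blocked.add(host)
    return sorted(blocked)
```

In this stream the host with four rejected logins ends with a connect-error count of zero, so only the authentication-failure counters flag it.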