diff -Nur a/sql/mysqld.cc b/sql/mysqld.cc
--- a/sql/mysqld.cc	
+++ b/sql/mysqld.cc	
@@ -484,6 +484,7 @@
 ulong binlog_cache_use= 0, binlog_cache_disk_use= 0;
 ulong binlog_stmt_cache_use= 0, binlog_stmt_cache_disk_use= 0;
 ulong max_connections, max_connect_errors;
+my_bool deny_new_conn;
 /*
   Maximum length of parameter value which can be set through
   mysql_send_long_data() call.
diff -Nur a/sql/mysqld.h b/sql/mysqld.h
--- a/sql/mysqld.h	
+++ b/sql/mysqld.h	
@@ -167,6 +167,7 @@
 extern ulong table_cache_size, table_def_size;
 extern MYSQL_PLUGIN_IMPORT ulong max_connections;
 extern ulong max_connect_errors, connect_timeout;
+extern my_bool deny_new_conn;
 extern my_bool slave_allow_batching;
 extern my_bool allow_slave_start;
 extern LEX_CSTRING reason_slave_blocked;
diff -Nur a/sql/share/errmsg-utf8.txt b/sql/share/errmsg-utf8.txt
--- a/sql/share/errmsg-utf8.txt	
+++ b/sql/share/errmsg-utf8.txt	
@@ -6486,3 +6486,6 @@
 
 ER_PLUGIN_NO_INSTALL
   eng "Plugin '%s' is marked as not dynamically installable. You have to stop the server to install it."
+
+ER_NEW_CONNECTION_LOCKED
+  eng "User '%s' is not allowed to login because new connection is locked."
diff -Nur a/sql/sql_acl.cc b/sql/sql_acl.cc
--- a/sql/sql_acl.cc	
+++ b/sql/sql_acl.cc	
@@ -9431,6 +9431,11 @@
     else
       *sctx->priv_host= 0;
 
+    if (deny_new_conn && !(sctx->master_access & SUPER_ACL))
+    {
+      my_error(ER_NEW_CONNECTION_LOCKED, MYF(0), sctx->host_or_ip);
+      DBUG_RETURN(1);
+    }
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
     /*
       OK. Let's check the SSL. Historically it was checked after the password,
diff -Nur a/sql/sys_vars.cc b/sql/sys_vars.cc
--- a/sql/sys_vars.cc	
+++ b/sql/sys_vars.cc	
@@ -1678,6 +1678,14 @@
        NO_MUTEX_GUARD, NOT_IN_BINLOG,
        ON_CHECK(check_read_only), ON_UPDATE(fix_read_only));
 
+static Sys_var_mybool Sys_deny_new_conn(
+       "deny_new_conn",
+       "prevent all new connection, with the exception for "
+       "users with the SUPER privilege",
+       GLOBAL_VAR(deny_new_conn), CMD_LINE(OPT_ARG), DEFAULT(FALSE),
+       NO_MUTEX_GUARD, NOT_IN_BINLOG,
+       ON_CHECK(0), ON_UPDATE(0));
+
 // Small lower limit to be able to test MRR
 static Sys_var_ulong Sys_read_rnd_buff_size(
        "read_rnd_buffer_size",