
Chapter 9 Installing Connection Control Plugins

The connection-control plugin library enables administrators to introduce an increasing delay in server response to clients after a certain number of consecutive failed connection attempts. This capability provides a deterrent that slows down brute force attacks that attempt to access MySQL user accounts. The connection-control plugin library contains two plugins:

  • The CONNECTION_CONTROL plugin checks incoming connections and adds a delay to server responses as necessary. This plugin also exposes system variables that enable plugin operation to be configured and a status variable that provides rudimentary monitoring information.

  • The CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS plugin implements the INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS table that exposes additional monitoring information for failed connection attempts.

To install the connection-control plugins:

  1. Add these options under the [mysqld] option group in the MySQL configuration file (/etc/my.cnf):

    plugin-load-add=connection_control.so
    connection-control=FORCE_PLUS_PERMANENT
    connection-control-failed-login-attempts=FORCE_PLUS_PERMANENT

    • plugin-load-add=connection_control.so

      Loads the connection_control.so library each time the server is started.

    • connection-control=FORCE_PLUS_PERMANENT

      Prevents the server from running without the CONNECTION_CONTROL plugin, and server startup fails if the plugin does not initialize successfully.

    • connection-control-failed-login-attempts=FORCE_PLUS_PERMANENT

      Prevents the server from running without the CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS plugin, and server startup fails if the plugin does not initialize successfully.

  2. To verify plugin installation, restart the server and examine the INFORMATION_SCHEMA.PLUGINS table or use the SHOW PLUGINS statement:

    shell> systemctl restart mysqld
    shell> cd /usr/local/mysql
    shell> bin/mysql -u root -p
    Enter password: (enter root password here)
    mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
           FROM INFORMATION_SCHEMA.PLUGINS
           WHERE PLUGIN_NAME LIKE 'connection%';
    +------------------------------------------+---------------+
    | PLUGIN_NAME                              | PLUGIN_STATUS |
    +------------------------------------------+---------------+
    | CONNECTION_CONTROL                       | ACTIVE        |
    | CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS | ACTIVE        |
    +------------------------------------------+---------------+
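
An added example, not part of the MySQL guide: a POSIX shell function that audits an option file for the three settings from step 1. The function name check_connection_control and the sample file are constructed for illustration; the check treats - and _ in option names as equivalent and lets the last occurrence of an option win.

```sh
#!/bin/sh
# Added example: audit an option file for the connection-control settings above.
# Prints one FAIL line per problem; exit status is 0 only when all three pass.
check_connection_control() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^[ \t]*[#;]/ || /^[ \t\r]*$/ { next }             # comments and blank lines
    /^[ \t]*\[/ { section = tolower(trim($0)); next }  # [group] header
    section != "[mysqld]" { next }                     # only [mysqld] counts
    {
        eq = index($0, "=")
        if (eq == 0) next
        name = tolower(trim(substr($0, 1, eq - 1)))
        gsub(/_/, "-", name)              # - and _ are interchangeable in option names
        value = trim(substr($0, eq + 1))
        if (name == "plugin-load-add") libs = libs ";" value   # cumulative option
        else last[name] = value                                # last occurrence wins
    }
    END {
        if (index(libs, "connection_control.so") == 0)
            fail("plugin-load-add=connection_control.so not set under [mysqld]")
        n = split("connection-control connection-control-failed-login-attempts", opt, " ")
        for (i = 1; i <= n; i++) {
            v = (opt[i] in last) ? last[opt[i]] : "(unset)"
            if (toupper(v) != "FORCE_PLUS_PERMANENT")
                fail(opt[i] "=" v ", expected FORCE_PLUS_PERMANENT")
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample: a later line silently downgrades the first plugin to ON.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[mysqld]
plugin-load-add=connection_control.so
connection-control=FORCE_PLUS_PERMANENT
connection_control_failed_login_attempts=FORCE_PLUS_PERMANENT
connection_control=ON
[client]
connection-control=FORCE_PLUS_PERMANENT
EOF
check_connection_control "$sample" || echo "option file needs attention"
rm -f "$sample"
```

The function reads a single file and does not follow !include or !includedir directives, so run it on each option file the server loads.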

Configuring Connection Delays

The server response delay for failed connection attempts is configured using these server parameters: connection_control_failed_connections_threshold, connection_control_min_connection_delay, and connection_control_max_connection_delay.

Add these options under the [mysqld] option group in the MySQL configuration file (/etc/my.cnf) so that you can adjust them later as necessary. The default values are used in this deployment.

    connection_control_failed_connections_threshold=3
    connection_control_min_connection_delay=1000
    connection_control_max_connection_delay=2147483647

For more information about server response delay configuration, see Connection-Control Plugin Installation.

Monitoring Failed Connection Attempts

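Failed connection attempts can be monitored using these information sources:

  • The Connection_control_delay_generated status variable.

  • The INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS table.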

To test the connection-control plugin and view monitoring data:

  1. Open a terminal and connect to the server as root:

    shell> cd /usr/local/mysql
    shell> bin/mysql -u root -p
    Enter password: (enter the root password here)

  2. Open a second terminal and perform four connection attempts as root, specifying an incorrect password each time. There should be a small but noticeable delay on the fourth connection attempt.

    shell> cd /usr/local/mysql
    shell> bin/mysql -u root -p
    Enter password: (enter incorrect password here)

  3. In the first terminal, issue this statement to view the Connection_control_delay_generated status variable. Connection attempts that exceed the connection_control_failed_connections_threshold value of 3 are counted.

    mysql> SHOW STATUS LIKE 'Connection_control_delay_generated';
    +------------------------------------+-------+
    | Variable_name                      | Value |
    +------------------------------------+-------+
    | Connection_control_delay_generated | 1     |
    +------------------------------------+-------+

  4. In the first terminal, issue this statement to view INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS data. All four failed connection attempts are counted.

    mysql> SELECT FAILED_ATTEMPTS FROM INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;
    +-----------------+
    | FAILED_ATTEMPTS |
    +-----------------+
    |               4 |
    +-----------------+
