If the following error occurs, it means that mysqld has received many connection requests from the given host that were interrupted in the middle:
Host 'host_name' is blocked because of many connection errors.
Unblock with 'mysqladmin flush-hosts'
The value of the max_connect_errors system variable determines how many successive interrupted connection requests are permitted. After max_connect_errors failed requests without a successful connection, mysqld assumes that something is wrong (for example, that someone is trying to break in), and blocks the host from further connections until you flush the host cache by executing a FLUSH HOSTS statement, a TRUNCATE TABLE statement that truncates the Performance Schema host_cache table, or a mysqladmin flush-hosts command.
To adjust the permitted number of successive connection errors, set max_connect_errors at server startup. For example, put these lines in the server my.cnf file:
[mysqld]
max_connect_errors=10000
The value can also be set at runtime:
SET GLOBAL max_connect_errors=10000;
If you get the Host 'host_name' is blocked error message for a given host, you should first verify that there is nothing wrong with TCP/IP connections from that host. If you are having network problems, it does no good to increase the value of max_connect_errors.
For more information about how the host cache works, see Section 8.12.4.2, “DNS Lookup Optimization and the Host Cache”.
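Before flushing the cache or raising the limit, it helps to see which hosts are accumulating errors and when. The following is an added example, not part of the original manual text; it reads the Performance Schema host_cache table mentioned above. The "half of the limit" warning level and the block_state alias are assumptions chosen for illustration.

```sql
-- Added example. Requires SELECT on performance_schema.host_cache
-- (and DROP on that table for the TRUNCATE in step 3).

-- 1. The threshold currently in force.
SELECT @@GLOBAL.max_connect_errors AS max_connect_errors;

-- 2. Hosts with blocking errors, worst first. SUM_CONNECT_ERRORS is the
--    counter the server compares against max_connect_errors;
--    COUNT_HOST_BLOCKED_ERRORS counts connections already refused.
SELECT
    hc.IP,
    hc.HOST,
    hc.HOST_VALIDATED,
    hc.SUM_CONNECT_ERRORS,
    hc.COUNT_HOST_BLOCKED_ERRORS,
    hc.COUNT_HANDSHAKE_ERRORS,
    hc.FIRST_ERROR_SEEN,
    hc.LAST_ERROR_SEEN,
    CASE
        WHEN hc.SUM_CONNECT_ERRORS >= @@GLOBAL.max_connect_errors
            THEN 'AT OR OVER LIMIT'
        -- Assumed warning level: half of the limit.
        WHEN hc.SUM_CONNECT_ERRORS >= @@GLOBAL.max_connect_errors / 2
            THEN 'NEAR LIMIT'
        ELSE 'BELOW LIMIT'
    END AS block_state
FROM performance_schema.host_cache AS hc
WHERE hc.SUM_CONNECT_ERRORS > 0
   OR hc.COUNT_HOST_BLOCKED_ERRORS > 0
ORDER BY hc.SUM_CONNECT_ERRORS DESC, hc.LAST_ERROR_SEEN DESC;

-- 3. Once the cause is understood (network fault, misconfigured client,
--    or unwanted connection attempts), clear the cache. This unblocks
--    every host and resets all counters, so save the output of step 2
--    first if it is needed for an investigation.
TRUNCATE TABLE performance_schema.host_cache;
```

A steady trickle of errors from one application host with recent LAST_ERROR_SEEN values points to a network or client problem, in which case raising max_connect_errors only hides it.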
I was looking for a way to block hosts (for some time) based on authentication failure counts (i.e. block bad attempts for a few minutes/hours and release automatically).
About a year ago I wrote something to block hackers to my SIP server which has proved successful.
Hence, I adapted it to MySQL.
The code/explanation is at http://www.abelcanada.com/securemysql.php for anybody who is interested.
This model can be adapted for any software which is used for IP (or any other) login and parameters can be changed to suit each individual requirement.
This complements IPTABLES, but is a better solution as it blocks the IP as a service, rather than global.
Anthonus