2.11 Implement Connection Delays to Limit Failed Login Attempts - connection_control_min_connection_delay

Information

MySQL Server can enable administrators to introduce an increasing delay in server response to clients after a certain number of consecutive failed connection attempts.

Rationale:

Delaying connection attempts provides a deterrent that slows down brute force attacks that attempt to access MySQL user accounts.

Solution

Add the following lines to my.cnf:

[mysqld]
plugin-load-add=connection_control.so
connection-control=FORCE_PLUS_PERMANENT
connection-control-failed-login-attempts=FORCE_PLUS_PERMANENT
connection_control_failed_connections_threshold=5
connection_control_min_connection_delay=60000
connection_control_max_connection_delay=1920000

Delays are in milliseconds for server response to failed connection attempt.

60000 (ms - 1 minute)

1920000 (ms, 32 minutes)

For each user set

ALTER USER <user> FAILED_LOGIN_ATTEMPTS 12;

See Also

https://workbench.cisecurity.org/files/3859

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|16

Plugin: MySQLDB

Control ID: 7661e6a21298ca82e38e17dcca43f8320418ddbe091b150cfefd91ec7459d6ee