MariaDB Server / MDEV-15421

max allowed bad password attempts from ip


    Details

      Description

      It seems like it would be very desirable to have a maximum of allowed bad password attempts for a given user from a given IP address, and then a timeout period. Both could be configured at server startup. Maybe:

      --max-bad-passwords-for-ipaddress=10
      --max-bad-passwords-lockout-reset=120

      So if a login like root@'34.56.123.56' got the password wrong 10 times, that user@ipaddress combination would be locked out for 120 seconds. That same user can log in from another IP immediately... it only blocks the login for that user from the IP address that failed multiple times.

      This seems like an easy way to help prevent DoS and brute force attacks.

      Can someone confirm that they would not be able to spoof an IP address and therefore create a DoS attack by locking out legitimate attempts?
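The following is an added illustration of the lockout the report proposes, written as a stand-alone Python model; it is not MariaDB code and the server implements nothing of the sort as described here. It assumes a counter keyed on (user, client IP) that locks that one pair for `lockout_reset` seconds once `max_bad_passwords` failures accumulate, is consulted before the password is even checked, and is cleared by a successful login. The clock is passed in explicitly so the expiry can be exercised without waiting; the password "s3cret" and the second address 10.0.0.5 are constructed for the example, while 34.56.123.56 is the address from the report.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class _Entry:
    failures: int = 0        # consecutive bad passwords from this (user, ip)
    locked_until: float = 0.0  # absolute time the lockout ends; 0 means not locked


class LoginThrottle:
    """Per (user, ip) bad-password lockout modelled on the proposed
    --max-bad-passwords-for-ipaddress / --max-bad-passwords-lockout-reset
    options. This is an illustrative model, not the server's implementation."""

    def __init__(self, max_bad_passwords: int = 10, lockout_reset: float = 120.0):
        self.max_bad = max_bad_passwords
        self.lockout = lockout_reset
        self._entries: Dict[Tuple[str, str], _Entry] = {}

    def is_locked(self, user: str, ip: str, now: float) -> bool:
        """True while the (user, ip) pair is inside its lockout window.
        An expired lockout is discarded, which also resets the counter."""
        key = (user, ip)
        entry = self._entries.get(key)
        if entry is None or entry.locked_until == 0.0:
            return False
        if now >= entry.locked_until:
            del self._entries[key]
            return False
        return True

    def record_failure(self, user: str, ip: str, now: float) -> bool:
        """Count one bad password; returns True if this failure triggered a lockout."""
        entry = self._entries.setdefault((user, ip), _Entry())
        entry.failures += 1
        if entry.failures >= self.max_bad:
            entry.locked_until = now + self.lockout
            return True
        return False

    def record_success(self, user: str, ip: str) -> None:
        """A correct password clears the counter for that pair only."""
        self._entries.pop((user, ip), None)

    def failures(self, user: str, ip: str) -> int:
        entry = self._entries.get((user, ip))
        return entry.failures if entry else 0


def attempt_login(throttle: LoginThrottle, user: str, ip: str,
                  password: str, expected: str, now: float) -> str:
    """Simulated authentication step. Returns "locked", "ok" or "bad-password".
    The lockout check runs before the password comparison, so a locked pair
    is refused even with the right password, which is the DoS angle the
    report asks about."""
    if throttle.is_locked(user, ip, now):
        return "locked"
    if password == expected:
        throttle.record_success(user, ip)
        return "ok"
    throttle.record_failure(user, ip, now)
    return "bad-password"


def demo() -> list:
    """Walk through the scenario from the report with the proposed defaults."""
    t = LoginThrottle(max_bad_passwords=10, lockout_reset=120.0)
    results = []
    # ten wrong guesses for root from 34.56.123.56, one per second
    for i in range(10):
        results.append(attempt_login(t, "root", "34.56.123.56", "wrong", "s3cret", now=float(i)))
    # the same pair is now refused even with the correct password
    results.append(attempt_login(t, "root", "34.56.123.56", "s3cret", "s3cret", now=10.0))
    # the same user from a different (constructed) address is unaffected
    results.append(attempt_login(t, "root", "10.0.0.5", "s3cret", "s3cret", now=10.0))
    # once 120 seconds have passed since the lock, the pair can log in again
    results.append(attempt_login(t, "root", "34.56.123.56", "s3cret", "s3cret", now=9.0 + 120.0))
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(step, outcome)
```

Keying the counter on the pair rather than on the user alone is what keeps a single noisy client from locking the account globally, but note that any client able to complete a connection to the server can still lock its own address out of an account it does not own; a shared NAT or proxy address will then affect every user behind it, which is the practical form of the concern raised in the last paragraph.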


              People

              Assignee: Unassigned
              Reporter: rdyas Robert Dyas
              Votes: 0
              Watchers: 3
