Details
Type: Task
Status: Closed
Priority: Major
Resolution: Fixed
Description
It seems like it would be very desirable to have a max allowed bad password attempts for a given user from a given ip address, and then a timeout period. Both could be configured at server startup. Maybe:
--max-bad-passwords-for-ipaddress=10
--max-bad-passwords-lockout-reset=120
So if a login attempt like root@'34.56.123.56' got the password wrong 10 times, that user@ipaddress combination would be locked out for 120 seconds. That same user can log in from another IP immediately... it only blocks the login for that user from the IP address that failed multiple times.
This seems like an easy way to help prevent DoS and brute force attacks.
Can someone confirm that they would not be able to spoof an IP address and therefore create a DoS attack by locking out legitimate attempts?
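The lockout policy proposed above, written out as a small added example (this is not MariaDB code and not what the linked issues implemented): a counter keyed on the (user, client IP) pair, a maximum number of bad passwords, and a reset window after which the pair may try again. The class name, method names and the injectable clock are assumptions made for the example; the sample user and address come from the description.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per (user, ip) bad-password throttle, modelled on the proposal in the description.

    max_bad         -> the proposed --max-bad-passwords-for-ipaddress
    lockout_seconds -> the proposed --max-bad-passwords-lockout-reset
    clock           -> injectable for deterministic tests (assumed helper, not a server option)
    """

    def __init__(self, max_bad=10, lockout_seconds=120, clock=time.monotonic):
        self.max_bad = max_bad
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)  # (user, ip) -> consecutive bad passwords
        self._locked_until = {}            # (user, ip) -> clock value when lockout ends

    def is_locked(self, user, ip):
        key = (user, ip)
        deadline = self._locked_until.get(key)
        if deadline is None:
            return False
        if self.clock() >= deadline:
            # Lockout expired: forget the pair so it starts with a clean counter.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def attempt(self, user, ip, password_ok):
        """Record one login attempt; returns 'locked', 'ok' or 'bad'.

        The ip should be the peer address of the established TCP connection,
        which is what the server actually sees for the client.
        Attempts made while locked are rejected without being counted, so a
        locked pair is blocked for exactly lockout_seconds, not longer.
        """
        key = (user, ip)
        if self.is_locked(user, ip):
            return "locked"
        if password_ok:
            self._failures.pop(key, None)  # a good password clears the counter
            return "ok"
        self._failures[key] += 1
        if self._failures[key] >= self.max_bad:
            self._locked_until[key] = self.clock() + self.lockout_seconds
        return "bad"


def demo():
    """Walk through the scenario from the description with a fake clock (constructed data)."""
    now = [1000.0]
    throttle = LoginThrottle(max_bad=10, lockout_seconds=120, clock=lambda: now[0])

    # root@'34.56.123.56' gets the password wrong 10 times
    results = [throttle.attempt("root", "34.56.123.56", False) for _ in range(10)]
    # 11th attempt from that address is refused even with the right password
    locked = throttle.attempt("root", "34.56.123.56", True)
    # the same user from another address is not affected
    other_ip = throttle.attempt("root", "10.0.0.2", True)
    # after the 120 second window the pair may log in again
    now[0] += 120
    after_reset = throttle.attempt("root", "34.56.123.56", True)
    return results, locked, other_ip, after_reset


if __name__ == "__main__":
    print(demo())
```

On the spoofing question: the key is the source address of a completed TCP connection, and a client cannot finish the three-way handshake from an address it does not receive packets for, so an attacker cannot lock out an arbitrary third party's address this way. The residual risk is clients that share an address (NAT, a proxy, a shared bastion), which also share a counter; that is why the proposal keys on user@ip rather than on the address alone, and why the window is short.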
Issue Links
- relates to
  - MDEV-13096 Implement option to lock user accounts after N authentication failures (Closed)
  - MDEV-7598 Block user accounts after failed login attempts (Closed)