MariaDB has @@max_password_errors variable, MDEV-7598

max_password_errors totally blocks a user though, and excludes SUPER and local users from being blocked at all

So it does not protect against attacks on the users that are the "most valuable prey".

I understand why these are included as otherwise an attacker could lock out everyone able to do a FLUSH PRIVILEGES so that a block reset could only be done by a hard server restart.

But with the throttling approach there wouldn't really be a need to exclude special users, an actual admin user could still log in manually, just with an acceptable delay, while malicious or otherwise misbehaving clients would be limited to one request per delay period while basically being starved by the server.

PR is avaliable , it would be nice if PR got comments.

commented

How about this idea ? Imlement this feature like check_for_max_user_connections feature , not as mysql which implement this as an audit plugin .

something like that would be much simpler, indeed. But not in {{ check_for_max_user_connections()}}, because see how it's used:

  if (thd->user_connect &&

      (thd->user_connect->user_resources.conn_per_hour ||

       thd->user_connect->user_resources.user_conn ||

       max_user_connections_checking) &&

       check_for_max_user_connections(thd, thd->user_connect))

it's only invoked if there's some max_... liimit.

And I suggest not to implement complex user-configurable timeouts with min/max and a threshold. Just hard-code all these values, hardly anybody will want to fine-tune them

Hard code for min/max and a threshold values is much simpler. I will start do this work today

PR is ready , it would be nice if PR got comments.

It will. At the moment we're mainly working on bugs, though. and will start looking into features again in February.

This patch needs additional work. When I get back to working on this task, I'll mark it into in-progress.