[MDEV-7598] Block user accounts after failed login attempts
Created: 2015-02-17  Updated: 2023-01-01  Resolved: 2019-01-08

Status: Closed
Project: MariaDB Server
Component/s: Plugins
Fix Version/s: 10.4.2
Type: Task
Priority: Major
Reporter: Rasmus Johansson (Inactive)
Assignee: Vladislav Vaintroub
Resolution: Fixed
Votes: 0
Labels: pf5, security

Description
Add functionality to block/disable user accounts if failed login attempts occur. During earlier discussions it was mentioned that this should be done in the server or in a special authentication plugin.

Comments
Comment by Rasmus Johansson (Inactive) [ 2015-02-17 ]

Assigning to you serg for design.
Comment by Sergei Golubchik [ 2018-11-12 ]

A possible implementation: ACL_USER has a failed_logins counter. It's incremented when a login fails, it's reset to 0 when a login succeeds. When it reaches a certain limit all future logins fail too. FLUSH PRIVILEGES resets it, obviously. The limit can be set by a global variable. It'd need some safeguards to avoid blocking a root user. First, it's per account, so root@localhost can only be blocked if somebody can brute-force from localhost. Second, failed_logins could only be incremented for a failed password, so failed logins using unix_socket plugin will never block an account.
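The counter-and-limit design sketched in the comment above, modelled as an added C++ example; it is not MariaDB server code and not part of the issue, and every name in it (AclUser, AclCache, g_max_failed_logins, AuthMethod, LoginResult) is an assumption of the example. It shows the three behaviours the comment relies on: only a wrong password increments the per-account counter, a successful login resets it, and FLUSH PRIVILEGES clears it, so an account authenticated through unix_socket (such as root@localhost) cannot be locked out by repeated failures.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <utility>

// Model of the lockout design from the comment above. All identifiers here are
// assumptions of this example, not MariaDB's own.

enum class AuthMethod { Password, UnixSocket };
enum class LoginResult { Ok, BadCredentials, AccountBlocked };

// Stands in for a global server variable holding the limit; 0 disables blocking.
static uint32_t g_max_failed_logins = 3;

struct AclUser {
    std::string user;
    std::string host;
    std::string password;       // plaintext only for this model; a server stores a hash
    uint32_t failed_logins = 0; // the per-account counter proposed in the comment
    AclUser(std::string u, std::string h, std::string p)
        : user(std::move(u)), host(std::move(h)), password(std::move(p)) {}
};

class AclCache {
public:
    void add(const AclUser& u) { users_.emplace(key(u.user, u.host), u); }

    // `credential` is the password for AuthMethod::Password and the OS user name
    // reported by the socket peer for AuthMethod::UnixSocket.
    LoginResult login(const std::string& user, const std::string& host,
                      AuthMethod method, const std::string& credential) {
        auto it = users_.find(key(user, host));
        if (it == users_.end()) return LoginResult::BadCredentials;
        AclUser& acl = it->second;

        // Once the limit is reached, every later attempt fails until the counter is cleared.
        if (g_max_failed_logins > 0 && acl.failed_logins >= g_max_failed_logins)
            return LoginResult::AccountBlocked;

        if (method == AuthMethod::UnixSocket) {
            // Identity comes from the OS, so a mismatch is not a password failure and
            // does not touch the counter: unix_socket logins can never block an account.
            if (credential != acl.user) return LoginResult::BadCredentials;
            acl.failed_logins = 0;
            return LoginResult::Ok;
        }

        if (credential != acl.password) {
            ++acl.failed_logins;          // only password failures count
            return LoginResult::BadCredentials;
        }
        acl.failed_logins = 0;            // a successful login resets the counter
        return LoginResult::Ok;
    }

    // FLUSH PRIVILEGES rebuilds the in-memory ACL cache; here that clears all counters.
    void flush_privileges() {
        for (auto& kv : users_) kv.second.failed_logins = 0;
    }

    uint32_t failed_logins(const std::string& user, const std::string& host) const {
        auto it = users_.find(key(user, host));
        return it == users_.end() ? 0 : it->second.failed_logins;
    }

private:
    static std::string key(const std::string& user, const std::string& host) {
        return user + "@" + host;
    }
    std::map<std::string, AclUser> users_;
};

int main() {
    AclCache acl;
    acl.add(AclUser("app", "%", "s3cret"));   // constructed sample account
    for (int i = 0; i < 3; ++i)
        acl.login("app", "%", AuthMethod::Password, "guess");
    bool blocked = acl.login("app", "%", AuthMethod::Password, "s3cret") == LoginResult::AccountBlocked;
    std::cout << std::boolalpha << "app@% blocked after 3 password failures: " << blocked << '\n';
    acl.flush_privileges();
    bool ok = acl.login("app", "%", AuthMethod::Password, "s3cret") == LoginResult::Ok;
    std::cout << "app@% usable again after FLUSH PRIVILEGES: " << ok << '\n';
    return 0;
}
```

The blocked check runs before any credential check, so once the limit is hit even the correct password is refused until the counter is cleared, which is the "all future logins fail too" behaviour from the comment; the cost of that choice is that an attacker who can reach the account can keep it locked, which is why the comment limits the counter to password failures and keeps it per account rather than global.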
Comment by Ralf Gebhardt [ 2018-11-13 ]

Couldn't the limit be set per user? Maybe using the global variable just as a default. Per role would be nice. But given that the role can be changed for a user, that would not work.
Comment by Sergei Golubchik [ 2018-11-14 ]

It could be, of course. But we don't have a per-host limit, either — and it seems to work good enough. Different per-user limits look like overengineering to me.