6.4.2 The Connection-Control Plugins
As of MySQL 5.7.17, MySQL Server includes a plugin library that enables administrators to introduce an increasing delay in server response to connection attempts after a configurable number of consecutive failed attempts. This capability provides a deterrent that slows down brute force attacks against MySQL user accounts. The plugin library contains two plugins:
CONNECTION_CONTROL checks incoming connection attempts and adds a delay to server responses as necessary. This plugin also exposes system variables that enable its operation to be configured and a status variable that provides rudimentary monitoring information.
The CONNECTION_CONTROL plugin uses the audit plugin interface (see Section 220.127.116.11, “Writing Audit Plugins”). To collect information, it subscribes to the MYSQL_AUDIT_CONNECTION_CLASSMASK event class, and processes MYSQL_AUDIT_CONNECTION_CHANGE_USER subevents to check whether the server should introduce a delay before responding to connection attempts.
CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS implements an INFORMATION_SCHEMA table that exposes more detailed monitoring information for failed connection attempts.
The following sections provide information about connection-control plugin installation and configuration. For information about the CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS table, see Section 24.34.1, “The INFORMATION_SCHEMA CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS Table”.
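The following statements are an added example, not text from the manual section above. They load both plugins, set the delay thresholds, and read the monitoring data the two plugins expose. The library file name assumes a Unix-like server, and the threshold and delay values are illustrative assumptions.

```sql
-- Added example: values are illustrative, not recommendations.
-- Assumes a Unix-like server where the plugin library file is
-- connection_control.so (the suffix differs on other platforms).

-- 1. Load both plugins from the same plugin library.
INSTALL PLUGIN CONNECTION_CONTROL
  SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
  SONAME 'connection_control.so';

-- 2. Confirm that both plugins report ACTIVE.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'connection_control%';

-- 3. Configure when delays start and how far they can grow.
--    Delays begin once an account exceeds the threshold of
--    consecutive failed attempts; both delay bounds are in milliseconds.
SET GLOBAL connection_control_failed_connections_threshold = 3;
SET GLOBAL connection_control_min_connection_delay = 1000;
SET GLOBAL connection_control_max_connection_delay = 60000;

-- 4. Rudimentary monitoring: how many times the server has delayed
--    its response to a failed connection attempt.
SHOW GLOBAL STATUS LIKE 'Connection_control_delay_generated';

-- 5. Detailed monitoring: accounts currently accumulating consecutive
--    failed attempts, highest count first. Rows that keep growing for
--    one user/host pair are the ones to investigate.
SELECT USERHOST, FAILED_ATTEMPTS
FROM INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
ORDER BY FAILED_ATTEMPTS DESC
LIMIT 20;
```

Values set with SET GLOBAL are lost at server restart in MySQL 5.7; put the same settings in the server option file to keep them.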