The Connection-Control plug-in delays the server's response to a client after a certain number of consecutive failed login attempts. This helps prevent brute-force password cracking by clients.
1. Check whether the plug-in is installed
If connection_control is listed, it is already installed; if not, continue to the next step.
2. Install the plug-in
Since MySQL 5.7, the mysql/data/lib/plugin directory includes the connection_control.so plug-in by default, so you only need to install it:
install plugin connection_control soname "connection_control.so"; # plug-in that limits the number of failed logins
install plugin connection_control_failed_login_attempts soname 'connection_control.so'; # records the failure counts in a table
3. Configure the plug-in
Check the installation status
Explanation:
- connection_control_failed_connections_threshold: the maximum number of consecutive failures (3 times); 0 means disabled
- connection_control_max_connection_delay: The maximum time to block login after exceeding the maximum number of failures (milliseconds)
- connection_control_min_connection_delay: The minimum time to block login after exceeding the maximum number of failures (milliseconds)
To modify the configuration, run:
set global connection_control_failed_connections_threshold=5;
4. Modify the my.cnf configuration file
[mysqld]
plugin-load-add = connection_control.so
connection-control = FORCE
connection-control-failed-login-attempts = FORCE
connection_control_min_connection_delay = 1000
connection_control_max_connection_delay = 86400
connection_control_failed_connections_threshold = 3
5. Query the status of the plug-in
Connection_control_delay_generated: the number of times connection control has been applied (you can use it to judge whether there are brute-force login attempts)
Setting the connection_control_failed_connections_threshold variable again deletes (resets) the table records.
6. Query the number of failed logins for each account
use information_schema;
select * from connection_control_failed_login_attempts;
If you log in with a user that does not exist, the table records an empty user name, but the specific login IP is still recorded.
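The checks that steps 1, 3, 5 and 6 describe can be run as the following statements. This is an added example, not from the original page; it uses standard MySQL statements and assumes a mysql client session on a server where both plug-ins from step 2 are installed.

```sql
-- Added example (not from the original page).

-- Step 1: both plug-ins should be listed with PLUGIN_STATUS = 'ACTIVE'.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'CONNECTION_CONTROL%';

-- Step 3: current threshold and minimum/maximum delay (milliseconds).
SHOW GLOBAL VARIABLES LIKE 'connection_control%';

-- Step 5: how many times the plug-in has delayed a response.
-- A counter that keeps growing points to repeated failed logins.
SHOW GLOBAL STATUS LIKE 'Connection_control_delay_generated';

-- Step 6: only the accounts that have reached the threshold, worst first.
-- USERHOST holds the account as 'user'@'host'.
SELECT USERHOST, FAILED_ATTEMPTS
FROM INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
WHERE FAILED_ATTEMPTS >= @@GLOBAL.connection_control_failed_connections_threshold
ORDER BY FAILED_ATTEMPTS DESC;

-- Reset noted in step 5: re-assigning the threshold (here to its current
-- value) clears the failure counters once an incident has been reviewed.
SET GLOBAL connection_control_failed_connections_threshold =
    @@GLOBAL.connection_control_failed_connections_threshold;
```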