This section describes how to install the connection-control
plugins, connection_control and
CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS. For
general information about installing plugins, see
Section 5.5.2, “Installing and Uninstalling Plugins”.
To be usable by the server, the plugin library file must be
located in the MySQL plugin directory (the directory named by
the plugin_dir system
variable). If necessary, set the value of
plugin_dir at server startup to
tell the server the plugin directory location.
The plugin library file base name is
connection_control. The file name suffix
differs per platform (for example, .so for
Unix and Unix-like systems, .dll for
Windows).
To load the plugins at server startup, use the
--plugin-load option to name the
library file that contains them. With this plugin-loading
method, the option must be given each time the server starts.
For example, put these lines in your my.cnf
file (adjust the .so suffix for your
platform as necessary):
[mysqld] plugin-load=connection_control.so
Alternatively, to register the plugins at runtime, use these statements (adjust the extension as necessary):
INSTALL PLUGIN connection_control SONAME 'connection_control.so'; INSTALL PLUGIN connection_control_failed_login_attempts SONAME 'connection_control.so';
INSTALL PLUGIN loads a plugin,
and also registers it in the mysql.plugins
table to cause the plugin to be loaded for each subsequent
normal server startup.
To verify plugin installation, examine the
INFORMATION_SCHEMA.PLUGINS table or
use the SHOW PLUGINS statement
(see Section 5.5.3, “Obtaining Server Plugin Information”). For
example:
mysql>SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINSWHERE PLUGIN_NAME LIKE 'connection%';+------------------------------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +------------------------------------------+---------------+ | CONNECTION_CONTROL | ACTIVE | | CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS | ACTIVE | +------------------------------------------+---------------+
If the plugins have been previously registered with
INSTALL PLUGIN or are loaded with
--plugin-load, you can use the
--connection-control and
--connection-control-failed-login-attempts
options at server startup to control plugin activation. For
example, to load the plugins at startup and prevent them from
being removed at runtime, use these options:
[mysqld] plugin-load=connection_control.so connection-control=FORCE_PLUS_PERMANENT connection-control-failed-login-attempts=FORCE_PLUS_PERMANENT
If it is desired to prevent the server from running without a
given connection-control plugin, use an option value of
FORCE or
FORCE_PLUS_PERMANENT to force server startup
to fail if the plugin does not initialize successfully.
It is possible to install one plugin without the other, but
both must be installed for full connection-control capability.
In particular, installing only the
CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
plugin is of little use because without the
connection_control plugin to provide the
data that populates the
CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
table, retrievals from the table will always be empty.
To enable you to configure its operation, the
connection_control plugin exposes several
system variables:
connection_control_failed_connections_threshold:
The number of consecutive failed connection attempts
permitted to clients before the server adds a delay for
subsequent connection attempts.
connection_control_min_connection_delay:
The amount of delay to add for each consecutive connection
failure above the threshold.
connection_control_max_connection_delay:
The maximum delay to add.
To entirely disable checking for failed connection attempts,
set
connection_control_failed_connections_threshold
to zero. If
connection_control_failed_connections_threshold
is nonzero, the amount of delay is zero up through that many
consecutive failed connection attempts. Thereafter, the amount
of delay is the number of failed attempts above the threshold,
multiplied by
connection_control_min_connection_delay
milliseconds. For example, with the default
connection_control_failed_connections_threshold
and
connection_control_min_connection_delay
values of 3 and 1000, respectively, there is no delay for the
first three consecutive failed connection attempts by a
client, a delay of 1000 milliseconds for the fourth failed
attempt, 2000 milliseconds for the fifth failed attempt, and
so on, up to the maximum delay permitted by
connection_control_max_connection_delay.
You can set the connection_control system
variables at server startup or runtime. Suppose that you want
to permit four consecutive failed connection attempts before
the server starts delaying its responses, and to increase the
delay by 1500 milliseconds for each additional failure after
that. To set the relevant variables at server startup, put
these lines in your my.cnf file:
[mysqld] plugin-load=connection_control.so connection_control_failed_connections_threshold=4 connection_control_min_connection_delay=1500
To set the variables at runtime, use these statements:
SET GLOBAL connection_control_failed_connections_threshold = 4; SET GLOBAL connection_control_min_connection_delay = 1500;
SET
GLOBAL sets the value for the running MySQL
instance. To make the change permanent, add a line in your
my.cnf file, as shown previously.
The
connection_control_min_connection_delay
and
connection_control_max_connection_delay
system variables have fixed minimum and maximum values of 1000
and 2147483647, respectively. In addition, the permitted range
of values of each variable also depends on the current value
of the other:
connection_control_min_connection_delay
cannot be set greater than the current value of
connection_control_max_connection_delay.
connection_control_max_connection_delay
cannot be set less than the current value of
connection_control_min_connection_delay.
Thus, to make the changes required for some configurations,
you might need to set the variables in a specific order.
Suppose that the current minimum and maximum delays are 1000
and 2000, and that you want to set them to 3000 and 5000. You
cannot first set
connection_control_min_connection_delay
to 3000 because that is greater than the current
connection_control_max_connection_delay
value of 2000. Instead, set
connection_control_max_connection_delay
to 5000, then set
connection_control_min_connection_delay
to 3000.
When the connection_control plugin is
installed, it checks connection attempts and tracks whether
they fail or succeed. For this purpose, a failed connection
attempt is one for which the client user and host match a
known MySQL account but the provided credentials are
incorrect, or do not match any known account.
Failed-connection counting is based on the user/host combination for each connection attempt. Determination of the applicable user name and host name takes proxying into account and occurs as follows:
If the client user proxies another user, the proxying
user's information is used. For example, if
external_user@example.com proxies
proxy_user@example.com, connection
counting uses the proxying user,
external_user@example.com, rather than
the proxied user,
proxy_user@example.com. Both
external_user@example.com and
proxy_user@example.com must have valid
entries in the mysql.user system table
and a proxy relationship between them must be defined in
the mysql.proxies_priv system table
(see Section 6.3.8, “Proxy Users”).
If the client user does not proxy another user, but does
match a mysql.user entry, counting uses
the CURRENT_USER() value
corresponding to that entry. For example, if a user
user1 connecting from a host
host1.example.com matches a
user1@host1.example.com entry, counting
uses user1@host1.example.com. If the
user matches a user1@%.example.com,
user1@%.com, or
user1@% entry instead, counting uses
user1@%.example.com,
user1@%.com, or
user1@%, respectively.
For the cases just described, the connection attempt matches
some mysql.user entry, and whether the
request succeeds or fails depends on whether the client
provides the correct authentication credentials. For example,
if the client presents an incorrect password, the connection
attempt fails.
If the connection attempt matches no
mysql.user entry, the attempt fails. In
this case, no CURRENT_USER()
value is available and connection-failure counting uses the
user name provided by the client and the client host as
determined by the server. For example, if a client attempts to
connect as user user2 from host
host2.example.com, the user name part is
available in the client request and the server determines the
host information. The user/host combination used for counting
is user2@host2.example.com.
The server maintains information about which client hosts
can possibly connect to the server (essentially the union of
host values for mysql.user entries). If a
client attempts to connect from any other host, the server
rejects the attempt at an early stage of connection setup:
ERROR 1130 (HY000): Host 'host_name' is not
allowed to connect to this MySQL server
Because this type of rejection occurs so early,
connection_control does not see it, and
does not count it.
To monitor failed connections, use these information sources:
The
Connection_control_delay_generated
status variable indicates the number of times the server
added a delay to its response to a failed connection
attempt. This does not count attempts that occur before
reaching the threshold defined by the
connection_control_failed_connections_threshold
system variable.
The INFORMATION_SCHEMA
CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
table provides information about the current number of
consecutive failed connection attempts per client
user/host combination. This counts all failed attempts,
regardless of whether they were delayed.
Assigning a value to
connection_control_failed_connections_threshold
at runtime resets all accumulated failed-connection counters
to zero, which has these visible effects:
The
Connection_control_delay_generated
status variable is reset to zero.
The
CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
table becomes empty.