{"id":2202,"date":"2018-03-29T09:13:24","date_gmt":"2018-03-29T08:13:24","guid":{"rendered":"http:\/\/dasini.net\/blog\/?p=2202"},"modified":"2020-05-27T07:46:22","modified_gmt":"2020-05-27T06:46:22","slug":"mysql-security-the-connection-control-plugins","status":"publish","type":"post","link":"https:\/\/dasini.net\/blog\/2018\/03\/29\/mysql-security-the-connection-control-plugins\/","title":{"rendered":"MySQL Security &#8211; The Connection-Control Plugins"},"content":{"rendered":"<p>When thinking about security within a MySQL installation, you should consider a wide range of possible procedures \/ best practices and how they affect the security of your MySQL server and related applications. MySQL provides many tools \/ features \/ plugins in order to protect your data including some advanced features like <a href=\"http:\/\/dasini.net\/blog\/2018\/04\/10\/mysql-security-mysql-enterprise-transparent-data-encryption\/\" target=\"_blank\" rel=\"noopener noreferrer\">Transparent Data Encryption aka TDE<\/a>,\u00a0<a href=\"http:\/\/dasini.net\/blog\/2018\/04\/04\/mysql-security-mysql-enterprise-audit\/\" target=\"_blank\" rel=\"noopener noreferrer\">Audit<\/a>, <a href=\"http:\/\/dasini.net\/blog\/2019\/03\/19\/mysql-security-mysql-enterprise-data-masking-and-de-identification\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Data Masking &amp; De-Identification (opens in a new tab)\">Data Masking &amp; De-Identification<\/a>, <a href=\"http:\/\/dasini.net\/blog\/2018\/04\/16\/mysql-security-mysql-enterprise-firewall\/\" target=\"_blank\" rel=\"noopener noreferrer\">Firewall<\/a>, <a href=\"http:\/\/dasini.net\/blog\/2018\/03\/07\/mysql-security-password-management\/\" target=\"_blank\" rel=\"noopener noreferrer\">Password Management<\/a>, <a href=\"http:\/\/dasini.net\/blog\/2018\/03\/01\/mysql-security-password-validation-plugin\/\" target=\"_blank\" rel=\"noopener noreferrer\">Password Validation Plugin<\/a>, <a href=\"http:\/\/dasini.net\/blog\/2018\/03\/14\/mysql-security-user-account-locking\/\" target=\"_blank\" rel=\"noopener noreferrer\">User Account Locking<\/a>, etc&#8230;<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i0.wp.com\/dasini.net\/blog\/wp-content\/uploads\/MySQL_DB_Lock2.png?resize=169%2C179\" alt=\"MySQL Security\" width=\"169\" height=\"179\" \/><\/p>\n<p>An ordinary threat databases could face is an attempt to discover the password by systematically trying every possible combination (letters, numbers, symbols). This is known as a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Brute-force_attack\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>brute force attack<\/strong><\/a>.<br \/>In this fourth episode of the\u00a0<strong>MySQL Security<\/strong> series, we will see how the MySQL DBA can leverage the\u00a0<a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/connection-control.html\" target=\"_blank\" rel=\"noopener noreferrer\">Connection-Control Plugins<\/a> to slow down brute force attacks.<\/p>\n<h2>The Connection-Control Plugins<\/h2>\n<p>The MySQL Server includes a plugin library that enables administrators to introduce an increasing delay in server response to clients after a certain number of consecutive failed connection attempts. This capability provides a deterrent that slows down brute force attacks that attempt to access MySQL user accounts.<\/p>\n<h3>Installation<\/h3>\n<p>In MySQL 5.7, the Connection-Control plugin is not installed by default :<\/p>\n<pre class=\"lang:mysql decode:true\" title=\"Preliminary checks\">mysql&gt; \nSELECT version();\n+-----------+\n| version() |\n+-----------+\n| 5.7.21    |\n+-----------+\n\nSELECT PLUGIN_NAME, PLUGIN_STATUS \nFROM INFORMATION_SCHEMA.PLUGINS \nWHERE PLUGIN_NAME LIKE 'connection%';\nEmpty set (0.00 sec)\n\n\nSHOW VARIABLES LIKE 'plugin_dir';\n+---------------+--------------------------+\n| Variable_name | Value                    |\n+---------------+--------------------------+\n| plugin_dir    | \/usr\/lib64\/mysql\/plugin\/ |\n+---------------+--------------------------+<\/pre>\n<p>The plugin library contains two plugins :<\/p>\n<ul>\n<li><strong>CONNECTION_CONTROL<\/strong> checks incoming connections and adds a delay to server responses as necessary.<\/li>\n<li><strong>CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS<\/strong> implements an INFORMATION_SCHEMA table that exposes more detailed monitoring information for failed connection attempts.<\/li>\n<\/ul>\n<p>As usual, you can easily register the plugins at runtime with <a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/install-plugin.html\" target=\"_blank\" rel=\"noopener noreferrer\">INSTALL PLUGIN<\/a>\u00a0statement :<\/p>\n<pre class=\"lang:mysql decode:true\" title=\"Install Connection-Control Plugins\">mysql&gt; \nINSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';\nQuery OK, 0 rows affected (0.02 sec)\n\n\nINSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';\nQuery OK, 0 rows affected (0.00 sec)\n\n\nSELECT PLUGIN_NAME, PLUGIN_STATUS \nFROM INFORMATION_SCHEMA.PLUGINS \nWHERE PLUGIN_NAME LIKE 'connection%';\n+------------------------------------------+---------------+\n| PLUGIN_NAME                              | PLUGIN_STATUS |\n+------------------------------------------+---------------+\n| CONNECTION_CONTROL                       | ACTIVE        |\n| CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS | ACTIVE        |\n+------------------------------------------+---------------+<\/pre>\n<p>Alternatively you can modify the configuration file (my.cnf \/ my.ini) and then restart the server<\/p>\n<pre class=\"lang:vim decode:true\" title=\"Connection-Control Plugin Installation\">[mysqld]\nplugin-load-add=connection_control.so<\/pre>\n<p>If the plugins have been previously registered with <strong>INSTALL PLUGIN<\/strong> or are loaded with <a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/server-options.html#option_mysqld_plugin-load-add\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>plugin-load-add<\/strong><\/a>, you can use the <strong>connection-control<\/strong> and <strong>connection-control-failed-login-attempts<\/strong> options at server startup to control plugin activation.<\/p>\n<p>e.g. to load the plugins at startup and prevent them from being removed at runtime, use these options :<\/p>\n<pre class=\"lang:vim decode:true\" title=\"load the plugins at startup and prevent them from being removed at runtime\">[mysqld]\nplugin-load-add=connection_control.so\nconnection-control=FORCE_PLUS_PERMANENT\nconnection-control-failed-login-attempts=FORCE_PLUS_PERMANENT<\/pre>\n<h3>Configuration<\/h3>\n<p>To enable you to configure its operation, the CONNECTION_CONTROL plugin exposes 3 system variables :<\/p>\n<ul>\n<li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/connection-control-variables.html#sysvar_connection_control_failed_connections_threshold\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>connection_control_failed_connections_threshold<\/strong><\/a> : The number of consecutive failed connection attempts permitted to clients before the server adds a delay for subsequent connection attempts.<\/li>\n<li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/connection-control-variables.html#sysvar_connection_control_min_connection_delay\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>connection_control_min_connection_delay<\/strong><\/a> : The amount of delay to add for each consecutive connection failure above the threshold.<\/li>\n<li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/connection-control-variables.html#sysvar_connection_control_max_connection_delay\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>connection_control_max_connection_delay<\/strong><\/a> : The maximum delay to add.<\/li>\n<\/ul>\n<p><em><span style=\"text-decoration: underline;\">Note<\/span> :\u00a0To entirely disable checking for failed connection attempts, set connection_control_failed_connections_threshold to zero.<\/em><\/p>\n<p>Default values are :<\/p>\n<pre class=\"lang:mysql decode:true\" title=\"Connection-Control variables\">mysql&gt; \nSHOW VARIABLES LIKE 'connection_control%';\n+-------------------------------------------------+------------+\n| Variable_name                                   | Value      |\n+-------------------------------------------------+------------+\n| connection_control_failed_connections_threshold | 3          |\n| connection_control_max_connection_delay         | 2147483647 |\n| connection_control_min_connection_delay         | 1000       |\n+-------------------------------------------------+------------+<\/pre>\n<p>You can modify these variables at runtime with <a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/set-variable.html\" target=\"_blank\" rel=\"noopener noreferrer\">SET GLOBAL<\/a> :<\/p>\n<pre class=\"lang:mysql decode:true\" title=\"Connection-Control configuration\">mysql&gt; \nSET GLOBAL connection_control_failed_connections_threshold = 2;\nQuery OK, 0 rows affected (0.00 sec)\n\n \nSET GLOBAL connection_control_min_connection_delay = 1000;\nQuery OK, 0 rows affected (0.00 sec)\n\n \nSHOW VARIABLES LIKE 'connection_control%';\n+-------------------------------------------------+------------+\n| Variable_name                                   | Value      |\n+-------------------------------------------------+------------+\n| connection_control_failed_connections_threshold | 2          |\n| connection_control_max_connection_delay         | 2147483647 |\n| connection_control_min_connection_delay         | 1000       |\n+-------------------------------------------------+------------+<\/pre>\n<p>Indeed they can be made persistent with the configuration file :<\/p>\n<pre class=\"lang:vim decode:true\" title=\"Connection Delay Configuration\">[mysqld]\nplugin-load-add=connection_control.so\nconnection-control=FORCE_PLUS_PERMANENT\nconnection-control-failed-login-attempts=FORCE_PLUS_PERMANENT\nconnection_control_failed_connections_threshold=2\nconnection_control_min_connection_delay=1000<\/pre>\n<p>Let&rsquo;s test the Connection-Control plugin behavior with a threshold = 2 and a delay = 1 second :<\/p>\n<pre class=\"lang:sh decode:true\" title=\"Test #1\">$ time mysql -uroot -pWrongPwd\nERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)\n\nreal\t0m0.070s\n\n\n$ time mysql -uroot -pWrongPwd\nERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)\n\nreal\t0m0.067s\n\n\n$ time mysql -uroot -pWrongPwd\nERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)\n\nreal\t0m1.069s\n\n\n$ time mysql -uroot -pWrongPwd\nERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)\n\nreal\t0m2.061s\n\n\n$ time mysql -uroot -pWrongPwd\nERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)\n\nreal\t0m3.072s\n\n\n$ time mysql -uroot -pWrongPwd\nERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)\n\nreal\t0m4.065s<\/pre>\n<p>Please focus on the command execution time i.e. real NmN.NNNs<\/p>\n<p>Starting at the 3rd attempts the delay between each connection increase (approximately +1s (= 1000 ms) between each new failed connection attempts).<\/p>\n<h3>Monitoring<\/h3>\n<p>To monitor failed connections, use these information sources:<\/p>\n<ul>\n<li>The <a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/connection-control-variables.html#statvar_Connection_control_delay_generated\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Connection_control_delay_generated<\/strong><\/a> status variable indicates the number of times the server added a delay to its response to a failed connection attempt. This does not count attempts that occur before reaching the threshold defined by the <em>connection_control_failed_connections_threshold<\/em> system variable.<\/li>\n<li>The <a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/connection-control-failed-login-attempts-table.html\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS<\/strong><\/a> table provides information about the current number of consecutive failed connection attempts per client user\/host combination. This counts all failed attempts, regardless of whether they were delayed.<\/li>\n<\/ul>\n<pre class=\"lang:mysql decode:true\" title=\"Connection-Control Failure Monitoring\">mysql&gt; \nSHOW STATUS LIKE 'connection_control%';\n+------------------------------------+-------+\n| Variable_name                      | Value |\n+------------------------------------+-------+\n| Connection_control_delay_generated | 4     |\n+------------------------------------+-------+\n\n\nSELECT * FROM INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;\n+--------------------+-----------------+\n| USERHOST           | FAILED_ATTEMPTS |\n+--------------------+-----------------+\n| 'root'@'localhost' |               6 |\n+--------------------+-----------------+<\/pre>\n<p>You can easily monitor different user accounts :<\/p>\n<pre class=\"lang:sh decode:true\" title=\"Test #2\">$ time mysql -uWrongUser -pWrongPwd\nERROR 1045 (28000): Access denied for user 'WrongUser'@'localhost' (using password: YES)\n\nreal\t0m0.065s\n\n\n$ time mysql -uWrongUser -pWrongPwd\nERROR 1045 (28000): Access denied for user 'WrongUser'@'localhost' (using password: YES)\n\nreal\t0m0.088s\n\n\n$ time mysql -uWrongUser -pWrongPwd\nERROR 1045 (28000): Access denied for user 'WrongUser'@'localhost' (using password: YES)\n\nreal\t0m1.063s\n\n\n$ time mysql -uWrongUser -pWrongPwd\nERROR 1045 (28000): Access denied for user 'WrongUser'@'localhost' (using password: YES)\n\nreal\t0m2.076s<\/pre>\n<p>Connection-Control failure monitoring :<\/p>\n<pre class=\"lang:mysql decode:true \" title=\"Connection-Control Failure Monitoring #2\">mysql&gt; \nSHOW STATUS LIKE 'connection_control%';\n+------------------------------------+-------+\n| Variable_name                      | Value |\n+------------------------------------+-------+\n| Connection_control_delay_generated | 6     |\n+------------------------------------+-------+\n\n\nSELECT * FROM INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS ;\n+-------------------------+-----------------+\n| USERHOST                | FAILED_ATTEMPTS |\n+-------------------------+-----------------+\n| 'WrongUser'@'localhost' |               4 |\n| 'root'@'localhost'      |               6 |\n+-------------------------+-----------------+<\/pre>\n<h3>Uninstalling Plugins<\/h3>\n<p>To remove the plugins, use the <a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/uninstall-plugin.html\" target=\"_blank\" rel=\"noopener noreferrer\">UNINSTALL PLUGIN<\/a> statement :<\/p>\n<ul>\n<li>UNINSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;<\/li>\n<li>UNINSTALL PLUGIN CONNECTION_CONTROL;<\/li>\n<\/ul>\n<pre class=\"lang:mysql decode:true\" title=\"Uninstalling Plugins\">mysql&gt; \nUNINSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;\nQuery OK, 0 rows affected (0.01 sec)\n\n\nUNINSTALL PLUGIN CONNECTION_CONTROL;\nQuery OK, 0 rows affected (0.01 sec)\n<\/pre>\n<p><em><span style=\"text-decoration: underline;\">Note<\/span> :\u00a0Update the configuration file (my.cnf \/ my.ini) if necessary<\/em><\/p>\n<h2>In order to go further<\/h2>\n<h3>MySQL Security Series<\/h3>\n<ol>\n<li><a href=\"http:\/\/dasini.net\/blog\/2018\/03\/01\/mysql-security-password-validation-plugin\/\" target=\"_blank\" rel=\"noopener noreferrer\">Password Validation Plugin<\/a><\/li>\n<li><a href=\"http:\/\/dasini.net\/blog\/2018\/03\/07\/mysql-security-password-management\/\" target=\"_blank\" rel=\"noopener noreferrer\">Password Management<\/a><\/li>\n<li><a href=\"http:\/\/dasini.net\/blog\/2018\/03\/14\/mysql-security-user-account-locking\/\" target=\"_blank\" rel=\"noopener noreferrer\">User Account Locking<\/a><\/li>\n<li><a href=\"http:\/\/dasini.net\/blog\/2018\/03\/29\/mysql-security-the-connection-control-plugins\/\" target=\"_blank\" rel=\"noopener noreferrer\">The Connection-Control Plugins<\/a><\/li>\n<li><a href=\"http:\/\/dasini.net\/blog\/2018\/04\/04\/mysql-security-mysql-enterprise-audit\/\" target=\"_blank\" rel=\"noopener noreferrer\">Enterprise Audit<\/a><\/li>\n<li><a href=\"http:\/\/dasini.net\/blog\/2018\/04\/10\/mysql-security-mysql-enterprise-transparent-data-encryption\/\" target=\"_blank\" rel=\"noopener noreferrer\">Enterprise Transparent Data Encryption (TDE)<\/a><\/li>\n<li><a href=\"http:\/\/dasini.net\/blog\/2018\/04\/16\/mysql-security-mysql-enterprise-firewall\/\" target=\"_blank\" rel=\"noopener noreferrer\">Enterprise Firewall<\/a><\/li>\n<li><a href=\"http:\/\/dasini.net\/blog\/2019\/03\/19\/mysql-security-mysql-enterprise-data-masking-and-de-identification\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Enterprise Data Masking and De-Identification (opens in a new tab)\">Enterprise Data Masking and De-Identification<\/a><\/li>\n<\/ol>\n<h3>Reference Manual<\/h3>\n<ul>\n<li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/connection-control.html\" target=\"_blank\" rel=\"noopener noreferrer\">MySQL 5.7 Connection-Control Plugins<\/a><\/li>\n<li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/connection-control-installation.html\" target=\"_blank\" rel=\"noopener noreferrer\">MySQL 5.7 Connection-Control Plugin Installation<\/a><\/li>\n<li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/connection-control-variables.html\" target=\"_blank\" rel=\"noopener noreferrer\">MySQL 5.7 Connection-Control System and Status Variables<\/a><\/li>\n<\/ul>\n<h3>MySQL Security<\/h3>\n<ul>\n<li><a href=\"https:\/\/dev.mysql.com\/doc\/mysql-security-excerpt\/5.7\/en\/\" target=\"_blank\" rel=\"noopener noreferrer\">Security in MySQL<\/a><\/li>\n<li><a href=\"https:\/\/dev.mysql.com\/doc\/mysql-secure-deployment-guide\/5.7\/en\/\" target=\"_blank\" rel=\"noopener noreferrer\">MySQL 5.7 Secure Deployment Guide<\/a><\/li>\n<li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/security.html\" target=\"_blank\" rel=\"noopener noreferrer\">MySQL 5.7 Reference Manual &#8211; Security<\/a><\/li>\n<\/ul>\n\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p><strong><span style=\"text-decoration: underline;\">MySQL Security Serie &#8211; Password Management<\/span><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a aria-label=\"Random Password Generation? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/15\/mysql-security-random-password-generation\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Random Password Generation<\/a><\/li><li><a aria-label=\"Password Expiration Policy? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/21\/mysql-security-password-expiration-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Expiration Policy<\/a><\/li><li><a aria-label=\"Password Reuse Policy? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/28\/mysql-security-password-reuse-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Reuse Policy<\/a><\/li><li><a aria-label=\"Password Verification-Required Policy? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/05\/mysql-security-password-verification-required-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Verification-Required Policy<\/a><\/li><li><a aria-label=\"Failed-Login Tracking and Temporary Account Locking? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/12\/mysql-security-failed-login-tracking-and-temporary-account-locking\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Failed-Login Tracking and Temporary Account Locking<\/a><\/li><li><a href=\"http:\/\/dasini.net\/blog\/2020\/05\/19\/mysql-security-dual-password-support\/\" target=\"_blank\" aria-label=\"Dual Password Support (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Dual Password Support<\/a><\/li><\/ul>\n\n\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p><strong><a rel=\"noreferrer noopener\" href=\"https:\/\/www.youtube.com\/channel\/UC12TulyJsJZHoCmby3Nm3WQ\" target=\"_blank\" class=\"aioseop-link\"><span style=\"text-decoration: underline;\">Olivier&rsquo;s MySQL Channel<\/span><\/a><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/youtu.be\/k4K-scd4oI0\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Establish a policy for password expiration with MySQL\">Establish a policy for password expiration with MySQL<\/a><\/li><li><a href=\"https:\/\/youtu.be\/VND0KvuX7bc\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Create users with a random password in MySQL\">Create users with a random password in MySQL<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=4z6-dlGT-Mc\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Enable restrictions on reuse of previous passwords with MySQL\">Enable restrictions on reuse of previous passwords with MySQL<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=1RwlU14TDWk\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Require MySQL users to provide their current password to change it\">Require MySQL users to provide their current password to change it<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=6HO_ciRbiXw\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Temporary Account Locking in MySQL\">Temporary Account Locking in MySQL<\/a><\/li><\/ul>\n\n\n<\/div><\/div>\n\n\n\n<div style=\"height:75px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-vivid-red-color has-text-color\"><strong>Thanks for using MySQL!<\/strong><\/p>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><a href=\"https:\/\/www.linkedin.com\/groups\/12524512\/\" target=\"_blank\" rel=\"noopener\" title=\"Olivier DASINI on Linkedin\">Follow me on Linkedin<\/a><\/p>\n\n\n\n<p>Watch my videos on my <a href=\"https:\/\/www.youtube.com\/channel\/UC12TulyJsJZHoCmby3Nm3WQ\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Olivier's MySQL Channel\">YouTube channel<\/a> and <a href=\"https:\/\/www.youtube.com\/channel\/UC12TulyJsJZHoCmby3Nm3WQ\/?sub_confirmation=1\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Subscribe\">subscribe<\/a>.<\/p>\n\n\n\n<p>My <a href=\"https:\/\/www.slideshare.net\/freshdaz\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Olivier DASINI on Slideshare\">Slideshare account<\/a>.<\/p>\n\n\n\n<p>My <a href=\"https:\/\/speakerdeck.com\/freshdaz\/\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Olivier DASINI on Speaker Deck\">Speaker Deck account<\/a>.<\/p>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-vivid-red-color has-text-color\"><strong>Thanks for using HeatWave &amp; MySQL!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>An ordinary threat databases could face is an attempt to discover the password by systematically trying every possible combination (letters, numbers, symbols). This is known as a brute force attack.<br \/>\nIn this fourth episode of the\u00a0MySQL 5.7 Security series, we will see how the MySQL DBA can leverage the\u00a0Connection-Control Plugins to slow down brute force attacks.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[203,365],"tags":[381,367],"class_list":["post-2202","post","type-post","status-publish","format-standard","hentry","category-mysql-en","category-security","tag-connection-control-plugins","tag-security"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9LfWW-zw","jetpack-related-posts":[{"id":2177,"url":"https:\/\/dasini.net\/blog\/2018\/03\/14\/mysql-security-user-account-locking\/","url_meta":{"origin":2202,"position":0},"title":"MySQL Security &#8211; User Account Locking","author":"Olivier DASINI","date":"14 mars 2018","format":false,"excerpt":"For security reasons some context require you to setup a user account locking policy. Thus an unauthorized user is not able (anymore) to login to the MySQL server. In this 3rd article of the\u00a0MySQL 5.7 Security series, we\u00a0will see how to [un]lock a user account.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"MySQL Security","src":"https:\/\/i0.wp.com\/dasini.net\/blog\/wp-content\/uploads\/MySQL_DB_Lock2.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3557,"url":"https:\/\/dasini.net\/blog\/2020\/04\/15\/mysql-security-random-password-generation\/","url_meta":{"origin":2202,"position":1},"title":"MySQL Security &#8211; Random Password Generation","author":"Olivier DASINI","date":"15 avril 2020","format":false,"excerpt":"MySQL has the capability of generating random passwords for user accounts, as an alternative to requiring explicit administrator-specified literal passwords.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/VND0KvuX7bc\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":2136,"url":"https:\/\/dasini.net\/blog\/2018\/03\/01\/mysql-security-password-validation-plugin\/","url_meta":{"origin":2202,"position":2},"title":"MySQL Security \u2013 Password Validation Plugin","author":"Olivier DASINI","date":"1 mars 2018","format":false,"excerpt":"In this article, 1st of a MySQL 5.7 Security series, we will see how to enforce Strong Passwords with Password Validation Plugin when using MySQL 5.7. Authentication with ID and password is a very simple and common (because it\u2019s simple) way to secure the access to a resource, however the\u2026","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"MySQL Security","src":"https:\/\/i0.wp.com\/dasini.net\/blog\/wp-content\/uploads\/MySQL_DB_Lock2.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":2156,"url":"https:\/\/dasini.net\/blog\/2018\/03\/07\/mysql-security-password-management\/","url_meta":{"origin":2202,"position":3},"title":"MySQL Security \u2013 Password Management","author":"Olivier DASINI","date":"7 mars 2018","format":false,"excerpt":"Some regulations required\u00a0that the password is renewed in a timely and appropriate manner (e.g. every 90 days). In this article, 2nd of the MySQL 5.7 Security series, we will see how to\u00a0to establish a policy for password expiration\u00a0with MySQL 5.7\u00a0Password\u00a0Management.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"MySQL Security","src":"https:\/\/i0.wp.com\/dasini.net\/blog\/wp-content\/uploads\/MySQL_DB_Lock2.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3567,"url":"https:\/\/dasini.net\/blog\/2020\/05\/19\/mysql-security-dual-password-support\/","url_meta":{"origin":2202,"position":4},"title":"MySQL Security &#8211; Dual Password Support","author":"Olivier DASINI","date":"19 mai 2020","format":false,"excerpt":"Dual-password capability makes it possible to seamlessly perform credential changes without downtime.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3575,"url":"https:\/\/dasini.net\/blog\/2020\/05\/12\/mysql-security-failed-login-tracking-and-temporary-account-locking\/","url_meta":{"origin":2202,"position":5},"title":"MySQL Security &#8211; Failed-Login Tracking and Temporary Account Locking","author":"Olivier DASINI","date":"12 mai 2020","format":false,"excerpt":"DBA can configure user accounts such that too many consecutive login failures cause temporary account locking.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/6HO_ciRbiXw\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/2202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/comments?post=2202"}],"version-history":[{"count":36,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/2202\/revisions"}],"predecessor-version":[{"id":3730,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/2202\/revisions\/3730"}],"wp:attachment":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/media?parent=2202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/categories?post=2202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/tags?post=2202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}