When connection requests to a MySQL database from a given host are interrupted, MySQL keeps track of the number of successive interruptions in the host cache. MySQL will eventually block the host, returning the message [1129] “Host ‘host_name’ is blocked because of many connection errors.” The number of connect errors it takes to block a host is controlled by the variable max_connect_errors, whose default value is 100.

If connection requests from a host fail many times but the host then completes a successful, uninterrupted connection, the counter for that host is reset to zero, so only successive errors are counted. The count is kept in the sum_connect_errors column of the performance_schema.host_cache table and is not cumulative over time.

There are several details to note about this limited security measure. For instance, the host cache only records nonlocal TCP connections.

Also, it does not keep track of, or block, hosts that fail to authenticate because they supply an incorrect password, so it does not protect against brute force attacks. Another thing to note: the host cache has a limited size (host_cache_size) and uses a least-recently-used algorithm to purge the oldest entries when space is needed.

Given that the tallied connect errors do not help protect against brute force attacks, max_connect_errors is often increased to a very large number such as 1000000 to avoid a crucial application or client being blocked from connecting to the database.

If a host has been blocked, running the flush hosts command is the advised way to unblock it, though it unblocks all other blocked hosts in the process.

If connections are routed through MySQLRouter, a different error occurs: clients receive error 1129 with a “Too many connection errors from” message. Clearing the host cache in this case involves restarting the MySQLRouter instance.
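The checks and remediation described above, as an added example that is not part of the original post: it reads the threshold and the per-host counter from performance_schema.host_cache, flags hosts at or past the limit, and shows the two ways to clear the cache. Column names are the real ones for that table; the threshold value set here is the one discussed above and is an assumption for illustration.

```sql
-- 1. Current blocking threshold and cache capacity (both server-wide).
SELECT @@GLOBAL.max_connect_errors AS max_connect_errors,
       @@GLOBAL.host_cache_size    AS host_cache_size;

-- 2. Per-host view of successive interrupted connections.
--    SUM_CONNECT_ERRORS is reset when the host completes a clean connection,
--    so a high value means a current run of failures, not a lifetime total.
--    COUNT_HOST_BLOCKED_ERRORS counts connections refused because the host
--    was already blocked. CAST to SIGNED so the difference can go negative.
SELECT IP,
       HOST,
       SUM_CONNECT_ERRORS,
       CAST(@@GLOBAL.max_connect_errors AS SIGNED)
         - CAST(SUM_CONNECT_ERRORS AS SIGNED)                     AS errors_left_before_block,
       (SUM_CONNECT_ERRORS >= @@GLOBAL.max_connect_errors)        AS is_blocked,
       COUNT_HOST_BLOCKED_ERRORS,
       FIRST_ERROR_SEEN,
       LAST_ERROR_SEEN
FROM performance_schema.host_cache
WHERE SUM_CONNECT_ERRORS > 0
ORDER BY SUM_CONNECT_ERRORS DESC;

-- 3. Raise the threshold at runtime (assumed value; the default is 100).
--    On MySQL 8.0, SET PERSIST writes it to the server's persisted config
--    so it survives a restart; otherwise also set it in my.cnf.
SET GLOBAL max_connect_errors = 1000000;

-- 4. Unblock. Both statements clear the ENTIRE host cache, so every
--    blocked host is unblocked at once, not just the one you care about.
FLUSH HOSTS;
-- Equivalent, and the form that also works from within the server:
TRUNCATE TABLE performance_schema.host_cache;
```

Note that a host only reaches is_blocked = 1 through interrupted connections; failed passwords never increment SUM_CONNECT_ERRORS, which is the gap the post describes.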

Summary:

The MySQL variable max_connect_errors may be increased from the default of 100 to prevent an error and the blocking of a known host connecting to the MySQL database. The host_cache table in the performance_schema schema keeps track only of interrupted connection requests, not access-denied occurrences, so using it as a means of preventing and blocking hosts that may be performing a brute force attack is not possible. Overall, the sum of the connect errors is a limited security measure. If a known host is blocked, MySQL advises “unblock with ‘mysqladmin flush-hosts’,” which will clear all blocked hosts.
