MySQL – Limit Server Login Attempts Without Fail2ban

MySQLphpmyadmin

I would like to limit login attempts via phpMyAdmin to protect against brute-force attacks. I found solution above, but it is based on fail2ban.

[mysqld-iptables]
enabled  = true
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
       sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/mysqld.log
maxretry = 5

Are there any other, maybe "native" solution for this purpose? Should I use maybe access restriction instead of limiting?

Best Answer

No, phpMyAdmin doesn't have any built-in protection directly against brute force attacks. phpMyAdmin can log failed connection attempts to syslog, a feature which was added specifically so that fail2ban could be easily used for this protection (rather than re-developing the wheel in the application itself). You may be able to work something out with MySQL's resource limits, but those are really designed for restricting valid authenticated users, not stopping brute force attacks. As an alternative, if you have a firewall front end, you may be able to enact some protections there if you really wish to not use fail2ban, but the officially sanctioned means is indeed using fail2ban.

Related Solutions

Mysql – Saving every thesql user login attempts

If you're concerned about failed logins, that implies that your server is accessible from the Internet. It shouldn't be.

There is, however, a way to get the information without resorting to the general log.

According to the manual you can trigger logging these failed connections to the error log with the system variable log_warnings:

If the value is greater than 1, aborted connections are written to the error log, and access-denied errors for new connection attempts are written.

This is a dynamic variable, but changing it at run-time does not appear to trigger the logging behavior. Add this to your my.cnf in the [mysqld] section:

log-warnings = 2

Restart the server daemon.

You should then start to see failed logins in your MySQL error log.

I don't know what you mean by "saving password details." The password is sent from the client to the server as...

SHA1( password ) XOR SHA1( "20-bytes random data from server" <concat> SHA1( SHA1( password ) ) )

...so you're not going to find the client's attempted password getting logged anywhere. The server doesn't know what password the client used. It only knows whether it used the correct one, by doing its own calculation of the hash the client would have returned if the client had known the right password.

Phptheadmin – Login issue, takes me back to the login page after logging in

Turns out the issue was memcache. I'd added it for other reasons and set PHP to use it for sessions. Nothing broke (or so I thought) and all seemed well. Turns out it's this very reason phpMyAdmin was not working. phpMyAdmin does not support memcache being used for sessions in PHP, it requires files.

Best Answer

Related Solutions

Mysql – Saving every thesql user login attempts

Phptheadmin – Login issue, takes me back to the login page after logging in

Related Question