Fortify Your MySQL Security: Slow Down Attackers with Connection Control Plugin
Learn how the MySQL Connection Control Plugin helps defend against brute-force login attempts by introducing intelligent, progressive delays, without locking out legitimate users.
Jenishker August 12, 2025
Why the MySQL Connection Control Plugin?
Security is a top concern for any database administrator, especially when your MySQL server is exposed to external traffic or connected to public networks. Attackers often target port 3306 with brute-force or automated connection attempts, trying to guess user credentials or flood the server with invalid connections.
The MySQL Connection Control Plugin is designed to address exactly this kind of scenario.
By introducing progressive delays after a configurable number of failed login attempts, this plugin helps to:
In short, the Connection Control Plugin is a simple but powerful tool every MySQL DBA should consider enabling in their defense strategy.
What is the MySQL Connection Control Plugin?
The Connection Control Plugin is a built-in MySQL security feature that helps protect your server from repeated failed login attempts — often caused by brute-force attacks or bots.
It keeps track of failed logins, and once a set limit is reached, it adds a delay before allowing more attempts from the same source. The delay increases with each failure, making automated attacks slower and much less effective.
It consists of two parts:
Installation
You can either load it via my.cnf, or install it from an interactive SQL session as shown below:
[mysqld]
# Connection control plugins: connection_control.so contains both
# CONNECTION_CONTROL and CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
plugin-load-add=connection_control.so

mysql> INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
Query OK, 0 rows affected (0.03 sec)
mysql> INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';
Query OK, 0 rows affected (0.01 sec)
Once installed, the plugin can be listed from INFORMATION_SCHEMA:
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'connection%';
+------------------------------------------+---------------+
| PLUGIN_NAME                              | PLUGIN_STATUS |
+------------------------------------------+---------------+
| CONNECTION_CONTROL                       | ACTIVE        |
| CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS | ACTIVE        |
+------------------------------------------+---------------+
2 rows in set (0.00 sec)
Plugin Configuration
Once the Connection Control Plugin is installed, you can configure it to suit your security needs. These settings allow you to define how many failed login attempts are allowed before MySQL starts applying a progressive delay between new connection attempts.
mysql> SET GLOBAL connection_control_failed_connections_threshold = 2;
Query OK, 0 rows affected (0.00 sec)
mysql> SET GLOBAL connection_control_min_connection_delay = 3000;
Query OK, 0 rows affected (0.00 sec)
These settings slow aggressive retries after 2 failed attempts by introducing a 3-second delay.
Note: The delay is in milliseconds, not microseconds.
Login Attempt Handling with Connection Control Plugin (flow chart)
Tracking Login Attempts
The Connection Control Plugin keeps track of failed login attempts and stores them in an internal table. You can monitor this information using the information_schema.
Before attempting failed login
mysql> SELECT * FROM information_schema.connection_control_failed_login_attempts;
Empty set (0.00 sec)
This confirms there are currently no failed login attempts recorded.
Let’s simulate multiple failed login attempts to see the plugin in action. In this example, we will trigger 10 failed login attempts from the same client IP using incorrect credentials.
Result:
As you can see, the first two attempts respond quickly, but starting from the 3rd attempt, the delay increases progressively.
2 failed attempts allowed without delay
From the 3rd attempt onward, delay starts at 3 seconds and increases
jenishkar@ubuntu:~/mysql$ ./sec.sh
Sat Jun 21 11:21:58 IST 2025
0.005
Sat Jun 21 11:21:58 IST 2025
0.004
Sat Jun 21 11:21:58 IST 2025
3.004
Sat Jun 21 11:22:08 IST 2025
4.005
This behavior is exactly what we configured.
Monitoring Failed Login Attempts
-- After 3 failed attempts
mysql> SELECT * FROM information_schema.connection_control_failed_login_attempts;
+-------------------+-----------------+
| USERHOST          | FAILED_ATTEMPTS |
+-------------------+-----------------+
| 'unknownuser'@'%' |               3 |
+-------------------+-----------------+
1 row in set (0.00 sec)
Even after many failed login attempts, the plugin does not permanently block access. It only delays connection attempts.
jenishkar@ubuntu:~/mysql$ ./bin/mysql -u unknownuser -p --socket=/tmp/MySQL06.sock
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 58
Server version: 8.0.33 MySQL Community Server - GPL
mysql> SELECT * FROM information_schema.connection_control_failed_login_attempts;
Empty set (0.25 sec)
After a successful login, the plugin clears the recorded failed attempts.
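The monitoring step above, extended into a pair of queries a DBA can run on a schedule; this is an added example, not code from the original post. It assumes MySQL 8.0 (for the CTE) and the delay rule from the MySQL reference manual: 1000 ms per failure past the threshold, clamped between connection_control_min_connection_delay and connection_control_max_connection_delay (the latter is a variable the post does not set).

```sql
-- Added example (not from the original post).
-- Assumed delay rule (MySQL reference manual):
--   next delay = clamp((failed_attempts + 1 - threshold) * 1000 ms, min, max)

-- 1. Accounts at or past the threshold, with the delay their next attempt gets.
WITH cc AS (
  SELECT
    MAX(CASE VARIABLE_NAME
          WHEN 'connection_control_failed_connections_threshold'
          THEN CAST(VARIABLE_VALUE AS SIGNED) END) AS threshold,
    MAX(CASE VARIABLE_NAME
          WHEN 'connection_control_min_connection_delay'
          THEN CAST(VARIABLE_VALUE AS SIGNED) END) AS min_ms,
    MAX(CASE VARIABLE_NAME
          WHEN 'connection_control_max_connection_delay'
          THEN CAST(VARIABLE_VALUE AS SIGNED) END) AS max_ms
  FROM performance_schema.global_variables
  WHERE VARIABLE_NAME LIKE 'connection_control%'
)
SELECT f.USERHOST,
       f.FAILED_ATTEMPTS,
       cc.threshold,
       LEAST(GREATEST((CAST(f.FAILED_ATTEMPTS AS SIGNED) + 1 - cc.threshold) * 1000,
                      cc.min_ms),
             cc.max_ms) AS next_delay_ms
FROM information_schema.connection_control_failed_login_attempts AS f
CROSS JOIN cc
WHERE cc.threshold > 0                 -- a threshold of 0 disables the plugin
  AND f.FAILED_ATTEMPTS >= cc.threshold
ORDER BY f.FAILED_ATTEMPTS DESC;

-- 2. Server-wide count of delays applied so far; a value that keeps rising
--    between samples means logins are being throttled right now.
SELECT VARIABLE_VALUE AS delays_generated
FROM performance_schema.global_status
WHERE VARIABLE_NAME = 'Connection_control_delay_generated';
```

Setting connection_control_failed_connections_threshold at runtime resets both the per-account counters and Connection_control_delay_generated, so sample these values before changing the configuration.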
Conclusion
At Mafiree, we use the MySQL Connection Control Plugin to protect against brute-force attacks by introducing smart delays after repeated login failures. By leveraging powerful built-in MySQL features, we help keep our clients' databases secure, stable, and well-protected.