Security Measures for TiDB Cloud Serverless Public Endpoints

Hello,

I would like to ask about the security measures in place for TiDB Cloud Serverless.
We are planning to use TiDB Cloud Serverless with a public endpoint, as required by our business needs.
Given its global accessibility, we are concerned about the potential risk of attacks, particularly brute force login attempts.
Could you please explain what protections are in place against such threats? Additionally, is there a way for users to detect these attacks on their own?

Thank you for your help.

TiDB Cloud Serverless employs several security measures to protect against brute force login attempts and to help users detect such attacks. Here are the key security features and practices:

  1. TLS Connections: TiDB Cloud Serverless requires all connections to be encrypted using Transport Layer Security (TLS). This ensures that data transmitted between the client and the server is secure, reducing the risk of interception during brute force attacks. For more details on TLS connections, you can refer to the TLS Connections to TiDB Cloud Serverless documentation.

  2. Password Management Policies: Although TiDB Cloud Serverless primarily uses TLS for authentication, it also supports password management policies for additional security. These policies include password complexity requirements, password expiration, and prevention of password reuse. These measures help ensure that user credentials are strong and less susceptible to brute force attacks. More information on password management can be found in the TiDB Password Management documentation.

  3. Failed-Login Tracking and Account Locking: TiDB implements a policy to track failed login attempts and temporarily lock accounts after multiple unsuccessful login attempts. This feature is crucial in mitigating brute force attacks by preventing repeated login attempts with incorrect passwords. This policy is part of the broader password management strategy outlined in the TiDB Password Management documentation.

  4. User Alerts and Monitoring: While specific tools or alerts for detecting brute force attacks are not explicitly detailed in the provided documents, users are encouraged to monitor their access logs and set up alerts for unusual login activities. This proactive monitoring can help detect potential brute force attempts early.

By implementing these security measures, TiDB Cloud Serverless provides a robust defense against brute force login attempts, ensuring the integrity and confidentiality of user data. For further details on these security features, you can explore the provided documentation links.
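The password-policy, lockout and detection points listed in the answer above, as an added SQL example (not code from this thread or from PingCAP). It assumes the cluster honors TiDB's MySQL 8-compatible password-management syntax that the answer cites; the account name, host pattern, secret and thresholds are placeholders.

```sql
-- Added example (not from the forum thread): hardening a TiDB account that is
-- reachable through a public endpoint against credential guessing, using the
-- password-management features the answer above refers to.
-- 'app_user', the '%' host pattern, the secret and all thresholds are placeholders.

-- 1. Password complexity: reject weak passwords at CREATE/ALTER USER time.
SET GLOBAL validate_password.enable = ON;
SET GLOBAL validate_password.policy = 'STRONG';   -- LOW / MEDIUM / STRONG
SET GLOBAL validate_password.length = 16;

-- 2. Create the account with expiry, reuse prevention and a lockout policy:
--    after 5 consecutive failed logins the account is locked for 1 day.
CREATE USER 'app_user'@'%' IDENTIFIED BY 'Replace-With-A-Long-Random-Secret-1!'
  PASSWORD EXPIRE INTERVAL 90 DAY
  PASSWORD HISTORY 5
  PASSWORD REUSE INTERVAL 365 DAY
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME 1;

-- 3. Tighten an existing account instead: lock it until an administrator
--    unlocks it, so a sustained guessing campaign cannot simply wait it out.
ALTER USER 'app_user'@'%'
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LOCK_TIME UNBOUNDED;

-- 4. Detection: the configured thresholds and the current lock state are
--    kept per account in the User_attributes JSON column of mysql.user
--    (under a "Password_locking" object). Poll this from a monitoring job
--    and alert when an account flips to locked.
SELECT User, Host, User_attributes
FROM mysql.user
WHERE User_attributes LIKE '%Password_locking%';

-- 5. Recovery once the source of the failed attempts is understood.
ALTER USER 'app_user'@'%' ACCOUNT UNLOCK;
```

Account lockout limits what a guessing campaign can achieve once a connection is made; restricting which addresses may connect at all (the Authorized Networks setting mentioned in the next reply) is the complementary control.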

Hello Friend. Thanks for using TiDB Cloud Serverless. To control who can access your cluster from Public Endpoint, you can disable Public Endpoint completely or use Authorized Networks to restrict what IP addresses are allowed to connect to your cluster.
