Reference: https://mariadb.com/kb/en/server-system-variables/#max_user_connections
I sort of guessed this functionality from the config name.
Is the abuse of the nature where you are rejecting unwelcome connection attempts from random sources?
A website is getting lots of requests until it reaches the max_user_connections
If so, that does not relate to max_user_connections which only increments when a connection is successful and sustained to mariadb. The limit here is for simultaneous and successful connections - Maria doesn't keep count of unsuccessful accounts from specific users other than some global counter status such as those in %conn%.
Say we have db usera, userb, userc all on the same clienthost ip. I suspect that if usera exhausts its max_user_connections, continued requests are not being counted any more under usera but under clienthost. At some point max_connections will be reached resulting in userb and userc failure. (It looks like this is what I am experiencing currently) This can be mitigated by not counting these failed connections of usera to the global max_connections (or closing them more quickly?). This way you will probably safeguard the operation of userb and userc from the same clienthost ip.
Preventing such random connections from the internet to mariadb is usually achieved using a firewall, rather than MariaDb - stop malicious activity as early in the transaction as you can to avoid risk and resource load.
I agree.
If your instance of Mariadb is open to the internet, it's not surprising the bots are hammering it.
It is not. More indirectly via website.
Apologies if I've misunderstood and for some reason you are allowing or wanting each of these sources to connect up to 250 times and they do have accounts. (seems a lot to me and isn't what I'd call abuse - I know who's connecting and would ask them to reduce that number if they were causing problems, but okay).
These 250 are from a different user responding to this thread. I am testing with between 50 and 150. I 'noticed' that lowering this resulted in what seemed to be the clienthost ip being blocked. This fuels my suspicion that continuous requests on blocked users are accumulating to the global 'ip' counter.
If so, then this is indeed the right setting - but check the link above and ensure those accounts do not have SUPER or CONNECTION ADMIN privileges as those privs intentionally disregard this value.
These are mostly read (select) only accounts.
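
Added example, not part of the thread above: a set of read-only MariaDB queries for comparing the configured limits with the sessions actually held per account and client host, the global connection counters, and the accounts holding the privileges the reply names as exempt. It assumes a login that holds the PROCESS privilege and can read mysql.user.

```sql
-- Configured ceilings: the server-wide limit and the per-account default.
SELECT @@GLOBAL.max_connections      AS max_connections,
       @@GLOBAL.max_user_connections AS default_max_user_connections;

-- Per-account overrides; 0 means the global value applies to that account.
SELECT user, host, max_user_connections
FROM mysql.user
ORDER BY user, host;

-- Sessions currently open, grouped by account and client host.
-- PROCESSLIST.HOST is reported as "host:port", so the port is stripped first.
-- Without the PROCESS privilege only the caller's own sessions are listed.
SELECT user,
       SUBSTRING_INDEX(host, ':', 1) AS client_host,
       COUNT(*)                      AS open_sessions
FROM information_schema.PROCESSLIST
GROUP BY user, client_host
ORDER BY open_sessions DESC;

-- Global counters: current and peak connected threads, failed connection
-- attempts, and connections refused because max_connections was reached.
-- Sample these twice during an incident and compare the deltas.
SHOW GLOBAL STATUS WHERE Variable_name IN
  ('Threads_connected',
   'Max_used_connections',
   'Aborted_connects',
   'Connection_errors_max_connections');

-- Accounts holding the global privileges that bypass max_user_connections.
SELECT grantee, privilege_type
FROM information_schema.USER_PRIVILEGES
WHERE privilege_type IN ('SUPER', 'CONNECTION ADMIN')
ORDER BY grantee;
```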