On Thu, Nov 4, 2010 at 6:05 AM, Itagaki Takahiro <itagaki.takah...@gmail.com> wrote:
> 2010/11/4 KaiGai Kohei <kai...@kaigai.gr.jp>:
>> The attached patch is a contrib module to inject a few seconds
>> delay on authentication failure. It is also a proof of concept
>> using the new ClientAuthentication_hook.
>>
>> This module provides a similar feature to pam_faildelay on
>> operating systems. Injecting a few seconds of delay on
>> authentication failure prevents (or at least makes hard) brute-force
>> attacks, because it limits the number of candidates that an attacker can
>> verify within a unit of time.
>
> +1 for the feature. We have the "post_auth_delay" parameter,
> but it has a different purpose; it's under DEVELOPER_OPTIONS
> as a delay to attach a debugger.
>
> BTW, the module could save CPU usage of the server on attacks,
> but do nothing about connection flood attacks, right?
> If an attacker attacks the server with multiple connections,
> the server still consumes max_connections even with the module.

Hmm, I wonder how useful this is given that restriction.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
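The limitation raised in the thread, that a per-failure delay raises the cost of each guess but does not bound how many connection slots a flood of attempts occupies, is why an operator still wants to notice bursts of failed logins in the server log. The following is an added example, not code from the thread or from the patch under discussion: it parses constructed PostgreSQL-style log lines and reports, per client host, the peak number of "password authentication failed" messages inside a sliding window. It assumes a log_line_prefix of '%t [%p] %h ' (timestamp, backend pid, client host); the hosts, pids and users in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread). They assume
# log_line_prefix = '%t [%p] %h ', so each line starts with the
# timestamp, the backend pid in brackets and the client host.
SAMPLE_LOG = """\
2010-11-04 06:05:01 UTC [4101] 192.0.2.10 FATAL:  password authentication failed for user "alice"
2010-11-04 06:05:03 UTC [4102] 192.0.2.10 FATAL:  password authentication failed for user "alice"
2010-11-04 06:05:04 UTC [4103] 192.0.2.10 FATAL:  password authentication failed for user "bob"
2010-11-04 06:05:05 UTC [4104] 192.0.2.10 FATAL:  password authentication failed for user "alice"
2010-11-04 06:05:09 UTC [4105] 192.0.2.10 FATAL:  password authentication failed for user "alice"
2010-11-04 06:05:12 UTC [4106] 198.51.100.7 FATAL:  password authentication failed for user "carol"
2010-11-04 06:05:13 UTC [4107] 198.51.100.7 LOG:  connection authorized: user=carol database=app
2010-11-04 06:07:30 UTC [4108] 192.0.2.10 FATAL:  password authentication failed for user "alice"
"""

# Matches only the authentication-failure message; the zone name after
# the timestamp and the pid are consumed but not used.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[\d+\] (?P<host>\S+) '
    r'FATAL:\s+password authentication failed for user "(?P<user>[^"]*)"$'
)


def parse_failures(log_text):
    """Yield (timestamp, host, user) for each failed-authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("host"), m.group("user")


def peak_failures_per_host(log_text, window_seconds):
    """Largest number of failures from each host within any window_seconds span."""
    by_host = defaultdict(list)
    for ts, host, _user in parse_failures(log_text):
        by_host[host].append(ts)

    window = timedelta(seconds=window_seconds)
    peaks = {}
    for host, stamps in by_host.items():
        stamps.sort()
        best, start = 0, 0
        # Two-pointer sliding window: advance start until the span fits.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[host] = best
    return peaks


def flag_hosts(log_text, window_seconds=10, threshold=5):
    """Hosts whose peak failure count reaches the threshold, sorted."""
    peaks = peak_failures_per_host(log_text, window_seconds)
    return sorted(h for h, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    print(peak_failures_per_host(SAMPLE_LOG, 10))
    print(flag_hosts(SAMPLE_LOG))
```

The per-host peak, rather than a plain total, is what distinguishes a burst of parallel attempts (the connection-flood case) from an occasional mistyped password spread over a day; the window and threshold are parameters an operator would tune to the site's normal failure rate.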