Skip site navigation (1) Skip section navigation (2)

Re: contrib: auth_delay module

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Jan Urbański <wulczer(at)wulczer(dot)org>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>,Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>,KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>,PostgreSQL-Hackers <pgsql-hackers(at)postgresql(dot)org>,KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: contrib: auth_delay module
Date: 2010-11-04 13:35:16
Message-ID: 20101104133516.GN26232@tamriel.snowman.net (view raw or flat)
Thread:
Lists: pgsql-hackers
* Jan Urbański (wulczer(at)wulczer(dot)org) wrote:
> On 04/11/10 14:09, Robert Haas wrote:
> > Hmm, I wonder how useful this is given that restriction.
> 
> As KaiGai mentined, it's more to make bruteforcing difficult (read: tmie
> consuming), right?

Which it would still do, since the attacker would be bumping up against
max_connections.  max_connections would be a DOS point, but that's no
different from today.  Other things could be put in place to address
that (max # of connections from a given IP or range could be implemented
using iptables, as an example).

5 second delay w/ max connections at 100 would mean max of 20 attempts
per second, no?  That's alot fewer than 100*(however many attempts can
be done in a second).  Doing a stupid while true; psql -d blah; done
managed to get 50 successful ident auths+no-db-found errors done in a
second on one box here.  5000 >> 20, and I wasn't even trying.

	Thanks,

		Stephen

In response to

Responses

pgsql-hackers by date

Next:From: Tom LaneDate: 2010-11-04 13:49:41
Subject: Re: why does plperl cache functions using just a bool for is_trigger
Previous:From: Robert HaasDate: 2010-11-04 13:16:45
Subject: Re: Comparison with "true" in source code

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group