Skip site navigation (1) Skip section navigation (2)

Re: brute force attacking the password

From: Dawid Kuroczko <qnex42(at)gmail(dot)com>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: brute force attacking the password
Date: 2005-04-18 20:59:39
Message-ID: 758d5e7f0504181359974fe9@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-admin
> > No, there is not.  Does anyone want to suggest a possible implementation
> > for the TODO list?
> I would like to see a combination of number of login failures and a
> timeout, configurable via the conf file.  Say, X login failures
> disables further logins for that account for Y minutes.
> 
> That would be groovy.  :)

And dangerous.  Imagine a system with say, apache accound used
from some Apache application.  And a maluser who purposefully
tries to log in to "apache" account and fails, thus causing a DoS
on the web application. :)

...of course with careful planning and right implementation it
would be very good.

Anyway, a simple 'sleep 2 seconds before telling that password
was wrong' would be a good addition anyhow.  [ if it already is
inside PgSQL, please forgive me :) ]


  Regards,
      Dawid

In response to

Responses

pgsql-admin by date

Next:From: Pallav KalvaDate: 2005-04-18 21:05:53
Subject: Re: Postgres Log rotation not working in 8.0.2
Previous:From: Bruce MomjianDate: 2005-04-18 20:55:45
Subject: Re: brute force attacking the password

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group