Skip site navigation (1) Skip section navigation (2)

Re: contrib: auth_delay module

From: Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>
To: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
Cc: PostgreSQL-Hackers <pgsql-hackers(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: contrib: auth_delay module
Date: 2010-11-04 13:05:01
Message-ID: AANLkTi=4zU0obJJedk7OgVPc0QxymKZs+zKB5yQy4nJx@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackers 
2010/11/4 KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>:
> The attached patch is a contrib module to inject a few seconds
> delay on authentication failed. It is also a proof of the concept
> using the new ClientAuthentication_hook.
>
> This module provides a similar feature to pam_faildelay on
> operating systems. Injection of a few seconds delay on
> authentication fails prevents (or makes hard at least) brute-force
> attacks, because it limits number of candidates that attacker can
> verify within a unit of time.

+1 for the feature.  We have "post_auth_delay" parameter,
but it has different purpose; it's as DEVELOPER_OPTIONS
for delay to attach a debugger.

BTW, the module could save CPU usage of the server on attacks,
but do nothing about connection flood attacks, right?
If an attacker attacks the server with multiple connections,
the server still consumes max_connections even with the module.

-- 
Itagaki Takahiro

In response to

Responses

pgsql-hackers by date

Next:From: Robert HaasDate: 2010-11-04 13:09:09
Subject: Re: contrib: auth_delay module
Previous:From: KaiGai KoheiDate: 2010-11-04 12:49:07
Subject: contrib: auth_delay module

Privacy Policy | About PostgreSQL
Copyright © 1996-2013 The PostgreSQL Global Development Group