Re: contrib: auth_delay module

From: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
To: Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>
Cc: PostgreSQL-Hackers <pgsql-hackers(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: contrib: auth_delay module
Date: 2010-11-04 13:55:15
Message-ID: 4CD2BB43.80507@kaigai.gr.jp
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

(2010/11/04 22:05), Itagaki Takahiro wrote:
> 2010/11/4 KaiGai Kohei<kaigai(at)kaigai(dot)gr(dot)jp>:
>> The attached patch is a contrib module to inject a few seconds
>> delay on authentication failed. It is also a proof of the concept
>> using the new ClientAuthentication_hook.
>>
>> This module provides a similar feature to pam_faildelay on
>> operating systems. Injection of a few seconds delay on
>> authentication fails prevents (or makes hard at least) brute-force
>> attacks, because it limits number of candidates that attacker can
>> verify within a unit of time.
>
> +1 for the feature. We have "post_auth_delay" parameter,
> but it has different purpose; it's as DEVELOPER_OPTIONS
> for delay to attach a debugger.
>
> BTW, the module could save CPU usage of the server on attacks,
> but do nothing about connection flood attacks, right?
> If an attacker attacks the server with multiple connections,
> the server still consumes max_connections even with the module.
>
Good point. The pam_faildelay being the model of this feature also
does nothing for flood of connections attack.
However, if it closes the connection immediately, the attacker can
try to verify next candidate very soon. Do you have any good idea?

Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2010-11-04 14:04:55 Re: contrib: auth_delay module
Previous Message Tom Lane 2010-11-04 13:49:41 Re: why does plperl cache functions using just a bool for is_trigger