From: | Dawid Kuroczko <qnex42(at)gmail(dot)com> |
---|---|
To: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: brute force attacking the password |
Date: | 2005-04-18 20:59:39 |
Message-ID: | 758d5e7f0504181359974fe9@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin |
> > No, there is not. Does anyone want to suggest a possible implementation
> > for the TODO list?
> I would like to see a combination of number of login failures and a
> timeout, configurable via the conf file. Say, X login failures
> disables further logins for that account for Y minutes.
>
> That would be groovy. :)
And dangerous. Imagine a system with say, apache accound used
from some Apache application. And a maluser who purposefully
tries to log in to "apache" account and fails, thus causing a DoS
on the web application. :)
...of course with careful planning and right implementation it
would be very good.
Anyway, a simple 'sleep 2 seconds before telling that password
was wrong' would be a good addition anyhow. [ if it already is
inside PgSQL, please forgive me :) ]
Regards,
Dawid
From | Date | Subject | |
---|---|---|---|
Next Message | Pallav Kalva | 2005-04-18 21:05:53 | Re: Postgres Log rotation not working in 8.0.2 |
Previous Message | Bruce Momjian | 2005-04-18 20:55:45 | Re: brute force attacking the password |