Re: contrib: auth_delay module

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Jan Urbański <wulczer(at)wulczer(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, PostgreSQL-Hackers <pgsql-hackers(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: contrib: auth_delay module
Date: 2010-11-04 14:04:55
Message-ID: AANLkTikw=YPZjjjODypZZ=SwW4Q7NtjJwj_Gx=5dz8B2@mail.gmail.com
Lists: pgsql-hackers

On Thu, Nov 4, 2010 at 6:35 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Jan Urbański (wulczer(at)wulczer(dot)org) wrote:
>> On 04/11/10 14:09, Robert Haas wrote:
>> > Hmm, I wonder how useful this is given that restriction.
>>
>> As KaiGai mentioned, it's more to make bruteforcing difficult (read: time
>> consuming), right?
>
> Which it would still do, since the attacker would be bumping up against
> max_connections.  max_connections would be a DOS point, but that's no
> different from today.  Other things could be put in place to address
> that (max # of connections from a given IP or range could be implemented
> using iptables, as an example).
>
> 5 second delay w/ max connections at 100 would mean max of 20 attempts
> per second, no?  That's a lot fewer than 100*(however many attempts can
> be done in a second).  Doing a stupid while true; psql -d blah; done
> managed to get 50 successful ident auths+no-db-found errors done in a
> second on one box here.  5000 >> 20, and I wasn't even trying.

OK. I was just asking. I don't object to it if people think it's
useful, especially if they are looking at it as "I would actually use
this on my system" rather than "I can imagine a hypothetical person
using this".

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
