Re: contrib: auth_delay module

Stephen Frost <sfrost@snowman.net>

From: Stephen Frost <sfrost@snowman.net>
To: Jan Urbański <wulczer@wulczer.org>
Cc: Robert Haas <robertmhaas@gmail.com>, Itagaki Takahiro <itagaki.takahiro@gmail.com>, KaiGai Kohei <kaigai@kaigai.gr.jp>, PostgreSQL-Hackers <pgsql-hackers@postgresql.org>, KaiGai Kohei <kaigai@ak.jp.nec.com>
Date: 2010-11-04T13:35:16Z
Lists: pgsql-hackers
* Jan Urbański (wulczer@wulczer.org) wrote:
> On 04/11/10 14:09, Robert Haas wrote:
> > Hmm, I wonder how useful this is given that restriction.
> 
> As KaiGai mentined, it's more to make bruteforcing difficult (read: tmie
> consuming), right?

Which it would still do, since the attacker would be bumping up against
max_connections.  max_connections would be a DOS point, but that's no
different from today.  Other things could be put in place to address
that (max # of connections from a given IP or range could be implemented
using iptables, as an example).

5 second delay w/ max connections at 100 would mean max of 20 attempts
per second, no?  That's alot fewer than 100*(however many attempts can
be done in a second).  Doing a stupid while true; psql -d blah; done
managed to get 50 successful ident auths+no-db-found errors done in a
second on one box here.  5000 >> 20, and I wasn't even trying.

	Thanks,

		Stephen