Re: contrib: auth_delay module

Robert Haas <robertmhaas@gmail.com>

From: Robert Haas <robertmhaas@gmail.com>
To: Itagaki Takahiro <itagaki.takahiro@gmail.com>
Cc: KaiGai Kohei <kaigai@kaigai.gr.jp>, PostgreSQL-Hackers <pgsql-hackers@postgresql.org>, KaiGai Kohei <kaigai@ak.jp.nec.com>
Date: 2010-11-04T13:09:09Z
Lists: pgsql-hackers
On Thu, Nov 4, 2010 at 6:05 AM, Itagaki Takahiro
<itagaki.takahiro@gmail.com> wrote:
> 2010/11/4 KaiGai Kohei <kaigai@kaigai.gr.jp>:
>> The attached patch is a contrib module to inject a few seconds
>> delay on authentication failed. It is also a proof of the concept
>> using the new ClientAuthentication_hook.
>>
>> This module provides a similar feature to pam_faildelay on
>> operating systems. Injection of a few seconds delay on
>> authentication fails prevents (or makes hard at least) brute-force
>> attacks, because it limits number of candidates that attacker can
>> verify within a unit of time.
>
> +1 for the feature.  We have "post_auth_delay" parameter,
> but it has different purpose; it's as DEVELOPER_OPTIONS
> for delay to attach a debugger.
>
> BTW, the module could save CPU usage of the server on attacks,
> but do nothing about connection flood attacks, right?
> If an attacker attacks the server with multiple connections,
> the server still consumes max_connections even with the module.

Hmm, I wonder how useful this is given that restriction.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company