Re: brute force attacking the password
| From | Dawid Kuroczko |
|---|---|
| Subject | Re: brute force attacking the password |
| Date | |
| Msg-id | 758d5e7f0504181359974fe9@mail.gmail.com |
| In response to | Re: brute force attacking the password ("C. Bensend" <benny@bennyvision.com>) |
| Responses | Re: brute force attacking the password; Re: brute force attacking the password |
| List | pgsql-admin |
> > No, there is not. Does anyone want to suggest a possible implementation
> > for the TODO list?
> I would like to see a combination of number of login failures and a
> timeout, configurable via the conf file. Say, X login failures
> disables further logins for that account for Y minutes.
>
> That would be groovy. :)
And dangerous. Imagine a system with, say, an apache account used
from some Apache application. And a maluser who purposefully
tries to log in to "apache" account and fails, thus causing a DoS
on the web application. :)
...of course with careful planning and right implementation it
would be very good.
Anyway, a simple 'sleep 2 seconds before telling that password
was wrong' would be a good addition anyhow. [ if it already is
inside PgSQL, please forgive me :) ]
Regards,
Dawid
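
Added example, not part of the original message and not PostgreSQL code: a small simulation of the "X login failures disables logins for Y minutes" rule discussed above, showing how a lockout keyed on the account alone locks out the legitimate application. Keying the counter on account plus client address is shown as one possible alternative and is an assumption of this example; the class, function names and addresses are hypothetical and constructed.

```python
# Added illustration; LoginThrottle and simulate are hypothetical names, not PostgreSQL code.
from collections import defaultdict

class LoginThrottle:
    """After max_failures bad passwords, refuse logins for lock_seconds."""
    def __init__(self, max_failures, lock_seconds, per_source=False):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.per_source = per_source          # assumption: count per (account, address)
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, account, source, password_ok, now):
        """Return 'ok', 'bad-password' or 'locked' for one attempt at time `now` (seconds)."""
        key = (account, source if self.per_source else None)
        until = self.locked_until.get(key)
        if until is not None:
            if now < until:
                return "locked"               # refused without checking the password
            del self.locked_until[key]        # timeout expired: start counting again
            self.failures[key] = 0
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lock_seconds
        return "bad-password"

def simulate(per_source):
    """Constructed scenario: three bad logins on 'apache', then the web application connects."""
    t = LoginThrottle(max_failures=3, lock_seconds=600, per_source=per_source)
    for second in range(3):
        t.attempt("apache", "203.0.113.9", password_ok=False, now=second)
    app = t.attempt("apache", "192.0.2.10", password_ok=True, now=10)
    other = t.attempt("apache", "203.0.113.9", password_ok=False, now=11)
    later = t.attempt("apache", "192.0.2.10", password_ok=True, now=700)
    return app, other, later

if __name__ == "__main__":
    print("per-account lockout:", simulate(per_source=False))
    print("per-source lockout: ", simulate(per_source=True))
```

With the per-account counter the application's correct password is refused until the timeout expires; with the per-source counter only the failing address is refused. Clients that share one address would still share a counter under the second design.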