Re: contrib: auth_delay module
From | Robert Haas |
---|---|
Subject | Re: contrib: auth_delay module |
Date | |
Msg-id | AANLkTikNvxb_H5hca4VJ0mHqNoe+ggchoU9XOnncUO-J@mail.gmail.com |
In response to | Re: contrib: auth_delay module (Itagaki Takahiro <itagaki.takahiro@gmail.com>) |
Responses | Re: contrib: auth_delay module |
List | pgsql-hackers |

On Thu, Nov 4, 2010 at 6:05 AM, Itagaki Takahiro <itagaki.takahiro@gmail.com> wrote:
> 2010/11/4 KaiGai Kohei <kaigai@kaigai.gr.jp>:
>> The attached patch is a contrib module to inject a few seconds
>> delay on authentication failed. It is also a proof of the concept
>> using the new ClientAuthentication_hook.
>>
>> This module provides a similar feature to pam_faildelay on
>> operating systems. Injection of a few seconds delay on
>> authentication fails prevents (or makes hard at least) brute-force
>> attacks, because it limits number of candidates that attacker can
>> verify within a unit of time.
>
> +1 for the feature. We have "post_auth_delay" parameter,
> but it has different purpose; it's as DEVELOPER_OPTIONS
> for delay to attach a debugger.
>
> BTW, the module could save CPU usage of the server on attacks,
> but do nothing about connection flood attacks, right?
> If an attacker attacks the server with multiple connections,
> the server still consumes max_connections even with the module.

Hmm, I wonder how useful this is given that restriction.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
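
Added example, not part of the thread or of the auth_delay patch: a small slot-occupancy model of the trade-off discussed above, showing that a delay on failed authentication cuts the number of candidates tested per second while the connection slots stay occupied. Every parameter (10 ms check time, client counts, 30 s window, one legitimate login per second) is an assumed value chosen for illustration.

```python
import heapq

def simulate(max_connections, attackers, delay_ms, check_ms=10,
             legit_every_ms=1000, legit_session_ms=500, duration_ms=30_000):
    """Return (attacker guesses per second, fraction of legit logins refused)."""
    # Assumption: the attack is already running at t=0. Clients beyond
    # max_connections never find a free slot, so only the first ones are active.
    active = min(attackers, max_connections)
    busy = active
    guesses = ok = refused = 0
    hold_ms = check_ms + delay_ms           # time a slot is held per failed attempt
    events = [(hold_ms, i, "attack_done") for i in range(active)]
    events.append((legit_every_ms // 2, active, "legit_connect"))
    heapq.heapify(events)
    seq = active + 1                        # unique tie-breaker for the heap
    while events:
        t, _, kind = heapq.heappop(events)
        if t > duration_ms:
            break
        if kind == "attack_done":
            guesses += 1                    # one candidate password was tested
            nxt = (t + hold_ms, seq, kind)  # client reconnects at once, slot stays busy
        elif kind == "legit_connect":
            if busy < max_connections:
                busy += 1
                ok += 1
                heapq.heappush(events, (t + legit_session_ms, seq, "legit_done"))
                seq += 1
            else:
                refused += 1                # "too many clients" for the real user
            nxt = (t + legit_every_ms, seq, kind)
        else:                               # legit_done: the session frees its slot
            busy -= 1
            continue
        heapq.heappush(events, nxt)
        seq += 1
    return guesses / (duration_ms / 1000), refused / (ok + refused)

if __name__ == "__main__":
    for attackers in (50, 200):
        for delay_ms in (0, 2000):
            rate, lost = simulate(100, attackers, delay_ms)
            print(f"clients={attackers:3d} delay={delay_ms:4d}ms "
                  f"guesses/s={rate:8.1f} legit refused={lost:.0%}")
```

In this model the delay lowers the guess rate by roughly the ratio of hold times, but once the number of failing clients reaches max_connections, legitimate logins are refused with or without the delay.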