Re: contrib: auth_delay module

From Robert Haas
Subject Re: contrib: auth_delay module
Date
Msg-id AANLkTinLoJSTNOpPUoOC1Q=dGRT7LRxv5gr1Xez1DAha@mail.gmail.com
In response to Re: contrib: auth_delay module  (Jeff Janes <jeff.janes@gmail.com>)
List pgsql-hackers
On Sun, Nov 28, 2010 at 7:10 PM, Jeff Janes <jeff.janes@gmail.com> wrote:
> Oh, I wasn't complaining.  I think that having max_connections be
> charged for the duration even if the socket is dropped is the only
> reasonable thing to do, and wanted to verify that it did happen.
> Otherwise the module wouldn't do a very good job at its purpose, the
> attacker would simply wait a few milliseconds and then assume it got
> the wrong password and kill the connection and start a new one.

Good point.

> Preventing the brute force password attack by shunting it into a DOS
> attack instead seems reasonable.

OK.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

