Re: contrib: auth_delay module - Mailing list pgsql-hackers

From Julien Rouhaud
Subject Re: contrib: auth_delay module
Date
Msg-id 20221118071301.d3m4s3s7x33f6q5i@jrouhaud
Whole thread Raw
In response to Re: contrib: auth_delay module  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Thu, Nov 17, 2022 at 05:37:51PM -0500, Tom Lane wrote:
> =?UTF-8?B?5oiQ5LmL54SV?= <zhcheng@ceresdata.com> writes:
> > The attached patch is a contrib module  to set login restrictions on users with
> > too many authentication failure. The administrator could manage several GUC
> > parameters to control the login restrictions which are listed below.
> > - set the wait time when password authentication fails.
> > - allow the wait time grows when users of the same IP consecutively logon failed.
> > - set the maximum authentication failure number from the same user. The system
> > will prevent a user who gets too many authentication failures from entering the
> > database.
>
> I'm not yet forming an opinion on whether this is useful enough
> to accept.

I'm not sure that doing that on the backend side is really a great idea, an
attacker will still be able to exhaust available connection slots.

If your instance is reachable from some untrusted network (which already sounds
scary), it's much easier to simply configure something like fail2ban to provide
the same feature in a more efficient way.  You can even block access to other
services too while at it.

Note that there's also an extension to log failed connection attempts on an
alternate file with a fixed simple format if you're worried about your regular
logs are too verbose.



pgsql-hackers by date:

Previous
From: Peter Smith
Date:
Subject: Re: Perform streaming logical transactions by background workers and parallel apply
Next
From: John Naylor
Date:
Subject: Re: [PoC] Improve dead tuple storage for lazy vacuum