Re: Failed Login Attempts parameter - Mailing list pgsql-admin

From Craig Ringer
Subject Re: Failed Login Attempts parameter
Date
Msg-id 50A4B42B.1090308@2ndQuadrant.com
In response to Re: Failed Login Attempts parameter  (Lukasz Brodziak <lukasz.brodziak@gmail.com>)
Responses Re: Failed Login Attempts parameter  (Lukasz Brodziak <lukasz.brodziak@gmail.com>)
List pgsql-admin

On 11/15/2012 04:40 PM, Lukasz Brodziak wrote:
> Hi,
>
> As far as I know there is no such parameter in PG. If you use PG as a
> database for your program you can implement the feature in the
> application by logging the failed logins in separate table (or the one
> holding application users and their passwords) and then disable login
> for the user if number of failures is bigger than specified value.
> Another way is to create a function in postgresql which will check
> failed login count and if the attempts go bigger than specified number
> it will run a REVOKE on the user role thus disabling login. Then admin
> will have to run GRANT for the user manually.

Another option would be to monitor syslog or the csvlog and lock the
user out by changing their password or revoking CONNECT rights if they
trip the threshold. It wouldn't be as responsive to high-rate brute
forcing attempts but your IDS should be handling those already.

--
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
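
The csvlog-monitoring approach suggested above, as an added example that is not part of the original message: it counts invalid-password failures (SQLSTATE 28P01) per role in a sliding window and builds the REVOKE statement for roles that trip the threshold. The function names, threshold, window and sample rows are assumptions made for illustration; the statement is only generated, not executed.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

INVALID_PASSWORD = "28P01"  # SQLSTATE that PostgreSQL logs for a wrong password

# Constructed sample rows: the first 14 csvlog columns (log_time .. message).
SAMPLE_CSVLOG = '''\
2012-11-15 16:40:01.120 UTC,"alice","appdb",4101,"10.0.0.5:50122",50a4b001.1005,1,"authentication",2012-11-15 16:40:01 UTC,2/0,0,FATAL,28P01,"password authentication failed for user ""alice"""
2012-11-15 16:40:05.300 UTC,"bob","appdb",4102,"10.0.0.6:50130",50a4b005.1006,1,"authentication",2012-11-15 16:40:05 UTC,3/0,0,FATAL,28P01,"password authentication failed for user ""bob"""
2012-11-15 16:40:09.450 UTC,"alice","appdb",4103,"10.0.0.5:50124",50a4b009.1007,1,"authentication",2012-11-15 16:40:09 UTC,2/0,0,FATAL,28P01,"password authentication failed for user ""alice"""
2012-11-15 16:40:12.000 UTC,"dave","appdb",4104,"10.0.0.7:50140",50a4b00c.1008,1,"authentication",2012-11-15 16:40:12 UTC,4/0,0,LOG,00000,"connection authorized: user=dave database=appdb"
2012-11-15 16:40:20.010 UTC,"alice","appdb",4105,"10.0.0.5:50126",50a4b014.1009,1,"authentication",2012-11-15 16:40:20 UTC,2/0,0,FATAL,28P01,"password authentication failed for user ""alice"""
2012-11-15 16:41:00.000 UTC,"carol","appdb",4106,"10.0.0.8:50150",50a4b03c.100a,1,"authentication",2012-11-15 16:41:00 UTC,5/0,0,FATAL,28P01,"password authentication failed for user ""carol"""
2012-11-15 16:46:00.000 UTC,"carol","appdb",4107,"10.0.0.8:50152",50a4b168.100b,1,"authentication",2012-11-15 16:46:00 UTC,5/0,0,FATAL,28P01,"password authentication failed for user ""carol"""
2012-11-15 16:51:00.000 UTC,"carol","appdb",4108,"10.0.0.8:50154",50a4b294.100c,1,"authentication",2012-11-15 16:51:00 UTC,5/0,0,FATAL,28P01,"password authentication failed for user ""carol"""
'''


def tripped_roles(csv_text, threshold=3, window_s=60):
    """Return roles with >= threshold password failures inside window_s seconds."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # role -> timestamps of failures still in window
    tripped = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 14 or row[12] != INVALID_PASSWORD:
            continue  # blank line, short row, or not an invalid-password event
        # Assumes every row uses the same time zone; only the first 23 chars are parsed.
        when = datetime.strptime(row[0][:23], "%Y-%m-%d %H:%M:%S.%f")
        times = recent[row[1]]  # row[1] is the user_name column
        times.append(when)
        while when - times[0] > window:
            times.popleft()  # drop failures that fell out of the window
        if len(times) >= threshold and row[1] not in tripped:
            tripped.append(row[1])
    return tripped


def lockout_sql(role, database):
    """Build the REVOKE for a tripped role, quoting both identifiers."""
    def quote(ident):
        return '"' + ident.replace('"', '""') + '"'
    return f"REVOKE CONNECT ON DATABASE {quote(database)} FROM {quote(role)};"
```

Revoking CONNECT from a single role only blocks its logins if CONNECT is not also available through PUBLIC, which holds it on new databases by default.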
