Thread: Failed Login Attempts in PostgreSQL

Failed Login Attempts in PostgreSQL

From
Jagmohan Kaintura
Date:
Hi Team,
I was looking for a workaround on how we can configure Failed Login attempts feature of Oracle in PostgreSQL.
The only requirement is the end user shouldn't be allowed to log in after an "n" number of unsuccessful attempts.

Users have the ability to perform all operations on the underlying tables. So we wanted to restrict after doing "n" unsuccessful attempts.

I couldn't get any source anywhere.

Best Regards,
Jagmohan

Re: Failed Login Attempts in PostgreSQL

From
Magnus Hagander
Date:
On Fri, Nov 13, 2020 at 11:03 AM Jagmohan Kaintura
<jagmohan@tecorelabs.com> wrote:
>
> Hi Team,
> I was looking for a workaround on how we can configure Failed Login attempts feature of Oracle in PostgreSQL.
> The only requirement is the end user shouldn't be allowed to log in after an "n" number of unsuccessful attempts.
>
> Users have the ability to perform all operations on the underlying tables. So we wanted to restrict after doing "n" unsuccessful attempts.
>
> I couldn't get any source anywhere.

You can use fail2ban for example. See for example this thread here
https://www.postgresql.org/message-id/flat/61463e206b7c4c0ca17b03a59e890b78%40lmco.com,
and the config on https://github.com/rc9000/postgres-fail2ban-lockout.
(probably needs some small adaptations, but as a base it should work).

-- 
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/



Re: Failed Login Attempts in PostgreSQL

From
"Wolff, Ken L"
Date:
> You can use fail2ban for example. See for example this thread here https://www.postgresql.org/message-id/flat/61463e206b7c4c0ca17b03a59e890b78%40lmco.com,
> and the config on https://github.com/rc9000/postgres-fail2ban-lockout.
> (probably needs some small adaptations, but as a base it should work).
>
> --
> Magnus Hagander
> Me: https://www.hagander.net/
> Work: https://www.redpill-linpro.com/


Having been down this road myself, these are the options I eventually identified. Each obviously has its benefits and drawbacks:

  • Change the Postgres source code and deploy a new version.  Believe there are examples of how to do this in Git.
  • Disable/disallow local accounts and rely on LDAP.  Be aware passwords would be passed in clear text across the network unless your DCs require SSL.
  • Disable/disallow local accounts and rely on PKI certificates.  I don’t know that this would necessarily limit failed login attempts but is definitely much more secure.
  • Procure a vendor-supported version of PostgreSQL which offers this functionality.
  • Fail2ban, as Magnus observed.
  • Leverage something like Splunk monitoring to identify failed logins and then reach back into the database to lock accounts when appropriate.

Hope this is of some help.

Ken
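As an added illustration of the detection-then-lock approach that both Magnus (fail2ban watching the server log) and Ken (monitoring that reaches back into the database to lock accounts) describe, the following is example code written for this thread; it is not from the postgres-fail2ban-lockout project nor anything the posters shipped. It assumes the server writes its log with the default `log_line_prefix` of `'%m [%p] '` and emits the standard `FATAL:  password authentication failed for user "..."` message on a bad password; the log lines, the threshold and the window are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a PostgreSQL server log (not taken from the thread).
# Layout follows log_line_prefix '%m [%p] ' (timestamp with ms, zone, pid).
SAMPLE_LOG = """\
2020-11-13 11:01:02.001 UTC [2201] FATAL:  password authentication failed for user "app_user"
2020-11-13 11:01:02.002 UTC [2201] DETAIL:  Connection matched pg_hba.conf line 90: "host all all 10.0.0.0/8 md5"
2020-11-13 11:01:05.120 UTC [2202] FATAL:  password authentication failed for user "app_user"
2020-11-13 11:01:09.444 UTC [2203] FATAL:  password authentication failed for user "app_user"
2020-11-13 11:01:10.000 UTC [2204] LOG:  connection authorized: user=report_user database=sales
2020-11-13 11:01:12.777 UTC [2205] FATAL:  password authentication failed for user "report_user"
2020-11-13 11:01:15.300 UTC [2206] FATAL:  password authentication failed for user "app_user"
2020-11-13 11:20:00.000 UTC [2207] FATAL:  password authentication failed for user "report_user"
"""

# The same pattern a fail2ban failregex for this log format would carry
# (fail2ban adds its own <HOST> tag when the prefix also logs the client address).
FAILED_AUTH_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] '
    r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"'
)


def parse_failures(log_text):
    """Return [(timestamp, role_name), ...] for every failed password login in the log."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            failures.append((ts, m.group("user")))
    return failures


def users_over_threshold(failures, n, window=timedelta(minutes=10)):
    """Roles with at least n failures inside some sliding window of length `window`.

    A fixed-window count (e.g. per calendar hour) misses bursts that straddle the
    boundary, so the window slides over the sorted timestamps of each role.
    """
    by_user = defaultdict(list)
    for ts, user in failures:
        by_user[user].append(ts)

    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until times[start..end] fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= n:
                flagged.add(user)
                break
    return sorted(flagged)


def lockout_statements(users):
    """SQL a monitoring hook would execute to disable the flagged roles.

    Identifiers are double-quoted with embedded quotes doubled, so a role name
    taken from the log cannot alter the statement's structure.
    """
    return ['ALTER ROLE "%s" NOLOGIN;' % u.replace('"', '""') for u in users]


def lockout_plan(log_text, n, window=timedelta(minutes=10)):
    """End-to-end: parse the log, apply the threshold, emit the lock statements."""
    return lockout_statements(users_over_threshold(parse_failures(log_text), n, window))


if __name__ == "__main__":
    # "n" = 3 failures within 10 minutes locks app_user; report_user's two
    # failures are 19 minutes apart and stay below the threshold.
    for stmt in lockout_plan(SAMPLE_LOG, n=3):
        print(stmt)
```

The threshold function flags a role name, not a client address, because that is what the original question asks for; the trade-off is that anyone who knows a role name can lock that role out by deliberately failing `n` times, so a production job should also record the client address (`%h` in `log_line_prefix`) and have an unlock path. Running the generated `ALTER ROLE ... NOLOGIN` requires a connection as a role with `CREATEROLE` or superuser, which is the "reach back into the database" step in Ken's last option.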