Home > mailing lists

Thread: contrib: auth_delay module

contrib: auth_delay module

From

成之焕

Date:

16 November 2022, 06:37:25

font{ line-height: 1.6; } ul,ol{ padding-left: 20px; list-style-position: inside; }

The attached patch is a contrib module to set login restrictions on users with

too many authentication failure. The administrator could manage several GUC

parameters to control the login restrictions which are listed below.

- set the wait time when password authentication fails.

- allow the wait time grows when users of the same IP consecutively logon failed.

- set the maximum authentication failure number from the same user. The system

will prevent a user who gets too many authentication failures from entering the

database.

I hope this will be useful to future development.

Thanks.

-----

zhcheng@ceresdata.com

Attachment

pgsql-v12.8-auth-delay.1.patch

Re: contrib: auth_delay module

From

Tom Lane

Date:

18 November 2022, 01:37:51

=?UTF-8?B?5oiQ5LmL54SV?= <zhcheng@ceresdata.com> writes:
> The attached patch is a contrib module  to set login restrictions on users with
> too many authentication failure. The administrator could manage several GUC
> parameters to control the login restrictions which are listed below.
> - set the wait time when password authentication fails.
> - allow the wait time grows when users of the same IP consecutively logon failed.
> - set the maximum authentication failure number from the same user. The system
> will prevent a user who gets too many authentication failures from entering the
> database.

I'm not yet forming an opinion on whether this is useful enough
to accept.  However, I wonder why you chose to add this functionality
to auth_delay instead of making a new, independent module.
It seems fairly unrelated to what auth_delay does, and the
newly-created requirement that the module be preloaded might
possibly break some existing use-case for auth_delay.

Also, a patch that lacks user documentation and has no code comments to
speak of seems unlikely to draw serious review.

            regards, tom lane

Re: contrib: auth_delay module

From

Julien Rouhaud

Date:

18 November 2022, 10:13:01

On Thu, Nov 17, 2022 at 05:37:51PM -0500, Tom Lane wrote:
> =?UTF-8?B?5oiQ5LmL54SV?= <zhcheng@ceresdata.com> writes:
> > The attached patch is a contrib module  to set login restrictions on users with
> > too many authentication failure. The administrator could manage several GUC
> > parameters to control the login restrictions which are listed below.
> > - set the wait time when password authentication fails.
> > - allow the wait time grows when users of the same IP consecutively logon failed.
> > - set the maximum authentication failure number from the same user. The system
> > will prevent a user who gets too many authentication failures from entering the
> > database.
>
> I'm not yet forming an opinion on whether this is useful enough
> to accept.

I'm not sure that doing that on the backend side is really a great idea, an
attacker will still be able to exhaust available connection slots.

If your instance is reachable from some untrusted network (which already sounds
scary), it's much easier to simply configure something like fail2ban to provide
the same feature in a more efficient way.  You can even block access to other
services too while at it.

Note that there's also an extension to log failed connection attempts on an
alternate file with a fixed simple format if you're worried about your regular
logs are too verbose.