| From: | Craig Ringer <craig(at)2ndQuadrant(dot)com> |
|---|---|
| To: | Lukasz Brodziak <lukasz(dot)brodziak(at)gmail(dot)com> |
| Cc: | Frank Cavaliero <fcavalie(at)us(dot)ibm(dot)com>, pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: Failed Login Attempts parameter |
| Date: | 2012-11-15 09:21:47 |
| Message-ID: | 50A4B42B.1090308@2ndQuadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
On 11/15/2012 04:40 PM, Lukasz Brodziak wrote:
> Hi,
>
> As far as I know there is no such parameter in PG. If you use PG as a
> database for your program you can implement the feature in the
> appplication by logging the failed logins in separate table(or the one
> holding application users and their passwords) and then disable login
> for the user if number of failures is bigger than specified value.
> Another way is to create a function in postgresql which will check
> failed login count and if the attempts go bigger than specified number
> it will run a REVOKE on the user role thus disabling login. Then admin
> will have to run GRANT for the user manually.
Another option would be to monitor syslog or the csvlog and lock the
user out by changing their password or revoking CONNECT rights if they
trip the threshold. It wouldn't be as responsive to high-rate brute
forcing attempts but your IDS should be handing those already.
--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Lukasz Brodziak | 2012-11-15 09:32:21 | Re: Failed Login Attempts parameter |
| Previous Message | Shams Khan | 2012-11-15 09:11:34 | Re: Query Stuck in running server |