Re: Failed Login Attempts parameter

From: Craig Ringer <craig(at)2ndQuadrant(dot)com>
To: Lukasz Brodziak <lukasz(dot)brodziak(at)gmail(dot)com>
Cc: Frank Cavaliero <fcavalie(at)us(dot)ibm(dot)com>, pgsql-admin(at)postgresql(dot)org
Subject: Re: Failed Login Attempts parameter
Date: 2012-11-15 09:21:47
Message-ID: 50A4B42B.1090308@2ndQuadrant.com
Lists: pgsql-admin

On 11/15/2012 04:40 PM, Lukasz Brodziak wrote:
> Hi,
>
> As far as I know there is no such parameter in PG. If you use PG as a
> database for your program you can implement the feature in the
> application by logging the failed logins in separate table (or the one
> holding application users and their passwords) and then disable login
> for the user if number of failures is bigger than specified value.
> Another way is to create a function in postgresql which will check
> failed login count and if the attempts go bigger than specified number
> it will run a REVOKE on the user role thus disabling login. Then admin
> will have to run GRANT for the user manually.

Another option would be to monitor syslog or the csvlog and lock the
user out by changing their password or revoking CONNECT rights if they
trip the threshold. It wouldn't be as responsive to high-rate brute
forcing attempts, but your IDS should be handling those already.

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
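
The csvlog-monitoring approach described in the message above, as an added example that is not part of the original email or of PostgreSQL itself. It assumes the standard csvlog column order, that failed password checks are logged with SQLSTATE 28P01, and that all rows share one time zone; the function names, threshold, window and sample log lines are constructed for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed csvlog column positions: log_time, user_name, database_name, sql_state_code.
LOG_TIME, USER_NAME, DATABASE_NAME, SQLSTATE = 0, 1, 2, 12
INVALID_PASSWORD = "28P01"  # SQLSTATE logged for a failed password check

# Constructed sample log lines (not from a real server).
SAMPLE = '''\
2012-11-15 09:00:00.000 UTC,"bob","appdb",4100,"192.0.2.7:40100",s1,1,"authentication",2012-11-15 09:00:00 UTC,,0,FATAL,28P01,"password authentication failed for user ""bob"""
2012-11-15 09:05:00.000 UTC,"carol","appdb",4101,"192.0.2.8:40101",s2,1,"authentication",2012-11-15 09:05:00 UTC,2/1,0,LOG,00000,"connection authorized: user=carol database=appdb"
2012-11-15 09:10:00.000 UTC,"bob","appdb",4102,"192.0.2.7:40102",s3,1,"authentication",2012-11-15 09:10:00 UTC,,0,FATAL,28P01,"password authentication failed for user ""bob"""
2012-11-15 09:11:00.000 UTC,"bob","appdb",4103,"192.0.2.7:40103",s4,1,"authentication",2012-11-15 09:11:00 UTC,,0,FATAL,28P01,"password authentication failed for user ""bob"""
2012-11-15 09:20:01.100 UTC,"alice","appdb",4242,"192.0.2.10:50000",s5,1,"authentication",2012-11-15 09:20:01 UTC,,0,FATAL,28P01,"password authentication failed for user ""alice"""
2012-11-15 09:20:40.200 UTC,"alice","appdb",4243,"192.0.2.10:50001",s6,1,"authentication",2012-11-15 09:20:40 UTC,,0,FATAL,28P01,"password authentication failed for user ""alice"""
2012-11-15 09:21:30.300 UTC,"alice","appdb",4244,"192.0.2.10:50002",s7,1,"authentication",2012-11-15 09:21:30 UTC,,0,FATAL,28P01,"password authentication failed for user ""alice"""
'''

def quote_ident(name):
    """Quote an SQL identifier; the name in the log is whatever the client sent."""
    return '"' + name.replace('"', '""') + '"'

def find_lockouts(csvlog, threshold=3, window=timedelta(minutes=5)):
    """Return sorted (user, database) pairs with >= threshold failures inside window."""
    recent = defaultdict(deque)  # (user, database) -> failure times still in the window
    tripped = set()
    for row in csv.reader(csvlog):
        if len(row) <= SQLSTATE or row[SQLSTATE] != INVALID_PASSWORD:
            continue
        # Keep "YYYY-MM-DD HH:MM:SS"; fractional seconds and zone are dropped.
        when = datetime.strptime(row[LOG_TIME][:19], "%Y-%m-%d %H:%M:%S")
        times = recent[(row[USER_NAME], row[DATABASE_NAME])]
        times.append(when)
        while when - times[0] > window:  # expire failures older than the window
            times.popleft()
        if len(times) >= threshold:
            tripped.add((row[USER_NAME], row[DATABASE_NAME]))
    return sorted(tripped)

def revoke_statements(pairs):
    """Build the REVOKE CONNECT statements for an admin to review and run."""
    # The REVOKE blocks login only if CONNECT is not also granted to PUBLIC.
    return ["REVOKE CONNECT ON DATABASE %s FROM %s;" % (quote_ident(db), quote_ident(user))
            for user, db in pairs]

if __name__ == "__main__":
    print("\n".join(revoke_statements(find_lockouts(io.StringIO(SAMPLE)))))
```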
