Re: Bug #6337 Patch

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Florian Sabonchi <sabonchi(at)posteo(dot)de>, pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: Bug #6337 Patch
Date: 2021-07-22 09:22:31
Message-ID: CA+OCxoz1=Pu2U+JmJQshhMHLu8ztdTKguGL9=OCoskwnrwX1pw@mail.gmail.com
Lists: pgadmin-hackers

Hi

[please keep the list CC'd]

On Thu, Jul 22, 2021 at 10:14 AM Florian Sabonchi <sabonchi(at)posteo(dot)de>
wrote:

> Hello Dave,
>
> As you said, it doesn't make sense to ban IP addresses. Alternatively, a
> captcha could be implemented that prevents an attacker from trying to
> brute-force an account.
>

We did discuss using a captcha, but a) I *really* dislike them, and b) most
of the good ones require internet access which not all users have.

>
> On 22.07.21 10:31, Dave Page wrote:
> > That's more difficult to deal with - there are common deployment
> > scenarios where all connections might appear to come from a single IP,
> > for example, when behind a load balancer (there are good reasons to do
> > that, even with a single pgAdmin instance) or proxy. In such cases we
> > may or may not get an X-Forwarded-For header, and even if we do it may
> > not be reliable.
>

--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: https://www.enterprisedb.com
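
The X-Forwarded-For point quoted above, as an added example that is not part of the original message or of pgAdmin's code: it resolves the address a per-IP limit would be keyed on, honouring the header only when the TCP peer is a known proxy. The `10.0.0.0/24` proxy network, the sample addresses and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed deployment: one load balancer network in front of the application.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header=None, trusted=TRUSTED_PROXIES):
    """Return the address a per-IP limit would be keyed on.

    The header is honoured only when the TCP peer is a trusted proxy, and it
    is read right to left: each proxy appends the peer it saw, so only the
    entries appended by our own proxies can be relied on.
    """
    if not xff_header or not is_trusted(remote_addr, trusted):
        return remote_addr  # direct connection, or header sent by an unknown peer
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            # First hop outside our control: validate it before using it as a key.
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr
    return remote_addr  # header listed only our own proxies


def throttle_keys(requests, trusted=TRUSTED_PROXIES):
    """Map each (remote_addr, xff_header) request to its per-IP throttle key."""
    return [client_ip(addr, xff, trusted) for addr, xff in requests]
```

When the proxy sends no header, every request resolves to the proxy's own address, so a per-IP ban would lock out all users at once.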
