Re: contrib: auth_delay module
From | Jan Urbański |
---|---|
Subject | Re: contrib: auth_delay module |
Date | |
Msg-id | 4CD2B17E.6090500@wulczer.org |
In reply to | Re: contrib: auth_delay module (Robert Haas <robertmhaas@gmail.com>) |
Responses | Re: contrib: auth_delay module |
List | pgsql-hackers |

On 04/11/10 14:09, Robert Haas wrote:
> On Thu, Nov 4, 2010 at 6:05 AM, Itagaki Takahiro
> <itagaki.takahiro@gmail.com> wrote:
>> 2010/11/4 KaiGai Kohei <kaigai@kaigai.gr.jp>:
>>> The attached patch is a contrib module to inject a few seconds
>>> delay on authentication failed. It is also a proof of the concept
>>> using the new ClientAuthentication_hook.
>>>
>>> This module provides a similar feature to pam_faildelay on
>>> operating systems. Injection of a few seconds delay on
>>> authentication fails prevents (or makes hard at least) brute-force
>>> attacks, because it limits number of candidates that attacker can
>>> verify within a unit of time.
>>
>> +1 for the feature. We have "post_auth_delay" parameter,
>> but it has different purpose; it's as DEVELOPER_OPTIONS
>> for delay to attach a debugger.
>>
>> BTW, the module could save CPU usage of the server on attacks,
>> but do nothing about connection flood attacks, right?
>> If an attacker attacks the server with multiple connections,
>> the server still consumes max_connections even with the module.
>
> Hmm, I wonder how useful this is given that restriction.

As KaiGai mentioned, it's more to make bruteforcing difficult (read: time
consuming), right?

Jan