On Thu, Nov 17, 2022 at 05:37:51PM -0500, Tom Lane wrote:
> 成之焕 <zhch...@ceresdata.com> writes:
> > The attached patch is a contrib module to set login restrictions on users with
> > too many authentication failure. The administrator could manage several GUC
> > parameters to control the login restrictions which are listed below.
> > - set the wait time when password authentication fails.
> > - allow the wait time grows when users of the same IP consecutively logon failed.
> > - set the maximum authentication failure number from the same user. The system
> >   will prevent a user who gets too many authentication failures from entering the
> >   database.
>
> I'm not yet forming an opinion on whether this is useful enough
> to accept.

I'm not sure that doing that on the backend side is really a great idea; an attacker will still be able to exhaust available connection slots. If your instance is reachable from some untrusted network (which already sounds scary), it's much easier to simply configure something like fail2ban to provide the same feature in a more efficient way. You can even block access to other services too while at it. Note that there's also an extension to log failed connection attempts to an alternate file with a fixed simple format if you're worried that your regular logs are too verbose.
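
Added example, not part of the thread or of any PostgreSQL or fail2ban code: a minimal sketch of the log-side counting a fail2ban-style tool performs over PostgreSQL server logs. It assumes `log_line_prefix = '%m [%p] %h '` so the client address appears on every line; `hosts_to_ban`, its `maxretry`/`findtime` parameters (named after the fail2ban settings) and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at line start so that failure text echoed inside a logged
# statement (last sample line) is never counted as a real failure.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] '
    r'(?P<host>\S+) FATAL:\s+password authentication failed for user "[^"]*"'
)

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {host: time of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)  # host -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["host"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["host"]]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry:
            # A real deployment would hand the address to the firewall here,
            # so the client is stopped before it can occupy a connection slot.
            banned[m["host"]] = ts
    return banned

# Constructed sample log (documentation address ranges, invented PIDs).
SAMPLE_LOG = """\
2022-11-17 17:30:01.101 UTC [101] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2022-11-17 17:30:03.412 UTC [102] 203.0.113.7 FATAL:  password authentication failed for user "admin"
2022-11-17 17:30:04.000 UTC [103] 198.51.100.20 FATAL:  password authentication failed for user "app"
2022-11-17 17:30:06.950 UTC [104] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2022-11-17 17:45:00.000 UTC [105] 198.51.100.20 FATAL:  password authentication failed for user "app"
2022-11-17 17:46:00.000 UTC [106] 198.51.100.20 LOG:  statement: SELECT 'FATAL:  password authentication failed for user "app"'
""".splitlines()

if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"ban {host} (threshold reached at {when})")
```
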