On Thu, May 12, 2005 at 00:23:05 +0200,
Enrico Weigelt <[EMAIL PROTECTED]> wrote:
> * Bruno Wolff III <[EMAIL PROTECTED]> wrote:
>
> > Maybe you can use client side certificates.
>
> how can they be used w/ psql ?
You should be able to get PAM to do this, but I haven't tried it to make sure.
* Wim Bertels <[EMAIL PROTECTED]> wrote:
> since brute force attacks are quit traceable (targetting one and the
> same user eg..),
> one could a script to check:
> - the percentage of failed logins/user, depending on the percentage (eg
> 75% or more failed, this should be configurable), these e
* Bruno Wolff III <[EMAIL PROTECTED]> wrote:
> Maybe you can use client side certificates.
how can they be used w/ psql ?
cu
--
-
Enrico Weigelt== metux IT service
phone: +49 36207 519931 www: http:
Bruno Wolff III schreef:
On Tue, Apr 19, 2005 at 22:54:32 +0200,
Wim Bertels <[EMAIL PROTECTED]> wrote:
not an easy problem: it always seems to end up in DoS vs Brute Force Cracking.
So the only good and simple solution i can think of: use the best possible
password encrytion (or sufficient,
On Tue, Apr 19, 2005 at 22:54:32 +0200,
Wim Bertels <[EMAIL PROTECTED]> wrote:
>
> not an easy problem: it always seems to end up in DoS vs Brute Force Cracking.
> So the only good and simple solution i can think of: use the best possible
> password encrytion (or sufficient, a statistically ze
On Tuesday 19 April 2005 22:37, Bruno Wolff III seinde rooksignalen:
> On Tue, Apr 19, 2005 at 17:00:15 +0200,
>
> Wim Bertels <[EMAIL PROTECTED]> wrote:
> > >Can't people use PAM to get this effect if they want it?
> >
> > what if u use pam with ldap, then u can use pg brute force cracking to
>
On Tue, Apr 19, 2005 at 17:00:15 +0200,
Wim Bertels <[EMAIL PROTECTED]> wrote:
> >Can't people use PAM to get this effect if they want it?
>
> what if u use pam with ldap, then u can use pg brute force cracking to
> obtain the ldap password, which is probably a bigger problem
You don't have to
Can't people use PAM to get this effect if they want it?
what if u use pam with ldap, then u can use pg brute force cracking to
obtain the ldap password, which is probably a bigger problem
For most people password guessing isn't going to be a big problem as
the database won't be accessible from to
Bruce Momjian schreef:
Wim Bertels wrote:
LS,
is there a way of securing the postgresql-server against brute force
password cracking ?
iow: is there a way of setting eg a maximum number of login attempts, or
using a time-out or ..?
+ securing on server level
No, there is not. Does anyo
On Mon, Apr 18, 2005 at 16:55:45 -0400,
Bruce Momjian wrote:
>
> I would like to pick something that matches what a typical Unix system
> does because I think the _fancy_ solutions actually cause weird problems
> like denial-of-service attacks by just trying to log in.
>
> How do typical open
Dawid Kuroczko <[EMAIL PROTECTED]> writes:
> Anyway, a simple 'sleep 2 seconds before telling that password
> was wrong' would be a good addition anyhow.
Seems pretty useless, unless we change things to also delay 2 seconds
before telling the password was good, which I doubt anyone will like ;-)
O
> And dangerous. Imagine a system with say, apache accound used
> from some Apache application. And a maluser who purposefully
> tries to log in to "apache" account and fails, thus causing a DoS
> on the web application. :)
Yes, I absolutely agree. Any scheme of the sort would have some
risks.
> > No, there is not. Does anyone want to suggest a possible implementation
> > for the TODO list?
> I would like to see a combination of number of login failures and a
> timeout, configurable via the conf file. Say, X login failures
> disables further logins for that account for Y minutes.
>
>
C. Bensend wrote:
>
> > No, there is not. Does anyone want to suggest a possible implementation
> > for the TODO list?
>
> I would like to see a combination of number of login failures and a
> timeout, configurable via the conf file. Say, X login failures
> disables further logins for that acco
> No, there is not. Does anyone want to suggest a possible implementation
> for the TODO list?
I would like to see a combination of number of login failures and a
timeout, configurable via the conf file. Say, X login failures
disables further logins for that account for Y minutes.
That would b
Wim Bertels wrote:
> LS,
>
> is there a way of securing the postgresql-server against brute force
> password cracking ?
> iow: is there a way of setting eg a maximum number of login attempts, or
> using a time-out or ..?
>
> + securing on server level
No, there is not. Does anyone want to sug
LS,
is there a way of securing the postgresql-server against brute force
password cracking ?
iow: is there a way of setting eg a maximum number of login attempts, or
using a time-out or ..?
+ securing on server level
tnx,
---(end of broadcast)---
T
17 matches
Mail list logo
