KaiGai Kohei, with a few changes by me.
SUBDIRS = \
adminpack \
+ auth_delay \
auto_explain \
btree_gin \
btree_gist \
File and log manipulation routines, used by pgAdmin
by Dave Page
+auth_delay
+ Add a short delay after a failed authentication attempt, to make
+ make brute-force attacks on database passwords a bit harder.
+ by KaiGai Kohei
+
auto_explain -
Log EXPLAIN output for long-running queries
by Takahiro Itagaki
--- /dev/null
+# contrib/auth_delay/Makefile
+
+MODULES = auth_delay
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = contrib/auth_delay
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
--- /dev/null
+/* -------------------------------------------------------------------------
+ *
+ * auth_delay.c
+ *
+ * Copyright (C) 2010, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ * contrib/auth_delay/auth_delay.c
+ *
+ * -------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include "libpq/auth.h"
+#include "port.h"
+#include "utils/guc.h"
+#include "utils/timestamp.h"
+
+PG_MODULE_MAGIC;
+
+void _PG_init(void);
+
+/* GUC Variables */
+static int auth_delay_milliseconds;
+
+/* Original Hook */
+static ClientAuthentication_hook_type original_client_auth_hook = NULL;
+
+/*
+ * Check authentication
+ */
+static void
+auth_delay_checks(Port *port, int status)
+{
+ /*
+ * Any other plugins which use ClientAuthentication_hook.
+ */
+ if (original_client_auth_hook)
+ original_client_auth_hook(port, status);
+
+ /*
+ * Inject a short delay if authentication failed.
+ */
+ if (status != STATUS_OK)
+ {
+ pg_usleep(1000L * auth_delay_milliseconds);
+ }
+}
+
+/*
+ * Module Load Callback
+ */
+void
+_PG_init(void)
+{
+ /* Define custome GUC variables */
+ DefineCustomIntVariable("auth_delay.milliseconds",
+ "Milliseconds to delay before reporting authentication failure",
+ NULL,
+ &auth_delay_milliseconds,
+ 0,
+ 0, INT_MAX,
+ PGC_SIGHUP,
+ GUC_UNIT_MS,
+ NULL,
+ NULL);
+ /* Install Hooks */
+ original_client_auth_hook = ClientAuthentication_hook;
+ ClientAuthentication_hook = auth_delay_checks;
+}
--- /dev/null
+
+
+
+
auth_delay
+
+
+
+
+ auth_delay causes the server to pause briefly before
+ reporting authentication failure, to make brute-force attacks on database
+ passwords more difficult. Note that it does nothing to prevent
+ denial-of-service attacks, and may even exacerbate them, since processes
+ that are waiting before reporting authentication failure will still consume
+ connection slots.
+
+
+ In order to function, this module must be loaded via
+ in postgresql.conf.
+
+
+
+
Configuration parameters
+
+
+
+
+ auth_delay.milliseconds (int)
+
+
+
auth_delay.milliseconds configuration parameter+
+
+ The number of milliseconds to wait before reporting an authentication
+ failure. The default is 0.
+
+
+
+
+
+ In order to set these parameters in your postgresql.conf file,
+ you will need to add auth_delay to
+ . Typical usage might be:
+
+
+# postgresql.conf
+shared_preload_libraries = 'auth_delay'
+
+custom_variable_classes = 'auth_delay'
+auth_delay.milliseconds = '500'
+
+
+
+
+
Author
+
+
+
+
+
&adminpack;
+ &auth-delay;
&auto-explain;
&btree-gin;
&btree-gist;
projects / postgresql.git / commitdiff