Describe the latest MoinMoin version/1.9.8 here.

  * surge protection for authentication (currently only for MoinAuth):
    a) surge protect by IP
       This covers the case someone is trying to authenticate way too
       often - we don't look at the username here, just at the remote IP
       address. If surge protection kicks in for some specific IP, that IP
       won't be able to try to authenticate any more until surge_lockout_time
       is over.
       Note: be careful with users behind proxies or NAT routers - these are
             common and legitimate cases with (potentially lots of)
             authentication requests coming from the same IP.
             If it is a trusted proxy, you can configure moin so it sees the
             real remote IP address (not just the proxy's address).
    b) surge protect by name
       This covers the case someone is trying to authenticate for a
       specific user name way too often (e.g. when someone tries to attack the
       wiki admin's account). We don't look at the IP here, just at the user
       name. If surge protection kicks in for some specific user name, that user
       name will not be able to try to authenticate any more until
       surge_lockout_time is over.
       Note: this even covers widely distributed attacks against a user, but
             you should only enable this if you are aware that the "real" user
             also won't be able to authenticate while surge protection is active
             (at least not using the account for that specific username).
             Thus, there is some denial-of-service danger with this if the
             attacker can guess or find your valid user names (which isn't too
             difficult if your wiki is publicly readable).
             This is bad, but technically hard to avoid.

    Configuration (allowing 10 authentication attempts per hour):
        surge_action_limits = {
            # ...
            'auth-ip': (10, 3600),  # same remote ip (any name)
            'auth-name': (10, 3600),  # same name (any remote ip)
        }
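
The sketch below is an added example, not MoinMoin's own code: it models the two limits described above to show how 'auth-name' stops a distributed guessing run and, as the note warns, locks out the real account owner too. The class AuthSurgeGuard, its methods and the sample addresses are hypothetical; only the limit keys and the surge_lockout_time idea come from the text.

```python
import time
from collections import defaultdict, deque

class AuthSurgeGuard:
    """Hypothetical limiter for illustration; not MoinMoin's implementation."""

    def __init__(self, limits, lockout_time):
        self.limits = limits              # e.g. {'auth-ip': (10, 3600)}
        self.lockout_time = lockout_time  # seconds, cf. surge_lockout_time
        self.events = defaultdict(deque)  # (action, key) -> attempt times
        self.locked_until = {}            # (action, key) -> unlock time

    def _check(self, action, key, now):
        """Count one attempt; return False if (action, key) is locked out."""
        if action not in self.limits:     # limit not enabled
            return True
        slot = (action, key)
        if self.locked_until.get(slot, 0) > now:
            return False
        max_count, window = self.limits[action]
        attempts = self.events[slot]
        while attempts and attempts[0] <= now - window:
            attempts.popleft()            # forget attempts outside the window
        attempts.append(now)
        if len(attempts) > max_count:
            self.locked_until[slot] = now + self.lockout_time
            attempts.clear()
            return False
        return True

    def allow_attempt(self, remote_ip, username, now=None):
        now = time.time() if now is None else now
        # IP first: a locked-out IP must not add to a name's counter.
        if not self._check('auth-ip', remote_ip, now):
            return False
        return self._check('auth-name', username, now)

def distributed_attack_demo():
    """Constructed scenario: 11 source IPs guess one account, then the owner logs in."""
    guard = AuthSurgeGuard({'auth-ip': (10, 3600), 'auth-name': (10, 3600)}, 3600)
    t0 = 1000.0
    attack = [guard.allow_attempt('203.0.113.%d' % i, 'WikiAdmin', t0 + i)
              for i in range(11)]
    owner_during = guard.allow_attempt('198.51.100.7', 'WikiAdmin', t0 + 60)
    owner_after = guard.allow_attempt('198.51.100.7', 'WikiAdmin', t0 + 10 + 3601)
    return attack, owner_during, owner_after
```

Dropping 'auth-name' from the limits dict removes the owner lockout, but then the same distributed run is never throttled, which is the trade-off the note describes.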