Describe the latest version of moinmoin/1.9.8 here.

{{{
  * surge protection for authentication (currently only for MoinAuth):
    a) surge protect by IP
       This covers the case someone is trying to authenticate way too
       often - we don't look at the username here, just at the remote IP
       address. If surge protection kicks in for some specific IP, that IP
       won't be able to try to authenticate any more until surge_lockout_time
       is over.
       Note: be careful with users behind proxies or NAT routers - these are
             common and legitimate cases with (potentially lots of)
             authentication requests coming from same IP.
             If it is a trusted proxy, you can configure moin so it sees the
             real remote IP address (not just the proxy's address).
    b) surge protect by name
       This covers the case someone is trying to authenticate for a
       specific user name way too often (e.g. when someone tries to attack the
       wiki admin's account). We don't look at the IP here, just at the user
       name. If surge protection kicks in for some specific user name, that user
       name will not be able to try to authenticate any more until
       surge_lockout_time is over.
       Note: this even covers widely distributed attacks against a user, but
             you should only enable this if you are aware that the "real" user
             also won't be able to authenticate while surge protection is active
             (at least not using the account for that specific username).
             Thus, there is some denial-of-service danger with this if the
             attacker can guess or find your valid user names (which isn't too
             difficult if your wiki is publicly readable).
             This is bad, but technically hard to avoid.
    Configuration (allowing 10 authentication attempts per hour):
        surge_action_limits = {
            # ...
            'auth-ip': (10, 3600),  # same remote ip (any name)
            'auth-name': (10, 3600),  # same name (any remote ip)
        }
}}}
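The by-name lockout trade-off described above, as an added example (not MoinMoin's own code and not part of the original changelog): a simplified sliding-window model of the two limits, run over a constructed scenario. The class and function names, the sample addresses and the assumption that surge_lockout_time is 3600 seconds are illustrative.

```python
from collections import defaultdict, deque

# Limits from the configuration above; LOCKOUT models surge_lockout_time (assumed 3600 s).
LIMITS = {'auth-ip': (10, 3600), 'auth-name': (10, 3600)}
LOCKOUT = 3600


class AuthSurgeModel:
    """Simplified model of per-key attempt counting; not MoinMoin's code."""

    def __init__(self, limits=LIMITS, lockout=LOCKOUT):
        self.limits = limits
        self.lockout = lockout
        self.events = defaultdict(deque)   # (action, key) -> attempt timestamps
        self.locked_until = {}             # (action, key) -> lockout end time

    def _check(self, action, key, now):
        maxnum, window = self.limits[action]
        slot = (action, key)
        if self.locked_until.get(slot, 0) > now:
            return False                   # still locked out, attempt refused
        q = self.events[slot]
        while q and q[0] <= now - window:
            q.popleft()                    # drop attempts older than the window
        q.append(now)
        if len(q) > maxnum:
            self.locked_until[slot] = now + self.lockout
            return False
        return True

    def allow(self, ip, name, now):
        """True if an authentication attempt may proceed at time `now` (seconds)."""
        ok_ip = self._check('auth-ip', ip, now)
        ok_name = self._check('auth-name', name, now)
        return ok_ip and ok_name


def simulate_distributed_attack(target='WikiAdmin', sources=11):
    """Constructed scenario: one attempt per source IP against one user name."""
    model = AuthSurgeModel()
    for i in range(sources):
        model.allow('198.51.100.%d' % (i + 1), target, now=i)
    # The real user now tries from an address that has made no attempts before.
    real_user_ok = model.allow('203.0.113.7', target, now=sources)
    other_user_ok = model.allow('203.0.113.7', 'OtherUser', now=sources + 1)
    return real_user_ok, other_user_ok
```

In the scenario no single address exceeds 'auth-ip', so only 'auth-name' triggers: the targeted name is refused from every address until the lockout ends, while other names from the same address still authenticate.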