moinmoinの最新版/1.9.8について、ここに記述してください。
* surge protection for authentication (currently only for MoinAuth):
57 a) surge protect by IP
58 This covers the case someone is trying to authenticate way too
59 often - we don't look at the username here, just at the remote IP
60 address. If surge protection kicks in for some specific IP, that IP
61 won't be able to try to authenticate any more until surge_lockout_time
62 is over.
63 Note: be careful with users behind proxies or NAT routers - these are
64 common and legitimate cases with (potentially lots of)
65 authentication requests coming from same IP.
66 if it is a trusted proxy, you can configure moin so it sees the
67 real remote IP address (not just the proxy's address).
68 b) surge protect by name
69 This covers the case someone is trying to authenticate for a
70 specific user name way too often (e.g. when someone tries to attack the
71 wiki admin's account). We don't look at the IP here, just at the user
72 name. If surge protection kicks in for some specific user name, that user
73 name will not be able to try to authenticate any more until
74 surge_lockout_time is over.
75 Note: this even covers widely distributed attacks against a user, but
76 you should only enable this if you are aware that the "real" user
77 also won't be able to authenticate while surge protection is active
78 (at least not using the account for that specific username).
79 Thus, there is some denial-of-service danger with this if the
80 attacker can guess or find your valid user names (which isn't too
81 difficult if your wiki is publicly readable).
82 This is bad, but technically hard to avoid.
83 Configuration (allowing 10 authentication attempts per hour):
84 surge_action_limits = {
85 # ...
86 'auth-ip': (10, 3600), # same remote ip (any name)
87 'auth-name': (10, 3600), # same name (any remote ip)
88 }