Security - CephX brute-force protection through auto-blacklisting

Summary
Currently there is no easy way to detect brute-force attacks against the CephX authentication framework or to protect it against them, as discussed in this OpenStack Summit presentation [1].

What we need is:
  • extend code to log all failed CephX authentications to enable monitoring to pick up these events
  • add a logger to CephX to count failed attempts (per IP, Client, ...)
  • add a configurable "auto-blacklist" mechanism to exclude clients after n-failed attempts

[1] http://www.slideshare.net/dalgaaf/open-stacksummitvancouver-cephsecurity

Owners
Danny Al-Gaaf (Deutsche Telekom)
Name (Affiliation)
Name

Interested Parties
If you are interested in contributing to this blueprint, or want to be a "speaker" during the Summit session, list your name here.
Name (Affiliation)
Name (Affiliation)
Name

Current Status
Nothing implemented yet!

Detailed Description

Open Questions:
  • Log events based on source IP or other information?
  • Blocking:
    • Is it something that we want in Ceph itself or should the blocking task be passed to external monitoring?
    • Does it make sense to block IPs? This may lead to blocking complete hosts with multiple VMs from different tenants.
    • Log failed attempts to a database so this information stays available even after a restart of the MONs?
    • If we block: we need an interface to check log entries and to enable and disable blocking per entry
    • Unblock after a defined time?
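To make the "what we need" list and the open questions above concrete, here is an added prototype of the counting and auto-blacklist logic as it might run in external monitoring (it is example code written for this page, not Ceph code). It assumes a hypothetical log line format for failed CephX authentications ("<unix-ts> cephx auth failed for <entity> from <ip>"), a sliding window of n failed attempts, a timed unblock, and a per-entry enable/disable switch. Keying the counter by source IP versus CephX entity name shows the tenant side effect raised in the open questions: with IP keying, a second tenant on the same host is blocked along with the offending one.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this example; the page does not specify how failed
# CephX authentications would be logged, so the line shape is an assumption:
# "<unix-ts> cephx auth failed for <entity> from <ip>".
FAILED_AUTH_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) cephx auth failed for (?P<entity>\S+) from (?P<ip>[\d.]+)$"
)


class FailedAuthTracker:
    """Count failed CephX authentications per key and auto-blacklist.

    key="ip" counts per source address, key="entity" counts per CephX entity
    name (e.g. client.tenant-a). Blocks expire after block_seconds and can be
    disabled per key by an operator.
    """

    def __init__(self, max_failures, window_seconds, block_seconds, key="ip"):
        if key not in ("ip", "entity"):
            raise ValueError("key must be 'ip' or 'entity'")
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self.key = key
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.blocked = {}                   # key -> block expiry timestamp
        self.blocking_disabled = set()      # keys an operator exempted from blocking

    def _key_for(self, entity, ip):
        return ip if self.key == "ip" else entity

    def is_blocked(self, key, now):
        """True if key is currently blacklisted; expired blocks are lifted."""
        expiry = self.blocked.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[key]
            self.failures.pop(key, None)  # count afresh after the timed unblock
            return False
        return True

    def set_blocking_enabled(self, key, enabled):
        """Operator interface: enable or disable auto-blocking for one entry."""
        if enabled:
            self.blocking_disabled.discard(key)
        else:
            self.blocking_disabled.add(key)
            self.blocked.pop(key, None)

    def record_failure(self, entity, ip, now):
        """Record one failed authentication; return whether the key is now blocked."""
        key = self._key_for(entity, ip)
        if self.is_blocked(key, now):
            return True
        window = self.failures[key]
        window.append(now)
        # Keep only failures inside the sliding window.
        while window and window[0] < now - self.window_seconds:
            window.popleft()
        if len(window) >= self.max_failures and key not in self.blocking_disabled:
            self.blocked[key] = now + self.block_seconds
            return True
        return False

    def process_log(self, text):
        """Feed log lines; return (key, blocked) for every failed-auth event."""
        events = []
        for line in text.splitlines():
            m = FAILED_AUTH_RE.match(line.strip())
            if not m:
                continue  # unrelated log line
            blocked = self.record_failure(m["entity"], m["ip"], float(m["ts"]))
            events.append((self._key_for(m["entity"], m["ip"]), blocked))
        return events


# Constructed sample: tenant-a fails repeatedly from a host that tenant-b also uses.
SAMPLE_LOG = """\
100.0 cephx auth failed for client.tenant-a from 10.0.0.5
101.0 cephx auth failed for client.tenant-b from 10.0.0.5
102.0 cephx auth failed for client.tenant-a from 10.0.0.5
103.0 cephx auth failed for client.tenant-a from 10.0.0.5
104.0 cephx auth failed for client.tenant-a from 10.0.0.5
105.0 mon.a unrelated log line
"""


def compare_keying():
    """Show the side effect of IP-based blocking on a host shared by tenants."""
    by_ip = FailedAuthTracker(max_failures=3, window_seconds=60, block_seconds=600, key="ip")
    by_ip.process_log(SAMPLE_LOG)
    by_entity = FailedAuthTracker(max_failures=3, window_seconds=60, block_seconds=600, key="entity")
    by_entity.process_log(SAMPLE_LOG)
    return {
        "tenant_b_blocked_by_ip": by_ip.is_blocked("10.0.0.5", now=110.0),
        "tenant_b_blocked_by_entity": by_entity.is_blocked("client.tenant-b", now=110.0),
        "tenant_a_blocked_by_entity": by_entity.is_blocked("client.tenant-a", now=110.0),
        "tenant_a_unblocked_later": by_entity.is_blocked("client.tenant-a", now=800.0),
    }


if __name__ == "__main__":
    print(compare_keying())
```

The tracker holds its state in memory, so it illustrates the "after a restart of the MONs" question as well: persisting `failures` and `blocked` to a database is what would be needed for blocks to survive a restart.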

Work items
TBD

Coding tasks
Task 1
Task 2
Task 3

Build / release tasks
Task 1
Task 2
Task 3

Documentation tasks
Task 1
Task 2
Task 3

Deprecation tasks
Task 1
Task 2
Task 3