Currently there is no easy way to detect and protect the CephX authentication framework against brute-force attacks, as discussed in this OpenStack Summit presentation.
- extend the code to log all failed CephX authentications so that monitoring can pick up these events
- add a logger to CephX that counts failed attempts (per IP, client, ...)
- add a configurable "auto-blacklist" mechanism that excludes clients after n failed attempts
Danny Al-Gaaf (Deutsche Telekom)
If you are interested in contributing to this blueprint, or want to be a "speaker" during the Summit session, list your name here.
Nothing implemented yet!
Detailed Description
Open Questions:
- Log events based on source IP or other information?
- Is it something that we want in Ceph itself or should the blocking task be passed to external monitoring?
- Does it make sense to block IPs? This may end up blocking complete hosts that run multiple VMs from different tenants.
- Log failed attempts to a database so that this information is still available after a restart of the MONs?
- If we block: we need an interface to inspect the log entries and to enable and disable blocking on a per-entry basis
- Unblock after a defined time?
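The following is an added example (not Ceph code and not part of this blueprint) of what the monitoring side of the proposal above could look like: failed-auth log lines are counted per (source IP, client) in a sliding window, the key is put on a temporary blocklist after n failures, and the block expires after a defined time. The log line format and the sample lines are constructed for this example; they are not Ceph's real monitor log format. Keying on (IP, client) rather than bare IP is one way to avoid blocking a whole host with VMs from several tenants.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (NOT real Ceph output).
SAMPLE_LOG = """\
2014-05-01 10:00:01 mon.a cephx: auth failed for client.admin from 10.0.0.5
2014-05-01 10:00:02 mon.a cephx: auth failed for client.admin from 10.0.0.5
2014-05-01 10:00:03 mon.a cephx: auth failed for client.admin from 10.0.0.5
2014-05-01 10:00:04 mon.a cephx: auth failed for client.glance from 10.0.0.9
2014-05-01 10:20:00 mon.a cephx: auth failed for client.admin from 10.0.0.5
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ cephx: auth failed for (?P<client>\S+) from (?P<ip>\S+)$")


class FailedAuthTracker:
    """Count failures per (ip, client) in a sliding window; block after n."""

    def __init__(self, threshold=3, window=timedelta(minutes=5),
                 block_for=timedelta(minutes=10)):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.blocked = {}                    # key -> time at which the block expires

    def is_blocked(self, key, now):
        expiry = self.blocked.get(key)
        if expiry is None:
            return False
        if now >= expiry:                    # unblock after the defined time
            del self.blocked[key]
            return False
        return True

    def record_failure(self, key, now):
        """Record one failure; return True if this failure triggers a new block."""
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold and not self.is_blocked(key, now):
            self.blocked[key] = now + self.block_for
            q.clear()
            return True
        return False


def process_log(text, tracker=None):
    """Feed log lines to the tracker; return [(time, key)] of newly blocked keys."""
    tracker = tracker or FailedAuthTracker()
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["ip"], m["client"])
        if tracker.record_failure(key, ts):
            events.append((ts, key))
    return events, tracker
```

With the sample lines, client.admin from 10.0.0.5 is blocked after its third failure at 10:00:03 and is no longer blocked when its fourth failure arrives at 10:20:00, while the single failure from 10.0.0.9 triggers nothing.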
Build / release tasks