Security - CephX brute-force protection through auto-blacklisting
Summary
Currently there is no easy way to detect and protect the CephX authentication framework against brute-force attacks, as discussed in this OpenStack Summit presentation [1]. The proposal is to:
- extend code to log all failed CephX authentications to enable monitoring to pick up these events
- add a logger to CephX to count failed attempts (per IP, Client, ...)
- add a configurable "auto-blacklist" mechanism to exclude clients after n-failed attempts
[1] http://www.slideshare.net/dalgaaf/open-stacksummitvancouver-cephsecurity
Owners
Danny Al-Gaaf (Deutsche Telekom)
Name (Affiliation)
Name
Interested Parties
If you are interested in contributing to this blueprint, or want to be a "speaker" during the Summit session, list your name here.
Name (Affiliation)
Name (Affiliation)
Name
Current Status
Nothing implemented yet!
Detailed Description
Open Questions:
- Log events based on source IP or other information?
- Blocking:
  - Is it something that we want in Ceph itself, or should the blocking task be passed to external monitoring?
  - Does it make sense to block IPs? This may lead to blocking complete hosts with multiple VMs from different tenants.
  - Log failed attempts to a database to have this information available even after a restart of the MONs?
  - If we block: we need an interface to check log entries and to enable and disable blocking on a per-entry basis.
  - Unblock after a defined time?
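The following is an added example, not code from Ceph or from this blueprint's author, sketching the mechanism the Summary and the open questions describe: count failed CephX authentications in a sliding window, auto-blacklist an entry after n failures, and unblock it again after a defined time. It is written as the kind of external monitor the second open question mentions, consuming log lines. The log line format (`cephx: auth failed entity=... addr=...`) is an assumption, since Ceph does not log such an event today, and the sample lines are constructed. The `key_by` switch shows the difference between keying on the CephX entity name and keying on the source IP: with the same constructed input, IP keying blocks the whole host `10.0.0.5`, taking a second tenant's client with it, which is exactly the multi-VM concern raised above.

```python
"""Failed-CephX-auth tracker with auto-blacklisting and timed unblock.

Added example (not Ceph code). Assumed, hypothetical log line format:
    <unix_ts> cephx: auth failed entity=<client.name> addr=<ip>:<port>
"""
import re
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

# Hypothetical log format; Ceph does not currently emit this line.
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) cephx: auth failed "
    r"entity=(?P<entity>\S+) addr=(?P<ip>\S+):(?P<port>\d+)$"
)


class AuthFailureTracker:
    """Count failures per key (entity or IP) and blacklist after a threshold."""

    def __init__(self, max_failures: int = 5, window: float = 60.0,
                 block_seconds: float = 300.0, key_by: str = "entity"):
        if key_by not in ("entity", "ip"):
            raise ValueError("key_by must be 'entity' or 'ip'")
        self.max_failures = max_failures      # the "n failed attempts"
        self.window = window                  # sliding window in seconds
        self.block_seconds = block_seconds    # "unblock after a defined time"
        self.key_by = key_by
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def _key(self, entity: str, ip: str) -> str:
        return entity if self.key_by == "entity" else ip

    def is_blocked(self, key: str, now: Optional[float] = None) -> bool:
        """True while the entry is blacklisted; expired entries are removed."""
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now is None:
            now = time.time()
        if now >= until:
            del self._blocked_until[key]  # timed unblock
            return False
        return True

    def record_line(self, line: str) -> Optional[str]:
        """Feed one log line. Returns the key if this line triggered a block."""
        m = LOG_RE.match(line)
        if not m:
            return None  # not a failed-auth event; ignore
        ts = float(m.group("ts"))
        key = self._key(m.group("entity"), m.group("ip"))
        if self.is_blocked(key, ts):
            return None  # already blacklisted; nothing new to report
        q = self._failures[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # forget failures outside the sliding window
        if len(q) >= self.max_failures:
            self._blocked_until[key] = ts + self.block_seconds
            q.clear()  # fresh count once the block expires
            return key
        return None

    def unblock(self, key: str) -> None:
        """Operator interface: lift a block for one entry by hand."""
        self._blocked_until.pop(key, None)
        self._failures.pop(key, None)

    def blocked_entries(self, now: Optional[float] = None) -> List[str]:
        return [k for k in list(self._blocked_until) if self.is_blocked(k, now)]


# Constructed sample log: two tenants' clients failing from the same host.
SAMPLE_LOG = [
    "1000.0 cephx: auth failed entity=client.tenant-a addr=10.0.0.5:40001",
    "1001.0 cephx: auth failed entity=client.tenant-a addr=10.0.0.5:40002",
    "1002.0 cephx: auth failed entity=client.tenant-b addr=10.0.0.5:40003",
    "1003.0 cephx: auth failed entity=client.tenant-a addr=10.0.0.5:40004",
    "1004.0 mon.a some unrelated log line",
]


def run_sample(key_by: str) -> List[str]:
    """Replay SAMPLE_LOG with n=3 and return the keys that got blacklisted."""
    tracker = AuthFailureTracker(max_failures=3, window=60.0,
                                 block_seconds=300.0, key_by=key_by)
    return [k for k in (tracker.record_line(l) for l in SAMPLE_LOG) if k]


if __name__ == "__main__":
    print("blocked by entity:", run_sample("entity"))  # ['client.tenant-a']
    print("blocked by ip:    ", run_sample("ip"))      # ['10.0.0.5']
```

Keying on the entity name blocks only `client.tenant-a` after its third failure, while keying on the IP blocks `10.0.0.5` after three failures from any client on that host, so `client.tenant-b` is locked out after a single mistake of its own.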
Work items
TBD
Coding tasks
Task 1
Task 2
Task 3
Build / release tasks
Task 1
Task 2
Task 3
Documentation tasks
Task 1
Task 2
Task 3
Deprecation tasks
Task 1
Task 2
Task 3