Security - CephX brute-force protection through auto-blacklisting » History » Revision 1

Danny Al-Gaaf, 06/12/2015 05:44 PM
Initial description


Security - CephX brute-force protection through auto-blacklisting

Summary
Currently there is no easy way to detect brute-force attacks against the CephX authentication framework or to protect it against them, as discussed in this OpenStack Summit presentation [1].

What we need is:
  • extend the code to log all failed CephX authentications so that monitoring can pick up these events
  • add a logger to CephX to count failed attempts (per IP, Client, ...)
  • add a configurable "auto-blacklist" mechanism to exclude clients after n failed attempts
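
One way the per-IP and per-client counting and the configurable threshold listed above could behave, as an added example that is not Ceph code and not part of the original blueprint. The class and function names, the sliding time window, the blacklist expiry and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque


class FailedAuthTracker:
    """Counts failed authentications per key and blacklists a key after n failures."""

    def __init__(self, max_failures=5, window=60.0, blacklist_for=600.0):
        self.max_failures = max_failures     # the "n" in "n failed attempts"
        self.window = window                 # assumption: only failures this recent count
        self.blacklist_for = blacklist_for   # assumption: blacklist entries expire
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._blacklist = {}                 # key -> expiry timestamp

    def is_blacklisted(self, key, now):
        if key in self._blacklist and now >= self._blacklist[key]:
            del self._blacklist[key]         # entry has expired
        return key in self._blacklist

    def record_failure(self, key, now):
        """Record one failed attempt; return True if key is newly blacklisted."""
        if self.is_blacklisted(key, now):
            return False
        recent = self._failures[key]
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blacklist[key] = now + self.blacklist_for
            del self._failures[key]
            return True
        return False


def replay(events, tracker):
    """Feed (timestamp, ip, client) failure events; return the blacklist actions."""
    actions = []
    for ts, ip, client in events:
        # Count per source IP and per client name, as the work items propose.
        for key in (("ip", ip), ("client", client)):
            if tracker.record_failure(key, ts):
                actions.append((ts, key))
    return actions


# Constructed sample events (seconds, source IP, client name); not real Ceph log output.
SAMPLE_EVENTS = [
    (0, "192.0.2.10", "client.a"), (1, "192.0.2.10", "client.b"),
    (2, "192.0.2.10", "client.c"), (3, "198.51.100.7", "client.a"),
    (200, "198.51.100.7", "client.a"),
]
```

With a threshold of three failures in 60 seconds, the per-IP counter catches the source that rotates client names, while the three spread-out failures of `client.a` never fall inside one window and trigger nothing.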

[1] http://www.slideshare.net/dalgaaf/open-stacksummitvancouver-cephsecurity

Owners
Danny Al-Gaaf (Deutsche Telekom)
Name (Affiliation)
Name

Interested Parties
If you are interested in contributing to this blueprint, or want to be a "speaker" during the Summit session, list your name here.
Name (Affiliation)
Name (Affiliation)
Name

Current Status
Please describe the current status of Ceph as it relates to this blueprint.  Is there something that this replaces?  Are there current features that are related?

Detailed Description
This is the big one!  Please provide a detailed description for the proposed change.  Where appropriate, include your architectural approach, a list of systems involved, important consequences, and issues that are still unresolved.

Work items
This section should contain a list of work tasks created by this blueprint.  Please include engineering tasks as well as related build/release and documentation work.  If this blueprint requires cleanup of deprecated features, please list those tasks as well.

Coding tasks
Task 1
Task 2
Task 3

Build / release tasks
Task 1
Task 2
Task 3

Documentation tasks
Task 1
Task 2
Task 3

Deprecation tasks
Task 1
Task 2
Task 3

Updated by Danny Al-Gaaf almost 9 years ago · 1 revisions