Ceph

h3. +*Security - CephX brute-force protection through auto-blacklisting*+

*Summary*

Currently there is no easy way to detect and protect the CephX authentication framework against brute-force attacks. As discussed at this OpenStack Summit presentation [1].

What we need is:

* extend code to log all failed CephX authentications to enable monitoring to pick up these events

* add a logger to CephX to count failed attempts (per IP, Client, ...)

* add a configurable "auto-blacklist" mechanism to exclude clients after n-failed attempts

[1] http://www.slideshare.net/dalgaaf/open-stacksummitvancouver-cephsecurity

*Owners*

Danny Al-Gaaf (Deutsche Telekom)

Name (Affiliation)

Name

*Interested Parties*

If you are interested in contributing to this blueprint, or want to be a "speaker" during the Summit session, list your name here.

Name (Affiliation)

Name (Affiliation)

Name

*Current Status*

Please describe the current status of Ceph as it relates to this blueprint.  Is there something that this replaces?  Are there current features that are related?

*Detailed Description*

This is the big one!  Please provide a detailed description for the proposed change.  Where appropriate, include your architectural approach, a list of systems involved, important consequences, and issues that are still unresolved.

*Work items*

This section should contain a list of work tasks created by this blueprint.  Please include engineering tasks as well as related build/release and documentation work.  If this blueprint requires cleanup of deprecated features, please list those tasks as well.

*Coding tasks*

Task 1

Task 2

Task 3

*Build / release tasks*

Task 1

Task 2

Task 3

*Documentation tasks*

Task 1

Task 2

Task 3

*Deprecation tasks*

Task 1

Task 2

Task 3