Security - CephX brute-force protection through auto-blacklisting » History » Version 1
Danny Al-Gaaf, 06/12/2015 05:44 PM
Initial description
h3. +*Security - CephX brute-force protection through auto-blacklisting*+

*Summary*

Currently there is no easy way to detect brute-force attacks against the CephX authentication framework or to protect it against them, as discussed in this OpenStack Summit presentation [1].

What we need is:

* extend the code to log all failed CephX authentications so that monitoring can pick up these events
* add a logger to CephX to count failed attempts (per IP, Client, ...)
* add a configurable "auto-blacklist" mechanism to exclude clients after n failed attempts

[1] http://www.slideshare.net/dalgaaf/open-stacksummitvancouver-cephsecurity

*Owners*

Danny Al-Gaaf (Deutsche Telekom)
Name (Affiliation)
Name

*Interested Parties*

If you are interested in contributing to this blueprint, or want to be a "speaker" during the Summit session, list your name here.

Name (Affiliation)
Name (Affiliation)
Name

*Current Status*

Please describe the current status of Ceph as it relates to this blueprint. Is there something that this replaces? Are there current features that are related?

*Detailed Description*

This is the big one! Please provide a detailed description for the proposed change. Where appropriate, include your architectural approach, a list of systems involved, important consequences, and issues that are still unresolved.

*Work items*

This section should contain a list of work tasks created by this blueprint. Please include engineering tasks as well as related build/release and documentation work. If this blueprint requires cleanup of deprecated features, please list those tasks as well.

*Coding tasks*

Task 1
Task 2
Task 3

*Build / release tasks*

Task 1
Task 2
Task 3

*Documentation tasks*

Task 1
Task 2
Task 3

*Deprecation tasks*

Task 1
Task 2
Task 3
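
The three items in the Summary (log each failed authentication, count failures per key, blacklist after n failures) can be sketched as below. This is an added example, not Ceph code and not part of the original blueprint. The class name, the key strings, the sliding window and the blacklist expiry are all assumptions made for illustration.

```cpp
// Added illustration, not Ceph code: all names here are hypothetical.
#include <cstdint>
#include <deque>
#include <iostream>
#include <map>
#include <string>

class AuthFailureTracker {
public:
  // Blacklist a key after max_failures failed attempts within window_s
  // seconds; the blacklist entry expires after blacklist_s seconds.
  AuthFailureTracker(size_t max_failures, uint64_t window_s, uint64_t blacklist_s)
    : max_failures_(max_failures), window_s_(window_s), blacklist_s_(blacklist_s) {}

  // Record one failed authentication at time now (seconds, monotonic).
  // Returns true if this failure caused the key to be blacklisted.
  bool record_failure(const std::string& key, uint64_t now) {
    std::cerr << "auth failed key=" << key << " t=" << now << "\n";  // for monitoring
    auto& q = failures_[key];
    q.push_back(now);
    while (!q.empty() && now - q.front() >= window_s_) q.pop_front();
    if (q.size() < max_failures_) return false;
    blacklist_until_[key] = now + blacklist_s_;
    failures_.erase(key);
    return true;
  }

  // A successful authentication clears the failure history of the key.
  void record_success(const std::string& key) { failures_.erase(key); }

  // True while the key is blacklisted; expired entries are dropped.
  bool is_blacklisted(const std::string& key, uint64_t now) {
    auto it = blacklist_until_.find(key);
    if (it == blacklist_until_.end()) return false;
    if (now < it->second) return true;
    blacklist_until_.erase(it);
    return false;
  }

private:
  size_t max_failures_;
  uint64_t window_s_, blacklist_s_;
  std::map<std::string, std::deque<uint64_t>> failures_;  // key -> failure times
  std::map<std::string, uint64_t> blacklist_until_;       // key -> expiry time
};

int main() {
  AuthFailureTracker t(3, 60, 300);  // constructed sample values
  for (uint64_t now : {100u, 110u, 120u}) t.record_failure("ip:192.0.2.10", now);
  return t.is_blacklisted("ip:192.0.2.10", 130) ? 0 : 1;
}
```

To count per IP and per client, the caller records each failure under both keys. Blacklisting on the client name alone lets anyone who knows that name lock out the legitimate client, so the two key types may need different thresholds.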