Security - CephX brute-force protection through auto-blacklisting » History » Version 2
Danny Al-Gaaf, 07/01/2015 10:44 AM
h3. +*Security - CephX brute-force protection through auto-blacklisting*+

*Summary*

Currently there is no easy way to detect and protect the CephX authentication framework against brute-force attacks, as discussed in this OpenStack Summit presentation [1].

What we need is:

* extend the code to log all failed CephX authentications so that monitoring can pick up these events
* add a logger to CephX to count failed attempts (per IP, client, ...)
* add a configurable "auto-blacklist" mechanism to exclude clients after n failed attempts

[1] http://www.slideshare.net/dalgaaf/open-stacksummitvancouver-cephsecurity

*Owners*

Danny Al-Gaaf (Deutsche Telekom)
Name (Affiliation)
Name

*Interested Parties*

If you are interested in contributing to this blueprint, or want to be a "speaker" during the Summit session, list your name here.
Name (Affiliation)
Name (Affiliation)
Name

*Current Status*

Nothing implemented yet!

*Detailed Description*
Open Questions:

* Log events based on source IP or other information?
* Blocking:
** Is it something that we want in Ceph itself, or should the blocking task be passed to external monitoring?
** Does it make sense to block IPs? This may lead to blocking complete hosts with multiple VMs from different tenants.
** Log failed attempts to a database so that this information is still available after a restart of the MONs?
** If we block: we need an interface to check log entries and to enable and disable blocking per entry.
** Unblock after a defined time?
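As an added example (not Ceph code or part of this blueprint), the counting and auto-blacklist logic sketched in the Summary and Open Questions above: a per-key failed-attempt counter with a configurable threshold and a timed unblock, replayed over constructed log lines. The log line format, the field names and the FailedAuthTracker class are assumptions, since the blueprint does not define them; keying by source IP versus client entity shows the concern about blocking a whole host that carries several tenants' VMs.

```python
import re
from collections import defaultdict, deque
# Constructed log format: the blueprint does not define how a failed CephX
# authentication will be logged, so this line shape is an assumption.
LINE_RE = re.compile(r"^(?P<ts>\d+) cephx auth failed entity=(?P<entity>\S+) addr=(?P<ip>[\d.]+)$")

class FailedAuthTracker:
    """Hypothetical: per-key (source IP or client entity) failed-auth counter with threshold and timed unblock."""
    def __init__(self, threshold=5, window=60, block_time=300, key="ip"):
        self.threshold, self.window, self.block_time, self.key = threshold, window, block_time, key
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.blocked_until = {}             # key -> timestamp at which the block expires

    def observe(self, line):
        """Feed one log line; return the key this line got blacklisted, or None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts, k = int(m.group("ts")), m.group("ip" if self.key == "ip" else "entity")
        q = self.failures[k]
        q.append(ts)
        while ts - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        if len(q) >= self.threshold and not self.is_blocked(k, ts):
            self.blocked_until[k] = ts + self.block_time
            q.clear()
            return k
        return None

    def is_blocked(self, k, now):
        """True while `k` is blacklisted; an expired block is dropped (timed unblock)."""
        until = self.blocked_until.get(k)
        if until is not None and now >= until:
            del self.blocked_until[k]
            return False
        return until is not None

def run(lines, **kw):
    """Replay log lines through a tracker; return the keys blocked (in order) and the tracker."""
    tracker, blocked = FailedAuthTracker(**kw), []
    for line in lines:
        k = tracker.observe(line)
        if k is not None:
            blocked.append(k)
    return blocked, tracker

# Constructed sample: five different VMs on one host each fail once, plus one unrelated client failing once.
SAMPLE = [f"{100 + i} cephx auth failed entity=client.vm{i} addr=10.0.0.7" for i in range(5)]
SAMPLE.append("120 cephx auth failed entity=client.admin addr=10.0.0.9")
```

With key="ip" the five single failures from different VMs add up and the whole host 10.0.0.7 is blacklisted until the block time elapses; with key="entity" no client reaches the threshold.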

*Work items*

TBD

*Coding tasks*

Task 1
Task 2
Task 3

*Build / release tasks*

Task 1
Task 2
Task 3

*Documentation tasks*

Task 1
Task 2
Task 3

*Deprecation tasks*

Task 1
Task 2
Task 3