Ceph

h3. +*Security - CephX brute-force protection through auto-blacklisting*+

*Summary*

Currently there is no easy way to detect and protect the CephX authentication framework against brute-force attacks. As discussed at this OpenStack Summit presentation [1].

What we need is:

* extend code to log all failed CephX authentications to enable monitoring to pick up these events

* add a logger to CephX to count failed attempts (per IP, Client, ...)

* add a configurable "auto-blacklist" mechanism to exclude clients after n-failed attempts

[1] http://www.slideshare.net/dalgaaf/open-stacksummitvancouver-cephsecurity

*Owners*

Danny Al-Gaaf (Deutsche Telekom)

Name (Affiliation)

Name

*Interested Parties*

If you are interested in contributing to this blueprint, or want to be a "speaker" during the Summit session, list your name here.

Name (Affiliation)

Name (Affiliation)

Name

*Current Status*

Noting implemented yet!

*Detailed Description*

Open Questions:

* Log events based on source IP or other information?

* Blocking:

** Is it something that we want in Ceph itself or should the blocking task be passed to external monitoring?

** Does it makes sense to block IPs? This may lead to block complete hosts with multiple VMs from different tenants.

** Log false attemts to database to have this information available even after restart of the MONs?

** If we block: need interface to check log entries, enable and disable blocking on entry base

** Unblock after a defined time?

*Work items*

TBD

*Coding tasks*

Task 1

Task 2

Task 3

*Build / release tasks*

Task 1

Task 2

Task 3

*Documentation tasks*

Task 1

Task 2

Task 3

*Deprecation tasks*

Task 1

Task 2

Task 3