[openstack-dev] [keystone][security] New BP for anti brute force in keystone
jordan.pittier at scality.com
Wed Jan 13 10:55:25 UTC 2016
Can't you just do some rate limiting at your webserver level ?
On Tue, Jan 12, 2016 at 3:55 PM, McPeak, Travis <travis.mcpeak at hpe.com>
> One issue to be aware of is the use of this as a Denial of Service
> vector. Basically an attacker can use this to lock out key accounts
> by continuously sending invalid passwords.
> Doing this might have unexpected and undesirable results,
> particularly in automated tasks.
> I think this feature has some definite uses, but we should definitely
> think through use and abuse cases, and probably allow a list of
> accounts that this should not be active for.
> On 1/12/16, 3:11 AM, "openstack-dev-request at lists.openstack.org" <
> openstack-dev-request at lists.openstack.org> wrote:
> >I have registered a new bp for keystone with the capability of anti brute
> >Problem Description:
> >the attacks of account are increasing in the cloud
> >the attacker steals the account information by guessing the password in
> brute force.
> >therefore, the ability of account in anti brute force is necessary.
> >proposed Change:
> >1. add two configure properties for keystone: threshold for times of
> password error consecutively, time of locked when password error number
> reaches the threshold.
> >2. add two properties of user information in times of password
> consecutive errors, and last password error time. when the password of an
> account error consecutively reaches threshold, the account will be locked
> with a few time.
> >3. locked account will unlock automatically when locked status time out
> >4. the APIs of keystone which use user_name and password for
> authentication, the message of response will add an error description when
> the account is locked
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev