[openstack-dev] [keystone][security] New BP for anti brute force in keystone

Morgan Fainberg morgan.fainberg at gmail.com
Wed Jan 13 14:21:40 UTC 2016


A standard method of rate limiting for OpenStack services would be a good
thing to figure out.
On Jan 13, 2016 02:56, "Jordan Pittier" <jordan.pittier at scality.com> wrote:

> Hi,
> Can't you just do some rate limiting at your webserver level?
>
> On Tue, Jan 12, 2016 at 3:55 PM, McPeak, Travis <travis.mcpeak at hpe.com>
> wrote:
>
>> One issue to be aware of is the use of this as a Denial of Service
>> vector.  Basically an attacker can use this to lock out key accounts
>> by continuously sending invalid passwords.
>>
>> Doing this might have unexpected and undesirable results,
>> particularly in automated tasks.
>>
>> I think this feature has some definite uses, but we should definitely
>> think through use and abuse cases, and probably allow a list of
>> accounts that this should not be active for.
>>
>>
>> -Travis
>>
>> On 1/12/16, 3:11 AM, "openstack-dev-request at lists.openstack.org" <
>> openstack-dev-request at lists.openstack.org> wrote:
>>
>> >I have registered a new BP for keystone with an anti brute force
>> >capability.
>> >
>> >
>> >Problem Description:
>> >Attacks on accounts are increasing in the cloud. The attacker steals the
>> >account information by guessing the password by brute force. Therefore,
>> >the ability of an account to resist brute force is necessary.
>> >
>> >Proposed Change:
>> >1. Add two configuration properties for keystone: a threshold for the
>> >number of consecutive password errors, and the lock time applied when the
>> >number of password errors reaches the threshold.
>> >2. Add two properties to the user information: the number of consecutive
>> >password errors, and the time of the last password error. When the
>> >consecutive password errors of an account reach the threshold, the account
>> >will be locked for a period of time.
>> >3. A locked account will unlock automatically when the lock time expires.
>> >4. The keystone APIs which use user_name and password for authentication
>> >will add an error description to the response message when the account is
>> >locked.
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
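As an added illustration (not code from the blueprint, from keystone, or from anyone in this thread), the following sketches the lockout state the proposed change describes, together with the exemption list Travis suggests for accounts that must never be locked out; the policy values, class names and the injectable clock are constructed for this example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed example of the blueprint's lockout logic; not keystone code.


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5            # consecutive password errors before locking
    lock_seconds: float = 300.0      # how long the account stays locked
    exempt_users: frozenset = frozenset()  # accounts never locked (e.g. service accounts)


@dataclass
class UserAuthState:
    failed_attempts: int = 0                 # consecutive password errors so far
    last_failure: Optional[float] = None     # timestamp of the last password error


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock                   # injectable so tests can advance time
        self.states: Dict[str, UserAuthState] = {}

    def _state(self, user: str) -> UserAuthState:
        return self.states.setdefault(user, UserAuthState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        if user in self.policy.exempt_users or st.failed_attempts < self.policy.max_failures:
            return False
        # Auto-unlock once the lock period has elapsed since the last failure.
        if self.clock() - st.last_failure >= self.policy.lock_seconds:
            st.failed_attempts, st.last_failure = 0, None
            return False
        return True

    def authenticate(self, user: str, password_ok: bool) -> Tuple[bool, str]:
        """password_ok is the outcome of the real credential check; returns (success, message)."""
        if self.is_locked(user):
            # Checked first: a correct password is rejected while the lock is active.
            return False, "account locked due to repeated password failures"
        st = self._state(user)
        if password_ok:
            st.failed_attempts, st.last_failure = 0, None
            return True, "ok"
        st.failed_attempts += 1
        st.last_failure = self.clock()
        return False, "invalid credentials"
```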

