A standard method of rate limiting for OpenStack services would be a good thing to figure out.

On Jan 13, 2016 02:56, "Jordan Pittier" <[email protected]> wrote:

> Hi,
> Can't you just do some rate limiting at your webserver level?
>
> On Tue, Jan 12, 2016 at 3:55 PM, McPeak, Travis <[email protected]> wrote:
>
>> One issue to be aware of is the use of this as a Denial of Service vector. Basically an attacker can use this to lock out key accounts by continuously sending invalid passwords.
>>
>> Doing this might have unexpected and undesirable results, particularly in automated tasks.
>>
>> I think this feature has some definite uses, but we should definitely think through use and abuse cases, and probably allow a list of accounts that this should not be active for.
>>
>> -Travis
>>
>> On 1/12/16, 3:11 AM, "[email protected]" <[email protected]> wrote:
>>
>>> I have registered a new bp for keystone with the capability of anti brute force.
>>>
>>> Problem Description:
>>> Attacks on accounts are increasing in the cloud. The attacker steals the account information by guessing the password by brute force. Therefore, the ability of an account to resist brute force is necessary.
>>>
>>> Proposed Change:
>>> 1. Add two configuration properties to keystone: the threshold for the number of consecutive password errors, and the time the account stays locked when the number of password errors reaches the threshold.
>>> 2. Add two properties to the user information: the number of consecutive password errors, and the time of the last password error. When the number of consecutive password errors for an account reaches the threshold, the account will be locked for a period of time.
>>> 3. A locked account will unlock automatically when the locked status times out.
>>> 4. For the keystone APIs which use user_name and password for authentication, the response message will add an error description when the account is locked.
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: [email protected]?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
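The lockout model from the proposal (failure threshold, lock duration, per-user consecutive-error count and last-error time, automatic unlock, and a "locked" response), together with the denial-of-service abuse case and the exemption list raised in the replies, written out as an added Python example. This is not code from the thread or from Keystone; the configuration values, the account names and passwords, and the `AuthStore`/`UserRecord` names are constructed for the example, and PBKDF2 stands in for whatever password hashing the real service uses.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two configuration properties from the proposal (constructed values).
LOCKOUT_FAILURE_THRESHOLD = 3     # consecutive password errors before the lock engages
LOCKOUT_DURATION_SECONDS = 300    # how long the lock lasts before it expires on its own

# Accounts that must never be locked out: the exemption list suggested in the
# reply, so a stream of bad passwords cannot deny service to operator or
# service accounts. The name is hypothetical.
LOCKOUT_EXEMPT_USERS = {"admin"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2 (a stand-in for the service's own hashing)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class UserRecord:
    """Password verifier plus the two per-user properties the proposal adds."""
    name: str
    salt: bytes
    password_hash: bytes
    failure_count: int = 0                     # consecutive password errors
    last_failure_time: Optional[float] = None  # time of the most recent error


class AuthStore:
    def __init__(self, users: List[UserRecord]):
        self.users: Dict[str, UserRecord] = {u.name: u for u in users}

    def is_locked(self, user: UserRecord, now: float) -> bool:
        if user.name in LOCKOUT_EXEMPT_USERS:
            return False
        if user.failure_count < LOCKOUT_FAILURE_THRESHOLD:
            return False
        # Item 3 of the proposal: the lock expires by itself after the duration.
        return (now - user.last_failure_time) < LOCKOUT_DURATION_SECONDS

    def authenticate(self, name: str, password: str, now: float) -> str:
        """Return 'ok', 'invalid' or 'locked' (item 4: the caller is told about the lock)."""
        user = self.users.get(name)
        if user is None:
            return "invalid"  # same answer as a wrong password, so usernames are not enumerable
        if self.is_locked(user, now):
            return "locked"
        if user.failure_count >= LOCKOUT_FAILURE_THRESHOLD:
            # The lock window has elapsed (or the user is exempt): start a fresh count.
            user.failure_count = 0
            user.last_failure_time = None
        if hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
            user.failure_count = 0
            user.last_failure_time = None
            return "ok"
        user.failure_count += 1
        user.last_failure_time = now
        return "invalid"


def make_store() -> AuthStore:
    """Constructed users: a regular account and an exempt operator account."""
    records = []
    for name, pw in (("alice", "correct-horse"), ("admin", "battery-staple")):
        salt = os.urandom(16)
        records.append(UserRecord(name, salt, hash_password(pw, salt)))
    return AuthStore(records)


def lockout_scenario() -> Dict[str, object]:
    """Walk through the abuse case from the thread and the exemption that blunts it."""
    store = make_store()
    t = 1000.0
    # Someone who knows only the username sends wrong passwords at alice.
    attacker = [store.authenticate("alice", "guess%d" % i, t + i)
                for i in range(LOCKOUT_FAILURE_THRESHOLD)]
    # alice now presents the right password and is still refused: the DoS the reply warns about.
    alice_during_lock = store.authenticate("alice", "correct-horse", t + 10)
    # After the lock duration the account unlocks automatically (item 3).
    alice_after_lock = store.authenticate("alice", "correct-horse", t + 2 + LOCKOUT_DURATION_SECONDS)
    # The same stream of bad passwords against an exempt account never locks it.
    for i in range(LOCKOUT_FAILURE_THRESHOLD):
        store.authenticate("admin", "guess%d" % i, t + i)
    admin_after_attack = store.authenticate("admin", "battery-staple", t + 10)
    return {
        "attacker": attacker,
        "alice_during_lock": alice_during_lock,
        "alice_after_lock": alice_after_lock,
        "admin_after_attack": admin_after_attack,
    }


if __name__ == "__main__":
    print(lockout_scenario())
```

The scenario makes the trade-off in the thread concrete: the counter stops password guessing after three tries, but the same three tries let anyone who knows a username keep its owner out until the lock expires, which is why the exempt list (and, as the later reply suggests, rate limiting in front of the service rather than per account) belongs in the design. Unknown usernames get the same "invalid" answer as a wrong password so the lockout logic does not become a username oracle.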
