Feature request: add check for alerting frequent horizon unsuccessful login attempt

Bug #1556338 reported by Andrii Petrenko
Affects | Status | Importance | Assigned to | Milestone
Mirantis OpenStack | Won't Fix | Wishlist | MOS Keystone |
8.0.x | Won't Fix | Wishlist | MOS Maintenance |
9.x | Won't Fix | Wishlist | MOS Maintenance |
StackLight | Confirmed | Wishlist | LMA-Toolchain Fuel Plugins |

Bug Description

For alerting on brute-force attacks against Horizon, please create a check/plugin for counting unsuccessful login attempts and set:

Total rate limit: warning threshold at 10 attempts per second, and 50 for critical.
Per-IP limits: warning threshold at 5 unsuccessful attempts, and 10 for critical. The threshold is reset by a successful attempt.

Thresholds should be adjustable by plugin configuration.
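The counters requested above, as an added illustration that is not part of the bug report or of any StackLight/LMA plugin: a Python monitor implementing the total-rate and per-IP thresholds, adjustable at construction time, with the per-IP counter reset by a successful login. The log record format, client addresses and timestamps are constructed for the example (this is not Horizon's real log format).

```python
from collections import defaultdict

class HorizonLoginMonitor:
    """Counts failed Horizon logins and raises warning/critical alerts.
    Thresholds default to the bug description's values and are adjustable.
    An alert fires once, when a counter reaches a threshold, not on every event above it.
    """

    def __init__(self, total_warn=10, total_crit=50, ip_warn=5, ip_crit=10):
        self.total = {"warning": total_warn, "critical": total_crit}
        self.per_ip = {"warning": ip_warn, "critical": ip_crit}
        self.fail_per_second = defaultdict(int)  # second -> failures in that second
        self.fail_per_ip = defaultdict(int)      # ip -> failures since last success

    @staticmethod
    def _crossed(count, thresholds):
        return [lvl for lvl, limit in thresholds.items() if count == limit]

    def observe(self, ts, ip, success):
        """Feed one login attempt; return alerts as (level, scope, key, count)."""
        if success:
            self.fail_per_ip.pop(ip, None)  # a successful login resets the per-IP counter
            return []
        sec = int(ts)
        self.fail_per_second[sec] += 1
        self.fail_per_ip[ip] += 1
        alerts = [(lvl, "total", sec, self.fail_per_second[sec])
                  for lvl in self._crossed(self.fail_per_second[sec], self.total)]
        alerts += [(lvl, "ip", ip, self.fail_per_ip[ip])
                   for lvl in self._crossed(self.fail_per_ip[ip], self.per_ip)]
        return alerts

def parse_line(line):
    """Parse a constructed '<epoch> <client ip> <OK|FAIL>' record (not Horizon's real format)."""
    ts, ip, outcome = line.split()
    return float(ts), ip, outcome == "OK"

# Constructed sample: one client fails 6 times, logs in, fails 4 more;
# then 10 different clients each fail once inside the same second.
SAMPLE_LOG = (["100.%d 203.0.113.7 FAIL" % i for i in range(6)]
              + ["100.6 203.0.113.7 OK"]
              + ["101.%d 203.0.113.7 FAIL" % i for i in range(4)]
              + ["200.%d 198.51.100.%d FAIL" % (i, i + 1) for i in range(10)])

def run(lines=SAMPLE_LOG, **thresholds):
    """Replay log lines through a monitor built with the given thresholds."""
    monitor = HorizonLoginMonitor(**thresholds)
    return [a for line in lines for a in monitor.observe(*parse_line(line))]
```

With the default thresholds the sample yields one per-IP warning (5 failures from 203.0.113.7) and one total-rate warning (10 failures in second 200); the 4 failures after the successful login raise nothing because the counter was reset.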

Andrii Petrenko (aplsms)
affects: fuel-plugins → mos
summary: - Feature request: add ceck for alerting frequent horizon usuccessful
+ Feature request: add check for alerting frequent horizon usuccessful
login attempt
Changed in lma-toolchain:
importance: Undecided → Wishlist
Dina Belova (dbelova) wrote : Re: Feature request: add check for alerting frequent horizon usuccessful login attempt

Andrii, isn't it more logical to modify this bug for Keystone?

tags: added: area-horizon enhancement
Andrii Petrenko (aplsms) wrote :

IMHO: Keystone serves many more services than just console logins. Adding that check for Keystone can produce a big number of "false positives" because of proxies and other services on the same IP.

As a former paranoid, I prefer both checks, and even more -- anomaly detection for login attempts. But that is overhead for such a case.

Dina Belova (dbelova) wrote :

I doubt that OpenStack services will often go with wrong credentials to compose that big number of false positives you're mentioning.

tags: added: area-keystone
removed: area-horizon
Changed in mos:
importance: Undecided → Wishlist
assignee: nobody → MOS Keystone (mos-keystone)
milestone: none → 10.0
status: New → Confirmed
Boris Bobrov (bbobrov) wrote :

This is major functionality and it should not live in a bug report. Please work with Sheena Gregson on developing new features.

There is also bug report https://bugs.launchpad.net/fuel/+bug/1509986. I was thinking about marking this bug report as a duplicate of it, but here we talk about banning users after failed attempts, not about limiting the number of (potentially malicious) requests.

I am marking the bug as won't fix.

Changed in mos:
status: Confirmed → Won't Fix
Changed in lma-toolchain:
status: New → Confirmed
assignee: nobody → LMA-Toolchain Fuel Plugins (mos-lma-toolchain)
milestone: none → 1.0.0
summary: - Feature request: add check for alerting frequent horizon usuccessful
+ Feature request: add check for alerting frequent horizon unsuccessful
login attempt
Adam Heczko (aheczko-mirantis) wrote :

This is in fact a feature request, but also a security issue / bug, compared to what alternative platforms offer out of the box. Not sure about the approach taken on the StackLight side; this type of attack could also be possible (theoretically) with the help of the Ceilometer alarming service and CADF.

tags: added: feature-security
Adam Heczko (aheczko-mirantis) wrote :

Update to previous comment:
Detection of this type of attack should also be possible with the help of the Ceilometer alarming service and CADF (at least in theory).

Changed in lma-toolchain:
milestone: 1.0.0 → none