ssh brute force protection for Slave nodes
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Fuel for OpenStack | Fix Committed | Wishlist | Maksim Malchuk | |
Mitaka | Won't Fix | Wishlist | Maksim Malchuk | |
Bug Description
Detailed bug description:
Currently there doesn't exist any mechanism preventing multiple SSH login attempts on Fuel (MOS) slave nodes.
This is especially important as in the Fuel GUI there is an option to assign a public IP address to slave compute nodes.
Another thing to consider is that we've merged a patch which synchronizes the root password for all slave nodes, which has security implications.
Expected results:
Apply SSH rate limiting for NEW connections, similarly to https:/
For compute nodes, apply rate limiting with the exception of the appropriate IP subnetwork used for live migration by the nova-compute process (user 'nova' needs to spawn multiple SSH processes during KVM live migration).
Actual result:
Lack of sshd protection.
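One way the requested rule set could look, as an added example that is not part of the original bug report or of the Fuel code base. It prints iptables commands for review rather than applying them; the chain name `SSH_LIMIT`, the list name `ssh_new`, port 22, the default thresholds and the subnet `192.0.2.0/24` are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emits iptables commands that rate-limit NEW SSH connections
# per source address and exempt one subnet (the live-migration network on
# compute nodes). Nothing is applied; review the output before running it.

valid_cidr() {
    # Accept dotted-quad IPv4 with a /0../32 prefix, each octet <= 255.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    addr=${1%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

ssh_limit_rules() {
    # $1 = exempt subnet in CIDR form, or "" for nodes without an exemption
    # $2 = window in seconds, $3 = NEW connections per source in that window
    exempt=$1; seconds=${2:-60}; hitcount=${3:-4}
    case "$seconds$hitcount" in
        ''|*[!0-9]*) echo "seconds and hitcount must be integers" >&2; return 1 ;;
    esac
    # xt_recent remembers 20 packets per source by default (ip_pkt_list_tot),
    # so a larger hitcount would be rejected by the kernel module.
    if [ "$hitcount" -lt 1 ] || [ "$hitcount" -gt 20 ] || [ "$seconds" -lt 1 ]; then
        echo "need seconds >= 1 and hitcount in 1..20" >&2; return 1
    fi
    if [ -n "$exempt" ] && ! valid_cidr "$exempt"; then
        echo "invalid exempt subnet: $exempt" >&2; return 1
    fi
    echo "iptables -N SSH_LIMIT"
    # Only connection-opening packets are counted; established sessions pass.
    echo "iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_LIMIT"
    # Sources inside the exempt subnet leave the chain before any counting.
    [ -z "$exempt" ] || echo "iptables -A SSH_LIMIT -s $exempt -j RETURN"
    echo "iptables -A SSH_LIMIT -m recent --name ssh_new --set"
    echo "iptables -A SSH_LIMIT -m recent --name ssh_new --update --seconds $seconds --hitcount $hitcount -j DROP"
}

# Constructed sample: compute node whose live-migration network is 192.0.2.0/24.
ssh_limit_rules "192.0.2.0/24" 60 4
```

The RETURN rule has to stay ahead of the two `recent` rules, otherwise the burst of SSH sessions opened by user 'nova' during live migration is counted and dropped like any other source.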
information type: | Public → Public Security |
description: | updated |
Changed in fuel: | |
status: | New → Confirmed |
tags: | added: area-library team-bugfix |
tags: | added: feature |
tags: | removed: team-bugfix |
tags: | removed: need-info |
Changed in fuel: | |
status: | Confirmed → In Progress |
no longer affects: | fuel/newton |
Changed in fuel: | |
status: | In Progress → Confirmed |
tags: | added: feature-security |
(This check performed automatically)
Please, make sure that bug description contains the following sections filled in with the appropriate data related to the bug you are describing:
version
steps to reproduce
For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug