Brute-force attack prevention on OpenStack controller

Brute-force attack prevention on OpenStack controller

The Identity service does not provide the brute-force protection capability. That is why, this use case will help you install the Web Application Firewall (WAF) with rules dedicated to mitigating and limiting the strength of the brute-force attack that an attacker outside runs through the OpenStack Dashboard service (Horizon) connected to the public network.

Caution

The use case has several limitations and does not cover the following type of attacks:

  • An external attack through the public Keystone endpoint, because it may lead to blocking proxy IPs when an attacker goes through the public OpenStack Dashboard. To prevent the brute-force attack on the Keystone level, enable notification of failed login attempts in the OpenStack Identity service. See Enable CADF notifications in Keystone for more details.

  • An internal attack from within the security perimeter when the Management network is compromised.

  • The brute-force prevention using IP blocking is useless for an attack strengthen by a botnet.

To prevent the brute-force attack that comes through the OpenStack Dashboard, on the OpenStack controller, complete the following steps:

  1. Install ModSecurity on the OpenStack controllers.

  2. Create brute-force rules for ModSecurity.

  3. Verify alerts generated by ModSecurity in log files.