This is a draft document that was built and uploaded automatically. It may document beta software and be incomplete or even incorrect. Use this document at your own risk.

Applies to SUSE Enterprise Storage 7

5 Prevent Denial Of Service (DoS)

The most important step in preventing Denial Of Service (DoS) is to put proper quotas on users and groups to ensure that clients cannot easily exhaust resources. While this is not the only way a client can impact your cluster, it is the easiest one and can also happen by accident. For details on how to set up quotas, refer to Book “Administration and Operations Guide”, Chapter 23 “Clustered file system”, Section 23.6 “Setting CephFS quotas” and Book “Administration and Operations Guide”, Chapter 21 “Ceph Object Gateway”, Section 21.5.2.4 “Enabling user quota management”.

Important

Be aware that CephFS quotas are enforced client side, so a malicious client can ignore them and exceed the limitations. If this is a concern in your environment, do not use CephFS.

To set the quotas conveniently, you can use the Ceph Dashboard.

Figure 5.1: Quotas in the dashboard

Current Ceph versions do not offer advanced ways of preventing malicious clients from attacking the availability of the cluster (for example, with many open connections). To ensure you notice an attack or a misconfiguration, you need to set up proper monitoring that alerts you if the cluster gets into a problematic state, so you can investigate and, if necessary, act.
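
Because CephFS quotas are enforced client side, one check that monitoring can run is to compare the recursive usage recorded for a directory with its configured quota and to flag directories that have no quota at all. The following Python script is an added example, not part of the SUSE guide; it assumes a mounted CephFS exposing the `ceph.quota.max_bytes` and `ceph.dir.rbytes` virtual extended attributes, and the paths and values in `SAMPLE` are constructed.

```python
import errno
import os

QUOTA = "ceph.quota.max_bytes"   # limit set by the administrator (0 or unset = none)
USED = "ceph.dir.rbytes"         # recursive byte count maintained by the MDS

def read_int_xattr(path, name, getx=None):
    """Return a CephFS virtual xattr as an int; 0 if unset or unsupported."""
    getx = getx or os.getxattr   # resolved lazily: os.getxattr is Linux-only
    try:
        return int(getx(path, name).decode().strip("\x00") or 0)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return 0
        raise                    # permission or I/O errors must not look like "no quota"

def audit_quotas(dirs, getx=None):
    """Map each directory to (status, used_bytes, limit_bytes)."""
    findings = {}
    for d in dirs:
        limit = read_int_xattr(d, QUOTA, getx)
        used = read_int_xattr(d, USED, getx)
        status = "no-quota" if limit == 0 else "over-quota" if used > limit else "ok"
        findings[d] = (status, used, limit)
    return findings

# Constructed sample standing in for a mounted CephFS (paths are hypothetical).
SAMPLE = {
    ("/mnt/cephfs/home/alice", QUOTA): b"1000000000",
    ("/mnt/cephfs/home/alice", USED): b"250000000",
    ("/mnt/cephfs/home/bob", QUOTA): b"1000000000",
    ("/mnt/cephfs/home/bob", USED): b"1400000000",   # wrote past the quota
    ("/mnt/cephfs/home/carol", USED): b"73",         # no quota configured
}

def sample_getx(path, name):
    """Stand-in for os.getxattr that reads SAMPLE instead of a file system."""
    if (path, name) not in SAMPLE:
        raise OSError(errno.ENODATA, "No data available")
    return SAMPLE[(path, name)]

if __name__ == "__main__":
    # On a real mount, pass the directories to check and omit sample_getx.
    for d, f in audit_quotas(sorted({p for p, _ in SAMPLE}), sample_getx).items():
        print(d, *f)
```

Recursive statistics are propagated lazily, so a directory reported as `ok` may lag behind recent writes; treat `over-quota` and `no-quota` results as items to investigate.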