Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / Documentação do SUSE Enterprise Storage 7.1 / Security Hardening Guide / Hardening meassures / Prevent Denial Of Service (DoS)
Applies to SUSE Enterprise Storage 7.1

5 Prevent Denial Of Service (DoS)

The most important piece in preventing Denial Of Service (DoS) is to put proper quotas on users and groups to ensure that clients can not exhaust resources easily. While this is not the only way a client can impact your cluster, it's the easiest one and also can happen by accident. For details on how to setup quotas please refer to Seção 23.6, “Definindo cotas do CephFS” and Seção 21.5.2.4, “Habilitando o gerenciamento de cotas de usuários”.

Important
Important

Be aware that CephFS quotas are enforced client side, so a malicious client can ignore them and exceed the limitations. If this is a concern in your environment, do not use CephFS.

To set the quotas conviniently you can use the Ceph Dashboard.

Quotas in the dashboard
Figure 5.1: Quotas in the dashboard

Current Ceph versions do not offer advanced ways of preventing malicious clients from attacking the availability of the cluster (for exmaple, with many open connections). To ensure you notice an attack or a misconfiguration, you need to setup proper monitoring that will alert you if the cluster gets into a problematic state so you can investigate and if necessary act.