From YouTube: CDS Jewel -- CephX brute-force protection
A
C
C
If it's, for example, let's say tried 10 times was the wrong key to authenticate on the system and then broken the questions here. What should we use to to block him? Should we use the IP address, or is there anything else we can use to identify the attacker? In this case, I mean blocking an IP would also lead to potentially blocking a complete host and therefore blocking multiple other VMs or tenants or whatever, and it could be a problem. Maybe yes.
A
A
Soft clients connects, they have my specific nods and they try to get it. I have them. They target local, unique ID designed to them by the monitors. I think that maybe after they actually authenticate so the rep you, but we can identify them not just by the IP, but also by the actual TCP connection there using okay.
A
My clients tonight they have their own unique identifier. It they generated based on I, had I think it's mostly a space in the process ID and yes.
A
D
D
Ever used fail2ban a lot and it has nothing to be pretty standard to at least on the Linux side, and I mean it's largely descript wherever you wanted the scans long log messages. So as long as you have a you know, descriptive enough log message saying this client by this IP address and authentication failed. Then you can write fail2ban rules and say well when I see this from this IP address this many times in this often, you know initiate the following action, which you can never run a new set command of CephX.
B
C
C
B
A
Could be an issue with things like the kernel client, like a current bank, reacting for many different, actual tenants using the like getting the same amount or different meds, but only trip.
B
That case, the client side in that that the trust of client portion needs to know enough to stop. In other words, if it's possible to get the client to consider to get the kernel client to constantly flood the monitors with incorrect authentication attempts, then the correct answer is total block them.
C
A
A
C
C
A
C
C
C
A
A
A
C
I mean in our case we run and virtualized network functions on this cloud and first you need to break all that transports. Reimer. Then you need to break out of the KVM and stands and it could be hard but yeah. It was something that's maybe easy to implement and would have a lot I I'm sure. So a lot of people may have this problem and.
C
C
If you mounted on the VM, then you have to write net focus on that would be another problem. So a client would maybe a bit always to add sessle, so I mean we don't use of as for now, but that would be the problematic case. I guess there. You need it at least because the client or the KVM instance guest tips as our full access rights until.
C
C
C
And add we discussed also in a lot of our estas day. One discussion you may be put shortly discusses to have a way to put the administration network or a network where the administrator connects to and send commands reply stir to a different network than the public network. Any question is what what, if it make sense for you for you or if it makes no sense and how much I thought that would be to have an additional network separate network for only the new commands in which water always keys, yeah yeah.
A
B
C
B
Curious thing: well, ok, so it would be pretty trivial to crash every owes to you in the cluster that that that wouldn't be hard. That would be really easy act, which is good by the way, because if they didn't crash they would do something really untoward which would be bad, but.
B
C
B
C
B
C
B
C
B
The the virtue of doing that is in systems where the administrative commands are the are the destructive ones, but in our case it's only in some of the problematic one. It may still be worth it. I don't know that it's that hard, but it wouldn't protect us from there out there. There is a large set of things it wouldn't protect us from. I guess.