Saturday, July 9, 2011

Re: throttling login attempts to avoid brute force attacks

On Jul 8, 11:03 am, Shawn Milochik <sh...@milochik.com> wrote:
> This topic came up on the list a few months back, and I just wanted to
> share the solution I've put into place.
>
> Short version:
>
> 1. Ensure that my Web server (nginx) passes the user's real IP address
> in the request.
>
> 2. For POST requests to the login URL only (to avoid any performance
> side-effects), keep a rolling count of the number of requests by the IP in
> the past five minutes and use that to limit the number of attempts.
> Return HttpResponseForbidden with a message about too many login attempts.
>
> Justification:
>
>      I'm using IP instead of user because this prevents an attacker from
> inconveniencing a legit user or getting a "fresh start" just by guessing
> a different username.
>
>      I'm throttling instead of locking the account (temporarily or
> permanently) to prevent attackers from locking out legitimate users.
>
> Details (implemented in middleware):
>
>      The middleware file creates an in-memory sqlite3 database.
>
>      All requests that aren't POSTs or to the login URL are ignored.
>
>      POST requests to the login URL cause these actions, in this order:
>          Get count of requests in last five minutes.
>          Return HttpResponseForbidden message if count is excessive.
>          Delete database entries greater than five minutes old.
>          Log this attempt.
>
> That's it. Pretty simple and effective. I hope others find it useful,
> and point out any flaws I may have missed.

Thanks for sharing your technique. I've been thinking about doing this
too. I was considering using Redis since I'm already using it for a
few other things and it has nice key expire functionality so it can do
the timeouts for you.

In addition to Simon W's solution, posted earlier, here are some other
related projects:

Instead of middleware, this one uses a decorator around any given URL.
It uses memcached, but it has a backend architecture so you could use
something else:

https://github.com/jsocol/django-ratelimit

This one also uses a decorator to wrap the contrib.auth login view,
but it also only flags POST requests that fail (don't redirect). It
seems a bit more heavyweight since it is writing to the DB to do the
logging.

https://bitbucket.org/codekoala/django-axes

BN
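The throttling middleware quoted above, as an added example that is not code from the original thread: a pure-Python sliding-window counter over an in-memory sqlite3 table, performing the four steps in the order the post lists them (count, reject if excessive, purge old rows, log this attempt). The login path, the attempt threshold and the injectable clock are my assumptions; the post states neither a path nor a number.

```python
import sqlite3
import time

WINDOW_SECONDS = 300            # the five-minute rolling window from the post
MAX_ATTEMPTS = 10               # assumed threshold; the post gives no number
LOGIN_PATH = "/accounts/login/" # assumed login URL


class LoginThrottle:
    """Per-IP sliding-window counter of login POSTs, backed by an
    in-memory sqlite3 database as in the quoted middleware."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.time):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock  # injectable so tests can move time forward
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE attempts (ip TEXT NOT NULL, ts REAL NOT NULL)")
        self.db.execute("CREATE INDEX attempts_ip_ts ON attempts (ip, ts)")

    def allow(self, ip):
        """True if this login POST may proceed, False if it should get a 403."""
        now = self.clock()
        cutoff = now - self.window
        # Step 1: count this IP's attempts inside the window.
        (count,) = self.db.execute(
            "SELECT COUNT(*) FROM attempts WHERE ip = ? AND ts > ?", (ip, cutoff)
        ).fetchone()
        # Step 2: reject if excessive (rejected attempts are not logged, as posted).
        if count >= self.max_attempts:
            return False
        # Step 3: purge entries older than the window, for every IP.
        self.db.execute("DELETE FROM attempts WHERE ts <= ?", (cutoff,))
        # Step 4: log this attempt.
        self.db.execute("INSERT INTO attempts (ip, ts) VALUES (?, ?)", (ip, now))
        self.db.commit()
        return True


def should_throttle(method, path):
    """Only POSTs to the login URL are examined; everything else is ignored."""
    return method == "POST" and path == LOGIN_PATH


def process_request(throttle, method, path, ip):
    """Middleware-style hook: None lets the request through, 403 means forbidden."""
    if not should_throttle(method, path):
        return None
    return None if throttle.allow(ip) else 403
```

The `ip` passed in must be the client address your front-end proxy forwards, not a header an arbitrary client can set, or the whole counter can be sidestepped.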

--
You received this message because you are subscribed to the Google Groups "Django users" group.
