And here is another stab at it: http://code.google.com/p/django-brutebuster/

On Dec 17, 9:30 pm, Tom <[email protected]> wrote:
> Hello Everyone,
>
> I noticed that Django's contrib.auth doesn't provide a mechanism for
> detecting a password brute force attack. This is necessary for a
> couple of projects I'm working on, so I have to implement some kind of
> solution and would really like to do it in such a way that it could
> get contributed back to the community. I'd like to propose two
> possible variants of the way that system works and would appreciate
> feedback.
>
> The first option is the more user customizable one: I propose a new
> signal (possibly called LoginAttempt) which User.check_password()
> would fire before returning so that users could implement their own
> logging and lockout policies. This is likely what I will implement
> first so that our internal implementation doesn't interfere with
> future general implementations.
>
> The second option, which is much more thorough, would add a
> LoginAttemptLogEntry model which would look something like this:
>
> from django.contrib.auth.models import User
> from django.db import models
>
> class LoginAttemptLogEntry(models.Model):
>     user = models.ForeignKey(User, null=True)
>     # timestamp is set once, when the row is created
>     datetime = models.DateTimeField(auto_now_add=True)
>     success = models.BooleanField()
>
> Then either ModelBackend.authenticate() or User.check_password() would
> log each login attempt using the LoginAttemptLogEntry. Any user's
> account which had more than N (configurable in settings, default to
> 5?) consecutive unsuccessful login attempts would get locked. A
> successful password reset would then re-enable the account.
>
> I'd welcome any feedback, particularly from owners/committers of
> contrib.auth.
>
> Thanks,
>
> Tom
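
The lockout rule from the second option in the quoted proposal, as an added example (not part of the original thread, and not Django or django-brutebuster code). It is framework-free Python: `AttemptLog`, `LoginAttempt` and `MAX_CONSECUTIVE_FAILURES` are hypothetical names, and an in-memory list stands in for the proposed table.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

MAX_CONSECUTIVE_FAILURES = 5  # the proposal's "N" (assumed default)

@dataclass
class LoginAttempt:
    """Stand-in for one LoginAttemptLogEntry row."""
    user: Optional[str]  # None when the name matched no account
    when: datetime
    success: bool

@dataclass
class AttemptLog:
    entries: List[LoginAttempt] = field(default_factory=list)  # oldest first
    resets: Dict[str, datetime] = field(default_factory=dict)  # last reset per user

    def consecutive_failures(self, user: str) -> int:
        """Failures since the user's last success or password reset."""
        reset_at = self.resets.get(user)
        count = 0
        for entry in reversed(self.entries):
            if entry.user != user:
                continue  # other accounts never affect this one
            if entry.success:
                break
            if reset_at is not None and entry.when <= reset_at:
                break  # anything before the reset no longer counts
            count += 1
        return count

    def is_locked(self, user: str) -> bool:
        # "more than N consecutive unsuccessful login attempts"
        return self.consecutive_failures(user) > MAX_CONSECUTIVE_FAILURES

    def attempt(self, user: Optional[str], password_ok: bool, when: datetime) -> bool:
        """Log one attempt; return True only if the login is allowed."""
        if user is not None and self.is_locked(user):
            # Locked: reject even a correct password, but keep the audit trail.
            self.entries.append(LoginAttempt(user, when, False))
            return False
        self.entries.append(LoginAttempt(user, when, password_ok))
        return password_ok

    def password_reset(self, user: str, when: datetime) -> None:
        """A successful password reset re-enables the account."""
        self.resets[user] = when
```

Because the rule is keyed on the account, anyone who can submit failed logins can lock a known username until its owner resets the password; the log also supports counting per source address if that field is added.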
