On Fri, Jul 8, 2011 at 5:03 PM, Shawn Milochik <[email protected]> wrote:
> This topic came up on the list a few months back, and I just wanted to > share the solution I've put into place. > > Short version: > > 1. Ensure that my Web server (nginx) passes the user's real IP address in > the request. > > 2. For POST requests to the login URL only (to avoid any performance > side-effects), keep a rolling count of number of requests by the IP in the > past five minutes and use that to limit the number of attempts. Return > HttpResponseForbidden with a message about too many log in attempts. > > Justification: > > I'm using IP instead of user because this prevents an attacker from > inconveniencing a legit user or getting a "fresh start" just by guessing a > different username. > > I'm throttling instead of locking the account (temporarily or > permanently) to prevent attackers from locking out legitimate users. > > Details (implemented in middleware): > > Middleware file creates an in-memory sqlite3 database. > Have you considered using an atomic caching server for storing the state of an IPs 'throttle' count? It has the added benefit of giving you future support for distributed use, wouldn't be as performance heavy as writing to a database, and deals with any race condition problems quite nicely. > > All requests that aren't POSTs or to the login URL are ignored. > > POST requests to the login URL cause these actions, in this order: > Get count of requests in last five minutes. > Return HttpResponseForbidden message if count is excessive. > Delete database entries greater than five minutes old. > Log this attempt. > > That's it. Pretty simple and effective. I hope others find it useful, and > point out any flaws I may have missed. > > > -- > You received this message because you are subscribed to the Google Groups > "Django users" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to django-users+unsubscribe@** > googlegroups.com <django-users%[email protected]>. > For more options, visit this group at http://groups.google.com/** > group/django-users?hl=en<http://groups.google.com/group/django-users?hl=en> > . > > -- You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
