Re: Prevent brute-force password attacks?

2009-11-30 Thread tie
Here is a fresh module dealing with brute force cracking attempts:
http://code.google.com/p/django-brutebuster/


On Nov 9, 11:57 pm, Adam Seering  wrote:
> Hi,
>         Does there exist any code for Django to help defeat brute-force login
> attempts?  Something like blocking IP addresses from logging in if they
> try and fail too many times, etc.
>
> Adam

--

You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.




Re: Prevent brute-force password attacks?

2009-11-12 Thread rebus_
How about using some system that after a few failed logins gives some
CAPTCHA to solve? I think it's an OK way to get rid of some bots.

I think it could be easily done by setting up custom login view.





Re: Prevent brute-force password attacks?

2009-11-11 Thread Adam Seering

Hi,
Jorge:  Thanks for the link; that's close to what we want.  It looks 
like it's not so good at blocking broadcasts:

f4nt:  Actually, convincing users to choose smarter usernames/passwords 
would not help us much:

We run online registrations for large (in-person) events.  Our contact 
time with each user is very short, our ability to field support requests 
is quite small, and a subset of our users are very much not technically 
savvy (so forcing them to create good passwords would create a 
significant support burden).  Also, the cost of an individual account 
compromise is relatively low; the only real cost would be exposure of 
that user's moderately-sensitive personal information 
(name/address/phone# at worst; no CC#/SSN/etc), and we're comfortable 
saying "hey, you chose a really bad password; we tried, but there's not 
much we can do if that's your choice"...

The use case we care most about is a mass account cracking where 
someone changes or resets enough event registrations to disrupt 
attendance estimates.  Given that this is entirely preventative (we 
haven't had this problem before, but we're evaluating our security to 
make sure we're doing as good a job as we can be), it'd seem reasonable 
to have a programmatic catch for someone logging into a bunch of 
accounts in succession after a bunch of failed tries with each.

Further thoughts are certainly welcome, though.

Adam


On 11/9/09 5:06 PM, f4nt wrote:
>
> Yes, teaching users to not choose stupid username/password
> combinations. That's the only correct/true fix. Are you worried about
> the traffic that it consumes? If so, you continue to play in dicey
> territory, since you're trying to deduce harmful bots from potentially
> stupid users that just can't remember their account information. Yes,
> it's easy to see the difference in the aftermath with human eyes;
> seeing it as it happens with code, and being right 100% (which is the
> only acceptable percentage in the case of usability), is difficult.
>
> I don't personally know if anything exists to do what you want to do,
> but it shouldn't be incredibly hard to write. You could log all the
> IPs to the database, compare the frequency, and then what you do with
> them from there is up to you. You could redirect the user elsewhere,
> or serve them 404s to make them think the content's gone (could have
> ill effects on SEO in rare cases). Then you could cron up a purge
> scenario, after so many days, or if you definitely don't like the IP
> you could write the IPs out to your firewall's blacklist (at least,
> easy to do in shorewall). Ironically, doing all that will create
> potentially more database calls and traffic than just weathering the
> storm. Your call.
>
> Btw, don't mean to be blunt/rude, as that's not my intention. Just
> dealt with a lot of these scenarios as a sys admin in a former life,
> and the answer is always to beat users over the head until they stop
> choosing "god/god" as their username/password combination.
>
> On Nov 9, 3:57 pm, Adam Seering  wrote:
>> Hi,
>>  Does there exist any code for Django to help defeat brute-force 
>> login
>> attempts?  Something like blocking IP addresses from logging in if they
>> try and fail too many times, etc.
>>
>> Adam


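The "programmatic catch" Adam describes (one client logging into a bunch of accounts in succession, each after a bunch of failed tries) can be written as a batch check over the login log rather than as a login-time block. The following is an added example written for this page, not code from the thread, from django-axes or from django-brutebuster. It assumes a constructed log format of `timestamp ip username FAIL|OK` (sample lines embedded below, invented for the example) and treats a client IP as suspicious when, inside a time window, it succeeds on several distinct accounts that it had first failed on. The thresholds are assumptions to tune against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from the thread): timestamp, client IP,
# username, result. 203.0.113.7 fails on several accounts and then gets into
# each; 198.51.100.4 is one forgetful user; 192.0.2.9 logs in cleanly.
SAMPLE_LOG = """\
2009-11-09T15:57:01 203.0.113.7 alice FAIL
2009-11-09T15:57:02 203.0.113.7 alice FAIL
2009-11-09T15:57:03 203.0.113.7 alice OK
2009-11-09T15:57:05 203.0.113.7 bob FAIL
2009-11-09T15:57:06 203.0.113.7 bob OK
2009-11-09T15:57:08 203.0.113.7 carol FAIL
2009-11-09T15:57:09 203.0.113.7 carol FAIL
2009-11-09T15:57:10 203.0.113.7 carol OK
2009-11-09T15:58:00 198.51.100.4 dave FAIL
2009-11-09T15:58:30 198.51.100.4 dave FAIL
2009-11-09T15:59:10 198.51.100.4 dave OK
2009-11-09T16:00:00 192.0.2.9 erin OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, user, result == "OK"


def find_mass_account_cracking(log_text, window_seconds=600, min_accounts=3):
    """Return {ip: [accounts]} for each client IP that, inside one window,
    logged into at least `min_accounts` distinct accounts where each success
    came after one or more failed attempts on that same account from that IP.

    A single user who mistypes and then gets in produces exactly one such
    account, so the distinct-account threshold is what separates them from
    someone working through a list of registrations."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        failures = defaultdict(int)  # username -> failures since last success
        cracked = []                 # (timestamp, username) of fail-then-success
        for ts, user, ok in evs:
            if ok:
                if failures[user] > 0:
                    cracked.append((ts, user))
                failures[user] = 0
            else:
                failures[user] += 1
        # Slide a window over the fail-then-success events, oldest first.
        for i, (start, _) in enumerate(cracked):
            accounts = {u for t, u in cracked[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = sorted(accounts)
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_mass_account_cracking(SAMPLE_LOG).items():
        print(f"{ip}: got into {len(accounts)} accounts after failures: {accounts}")
```

Two caveats a practitioner would want: an attacker spread across many source addresses never crosses the per-IP threshold, and a shared NAT (the Wi-Fi at the event itself) will legitimately show many accounts from one IP, which is why the check requires a preceding failure on each account rather than counting distinct logins alone.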



Re: Prevent brute-force password attacks?

2009-11-09 Thread f4nt

Yes, teaching users to not choose stupid username/password
combinations. That's the only correct/true fix. Are you worried about
the traffic that it consumes? If so, you continue to play in dicey
territory, since you're trying to deduce harmful bots from potentially
stupid users that just can't remember their account information. Yes,
it's easy to see the difference in the aftermath with human eyes;
seeing it as it happens with code, and being right 100% (which is the
only acceptable percentage in the case of usability), is difficult.

I don't personally know if anything exists to do what you want to do,
but it shouldn't be incredibly hard to write. You could log all the
IPs to the database, compare the frequency, and then what you do with
them from there is up to you. You could redirect the user elsewhere,
or serve them 404s to make them think the content's gone (could have
ill effects on SEO in rare cases). Then you could cron up a purge
scenario, after so many days, or if you definitely don't like the IP
you could write the IPs out to your firewall's blacklist (at least,
easy to do in shorewall). Ironically, doing all that will create
potentially more database calls and traffic than just weathering the
storm. Your call.

Btw, don't mean to be blunt/rude, as that's not my intention. Just
dealt with a lot of these scenarios as a sys admin in a former life,
and the answer is always to beat users over the head until they stop
choosing "god/god" as their username/password combination.

On Nov 9, 3:57 pm, Adam Seering  wrote:
> Hi,
>         Does there exist any code for Django to help defeat brute-force login
> attempts?  Something like blocking IP addresses from logging in if they
> try and fail too many times, etc.
>
> Adam
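Two suggestions in this thread, f4nt's "log the IPs, compare the frequency, and decide what to do with them" above and rebus_'s "after a few failed logins, demand a CAPTCHA from a custom login view" earlier, fit one escalating gate. The code below is an added example for this page, not code from the thread or from either Django module mentioned in it. It keeps failure timestamps in memory rather than in the database, and assumes a constructed `USERS` table and invented thresholds; a real Django view would call `django.contrib.auth.authenticate()` where `attempt_login` consults `USERS`, and would render a real CAPTCHA where the example takes a `captcha_solved` flag.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed credential store (example only): username -> password.
# A real Django view would call django.contrib.auth.authenticate() instead.
USERS = {"alice": "correct horse", "bob": "s3cret"}


class LoginGate:
    """Per-IP failure tracker. After `captcha_after` recent failures the
    login form must carry a solved CAPTCHA; after `block_after` failures
    the IP is refused for `lockout` seconds. Failures older than `window`
    seconds are forgotten, so a forgetful user is not punished forever."""

    def __init__(self, captcha_after=3, block_after=10, window=600, lockout=900):
        self.captcha_after = captcha_after
        self.block_after = block_after
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of failures
        self.blocked_until = {}             # ip -> time the lockout ends

    def _prune(self, ip, now):
        """Drop failures outside the window; return how many remain."""
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def state(self, ip, now=None):
        """'blocked', 'captcha' or 'allow' for this IP right now."""
        now = time.time() if now is None else now
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"
        return "captcha" if self._prune(ip, now) >= self.captcha_after else "allow"

    def record_failure(self, ip, now=None):
        now = time.time() if now is None else now
        self.failures[ip].append(now)
        if self._prune(ip, now) >= self.block_after:
            self.blocked_until[ip] = now + self.lockout
            self.failures[ip].clear()  # start fresh once the lockout ends

    def record_success(self, ip):
        self.failures.pop(ip, None)


def attempt_login(gate, ip, username, password, captcha_solved=False, now=None):
    """Stand-in for a custom login view. Returns one of
    'ok', 'bad-credentials', 'captcha-required', 'blocked'."""
    now = time.time() if now is None else now
    state = gate.state(ip, now)
    if state == "blocked":
        return "blocked"
    if state == "captcha" and not captcha_solved:
        return "captcha-required"  # refuse before touching the password at all
    stored = USERS.get(username, "")
    # Constant-time comparison; unknown usernames still go through it.
    match = hmac.compare_digest(stored.encode(), password.encode())
    if username in USERS and match:
        gate.record_success(ip)
        return "ok"
    gate.record_failure(ip, now)
    return "bad-credentials"


def demo():
    """Scripted sequence against a fixed clock; returns each attempt's outcome."""
    gate = LoginGate(captcha_after=3, block_after=5, window=600, lockout=900)
    ip, t0 = "203.0.113.7", 1_000_000.0
    tries = [
        ("alice", "wrong", False, t0),               # 1st failure
        ("alice", "wrong", False, t0 + 1),           # 2nd
        ("alice", "wrong", False, t0 + 2),           # 3rd: CAPTCHA now required
        ("alice", "correct horse", False, t0 + 3),   # right password, no CAPTCHA
        ("alice", "correct horse", True, t0 + 4),    # CAPTCHA solved: ok, counter reset
        ("bob", "wrong", False, t0 + 5),
        ("bob", "wrong", False, t0 + 6),
        ("bob", "wrong", False, t0 + 7),
        ("bob", "wrong", True, t0 + 8),              # 4th failure
        ("bob", "wrong", True, t0 + 9),              # 5th: lockout starts
        ("bob", "s3cret", True, t0 + 10),            # right password, but blocked
        ("bob", "s3cret", False, t0 + 910),          # lockout over, counters reset
    ]
    return [attempt_login(gate, ip, u, p, captcha_solved=c, now=t) for u, p, c, t in tries]


if __name__ == "__main__":
    for i, outcome in enumerate(demo(), 1):
        print(f"attempt {i}: {outcome}")
```

The gate is keyed on the source IP only, which is what the thread asks for; it cannot stop an attacker who spreads attempts over many addresses, and it will make everyone behind one shared NAT solve a CAPTCHA together, so in practice a per-account counter is kept alongside it.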



Re: Prevent brute-force password attacks?

2009-11-09 Thread Jorge Bastida
Check http://code.google.com/p/django-axes/
Bye !

2009/11/9 Adam Seering 

>
> Hi,
>Does there exist any code for Django to help defeat brute-force
> login
> attempts?  Something like blocking IP addresses from logging in if they
> try and fail too many times, etc.
>
> Adam


-- 
Benito Jorge Bastida
jo...@thecodefarm.com

thecodefarm SL
Av. Gasteiz 21, 1º Derecha
01008 Vitoria-Gasteiz
http://thecodefarm.com
Tel: (+34) 945 06 55 09




Prevent brute-force password attacks?

2009-11-09 Thread Adam Seering

Hi,
Does there exist any code for Django to help defeat brute-force login 
attempts?  Something like blocking IP addresses from logging in if they 
try and fail too many times, etc.

Adam

