我知道这是关于SO的一个很好的主题,但有人可以告诉我在django-admin保护上有一些第三方软件包支持django版本1.8 +和python 3.4+。我发现它似乎已经过时并支持< 1.7 django版本和python 2.7。
此外,有人可以解释我如何手动保护django-admin,在编写代码以保护django-admin免受暴力攻击时需要采取的步骤是什么?
答案 0 :(得分:0)
我使用两种方法:
身份验证后端缓存上次登录尝试并拒绝过于频繁的尝试。
from django.conf import settings
from django.contrib.auth.models import User
from django.contrib.auth.backends import ModelBackend
from django.core.cache import cache
import datetime
class BruteForceProtectedAuthBackend(ModelBackend):
def authenticate(self, username=None, password=None):
now = datetime.datetime.now()
last_login = cache.get(username + '-login-attempt', now - datetime.timedelta(days=1))
cache.set(username + '-login-attempt', now)
if (now - last_login) < datetime.timedelta(seconds=settings.AUTH_RATE):
return None
try:
user = User.objects.get(username=username)
if user.check_password(password):
return user
else:
return None
except User.DoesNotExist:
return None
def get_user(self, user_id):
try:
return User.objects.get(pk=user_id)
except User.DoesNotExist:
return None
中间件拒绝来自非本地IP地址的管理URL的请求。
from django.http import HttpResponseForbidden
from django.conf import settings
from ipware.ip import get_ip
class ProtectAdminSiteMiddleware(object):
def process_request(self, request):
if request.path.startswith(reverse('admin:index')):
remote_addr = get_ip(request)
if remote_addr is None:
return HttpResponseForbidden('Forbiden')
else:
if not remote_addr in settings.INTERNAL_IPS:
return HttpResponseForbidden('Forbiden')
return None