Evgenij LegotskojJan. 9, 2017, 8:45 p.m.

Django - Tutorial 018. Hackers blocking IP when attempting to password guessing on Django

After we replaced the login page Django on his own customized login page , the time has come to use this substitution for the purpose of improving the security of the site. For example, the introduction of an IP attacker blocking when attempting to password guessing.

I propose such blocking variant: the three failed attempting to enter a password IP blocked for 15 minutes, if such blocking occurs for 15 minutes 3 times, then blocked IP for 24 hours.

To implement the blocking we required model, which will be located 4 fields:

  • IP address;
  • The number of password attempts;
  • Unblock time;
  • Blocking Status - True - if blocked, False - if not blocked.

Just show the result of blockages in the admin site for a couple of months already accumulated a small collection.


Now let's see how the model will look for temporary blocking of password cracking, as well as how to set up the admin panel to table locks look as shown in the figure above.

from django.db import models
from django.contrib import admin

class TemporaryBanIp(models.Model):
    class Meta:
        db_table = "TemporaryBanIp"

    ip_address = models.GenericIPAddressField("IP адрес")
    attempts = models.IntegerField("Неудачных попыток", default=0)
    time_unblock = models.DateTimeField("Время разблокировки", blank=True)
    status = models.BooleanField("Статус блокировки", default=False)

    def __str__(self):
        return self.ip_address

class TemporaryBanIpAdmin(admin.ModelAdmin):
    list_display = ('ip_address', 'status', 'attempts', 'time_unblock')
    search_fields = ('ip_address',)


Register model in the admin

from django.contrib import admin
from .models import TemporaryBanIp, TemporaryBanIpAdmin

admin.site.register(TemporaryBanIp, TemporaryBanIpAdmin)


Modify the post method of customized login page from the last article. This code also uses a special function to obtain the IP address of the request .

class ELoginView(View):

    # source of get method

    def post(self, request):
        # get data of forms from request
        form = AuthenticationForm(request, data=request.POST)

        # get IP adress form request
        ip = get_client_ip(request)
        # We obtain or create a new entry for the IP, with which to enter a password for blocking
        obj, created = TemporaryBanIp.objects.get_or_create(
                'ip_address': ip,
                'time_unblock': timezone.now()

        # if an IP is locked and unlocking time has not come
        if obj.status is True and obj.time_unblock > timezone.now():
            context = create_context_username_csrf(request)
            if obj.attempts == 3 or obj.attempts == 6:
                # then open the page with the message blocking for 15 minutes at 3 and 6 failed login attempting to login
                return render_to_response('accounts/block_15_minutes.html', context=context)
            elif obj.attempts == 9:
                # or open the page about blocking for 24 hours, with 9 of failed login attempting to login
                return render_to_response('accounts/block_24_hours.html', context=context)
        elif obj.status is True and obj.time_unblock < timezone.now():
            # if the IP is blocked, but the release time has come, then unlock IP
            obj.status = False

        # if the user entered the correct data, authorizing it, and remove the entry for IP blocking
        if form.is_valid():
            auth.login(request, form.get_user())

            next = urlparse(get_next_url(request)).path
            if next == '/admin/login/' and request.user.is_staff:
                return redirect('/admin/')
            return redirect(next)
            # otherwise count attempts to set the time and unlock and lock status 
            obj.attempts += 1
            if obj.attempts == 3 or obj.attempts == 6:
                obj.time_unblock = timezone.now() + timezone.timedelta(minutes=15)
                obj.status = True
            elif obj.attempts == 9:
                obj.time_unblock = timezone.now() + timezone.timedelta(1)
                obj.status = True
            elif obj.attempts > 9:
                obj.attempts = 1

        context = create_context_username_csrf(request)
        context['login_form'] = form

        return render_to_response('accounts/login.html', context=context)

So here's a way you can make a pretty simple opposition to brute force the password for a small site on Django.

For Django I recommend VDS-server of Timeweb hoster .

We recommend hosting TIMEWEB
We recommend hosting TIMEWEB
Stable hosting, on which the social network EVILEG is located. For projects on Django we recommend VDS hosting.
Support the author Donate


Only authorized users can post comments.
Please, Log in or Sign up

Let me recommend you a great European Fornex hosting.

Fornex has proven itself to be a stable host over the years.

For Django projects I recommend VPS hosting

Following the link you will receive a 5% discount on shared hosting services, dedicated servers, VPS and VPN

View Hosting

C ++ - Test 004. Pointers, Arrays and Loops

  • Result:50points,
  • Rating points-4

C ++ - Test 004. Pointers, Arrays and Loops

  • Result:20points,
  • Rating points-10
  • storm
  • Jan. 20, 2023, 10:30 p.m.

C++ - Тест 003. Условия и циклы

  • Result:0points,
  • Rating points-10
Popular publications in the last 90 Days
Last comments

Qt WinAPI - Lesson 004. QtIFW - Automation WinDeployQt and build installers with Qt Installer Framework

Hello Evgenij, regarding the online installer, I've tried many times to use web host for the created repo after repogen step. I tried using github but I found people talking it is not …
  • juvf
  • Jan. 17, 2023, 9:18 a.m.

Qt/C++ - Lesson 051. QMediaPlayer – simple audio player

PS. Почти дописал плеер на QML. Уперся в ограничения QML. Переписываю плеер на с++/qt, а графика останится в qml. Нашел то, что мне надо, а именно индикатор звука. Qt может перехватывать аудиопо…

Qt/C++ - Lesson 039. How to paint stroke in QSqlTableModel by value in the column?

В этом случае вижу только какой-нибудь костыль в стиле перебора по всем индексам в заголовке с помощью методу headerData . То есть пройтись в for цикле пока не будет совпадения н…
  • avt
  • Dec. 12, 2022, 8:06 p.m.

Qt/C++ - Lesson 039. How to paint stroke in QSqlTableModel by value in the column?

Спасибо за ответ. Нет, дело не в читаемости кода, в разных таблицах у меня есть столбцы с одинаковым именем, но с разными индексами. Хотел сделать решение по имени столбца для всех таблиц сразу.…
  • juvf
  • Dec. 12, 2022, 3:06 p.m.

Qt/C++ - Lesson 051. QMediaPlayer – simple audio player

Now discuss on the forum

Как создать уникальное значение поля на основе существующих значений

В принципе это можно сделать так: def unique_field(self): return '{0}_{1}'.format(self.title, self.price)class Tovar(models.Model): title=models.CharField('Наименование',max_length=…
  • Wayne
  • Jan. 27, 2023, 12:47 p.m.

Здравствуйте помогите с qml

как сделать так, чтобы зеленая фигура при движения за пределы круга пропадала на qml

Sorting the added QML elements in the ListModel

I am writing an alarm clock in QML, I am required to sort the alarms in ascending order (depending on the date or time (if there are several alarms on the same day). I've done the sorting …

QSqlRelatipnalTabelModel Qt 4.8.1 как получить id внешней связи?

Наконец-то готовы представить полноценное развитие Qt QSqlTableModel и QTableView. Посмотреть можно у нас на сайте здесь На github здесь здесь Радостная новос…
  • Pisych
  • Jan. 25, 2023, 10:01 p.m.

Ввод бухгалтерского документа в одной форме

вопрос снят. спасибо за ответы. сообразил, как сделать:)
© EVILEG 2015-2022
Recommend hosting TIMEWEB