Thursday, August 30, 2012

brute force protection

I want a brute force protector for logins that will:

  1. block based on username (eventually add IP)

  2. store info about failed logins to the db (username, pwd, user-agent, etc.)

  3. when locked, tell the user that they are locked out

I looked at the following apps:

  1. http://code.google.com/p/django-brutebuster/ In decorators.py the method returns None when locked, so the user gets “Please enter a correct username and password. Note that both fields are case-sensitive”. I want the user to know the account is locked out.

  2. https://github.com/alexkuhl/django-failedloginblocker In decorators.py the method raises an exception, which means that if DEBUG=False the user will see a 500 error.

  3. http://code.google.com/p/django-axes/ This doesn't include the user (it has IP and user-agent). In decorators.py I'm not sure how to get the user name. I'm also concerned about the approach of trying to log someone in and then logging them out if the account is locked. I like the approaches of #1 and #2, where they first check if the account is locked before trying to log them in.

For #1 and #2 I looked into adding the error to the form, and I found this post, "Django - Error Message in Custom Auth Backend", which says to override django.contrib.auth.forms.AuthenticationForm, but I'm not sure how to incorporate the new form in the apps.

Does anyone have suggestions about writing a brute force protector that will do the things I want?

I posted this on stackoverflow but didn't get a response.

Brian
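
The check-before-authenticate flow the post prefers (the lock is consulted first, the password is only checked if the account is not locked, and the user gets a distinct "locked" message rather than the generic invalid-credentials text) as an added example. This is not code from the post or from django-brutebuster, django-failedloginblocker or django-axes, and it runs without Django: the `FailedLogin` dataclass stands in for a DB row, the `authenticate` callback stands in for django.contrib.auth.authenticate, and the thresholds, usernames and timestamps are constructed values. One deliberate deviation from requirement 2: the failed password is not stored, because a table of near-miss passwords is itself a credential leak if it is ever exposed.

```python
"""Username-keyed login lockout that checks the lock BEFORE authenticating.

Added example, not code from the post or from the apps it discusses.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, Dict, List, Optional


class LoginResult(Enum):
    OK = "ok"            # credentials accepted
    INVALID = "invalid"  # wrong credentials; account not locked (yet)
    LOCKED = "locked"    # account locked; credentials were NOT checked


@dataclass
class FailedLogin:
    """One failed-login record (stand-in for a DB row). The password is
    deliberately not stored: near-miss passwords are a liability if the table leaks."""
    username: str
    user_agent: str
    remote_addr: str
    at: datetime


@dataclass
class BruteForceProtector:
    max_failures: int = 5                       # failures within `window` that trigger a lock
    window: timedelta = timedelta(minutes=15)   # sliding window for counting failures
    lockout: timedelta = timedelta(minutes=30)  # how long a lock lasts
    failures: Dict[str, List[FailedLogin]] = field(default_factory=dict)
    locked_until: Dict[str, datetime] = field(default_factory=dict)

    def is_locked(self, username: str, now: datetime) -> bool:
        """True while a lock is active; a stale lock is expired and cleared."""
        until = self.locked_until.get(username)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[username]
            self.failures.pop(username, None)
            return False
        return True

    def record_failure(self, username: str, user_agent: str,
                       remote_addr: str, now: datetime) -> bool:
        """Store the failure; lock the account once the window threshold is hit."""
        rows = self.failures.setdefault(username, [])
        rows.append(FailedLogin(username, user_agent, remote_addr, now))
        cutoff = now - self.window
        rows[:] = [r for r in rows if r.at >= cutoff]   # keep only in-window failures
        if len(rows) >= self.max_failures:
            self.locked_until[username] = now + self.lockout
            return True
        return False

    def attempt(self, username: str, password: str, user_agent: str,
                remote_addr: str, authenticate: Callable[[str, str], bool],
                now: Optional[datetime] = None) -> LoginResult:
        """Lock check first, so a locked account is never authenticated,
        not even with the right password."""
        now = now if now is not None else datetime.now()
        if self.is_locked(username, now):
            return LoginResult.LOCKED
        if authenticate(username, password):
            self.failures.pop(username, None)   # a success resets the counter
            return LoginResult.OK
        self.record_failure(username, user_agent, remote_addr, now)
        return LoginResult.INVALID

    def message_for(self, result: LoginResult, username: str, now: datetime) -> str:
        """Distinct user-facing text per outcome (the post's requirement 3)."""
        if result is LoginResult.LOCKED:
            minutes = int((self.locked_until[username] - now).total_seconds() // 60) + 1
            return (f"This account is temporarily locked after too many failed "
                    f"logins. Try again in about {minutes} minute(s).")
        if result is LoginResult.INVALID:
            return "Please enter a correct username and password."
        return "Login successful."


def simulate() -> List[str]:
    """Constructed scenario: three bad passwords lock 'alice', the correct
    password is refused while locked, and is accepted once the lock expires."""
    p = BruteForceProtector(max_failures=3)

    def authenticate(user: str, pw: str) -> bool:   # stand-in for the real backend
        return (user, pw) == ("alice", "correct horse")

    t0 = datetime(2012, 8, 30, 12, 0, 0)
    ua, ip = "Mozilla/5.0 (constructed)", "192.0.2.10"
    steps = [("bad1", 0), ("bad2", 1), ("bad3", 2),
             ("correct horse", 3), ("correct horse", 31 * 60)]
    out = []
    for pw, secs in steps:
        r = p.attempt("alice", pw, ua, ip, authenticate, now=t0 + timedelta(seconds=secs))
        out.append(r.value)
    return out   # ['invalid', 'invalid', 'invalid', 'locked', 'ok']


if __name__ == "__main__":
    print(simulate())
```

In a Django view the `attempt` call would sit where the form's `clean()` currently calls `authenticate()`, and a `LOCKED` result would become a form error via `forms.ValidationError` instead of a `None` return or an unhandled exception. Keying the lock on the username alone (requirement 1) means anyone who knows a username can lock that user out, which is why the post's "eventually add IP" matters; the stored rows also give you something to alert on, since a burst of `FailedLogin` records for many usernames from one `remote_addr` is the pattern a detection rule would look for.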
