How to lock out IP addresses after too many authentication failures?

Is there a stock way to lock out IP addresses after too many authentication failures? I don't see how the built-in throttling would accomplish this, because throttling only kicks in after authentication and permissions succeed.

jacob asked Apr 25 '13 13:04


1 Answer

Thanks Tom. I subclassed authentication with the following code:

from django.core.cache import cache
from rest_framework import exceptions
from rest_framework.authentication import TokenAuthentication


# Class name is assumed; the answer only says "subclassed authentication".
class LockoutTokenAuthentication(TokenAuthentication):

    def authenticate(self, request):
        #
        # first check to see that IP address is not locked out
        # due to too many failed authentication requests.
        #
        auth_failure_key = 'LOGIN_FAILURES_AT_%s' % request.META.get('REMOTE_ADDR')

        auth_failures = cache.get(auth_failure_key) or 0

        # allow up to 3 failures per hour
        if auth_failures >= 3:
            raise exceptions.AuthenticationFailed('Locked out: too many authentication failures')

        try:
            # super() must name this subclass, not TokenAuthentication, or the
            # parent's authenticate() is skipped entirely
            return super(LockoutTokenAuthentication, self).authenticate(request)
        except exceptions.AuthenticationFailed as e:
            # update cache: count the failure and keep it for an hour
            cache.set(auth_failure_key, auth_failures + 1, 3600)
            raise e
jacob answered Oct 03 '22 05:10
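A lockout counter in the shape the answer's authenticate() would call, added here as an example (not jacob's code): it uses the cache's add()/incr() so the hour is a fixed window rather than re-armed by every failure, and it clears the counter on a successful login. TTLCache is a constructed stand-in for Django's cache with the same call semantics; IPLockout, its method names and the 3-per-hour defaults are assumptions.

```python
import time

class TTLCache:
    """Constructed stand-in for django.core.cache.cache: only get/add/incr/delete,
    with Django's semantics and an injectable clock so the window is testable offline."""
    def __init__(self, clock=time.time):
        self._clock, self._data = clock, {}   # key -> (value, expires_at)
    def _live(self, key):
        item = self._data.get(key)
        if item is None or item[1] <= self._clock():
            self._data.pop(key, None)
            return None
        return item

    def get(self, key, default=None):
        item = self._live(key)
        return default if item is None else item[0]

    def add(self, key, value, timeout):  # store only if absent; True when stored
        if self._live(key) is not None:
            return False
        self._data[key] = (value, self._clock() + timeout)
        return True

    def incr(self, key, delta=1):  # keeps the existing expiry, as Django does
        item = self._live(key)
        if item is None:
            raise ValueError("Key %r not found" % key)
        self._data[key] = (item[0] + delta, item[1])
        return item[0] + delta

    def delete(self, key):
        self._data.pop(key, None)


class IPLockout:
    """Per-IP failure counter; defaults match the answer's policy (3 per hour)."""
    def __init__(self, cache, max_failures=3, window_seconds=3600):
        self.cache, self.max_failures, self.window = cache, max_failures, window_seconds
    def key(self, ip):
        return "LOGIN_FAILURES_AT_%s" % ip
    def is_locked(self, ip):
        return self.cache.get(self.key(ip), 0) >= self.max_failures
    def record_failure(self, ip):
        # add() opens the window once and incr() leaves the expiry alone, so the
        # window is fixed instead of being re-armed by every failure.
        self.cache.add(self.key(ip), 0, self.window)
        return self.cache.incr(self.key(ip))
    def record_success(self, ip):  # a valid credential clears the counter
        self.cache.delete(self.key(ip))
```

Behind a reverse proxy REMOTE_ADDR is the proxy's address, so the key must be built from the client address the proxy forwards, otherwise one lockout affects every client behind it.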