Is there a stock way to lock out IP addresses after too many authentication failures? I don't see how the built-in throttling would accomplish this, because throttling only kicks in after authentication and permissions succeed.
Thanks Tom. I subclassed authentication with the following code:
def authenticate(self, request):
#
# first check to see that IP address is not locked out
# due to too many failed authentication requests.
#
auth_failure_key = 'LOGIN_FAILURES_AT_%s' % request.META.get('REMOTE_ADDR')
auth_failures = cache.get(auth_failure_key) or 0
# allow up to 3 failures per hour
if auth_failures >= 3:
raise exceptions.AuthenticationFailed('Locked out: too many authentication failures')
try:
return super(TokenAuthentication, self).authenticate(request)
except exceptions.AuthenticationFailed as e:
# update cache
cache.set(auth_failure_key, auth_failures + 1, 3600)
raise e
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With