 

Python IP changing

First of all, I have seen the following post: Selenium Python Changing IP, but it didn't help me that much.

So I'm currently doing a test website and I'm trying to make an anti-brute-force script. My goal is to block the IP after 5 bad tries and to lock the account if 100 different IPs are banned trying passwords on the account; that would make brute force very hard (the only problem would be the fact you could prevent a user from logging in).

My problem is that I don't have a clue how to change IP and how to find 100 different IPs (the Selenium article helped me a bit in understanding how to change IP).

My need would be to either have a script working with the browser and using a website to change IP, or an add-on, or making API calls and doing everything from the command prompt and having that prompt send requests from a proxy service/VPN (by this I mean having my whole traffic under a proxy, not just the browser).

I have thought of using Tor to get new IPs every time.

user7392005 asked Apr 30 '17 14:04


3 Answers

I recently wrote this script in Python 2.7 for Linux that should work perfectly for you:

```python
#!/usr/bin/env python

import requests  # socks5:// proxy URLs need the SOCKS extra (requests[socks])
from os import system

# Route both HTTP and HTTPS through the local Tor SOCKS listener
proxies = {'http':  'socks5://127.0.0.1:9050',
           'https': 'socks5://127.0.0.1:9050'}

for x in range(100):
    session = requests.session()
    session.proxies = proxies
    # Show the address the remote side sees for this request
    print(session.get("http://httpbin.org/ip").text)
    system("sudo service tor reload")  # sudo apt-get install tor
```

To implement this in Selenium (I didn't test this code!):

```python
from selenium import webdriver

def change_proxy(proxy, port):
    port = int(port)  # the port preferences must be integers, not strings
    profile = webdriver.FirefoxProfile()
    profile.set_preference("network.proxy.type", 1)  # 1 = manual proxy configuration
    profile.set_preference("network.proxy.http", proxy)
    profile.set_preference("network.proxy.http_port", port)
    profile.set_preference("network.proxy.ssl", proxy)
    profile.set_preference("network.proxy.ssl_port", port)
    driver = webdriver.Firefox(profile)
    return driver
```
Liam answered Nov 03 '22 07:11


So, as I understand it, you're trying to figure out how to test your brute force password guessing script. You don't need a lot of IPs in production, because attackers will happily handle the problem of finding lots of IPs to try from for you. Instead, you need to figure out how to test your code even though you don't have 100 real IPs to test from. My recommendation is to split your testing problem into two parts:

  • In your website, have one function (or object method) you use everywhere to figure out what the current IP is. Test that to confirm that it works correctly and correctly detects the IP. Call that function/method in your brute force script or anywhere else you need to figure out the current IP.

  • Add a development/test mode option to that script. If some special header is set, say HTTP_FAKE_IP, then take the IP from that header rather than from the IP of the connecting system. If it will be easier from your web browser to use a query parameter than an HTTP header, that's fine.

  • Then generate 100 (or however many you need) IPs in your browser but rather than changing the IP, set that header/query parameter.

  • Be sure to test and confirm that in production mode of your website the header cannot be used to fake the IP.

What you're doing with this approach is separating testing your brute force detection from the actual logic related to determining the IP. Yes, you need to test both those things, but you don't need to test them together. It's easier to get one or two real IPs to test your IP detection logic than to get the 100 IPs you need to test your brute force detection. You're effectively using a testing technique called mocking in order to make testing sufficiently practical to work in the real world.

Sam Hartman answered Nov 03 '22 07:11
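The approach from the answer above, as an added example that is not part of the original answer: one function decides the client IP, a test mode honours the `HTTP_FAKE_IP` header, and the lockout rules from the question (5 bad tries, 100 banned IPs) are exercised from a single real connection. `client_ip`, `LoginGuard`, `simulate`, the `test_mode` flag, the account name and the per-account ban bookkeeping are assumptions; the addresses are constructed from documentation ranges.

```python
from collections import defaultdict

MAX_BAD_TRIES = 5      # question: block an IP after 5 bad tries
MAX_BANNED_IPS = 100   # question: lock the account after 100 banned IPs
FAKE_IP_HEADER = "HTTP_FAKE_IP"  # test-only header named in the answer


def client_ip(environ, test_mode=False):
    """The one place that decides the client IP (WSGI-style environ, assumed)."""
    if test_mode and FAKE_IP_HEADER in environ:
        return environ[FAKE_IP_HEADER]
    return environ["REMOTE_ADDR"]  # production: the header is never trusted


class LoginGuard(object):
    """Hypothetical in-memory tracker; bans are kept per account (assumption)."""

    def __init__(self):
        self.bad_tries = defaultdict(int)  # (account, ip) -> failed logins
        self.banned = defaultdict(set)     # account -> banned IPs
        self.locked = set()                # locked accounts

    def allowed(self, account, ip):
        return account not in self.locked and ip not in self.banned[account]

    def record_failure(self, account, ip):
        self.bad_tries[(account, ip)] += 1
        if self.bad_tries[(account, ip)] >= MAX_BAD_TRIES:
            self.banned[account].add(ip)
        if len(self.banned[account]) >= MAX_BANNED_IPS:
            self.locked.add(account)


def simulate(test_mode, n_ips=100):
    """Constructed traffic: n_ips claimed IPs, 5 bad logins each, one real peer."""
    guard = LoginGuard()
    for i in range(n_ips):
        environ = {"REMOTE_ADDR": "192.0.2.1",
                   FAKE_IP_HEADER: "198.51.100.%d" % i}
        for _ in range(MAX_BAD_TRIES):
            ip = client_ip(environ, test_mode)
            if guard.allowed("alice", ip):
                guard.record_failure("alice", ip)
    return guard
```

Running `simulate(False)` is the production-mode check from the last bullet: every request is attributed to the real peer address, so only that one address is banned and the account stays unlocked.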


[IMPORTANT] Note that you need to convert the port number to int, otherwise none of the approaches mentioned in this post will work.

Tong Niu answered Nov 03 '22 07:11