Does anyone know of a Django App which can be used to extend django auth and lock accounts if a brute force password guessing attack is mounted?
Ie, an account lockout mechanism that restricts the number of login attempts.
Asked
Active
Viewed 6,011 times
6
-
Possible duplicate of [Lock out users after too many failed login attempts](http://stackoverflow.com/questions/9033287/lock-out-users-after-too-many-failed-login-attempts) – Jonny Oct 19 '16 at 09:15
-
I guess the possible duplicate Jonny mentions asks it in a more 'stack overflow' appropriate manner, so please use that instead. The answer i got 7 years ago was very useful at the time :-) – stephendwolff Jan 16 '18 at 10:06
4 Answers
6
http://pypi.python.org/pypi/django-axes/ is what you are looking for.
JamesO
- 25,178
- 4
- 40
- 42
-
1Actually, it isn't quite perfect for my needs - it locks access to an IP address (and user-agent if desired) after a number of failed attempts, and this could be problematic in a situation where multiple users access a site on a NAT'ed network. Ie all users in an office will be locked out if one user goes over the limit! – stephendwolff Mar 03 '11 at 15:02
2
This one is still maintained (2018): https://github.com/kencochrane/django-defender
dan-klasson
- 13,734
- 14
- 63
- 101
2
I created django-failedloginblocker for this purpose, and used django-brutebuster and, to a lesser extent, django-axes as inspiration.
Alex Kuhl
- 1,814
- 1
- 13
- 19
-
both these look useful too - though i used django-axes in the end. – stephendwolff Apr 28 '11 at 10:10
1
You can also try http://pypi.python.org/pypi/django-lockout/0.1.0
mmrs151
- 3,924
- 2
- 34
- 38
-
Thanks @mmrs151 - i'll have a look at that at some point, though i'm not currently working on the project. – stephendwolff Jul 29 '11 at 16:16
-
this very simple package worked great for us for a long time but is abandoned with no py3 support – claytond Mar 11 '19 at 22:58