Are there generally accepted tactics for protecting Django applications against this kind of attack?
4 solutions
#1
20
django-axes is an existing app for detecting failed login attempts. There is also a more general django-ratelimit.
#2
5
You can:
- Keep track of the failed login attempts and block the attacker after 3 attempts.
- If you don't want to block, then you can log it and present a CAPTCHA to make it more difficult in future attempts.
- You can also increase the time between login attempts after each failed attempt. For example, 10 seconds, 30 seconds, 1 minute, 5 minutes, et cetera. This will spoil the fun pretty quickly for the attacker.
- Of course, choose a secure password, as that will keep the attacker guessing.
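The tactics listed in this answer (count failures per client, require a CAPTCHA after 3, and lengthen the wait after every failure) combined into one small guard, as an added example that is not part of the answer and not code from django-axes, django-defender or django-ratelimit. The delay schedule of 10 s / 30 s / 1 min / 5 min, the CAPTCHA threshold of 3 and the choice of the client IP as the key are assumptions taken from the answer's wording. The guard is framework-agnostic so it runs as-is; in a Django project `record_failure` and `record_success` would be called from handlers for the `user_login_failed` and `user_logged_in` signals in `django.contrib.auth.signals`, and the state would be kept in the shared cache rather than a process-local dict.

```python
"""Failed-login tracking with escalating lockout and a CAPTCHA step.

Added illustration of the answer's tactics; framework-agnostic demo code,
not taken from any of the Django apps mentioned on the page. The schedule,
threshold and key format below are assumptions for the demo.
"""
import logging
import time
from dataclasses import dataclass
from typing import Callable, Dict, NamedTuple

log = logging.getLogger("auth.login_guard")

# Seconds a client must wait after its 1st, 2nd, 3rd, 4th ... consecutive
# failure; the last entry repeats for every further failure (assumed values
# following the answer: 10 s, 30 s, 1 min, 5 min).
BACKOFF_SCHEDULE = (10, 30, 60, 300)
# From this many consecutive failures on, a solved CAPTCHA is required as well
# (assumed threshold, matching the "3 attempts" figure in the answer).
CAPTCHA_AFTER = 3


class Decision(NamedTuple):
    allowed: bool           # may a login attempt be processed right now?
    retry_after: float      # seconds left in the current lockout (0 if none)
    captcha_required: bool  # must the request carry a solved CAPTCHA?


@dataclass
class _State:
    failures: int = 0       # consecutive failures for this key
    locked_until: float = 0.0


class FakeClock:
    """Manual clock so demos and tests can fast-forward through a lockout."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginGuard:
    """Tracks consecutive failed logins per key (e.g. client IP or username).

    A process-local dict holds the state for the demo; a deployment with
    several workers would keep it in a shared store (cache/Redis) instead.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._states: Dict[str, _State] = {}

    def check(self, key: str) -> Decision:
        """Consult before authenticating: is this key locked, is a CAPTCHA due?"""
        state = self._states.get(key, _State())
        remaining = max(0.0, state.locked_until - self._clock())
        return Decision(
            allowed=remaining == 0,
            retry_after=remaining,
            captcha_required=state.failures >= CAPTCHA_AFTER,
        )

    def record_failure(self, key: str) -> int:
        """Register a failed attempt; returns the delay now imposed in seconds."""
        state = self._states.setdefault(key, _State())
        state.failures += 1
        delay = BACKOFF_SCHEDULE[min(state.failures, len(BACKOFF_SCHEDULE)) - 1]
        state.locked_until = self._clock() + delay
        # Every failure is logged so repeated attempts are visible in monitoring.
        log.warning("login failure #%d for %s; locked for %ds", state.failures, key, delay)
        return delay

    def record_success(self, key: str) -> None:
        """A successful login clears the counter and any lockout for that key."""
        self._states.pop(key, None)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    client = "203.0.113.7"  # constructed sample client address
    for attempt in range(1, 6):
        decision = guard.check(client)
        print(f"attempt {attempt}: {decision}")
        if not decision.allowed:
            clock.advance(decision.retry_after)  # client waits out the lockout
        guard.record_failure(client)             # every attempt here fails
    guard.record_success(client)
    print("after success:", guard.check(client))
```

`check` is meant to run before the password is even compared, so a locked-out client costs only a dictionary lookup; `record_failure` and `record_success` are the two hooks an authentication view or signal handler has to call. Keying by client IP alone blocks an attacker who rotates usernames, while keying by username alone stops a distributed attack on one account; both keys can be tracked with two `LoginGuard` instances.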
#3
2
I prefer django-defender. It started as a django-axes fork with Redis as the backend to store failed login attempts, blocked users and IPs, so it is much faster than django-axes.
#4
1
There are many libraries available for it, like Django-axes, Django-defender and Django-ratelimit; these libraries all do the same thing (with a few differences between them). You can choose the one which best suits your needs.
If you are using DRF, then you don't need an additional library (axes, ratelimit, etc.) because DRF already has the throttling functionality built in.
You can check this question: **How to prevent brute force attack in Django Rest + Using Django Rest Throttling**