Is there a stock way to lock out IP addresses after too many authentication failures? I don't see how the built-in throttling would accomplish this, because throttling only kicks in after authentication and permissions succeed.
问问题
1506 次
2 回答
9
谢谢汤姆。我使用以下代码对身份验证进行了子类化:
def authenticate(self, request):
#
# first check to see that IP address is not locked out
# due to too many failed authentication requests.
#
auth_failure_key = 'LOGIN_FAILURES_AT_%s' % request.META.get('REMOTE_ADDR')
auth_failures = cache.get(auth_failure_key) or 0
# allow up to 3 failures per hour
if auth_failures >= 3:
raise exceptions.AuthenticationFailed('Locked out: too many authentication failures')
try:
return super(TokenAuthentication, self).authenticate(request)
except exceptions.AuthenticationFailed as e:
# update cache
cache.set(auth_failure_key, auth_failures + 1, 3600)
raise e
于 2013-04-25T17:29:27.517 回答
5
不是开箱即用,不。您需要继承其中一个身份验证类并在自定义身份验证类中自己实现该行为。
于 2013-04-25T14:15:56.613 回答