Block Ip Middleware #51

Closed
rbtsolis opened this issue Mar 21, 2018 · 3 comments

@rbtsolis

Hi, currently I'm working on https://github.com/philipn/django-block-ip

But I think it's a good idea to add this function to this library. What do you think about that?

@EvaSDK
Contributor

EvaSDK commented May 15, 2018

You should probably look into django-axes as well.

@9mido

9mido commented May 18, 2020

Not a bad idea to be able to block the IPs as long as collecting the IPs in the database is encrypted and does not violate PII / GDPR laws. But you might be able to get away with not encrypting if your Linux server itself is secure.

Also, you need to be able to get the real IP address of the client even if the server is behind Cloudflare or a load balancer. You don't want to block people if they are behind the same Cloudflare IP address; then everyone on your site will be blocked/rate limited, which is bad. There is also the issue of IP spoofing where a malicious user could fake their IP address,

@dmpayton
Owner

I think IP blocking falls outside the scope of django-admin-honeypot. There are many ways to handle IP blocking, in terms of both block list management and responses to blocked IPs; we're mainly concerned with raising red flags when someone might be attempting to get into the Django admin.

But it'd be cool to see a reference implementation that integrates, e.g., the honeypot signal into an existing IP block app, to automate the blocking of IPs that are honeypotted so many times in a time period. I don't know that I'd want to bake it into django-admin-honeypot, but it would be neat to check out.

@9mido I'm not as up to speed on GDPR, but I know there's already an issue for it, so we can continue the conversation there.
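
An added sketch (not code from this thread or from django-admin-honeypot) of the core logic the comments above describe: counting honeypot hits per client within a time window, and resolving the client address behind a proxy without trusting a spoofable header. `TRUSTED_PROXIES`, `client_ip` and `HoneypotTracker` are hypothetical names, the proxy range is a constructed value, and the wiring to the honeypot signal is left out.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed value: the network your own load balancer / CDN edge connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=""):
    """Return the address to attribute a hit to, or None if it cannot be trusted.
    X-Forwarded-For is read only when the direct peer is a trusted proxy, and
    the chain is walked right to left, so a client-supplied left-most entry
    cannot choose which address ends up blocked.
    """
    if not _trusted(remote_addr):
        return remote_addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            if not _trusted(hop):
                return hop
        except ValueError:
            return None
    return None  # only proxies seen: never block the shared proxy address


class HoneypotTracker:
    """Block an IP after `threshold` honeypot hits within `window` seconds."""
    def __init__(self, threshold=3, window=600):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)
        self.blocked = set()

    def record(self, ip, now=None):
        """Count one hit; return True once the IP is on the block list."""
        if ip is None:
            return False
        now = time.time() if now is None else now
        recent = self.hits[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked.add(ip)
        return ip in self.blocked
```

In a Django project, a receiver for the honeypot signal would pass `request.META["REMOTE_ADDR"]` and `request.META.get("HTTP_X_FORWARDED_FOR", "")` to `client_ip` and hand the result to `record`; the in-memory store here stands in for whatever block-list app is used.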
