django-axes is a very simple way for you to keep track of failed login
attempts, both for the Django admin and for the rest of your site. The name is
sort of a geeky pun, since
axes can be read interpreted as:
- "access", as in monitoring access attempts
- "axes", as in tools you can use hack (generally on wood). In this case, however, the "hacking" part of it can be taken a bit further:
django-axesis intended to help you stop people from hacking (popular media definition) your website. Hilarious, right? That's what I thought too!
django-axes requires Django 1.0 or later. The application is intended to
work around the Django admin and the regular
django-axes using one of the following methods:
You can download the package from the CheeseShop or use:
to download and install
Download the latest
.tar.gz file from the downloads section and extract it
somewhere you'll remember. Use
python setup.py install to install it.
Checkout from Mercurial
Execute the following command (or use the equivalent function in a GUI such as
TortoiseHg), and make sure you're checking
django-axes out somewhere on the
hg clone http://django-axes.googlecode.com/hg django-axes hg clone http://bitbucket.org/codekoala/django-axes
Checkout from GitHub
Execute the following command, and make sure you're checking
out somewhere on the
git clone git://github.com/codekoala/django-axes.git
The easiest way to ensure that you have successfully installed
is to execute a command such as:
python -c "import axes; print axes.get_version()"
If that command completes with some sort of version number, you're probably
good to go. If you see error output, you need to check your installation (I'd
start with your
First of all, you must add this project to your list of
INSTALLED_APPS = ( 'django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.sites', ... 'axes', ... )
Next, install the
MIDDLEWARE_CLASSES = ( 'django.middleware.common.CommonMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'axes.middleware.FailedLoginMiddleware' )
Finally, if you're using Django's @staff_member_required, you'll want to start importing this from axes rather than from Django:
from axes.decorators import staff_member_required
manage.py syncdb. This creates the appropriate tables in your database
that are necessary for operation.
You have a couple options available to you to customize
django-axes a bit.
These should be defined in your
AXES_LOGIN_FAILURE_LIMIT: The number of login attempts allowed before a record is created for the failed logins. Default:
AXES_LOCK_OUT_AT_FAILURE: After the number of allowed login attempts are exceeded, should we lock out this IP (and optional user agent)? Default:
True, lock out / log based on an IP address AND a user agent. This means requests from different user agents but from the same IP are treated differently. Default:
AXES_COOLOFF_TIME: If set, defines a period of inactivity after which old failed login attempts will be forgotten. Can be set to a python timedelta object or an integer. If an integer, will be interpreted as a number of hours. Default:
AXES_LOGGER: If set, specifies a logging mechanism for axes to use. Default:
AXES_LOCKOUT_TEMPLATE: If set, specifies a template to render when a user is locked out. Template receives cooloff_time and failure_limit as context variables. Default:
AXES_LOCKOUT_URL: If set, specifies a URL to redirect to on lockout. If both AXES_LOCKOUT_TEMPLATE and AXES_LOCKOUT_URL are set, the template will be used. Default:
True, you'll see slightly more logging for Axes. Default:
django-axes is extremely simple. Once you install the application
and the middleware, all you need to do is periodically check the Access
Attempts section of the admin. A log file is also created for you to keep
track of the events surrounding failed login attempts. This log file can be
found in your Django project directory, by the name of
axes.log. In the
future I plan on offering a way to customize options for logging a bit more.
By default, django-axes will lock out repeated attempts from the same IP
address. You can allow this IP to attempt again by deleting the relevant
AccessAttempt records in the admin.
You can also use the
axes_reset management command (since 1.2.5-rc1). Using Django's
manage.py axes_resetwill reset all lockouts and access records.
manage.py axes_reset ipwill clear lockout/records for ip
In your code, you can use
from axes.utils import reset.
reset()will reset all lockouts and access records.
reset(ip)will clear lockout/records for ip
reset will print a message to std out if there is nothing to reset,
unless called with
silent = True