Skip to content
This repository has been archived by the owner on Jan 27, 2021. It is now read-only.

Bruteforce protection for Django projects based on Redis. Simple, powerful, extendable.

License

Notifications You must be signed in to change notification settings

orsinium-archive/django-bruteforce-protection

Repository files navigation

DjBrut

DjBrut logo

Build Status PyPI version Status Code size License

DjBrut -- simple brutforce protection for Django project.

Default checkers:

  • Max requests for IP.
  • Max requests for user.
  • Max requests for one CSRF-token (stupid but effective).
  • Max requests frequency limitation.

DjBrut use Redis as storage for all counters.

Installation

pip install djbrut

Usage

from django.http import HttpResponse
from djbrut import Attempt

def some_view(request):
    attempt = Attempt('some rule type name', request)
    # check
    if not attempt.check():
        # error
        return HttpResponse(attempt.error)
    # success
    ...

You can see example project for more details.

Configuring

Just set up rules:

BRUTEFORCE_LIMITS = {
    'default': Rule(
        user=100,       # max requests for one user by BRUTEFORCE_TIMELIMIT
        ip=300,         # max requests for one IP by BRUTEFORCE_TIMELIMIT
        csrf=50,        # max requests with one CSRF token by BRUTEFORCE_TIMELIMIT
        freq=0,         # max request frequency for client [seconds]
    ),
    'some rule type name': Rule(
        user=100,       # max requests for one user by BRUTEFORCE_TIMELIMIT
        ip=300,         # max requests for one IP by BRUTEFORCE_TIMELIMIT
        csrf=50,        # max requests with one CSRF token by BRUTEFORCE_TIMELIMIT
        freq=0,         # max request frequency for client [seconds]
    ),
}

Attempt get rule type name as first arg. If rule type name not found in keys of BRUTEFORCE_LIMITS, 'default' will be used. If you don't set default rule then passed rule type must be exists in BRUTEFORCE_LIMITS keys.

BRUTEFORCE_TIMELIMIT -- time to live for all attempts counters.

You can see default settings for more params such as custom error message.

Advanced usage. Create custom checker

If you want use custom checker:

  1. Create custom checker like built-in.
  2. Create new Rules with your checker attribute.
  3. Add your checker to BRUTEFORCE_CHECKERS