Throttling brute force login attacks in Django

Are there generally accepted tactics for protecting Django applications against this kind of attack?


django-axes is an existing app for detecting failed login attempts. There is also a more general django-ratelimit.

You can:

  • Keep track of the failed login attempts and block the attacker after 3 attempts.
  • If you don't want to block then you can log it and present a CAPTCHA to make it more difficult in future attempts.
  • You can also increase the time between login attempts after eached failed attempt. For example, 10 seconds, 30 seconds, 1 minute, 5 minutes, et cetera. This will spoil the fun pretty quickly for the attacker.
  • Of course, choose a secure password as that will keep the attacker guessing.

I prefer django-defender. It starts as django-axes fork with redis as backend to store fail login attempts, blocked users, IPs so it much faster than django-axes.

There are many libraries available for it like Django-axes, Django-defender, Django-ratelimit, these libraries mentioned all do the same thing (with a few differences between them). You can choose the one which best suits your needs.

If you are using DRF, then you don't need an additional library (axes, ratelimit, etc.) because DRF already has the throttling functionality build in.

You can check this question :**How to prevent brute force attack in Django Rest + Using Django Rest Throttling **

Need Your Help

SQL Server: how to query when the last transaction log backup has been taken?

sql sql-server sql-server-2008 backup transaction-log

I would like to query for all databases (in SQL Server 2008 instance) date when the last transaction log backup has been taken. How to do that? I know that this information is somewhere, but I don'...

iOS 8: UINavigationController hide back button

ios objective-c ios8 back-button iphone-6

After I run my application in iOS 8 (XCode 6.0.1, iPhone 6), the back button does not hide.