Limiting Django admin login speed with Nginx to prevent dictionary attacks

I am looking at various ways of rate limiting the Django admin login to prevent dictionary attacks.

This explains one of the solutions: http://simonwillison.net/2009/Jan/7/ratelimitcache/

However, I would prefer to do the rate limiting on the web server side, using Nginx.

The Nginx limit_req module does just that: it lets you specify a maximum number of requests per minute and sends a 503 if the client goes over it: http://wiki.nginx.org/NginxHttpLimitReqModule

Perfect! I thought I had it solved, until I realized that the Django login page is not at a fixed location; for example, /admin/blah/ gives you the login page at that URL rather than redirecting to a standard login page.

Therefore, I cannot match on the URL. Can anyone think of another way to detect that the admin login page is being shown (a regexp on the HTML response?)

+4
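One way to do what the question asks, as an added example that is not part of the original post or its answers: since the login form is rendered at whatever admin URL was requested, the match is made on the URL prefix and the request method (login attempts are POSTs) rather than on a single login URL. Assumptions: the admin is mounted at /admin/, Django is reached at 127.0.0.1:8000, and `example.com` is a placeholder server name; limit_req_zone, limit_req, limit_req_status and map are real nginx directives.

```nginx
# Added example, not from the original page. Rate-limit POSTs under the
# admin prefix so that every URL that can render the login form is covered.

http {
    # Build the rate-limit key from the request method: GETs map to an
    # empty key, and nginx does not account requests with an empty key,
    # so ordinary admin browsing is left alone and only POSTs are counted.
    map $request_method $admin_post_key {
        default "";
        POST    $binary_remote_addr;
    }

    # 10m of shared memory holds on the order of 160k IPv4 keys.
    # 5 POSTs per minute per client address.
    limit_req_zone $admin_post_key zone=admin_login:10m rate=5r/m;

    # Answer "too many requests" instead of the default 503 (nginx >= 1.3.15).
    limit_req_status 429;

    server {
        listen 80;
        server_name example.com;   # placeholder (assumption)

        # Prefix match: covers /admin/, /admin/auth/user/, /admin/blah/ ...
        # because the login form is served at whichever admin URL was hit.
        location ^~ /admin/ {
            # burst=5 allows a short run of attempts before rejections start;
            # nodelay rejects excess requests immediately instead of queueing.
            limit_req zone=admin_login burst=5 nodelay;
            limit_req_log_level warn;

            proxy_pass http://127.0.0.1:8000;   # Django backend (assumption)
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location / {
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
        }
    }
}
```

Two caveats worth checking before relying on this: the key is the client address, so many users behind one NAT share a budget, and if nginx itself sits behind a load balancer, $binary_remote_addr is the balancer's address and the real_ip module has to be configured first. Rejected attempts are logged at the level given by limit_req_log_level, which makes them easy to pick out of error.log for alerting.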
2 answers

First of all: to protect the Django admin a bit, I always use an admin URL other than /admin/. It would be a good idea to deploy the admin as a second application on a different domain or subdomain.

You can limit requests per minute for the entire web application through iptables/netfilter. A tutorial on how to do this can be found in the Debian Administrator. It is an example of how to protect the ssh port, but you can use the same method for http.

You can use the NginxHttpLimitZone module to limit the number of simultaneous connections for an assigned session or, as a special case, from a single IP address. Edit nginx.conf:

from www.cyberciti.biz

    ### Directive describes the zone in which the session states are stored, i.e. store in slimits. ###
    ### 1m can handle 32000 sessions with 32 bytes/session; set to 5m x 32000 sessions ###
    limit_zone slimits $binary_remote_addr 5m;
    ### Control the maximum number of simultaneous connections for one session, i.e. ###
    ### restrict the number of connections from a single IP address ###
    limit_conn slimits 5;
    ### Note: nginx 1.1.8 and later removed limit_zone in favour of limit_conn_zone, ###
    ### which takes the same key and a zone=name:size argument. ###

The above will limit remote clients to no more than 5 simultaneous “open” connections per remote IP address.

+3

bmaeser is right: you should run the admin in a separate instance (for example, a separate domain, subdomain or port).

You may also be interested in django-sentinel, which does dynamic greylisting of suspicious IPs/networks using memcached and auto-blacklists repeat intruders.

+1

Source: https://habr.com/ru/post/1305650/
