First stab at brute force protection

Dockerfile

@@ -43,6 +43,7 @@ ADD docker/nginx/sal.conf /etc/nginx/sites-enabled/sal.conf
 ADD docker/nginx/nginx.conf /etc/nginx/nginx.conf
 ADD docker/settings.py $APP_DIR/sal/
 ADD docker/settings_import.py $APP_DIR/sal/
+ADD docker/brute_settings.py $APP_DIR/sal/
 ADD docker/wsgi.py $APP_DIR/
 ADD docker/gunicorn_config.py $APP_DIR/
 ADD docker/django/management/ $APP_DIR/sal/management/

README.md

@@ -24,6 +24,14 @@ You can enable, disable and re-order your plugins from the Settings page, under
 
 After re-ordering and hiding plugins from some screens, you might even want to make your own plugins. You can base your plugin off of one of the included ones, or one of mine in the [repository of optional plugins](https://github.com/salopensource/grahamgilbert-plugins). Trust me it's easy if you know python, and completely possible even if you don't. If you want more information on creating your own plugin you can follow a series of posts from my blog [part 1](http://grahamgilbert.com/blog/2014/01/26/writing-plugins-for-sal-part-1/), [part 2](http://grahamgilbert.com/blog/2014/02/07/writing-plugins-for-sal-part-2/), and [part 3](http://grahamgilbert.com/blog/2014/02/17/writing-plugins-for-sal-part-3/).
 
+## Brute force protection
+
+Sal has built in brute force protection. See it's [documentation](https://github.com/salopensource/sal/blob/master/docs/Settings.md) for more details or if you're using Docker, see how to turn it on in the [Readme](https://github.com/salopensource/sal/blob/master/docker/README.md).
+
+## LDAP Authentication
+
+There is a variant of Sal that supports LDAP authenctication. At this time, only using the [sal-ldap Docker image](https://hub.docker.com/r/macadmins/sal-ldap) is supported.
+
 ## Having problems?
 
 You should check out the [troubleshooting](https://github.com/salopensource/sal/blob/master/docs/Troubleshooting.md) page.

docker/README.md

@@ -13,6 +13,9 @@ Several options, such as the timezone and admin password are customizable using
 * ``DOCKER_SAL_ADMINS``: The admin user's details. Defaults to ``Docker User, docker@localhost``.
 * ``DOCKER_SAL_DEFAULT_MACHINE_GROUP_KEY``: By default, all machine submissions must include a machine group key otherwise an error will occur. By defining this value to an existing machine group key then machines without a group key already defined in its preferences will be placed into this group.
 * ``DOCKER_SAL_DEBUG``: Whether debug mode is enabled or not. Valid values are ``true`` and ``false``. Defaults to ``false``.
+* ``DOCKER_SAL_BRUTE_PROTECT``: Whether brute force protection mode is enabled or not. Valid values are ``true`` and ``false``. Defaults to ``false``.
+* ``DOCKER_SAL_BRUTE_COOLOFF``: Cooloff period after which failed logins will be forgotten. Must be an integer representing the number of hours. Defaults to ``3``.
+* ``DOCKER_SAL_BRUTE_LIMIT``: Number of failed login attempts allowed within the timeout period before the account is blocked. Must be an integer. Defaults to ``3``.
 
 If you require more advanced settings, for example if you want to hide certain plugins from certain Business Units or if you have a plugin that needs settings, you can override ``settings.py`` with your own. A good starting place can be found on this image's [Github repository](https://github.com/salopensource/sal/blob/master/docker/settings.py).
 

docker/brute_settings.py

@@ -0,0 +1,6 @@
+###############
+INSTALLED_APPS+= ('axes',)
+MIDDLEWARE_CLASSES+=('axes.middleware.FailedLoginMiddleware',)
+# Max number of login attemts within the ``AXES_COOLOFF_TIME``
+AXES_LOGIN_FAILURE_LIMIT = BRUTE_LIMIT
+AXES_COOLOFF_TIME=BRUTE_COOLOFF

docker/settings.py

@@ -1,6 +1,9 @@
 # Django settings for sal project.
 from system_settings import *
-from settings_import import ADMINS, TIME_ZONE, LANGUAGE_CODE, ALLOWED_HOSTS, DISPLAY_NAME, DEFAULT_MACHINE_GROUP_KEY,DEBUG
+from settings_import import ADMINS, TIME_ZONE, LANGUAGE_CODE, ALLOWED_HOSTS, DISPLAY_NAME, DEFAULT_MACHINE_GROUP_KEY,DEBUG, BRUTE_PROTECT, BRUTE_COOLOFF, BRUTE_LIMIT
+
+if BRUTE_PROTECT == True:
+    import brute_settings
 DATABASES = {
     'default': {
         'ENGINE': 'django.db.backends.sqlite3', # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.

docker/settings_import.py

@@ -11,6 +11,27 @@
 except:
     DEBUG = False
 
+# Read the Brute force protection setting from env var
+try:
+    if getenv('DOCKER_SAL_BRUTE_PROTECT').lower() == 'true':
+        BRUTE_PROTECT = True
+    else:
+        BRUTE_PROTECT = False
+except:
+    BRUTE_PROTECT = False
+
+# Read the Brute force protection timeout setting from env var
+try:
+    BRUTE_COOLOFF = int(getenv('DOCKER_SAL_BRUTE_COOLOFF'))
+except:
+    BRUTE_COOLOFF = 3
+
+# Read the Brute force protection limit setting from env var
+try:
+    BRUTE_LIMIT = int(getenv('DOCKER_SAL_BRUTE_LIMIT'))
+except:
+    BRUTE_LIMIT = 3
+
 # Read list of admins from $DOCKER_SAL_ADMINS env var
 admin_list = []
 if getenv('DOCKER_SAL_ADMINS'):

docs/Settings.md

@@ -2,6 +2,22 @@
 
 By modifying ``sal/settings.py`` you can customise how plugins and data is displayed in Sal. If you are upgrading from a previous version of Sal, refer to this document to see how your ``settings.py`` file should be changed to take advantage of any new features. There are defaults set in ``sal/system_settings.py``, but they can be overridden if you choose.
 
+## Enabling brute force protection
+
+You can add the following to your ``sal/settings.py`` to enable brute force protection. Change ``BRUTE_LIMIT`` to the number of login attempts allowed before the account is locked, ``BRUTE_COOLOFF`` is the time after which any locked accounts will be unlocked. ``BRUTE_PROTECT`` **must** be set to ``True`` to enable the unlocking UI in the user management page.
+
+```python
+BRUTE_PROTECT = True
+BRUTE_COOLOFF = 3
+BRUTE_LIMIT = 3
+###############
+INSTALLED_APPS+= ('axes',)
+MIDDLEWARE_CLASSES+=('axes.middleware.FailedLoginMiddleware',)
+# Max number of login attemts within the ``AXES_COOLOFF_TIME``
+AXES_LOGIN_FAILURE_LIMIT = BRUTE_LIMIT
+AXES_COOLOFF_TIME=BRUTE_COOLOFF
+```
+
 ## LIMIT_PLUGIN_TO_FRONT_PAGE
 
 These plugins will only be shown on the front page. They will not appear anywhere else.

sal/system_settings.py

@@ -2,6 +2,9 @@
 DEBUG = False
 TEMPLATE_DEBUG = DEBUG
 APPEND_SLASH=True
+BRUTE_PROTECT = False
+BRUTE_COOLOFF = 3
+BRUTE_LIMIT = 3
 PROJECT_DIR = os.path.abspath(os.path.join(os.path.dirname(os.path.abspath(__file__)), os.path.pardir))
 ADMINS = (
     # ('Your Name', 'your_email@example.com'),
@@ -226,4 +229,4 @@
   SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 
   # Allow all host headers
-  ALLOWED_HOSTS = ['*']
+  ALLOWED_HOSTS = ['*']

sal/urls.py

@@ -8,6 +8,7 @@
 
 urlpatterns = patterns('',
     # Examples:
+    url(r'^login$', 'django.contrib.auth.views.login'),
     url(r'^login/$', 'django.contrib.auth.views.login'),
     url(r'^logout/$', 'django.contrib.auth.views.logout_then_login'),
     url(r'^changepassword/$', 'django.contrib.auth.views.password_change', name='password_change'),

setup/requirements.txt

@@ -19,4 +19,5 @@ urllib3==1.10
 wsgiref==0.1.2
 djangorestframework==3.1.3
 python-memcached==1.57
-unicodecsv==0.14.1
+unicodecsv==0.14.1
+django-axes==1.5.0