Merge pull request jly8866#56 from woshihaoren/master

安全加固
zwunix · Feb 1, 2018 · 9d199df · 9d199df
2 parents 6e2bcef + 0f2cd0c
commit 9d199df
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -100,6 +100,10 @@ cd archer && python3 manage.py createsuperuser<br/>
 3. centos需要执行yum install openldap-devel<br/>
 4. settings中以AUTH_LDAP开头的配置，需要根据自己的ldap对应修改<br/>
 
+### admin后台加固，防暴力破解
+1.patch目录下，名称为：django_1.8.17_admin_secure_archer.patch
+2.使用命令：patch  python/site-packages/django/contrib/auth/views.py django_1.8.17_admin_secure_archer.patch
+
 ### 已经制作好的docker镜像：
 * 如果不想自己安装上述，可以直接使用做好的docker镜像，安装步骤：
     1. docker run -p 80:80 -d docker.gaoxiaobang.com/prod/archer    (需要确保docker宿主机80端口能够使用)

diff --git a/archer/settings.py b/archer/settings.py
@@ -221,6 +221,7 @@
 MAIL_REVIEW_FROM_ADDR='[email protected]'                                               #发件人，也是登录SMTP server需要提供的用户名
 MAIL_REVIEW_FROM_PASSWORD=''                                                         #发件人邮箱密码，如果为空则不需要login SMTP server
 MAIL_REVIEW_DBA_ADDR=['[email protected]', '[email protected]']        #DBA地址，执行完毕会发邮件给DBA，以list形式保存
+MAIL_REVIEW_SECURE_ADDR=['[email protected]', '[email protected]']     #登录失败，等安全相关发送地址
 #是否过滤【DROP DATABASE】|【DROP TABLE】|【TRUNCATE PARTITION】|【TRUNCATE TABLE】等高危DDL操作：
 #on是开，会首先用正则表达式匹配sqlContent，如果匹配到高危DDL操作，则判断为“自动审核不通过”；off是关，直接将所有的SQL语句提交给inception，对于上述高危DDL操作，只备份元数据
 CRITICAL_DDL_ON_OFF='off'
diff --git a/patch/django_1.8.17_admin_secure_archer.patch b/patch/django_1.8.17_admin_secure_archer.patch
@@ -0,0 +1,59 @@
+--- views.py	2018-01-23 11:53:00.179201491 +0800
++++ python/site-packages/django/contrib/auth/views.py	2018-01-23 11:58:10.668286140 +0800
+@@ -24,7 +24,14 @@
+ from django.views.decorators.cache import never_cache
+ from django.views.decorators.csrf import csrf_protect
+ from django.views.decorators.debug import sensitive_post_parameters
+-
++# 账户锁定
++from django.conf import settings
++from sql.sendmail import MailSender
++import datetime
++import logging
++logger = logging.getLogger('default')
++login_failure_counter = {}
++# 账户锁定end
+
+ @sensitive_post_parameters()
+ @csrf_protect
+@@ -41,8 +48,22 @@
+
+     if request.method == "POST":
+         form = authentication_form(request, data=request.POST)
+-        if form.is_valid():
+-
++        
++        # 增加账户锁定
++        failed_cnt = settings.LOCK_CNT_THRESHOLD
++        locking_time = settings.LOCK_TIME_THRESHOLD
++        username = request.POST['username']
++        mailSender = MailSender()
++        now_time = datetime.datetime.now()
++        mail_title = 'login inception admin'
++        login_failed_message = ''
++        
++        if username in login_failure_counter and login_failure_counter[username]['cnt'] >= failed_cnt and (now_time - login_failure_counter[username]["last_failure_time"]).seconds <= locking_time:
++            login_failed_message = 'user:{},login /admin failed, account locking...'.format(username)
++            logger.warning(login_failed_message)
++            mailSender.sendEmail(mail_title, login_failed_message, getattr(settings, 'MAIL_REVIEW_SECURE_ADDR'))
++        elif form.is_valid():
++            logger.info('user:{},login /admin success'.format(username))
+             # Ensure the user-originating redirection url is safe.
+             if not is_safe_url(url=redirect_to, host=request.get_host()):
+                 redirect_to = resolve_url(settings.LOGIN_REDIRECT_URL)
+@@ -51,6 +72,15 @@
+             auth_login(request, form.get_user())
+
+             return HttpResponseRedirect(redirect_to)
++        else:
++            if username in login_failure_counter and (now_time - login_failure_counter[username]["last_failure_time"]).seconds <= locking_time:
++                login_failure_counter[username]["cnt"] += 1
++            else:
++                login_failure_counter[username] = {"cnt":1, "last_failure_time": datetime.datetime.now()}
++            login_failed_message = 'user:{},login /admin failed, fail count:{}'.format(username, login_failure_counter[username]["cnt"])
++            logger.warning(login_failed_message)
++            mailSender.sendEmail(mail_title, login_failed_message, getattr(settings, 'MAIL_REVIEW_SECURE_ADDR'))
++        #账户锁定end        
+     else:
+         form = authentication_form(request)
+
diff --git a/sql/sendmail.py b/sql/sendmail.py
@@ -21,6 +21,7 @@ def __init__(self):
             self.MAIL_REVIEW_FROM_ADDR = getattr(settings, 'MAIL_REVIEW_FROM_ADDR')
             self.MAIL_REVIEW_FROM_PASSWORD = getattr(settings, 'MAIL_REVIEW_FROM_PASSWORD')
             self.MAIL_REVIEW_DBA_ADDR = getattr(settings, 'MAIL_REVIEW_DBA_ADDR')
+            self.MAIL_REVIEW_SECURE_ADDR = getattr(settings, 'MAIL_REVIEW_SECURE_ADDR')
 
         except AttributeError as a:
             print("Error: %s" % a)

diff --git a/sql/views_ajax.py b/sql/views_ajax.py
@@ -34,7 +34,7 @@
 def log_mail_record(login_failed_message):
     mail_title = 'login inception'
     logger.warning(login_failed_message)
-    mailSender.sendEmail(mail_title, login_failed_message, getattr(settings, 'MAIL_REVIEW_DBA_ADDR'))
+    mailSender.sendEmail(mail_title, login_failed_message, getattr(settings, 'MAIL_REVIEW_SECURE_ADDR'))
 
 #ajax接口，登录页面调用，用来验证用户名密码
 @csrf_exempt