Best practices for preventing Denial of Service Attack in Django [closed] - python

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 2 years ago.
What are the best practices in Django to detect and prevent DoS attacks? Are there any ready-to-use apps or middleware available which prevent website access and scanning by bots?

You might want to read the following 3 questions over on Security Stack Exchange.
A quick description of the problem:
How does DoS/DDoS attack work?
Possible solutions and limitations of attempting mitigation in software:
How can a software application defend against DoS/DDoS?
And a bit of discussion around commonly used anti-DDoS techniques at the perimeter, rather than the application:
What techniques do advanced firewalls use to protect against DoS/DDoS?
It is really difficult to do at the application level - the earlier in the path you can drop the attack, the better.

I'd probably aim to deal with DoS at a higher level in the stack. If you're using Apache, take a look at mod_security. Or maybe a nice set of firewall rules.
Edit: Depending on your situation, you also might want to take a look at a caching server like Varnish. It's a lot harder to DoS you if the vast majority of hits are served by the lightning-quick Varnish before they even reach your regular web server.

The solution is simple: limit the API with throttling and auth.
The default throttling policy may be set globally, using the DEFAULT_THROTTLE_CLASSES and DEFAULT_THROTTLE_RATES settings.
The quote is from
https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy
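As an added illustration (not code from the answer above or from DRF itself), this is the sliding-window scheme that DRF's `SimpleRateThrottle` applies per user or client IP, with a plain dict standing in for Django's cache and rate strings in the same `DEFAULT_THROTTLE_RATES` format ("10/min", "100/day"); the `SlidingWindowThrottle` name and the injectable clock are assumptions for this example.

```python
import time
from collections import defaultdict

# Constructed illustration of the sliding-window scheme behind DRF's
# SimpleRateThrottle; it is not DRF code. The dict stands in for Django's
# cache, and rate strings follow DEFAULT_THROTTLE_RATES ("10/min", "100/day").
_PERIOD_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """'10/min' -> (10, 60): allowed requests and window length in seconds."""
    num, period = rate.split("/")
    return int(num), _PERIOD_SECONDS[period[0]]


class SlidingWindowThrottle:
    """Per-key request limiter; the key is a user id or client IP."""

    def __init__(self, rate, now=time.time):
        self.num_requests, self.duration = parse_rate(rate)
        self.now = now                      # injectable clock for testing
        self.history = defaultdict(list)    # key -> timestamps, newest first

    def allow_request(self, key):
        """True if this request fits in the window; False means respond 429."""
        now = self.now()
        hist = self.history[key]
        # Forget timestamps that have slid out of the window.
        while hist and hist[-1] <= now - self.duration:
            hist.pop()
        if len(hist) >= self.num_requests:
            return False
        hist.insert(0, now)
        return True

    def wait(self, key):
        """Seconds until the oldest counted request expires (a Retry-After value)."""
        hist = self.history[key]
        if len(hist) < self.num_requests:
            return 0.0
        return max(0.0, self.duration - (self.now() - hist[-1]))
```

Because the history lives in a shared cache in DRF, the same limit holds across all gunicorn/uwsgi workers; a per-process dict like the one here would be multiplied by the worker count.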

Related

Easiest way to manage/monitor a flask app? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
I have a small flask app I want to deploy on my server and I'd like to be able to monitor it via an HTTP web interface. I don't need something complicated and I definitely don't want something that's difficult to set up. Previously I've used the Google App engine and the functionality in the Logs tab is completely fine.
The app is served through nginx & gunicorn and uses redis (w/ py-redis) and sqlite (w/ peewee). Ideally I'd like to be able to check the logs for all parts of the system from one place. Is this possible? What's the easiest way?
There is no definitive answer to this predicament; it would be whatever way you are most comfortable with.
You could change all your logging to write to a central database then create a small program which would scrape this data for you. This method also includes configuring a central syslog server:
http://www.linuxjournal.com/content/creating-centralized-syslog-server
Whatever way you want to read these files is fine; it all depends on how much control you want. You could simply name all the logs based on hostname and rsync them to a central server from where you could parse them.
There are also free tools out there which will aid you in choosing your method; take a look at:
http://www.linuxjournal.com/content/creating-centralized-syslog-server
There are also some proprietary systems you could use, such as Splunk:
http://www.splunk.com/
This is by no means a definitive list but should aim you in the right direction.
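An added example of the central-syslog route the answer describes, not code from the answer or from Flask/gunicorn: every logger in the app process (the app's own and gunicorn's `gunicorn.error`/`gunicorn.access` loggers) is pointed at one syslog collector over UDP with a host-and-component prefix. The collector address `127.0.0.1:514`, the logger name `flaskapp` and the function names are assumptions.

```python
import logging
import logging.handlers
import socket

# Constructed example: send the Flask app's records and gunicorn's loggers to
# one syslog collector so every part of the stack is read from one place.
# The collector address is an assumption; point it at your central syslog host.
SYSLOG_ADDR = ("127.0.0.1", 514)
HOSTNAME = socket.gethostname()

# A host and component prefix lets lines from several machines and processes
# be told apart once they land in the same file on the collector.
LOG_FORMAT = f"{HOSTNAME} %(name)s[%(process)d]: %(levelname)s %(message)s"


def attach_syslog(logger_name, address=SYSLOG_ADDR, level=logging.INFO):
    """Route one named logger to the collector over UDP (RFC 3164 framing)."""
    logger = logging.getLogger(logger_name)
    logger.setLevel(level)
    if not any(isinstance(h, logging.handlers.SysLogHandler) for h in logger.handlers):
        handler = logging.handlers.SysLogHandler(
            address=address, facility=logging.handlers.SysLogHandler.LOG_LOCAL0
        )
        handler.setFormatter(logging.Formatter(LOG_FORMAT))
        logger.addHandler(handler)
    return logger


def configure_central_logging(address=SYSLOG_ADDR):
    """Wire the app logger and gunicorn's error/access loggers to the same host."""
    names = ("flaskapp", "gunicorn.error", "gunicorn.access")
    return [attach_syslog(name, address) for name in names]


def rendered_line(logger_name, message, level=logging.WARNING):
    """Return the text a record would carry, useful for checking the format."""
    record = logging.LogRecord(logger_name, level, "app.py", 0, message, (), None)
    return logging.Formatter(LOG_FORMAT).format(record)


if __name__ == "__main__":
    app_log = configure_central_logging()[0]
    # Constructed sample event; the collector sees it tagged with this host.
    app_log.warning("failed login for user=%s from %s", "alice", "203.0.113.7")
```

nginx can ship its access log to the same collector with an `access_log syslog:server=...` target, and gunicorn has a `--log-syslog` option if you prefer to configure it outside the app.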

Throttling brute force login attacks in Django [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
Are there generally accepted tactics for protecting Django applications against this kind of attack?
There are many libraries available for it, like Django-axes, Django-defender and Django-ratelimit; these libraries all do the same thing (with a few differences between them). You can choose the one which best suits your needs.
If you are using DRF, then you don't need an additional library (axes, ratelimit, etc.) because DRF already has the throttling functionality built in.
You can check this question: **How to prevent brute force attack in Django Rest + Using Django Rest Throttling**
You can:
Keep track of the failed login attempts and block the attacker after 3 attempts.
If you don't want to block then you can log it and present a CAPTCHA to make it more difficult in future attempts.
You can also increase the time between login attempts after each failed attempt. For example, 10 seconds, 30 seconds, 1 minute, 5 minutes, et cetera. This will spoil the fun pretty quickly for the attacker.
Of course, choose a secure password as that will keep the attacker guessing.
As this question was asked ~7 years ago, perhaps some more recent information might be helpful.
Implementing Google reCAPTCHA v3 might be better than blindly throttling all traffic. It can tell if someone is just hammering the password and will block them accordingly. If someone looks like a human but is just getting their password wrong, it won't block them as quickly. Google knows more about the www than any one of us, so we might as well leverage that.
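An added example, not code from any of the answers above, putting two of their suggestions together: a per-account failed-attempt counter that asks for a CAPTCHA after three misses and an escalating delay (10 s, 30 s, 1 min, 5 min) after each further failure. The `LoginGuard` class, the dict store (a stand-in for Django's cache) and the injectable clock are assumptions for this example.

```python
import logging
import time

# Constructed example of a failed-login counter with escalating delay
# (10 s, 30 s, 1 min, 5 min, then 5 min repeatedly). The dict is a
# stand-in for Django's cache; this is not code from any library.
BACKOFF_SECONDS = (0, 0, 0, 10, 30, 60, 300)   # index = failures so far
CAPTCHA_AFTER = 3                               # failures before a CAPTCHA is shown
auth_log = logging.getLogger("auth")


class LoginGuard:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock for testing
        self.state = {}         # key -> {"failures": int, "locked_until": float}

    def _entry(self, key):
        return self.state.setdefault(key, {"failures": 0, "locked_until": 0.0})

    def check(self, key):
        """Call before verifying the password.

        Returns (allowed, seconds_to_wait, needs_captcha). Keying on the
        account alone lets anyone lock a user out by guessing badly on
        purpose, so a real key usually combines account and client IP.
        """
        e = self._entry(key)
        wait = e["locked_until"] - self.now()
        if wait > 0:
            return False, wait, True
        return True, 0.0, e["failures"] >= CAPTCHA_AFTER

    def record_failure(self, key):
        """Count the miss, log it, and return the delay now imposed on this key."""
        e = self._entry(key)
        e["failures"] += 1
        tier = min(e["failures"], len(BACKOFF_SECONDS) - 1)
        delay = BACKOFF_SECONDS[tier]
        e["locked_until"] = self.now() + delay
        auth_log.warning("failed login key=%s failures=%d delay=%ds", key, e["failures"], delay)
        return delay

    def record_success(self, key):
        """A correct password clears the counter."""
        self.state.pop(key, None)
```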

Is there something better than django-piston? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 3 years ago.
With 145 forks, 125 open issues, and the last release almost 2 years ago, django-piston appears to be approaching abandonware, and since the project I'm working on is likely to be a big one, I'd like to standardise on something that's going to be around for a while. Is there something resembling a consensus in the Python/Django community regarding a preference for REST API services? Even if it's one of those 145 forks? Ideally, I'd like to find something that plays nice with #jacobian's REST Worst Practises
check http://djangopackages.com/grids/g/api/ (django-tastypie looks very promising)
I also don't like Piston very much. Don't misunderstand me. It is (or was) a good app, though it has its issues. The main problem I had working with it was that it hides debugging information coming from Django.
If you are absolutely unsure about what to use, roll your own. With Django 1.3 and class-based views you already have a good way to add an API like this. If you need OAuth or other authentication methods you can simply check existing ways in Piston or other apps and use them.
Two other REST packages that may be of interest :
http://django-rest-framework.org/
http://benoitc.github.com/dj-webmachine/index.html
It is worth mentioning django-tastypie. This is gaining acceptance faster than the others.
The Django Piston project seems to be abandoned.
Django REST framework has taken a large advantage with its second version.
Note that this is valid for now (2014); time may decide differently.

Is web2py suitable for a large public website? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
Web2py looks like a very nice Python framework but I am wondering if it is suitable to use for a large public web site. What sorts of issues might I run into? I'm not worried about technical scalability so much as UI/UX limitations, ability to connect other components, etc.
web2py is a very capable web server application framework. UI/UX (user interface / experience) limitations do not usually arise from a server framework.
There are quite a number of free applications that demonstrate its capabilities:
http://www.web2py.com/appliances
If you want to compare it with other server frameworks, there are quite a few documents out there that you can read on.
Django, Turbo Gears, Web2Py, which is better for what?
The following discussion should add to information here
Anyone out there using web2py?
You have to be more specific to make a judgement or evaluate a server framework than what you have mentioned.
[Edit: based on comments]
While the examples in the link provided by mdipierro may not inspire confidence with regard to desired UI/UX solutions, it would be premature to attribute that to web2py or any other server framework. It might point to the fact that all these are implemented by a resource-constrained team.
You might take a look at this list of sites powered by web2py.

What HTTP framework to use for simple but scalable app? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
What HTTP framework should I use for a simple application with implied scalability, preferably Pythonic? I would like to be able to smoothly add new features to my app when it has already been deployed.
I'm a big fan of Pylons. It behaves just like a framework should; not excessive on the magic and contains many good components that you can pick-and-choose that help you hit the ground running. It's small and easy to deploy, and requires minimal boilerplate or other syntactic cruft. Scalability seems pretty good -- I've not run into any issues, and major parts of Reddit utilize libraries from Pylons.
Web.py
It might look too simple, but it's a joy to use.
It can be deployed on google appengine. Should scale pretty well. Can be used with any WSGI server.
This is probably one of the most scalable solutions: G-WAN + Python:
http://forum.gwan.com/index.php?p=/discussion/comment/4126/#Comment_4126
Their scalability tests (like the results) are peerless.
