Django Security

Short Byte to trick the script kiddies.

After reviewing the logs of several django sites. I noticed a lot(several hundred thousand) login attempts to the django admin section of the sites. The logs also revealed lots of attempts for common software admins like wp-admin etc. I noticed that as soon as the attacker got a 404, they left. But if they got a login failed, it was like blood in the water. Here is a little django view magic I cooked up.

    def login(request):
        if request.user.is_staff:
            return redirect("/renamedadminarea")
        else:
            raise Http404("File not found")

Since users are logging in from the site itself, and then sometimes going to the admin area, I could 404 non-logged in users(the script kiddies).

I could have just changed the /admin/ path in the urls.py file, but I didn't want to change any urls around for poor users that had bookmarked things and such.