:honey_pot: A fake Django admin login screen page.

Overview

django-admin-honeypot

Travis-CI Coverage Code Climate

django-admin-honeypot is a fake Django admin login screen to log and notify admins of attempted unauthorized access. This app was inspired by discussion in and around Paul McMillan's security talk at DjangoCon 2011.

Documentation

http://django-admin-honeypot.readthedocs.io

tl;dr

  • Install django-admin-honeypot from PyPI:

    pip install django-admin-honeypot
    
  • Add admin_honeypot to INSTALLED_APPS

  • Update your urls.py:

    urlpatterns = [
        ...
        path('admin/', include('admin_honeypot.urls', namespace='admin_honeypot')),
        path('secret/', admin.site.urls),
    ]
    
  • Run python manage.py migrate

NOTE: replace secret in the url above with your own secret url prefix

Issues
  • Undefined template variables make page look different than default Django login page

    Undefined template variables make page look different than default Django login page

    We've recently started logging missing template variables (similar to: https://docs.djangoproject.com/en/3.0/ref/templates/api/#how-invalid-variables-are-handled). In this process we noticed that the honeypot login page is complaining about three undefined variables:

    1. site_title
    2. site_header
    3. username

    Looking at the page visually, it also looked different than the actual Django login page - the title was missing from the honeypot page. After looking at django-admin-honeypot code and tinkering, I think the discrepancy is in views.py - specifically, if I add site_title to the context returned by get_context_data, it solves the issue.

    My guess is that Django templates became more and more customizable, the context wasn't updated and so now there is this discrepancy. I wanted to make sure that my understanding of this is correct before submitting a PR. @dmpayton what do you think? Does it make sense?

    (and of course, thanks for the great library!)

    opened by Sveder 12
  • Django 1.9 deprecates IPAddressField

    Django 1.9 deprecates IPAddressField

    Running ./manage.py check on django/master yields the following:

    WARNINGS: admin_honeypot.LoginAttempt.ip_address: (fields.W900) IPAddressField has been deprecated. Support for it (except in historical migrations) will be removed in Django 1.9. HINT: Use GenericIPAddressField instead.

    Not urgent, but worth considering, IMO.

    opened by mvasilkov 10
  • Django 4.0 ugettext_lazy error

    Django 4.0 ugettext_lazy error

    Hi,

    As per Django 4.0

    django.utils.translation.ugettext(), ugettext_lazy(), ugettext_noop(), ungettext(), and ungettext_lazy() are removed.

    Here is the error:

    ...
    File "/somepath/lib/python3.10/site-packages/admin_honeypot/models.py", line 2, in <module>
        from django.utils.translation import ugettext_lazy as _
    ImportError: cannot import name 'ugettext_lazy' from 'django.utils.translation' (/somepath/lib/python3.10/site-packages/django/utils/translation/__init__.py)
    

    Related to https://github.com/dmpayton/django-admin-honeypot/issues/83

    Does anyone has an updated version of this since this hasn't been updated for sometime?

    opened by shawnngtq 6
  • Django 3.1+ depreciation warning for usage of ugettext() function

    Django 3.1+ depreciation warning for usage of ugettext() function

    Depreciation warning from Django 3.1+: I suggest replacing all calls to ugettext() with gettext()

    admin_honeypot\views.py:38: 
    RemovedInDjango40Warning: django.utils.translation.ugettext() is deprecated in favor of django.utils.translation.gettext().
    'title': _('Log in'),
    
    opened by dehidehidehi 6
  • Every IP address is 172.17.0.6

    Every IP address is 172.17.0.6

    Hello all :wave:.

    I've been using a forked version of this in an app running on Google App Engine. It has a custom runtime specfied by a Dockerfile. Every login attempt at the honeypot site is said to originate from 172.17.0.6, which seems to be an infrastructure-related IP, rather than the user's IP.

    The changes I made in the forked version shouldn't be a factor, so I was wondering if anyone had any thoughts?

    opened by alstr 4
  • Django 3.2 migration required if using BigAutoField

    Django 3.2 migration required if using BigAutoField

    With Django 3.2 when

    DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
    

    is set in set then a migration is required for admin_honeypot

    Migrations for 'admin_honeypot':
      /usr/local/lib/python3.8/site-packages/admin_honeypot/migrations/0003_alter_loginattempt_id.py
        - Alter field id on loginattempt
    

    This fails due to write permissions (at least in my application)

    The relevant documentation is at: https://docs.djangoproject.com/en/3.2/releases/3.2/#customizing-type-of-auto-created-primary-keys

    In django celery beat the solution was the following : https://github.com/celery/django-celery-beat/commit/7416e22f03b19173b5ebd5cf42a7125cd0d0f051

    opened by rob4acre 3
  • Fix IP identification when behind load balancer or proxy

    Fix IP identification when behind load balancer or proxy

    Currently the user IP address cannot be collected properly if the site is behind a load balancer or proxy. This code adds a fallback in those situations so that the user IP can be collected properly.

    Without this, it is impossible to correctly identify a user IP and so there is no way to ban any malicious users.

    opened by benjo456 3
  • ipware?

    ipware?

    Hi all,

    I find it kind of crazy that this library has no built in way to pull IP addresses from anything other than REMOTE_ADDR. On AWS, this is always the IP of my load balancer and it makes it completely useless.

    I know I can add a middleware, but why can't we be better than this? django-axes (https://github.com/jazzband/django-axes) handles this really nicely by using django-ipware(https://github.com/un33k/django-ipware) to get the IP and allowing us to configure the ipware precedence order: https://django-axes.readthedocs.io/en/latest/4_configuration.html#configuring-reverse-proxies

    Can we do something similar here?

    opened by joetheone 3
  • Block Ip Middleware

    Block Ip Middleware

    Hi, currently im working on https://github.com/philipn/django-block-ip

    But i think, it's a good idea add this function in this library, what do you think about that?

    opened by rbtsolis 3
  • In Postgresql and Python 3 error

    In Postgresql and Python 3 error

    screenshot from 2016-05-07 11 57 19

    Environment:

    Request Method: POST Request URL: http://www.thecolornet.com/admin/login/?next=/admin/

    Django Version: 1.9.5 Python Version: 3.4.3 Installed Applications: ('django.contrib.admin', 'django.contrib.sites', 'registration', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', 'admin_honeypot', 'markdown_deux', 'pagedown', 'rest_framework', 'custom_user', 'imagekit', 'crispy_forms', 'storages', 'newsletter', 'comments', 'blog', 'ajaxsearch') Installed Middleware: ('django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.auth.middleware.SessionAuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', 'django.middleware.security.SecurityMiddleware')

    Traceback:

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute

    1.             return self.cursor.execute(sql, params)
      

    The above exception (invalid input syntax for type inet: "b''" LINE 1: ...p", "path") VALUES ('[email protected]', 'b'''''::i... ^ ) was the direct cause of the following exception:

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/core/handlers/base.py" in get_response

    1.                 response = self.process_exception_by_middleware(e, request)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/core/handlers/base.py" in get_response

    1.                 response = wrapped_callback(request, _callback_args, *_callback_kwargs)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/views/generic/base.py" in view

    1.         return self.dispatch(request, _args, *_kwargs)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/admin_honeypot/views.py" in dispatch

    1.     return super(AdminHoneypot, self).dispatch(request, _args, *_kwargs)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/views/generic/base.py" in dispatch

    1.     return handler(request, _args, *_kwargs)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/views/generic/edit.py" in post

    1.         return self.form_invalid(form)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/admin_honeypot/views.py" in form_invalid

    1.         path=self.request.get_full_path(),
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/manager.py" in manager_method

    1.             return getattr(self.get_queryset(), name)(_args, *_kwargs)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/query.py" in create

    1.     obj.save(force_insert=True, using=self.db)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in save

    1.                    force_update=force_update, update_fields=update_fields)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in save_base

    1.         updated = self._save_table(raw, cls, force_insert, force_update, using, update_fields)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in _save_table

    1.         result = self._do_insert(cls._base_manager, using, fields, update_pk, raw)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in _do_insert

    1.                            using=using, raw=raw)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/manager.py" in manager_method

    1.             return getattr(self.get_queryset(), name)(_args, *_kwargs)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/query.py" in _insert

    1.     return query.get_compiler(using=using).execute_sql(return_id)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/sql/compiler.py" in execute_sql

    1.             cursor.execute(sql, params)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute

    1.         return super(CursorDebugWrapper, self).execute(sql, params)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute

    1.             return self.cursor.execute(sql, params)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/utils.py" in exit

    1.             six.reraise(dj_exc_type, dj_exc_value, traceback)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/utils/six.py" in reraise

    1.         raise value.with_traceback(tb)
      

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute

    1.             return self.cursor.execute(sql, params)
      

    Exception Type: DataError at /admin/login/ Exception Value: invalid input syntax for type inet: "b''" LINE 1: ...p", "path") VALUES ('[email protected]', 'b'''''::i... ^

    opened by ArtemBernatskyy 3
  • Compatible with Django 1.7 migration scheme

    Compatible with Django 1.7 migration scheme

    With Django 1.7 in development, and the new Schema migrations merged into the master, it would be cool to make django-admin-honeypot compatible with it. Any thoughts on that?

    opened by diegoponciano 3
  • cannot import name 'ugettext_lazy' from 'django.utils.translation'

    cannot import name 'ugettext_lazy' from 'django.utils.translation'

    /home/com/venv/bin/python /com/manage.py runserver 8000 
    Watching for file changes with StatReloader
    Exception in thread django-main-thread:
    Traceback (most recent call last):
      File "/usr/lib/python3.10/threading.py", line 1016, in _bootstrap_inner
        self.run()
      File "/usr/lib/python3.10/threading.py", line 953, in run
        self._target(*self._args, **self._kwargs)
      File "/com/venv/lib/python3.10/site-packages/django/utils/autoreload.py", line 64, in wrapper
        fn(*args, **kwargs)
      File "/com/venv/lib/python3.10/site-packages/django/core/management/commands/runserver.py", line 125, in inner_run
        autoreload.raise_last_exception()
      File "/com/venv/lib/python3.10/site-packages/django/utils/autoreload.py", line 87, in raise_last_exception
        raise _exception[1]
      File "/com/venv/lib/python3.10/site-packages/django/core/management/__init__.py", line 398, in execute
        autoreload.check_errors(django.setup)()
      File "/com/venv/lib/python3.10/site-packages/django/utils/autoreload.py", line 64, in wrapper
        fn(*args, **kwargs)
      File "/com/venv/lib/python3.10/site-packages/django/__init__.py", line 24, in setup
        apps.populate(settings.INSTALLED_APPS)
      File "/com/venv/lib/python3.10/site-packages/django/apps/registry.py", line 116, in populate
        app_config.import_models()
      File "/com/venv/lib/python3.10/site-packages/django/apps/config.py", line 304, in import_models
        self.models_module = import_module(models_module_name)
      File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
        return _bootstrap._gcd_import(name[level:], package, level)
      File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
      File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
      File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
      File "<frozen importlib._bootstrap_external>", line 883, in exec_module
      File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
      File "/com/venv/lib/python3.10/site-packages/admin_honeypot/models.py", line 2, in <module>
        from django.utils.translation import ugettext_lazy as _
    ImportError: cannot import name 'ugettext_lazy' from 'django.utils.translation' (/com/venv/lib/python3.10/site-packages/django/utils/translation/__init__.py)
    

    I am surely use most current versions of dependencies.

    Django 4.0.6 django-admin-honeypot 1.1.0

    However, I saw some of issues from this repository about this errors and You said like this but It doesn't seem to solved! Please help

    opened by kreimben 0
  • Django fastdev template errors on /admin route due to missing variables in the context

    Django fastdev template errors on /admin route due to missing variables in the context

    Context

    I followed the documentation and configured my honeypot url. so that when the user visits /admin, their entries are logged as login attempts in the database.

    I ran into template errors after I installed django-fastdev where the following template tags were missing on the admin route: subtitle, site_title, is_popup, and site_header

    These are probably missing because I never configured them for my original admin page. There is a ticket about the subtitle being missing in this official Django issue. https://code.djangoproject.com/ticket/32681

    Steps to Reproduce

    1 - Follow the doc and get honeypot intercepting /admin requests 2 - Visit /admin route Admin login page shows as expected 3 - Pip install django-fastdev 4 - Visit /admin route again Template errors occur

    Workaround

    I went into the admin_honeypot.views.AdminHoneyPot and added these four variables to get_context_data

        def get_context_data(self, **kwargs):
            context = super(AdminHoneypot, self).get_context_data(**kwargs)
            path = self.request.get_full_path()
            context.update({
                'app_path': path,
                REDIRECT_FIELD_NAME: reverse('admin_honeypot:index'),
                'title': _('Log in'),
                'subtitle': None, # added
                'site_title': None, # added
                'is_popup': None, # added
                'site_header': None # added
    
            })
            return context
    

    Now when I visit /admin I don't have any more template errors

    Environment

    django-fastdev 1.7.2 Python 3.9.7 Django 3.2.13

    opened by jsolly 0
  • No longer used libary -ugettext_lazy change to gettext_lazy as _

    No longer used libary -ugettext_lazy change to gettext_lazy as _

    I've changed all ugettext_lazy as _ to gettext_lazy as _ and it working, but I have problem when deploying app on heroku..

    from django.utils.translation import ugettext_lazy as _ remote: ImportError: cannot import name 'ugettext_lazy' from 'django.utils.translation' (/app/.heroku/python/lib/python3.10/site-packages/django/utils/translation/init.py)

    opened by papadi166 5
  • `notify_admins` crashes because it uses nonexistent URL `admin:admin_honeypot_loginattempt_change`

    `notify_admins` crashes because it uses nonexistent URL `admin:admin_honeypot_loginattempt_change`

    The notify_admins function in listeners.py begins with this line:

        path = reverse('admin:admin_honeypot_loginattempt_change', args=(instance.pk,))
    

    https://github.com/dmpayton/django-admin-honeypot/blob/c252b6cc18e8c690eead4d0780a49cdd3c78b8c7/admin_honeypot/listeners.py#L9

    That URL does not exist, so I'm getting spammed with error emails saying:

    NoReverseMatch at /admin/login/
    Reverse for 'admin_honeypot_loginattempt_change' not found. 'admin_honeypot_loginattempt_change' is not a valid view function or pattern name.
    
    opened by iacobfred 0
Owner
Derek Payton
I write code (usually in Python), build web apps (usually with Django), and hack on electronics/IoT projects (usually with MicroPython).
Derek Payton
Jet Bridge (Universal) for Jet Admin – API-based Admin Panel Framework for your application

Jet Bridge for Jet Admin – Admin panel framework for your application Description About Jet Admin: https://about.jetadmin.io Live Demo: https://app.je

Jet Admin 1.2k Aug 11, 2022
aiohttp admin is generator for admin interface based on aiohttp

aiohttp admin is generator for admin interface based on aiohttp

Mykhailo Havelia 17 Jul 29, 2022
📱 An extension for Django admin that makes interface mobile-friendly. Merged into Django 2.0

Django Flat Responsive django-flat-responsive is included as part of Django from version 2.0! ?? Use this app if your project is powered by an older D

elky 249 Apr 2, 2022
An improved django-admin-tools dashboard for Django projects

django-fluent-dashboard The fluent_dashboard module offers a custom admin dashboard, built on top of django-admin-tools (docs). The django-admin-tools

django-fluent 318 Jul 25, 2022
A Django app for easily adding object tools in the Django admin

Django Object Actions If you've ever tried making admin object tools you may have thought, "why can't this be as easy as making Django Admin Actions?"

Chris Chang 485 Aug 10, 2022
Disable dark mode in Django admin user interface in Django 3.2.x.

Django Non Dark Admin Disable or enable dark mode user interface in Django admin panel (Django==3.2). Installation For install this app run in termina

Artem Galichkin 5 Apr 13, 2022
Modern responsive template for the Django admin interface with improved functionality. We are proud to announce completely new Jet. Please check out Live Demo

Django JET Modern template for Django admin interface with improved functionality Attention! NEW JET We are proud to announce completely new Jet. Plea

Geex Arts 3.3k Aug 14, 2022
Drop-in replacement of Django admin comes with lots of goodies, fully extensible with plugin support, pretty UI based on Twitter Bootstrap.

Xadmin Drop-in replacement of Django admin comes with lots of goodies, fully extensible with plugin support, pretty UI based on Twitter Bootstrap. Liv

差沙 4.7k Aug 10, 2022
A jazzy skin for the Django Admin-Interface (official repository).

Django Grappelli A jazzy skin for the Django admin interface. Grappelli is a grid-based alternative/extension to the Django administration interface.

Patrick Kranzlmueller 3.3k Aug 5, 2022
A Django admin theme using Twitter Bootstrap. It doesn't need any kind of modification on your side, just add it to the installed apps.

django-admin-bootstrapped A Django admin theme using Bootstrap. It doesn't need any kind of modification on your side, just add it to the installed ap

null 1.6k Jun 26, 2022
django's default admin interface made customizable. popup windows replaced by modals. :mage: :zap:

django-admin-interface django-admin-interface is a modern responsive flat admin interface customizable by the admin itself. Features Beautiful default

Fabio Caccamo 1.2k Aug 12, 2022
Extendable, adaptable rewrite of django.contrib.admin

django-admin2 One of the most useful parts of django.contrib.admin is the ability to configure various views that touch and alter data. django-admin2

Jazzband 1.2k Aug 4, 2022
Modern theme for Django admin interface

Django Suit Modern theme for Django admin interface. Django Suit is alternative theme/skin/extension for Django administration interface. Project home

Kaspars Sprogis 2.2k Aug 6, 2022
Django application and library for importing and exporting data with admin integration.

django-import-export django-import-export is a Django application and library for importing and exporting data with included admin integration. Featur

null 2.5k Aug 11, 2022
"Log in as user" for the Django admin.

django-loginas About "Login as user" for the Django admin. loginas supports Python 3 only, as of version 0.4. If you're on 2, use 0.3.6. Installing dj

Stavros Korokithakis 318 Jul 29, 2022
Visually distinguish environments in Django Admin

django-admin-env-notice Visually distinguish environments in Django Admin. Based on great advice from post: 5 ways to make Django Admin safer by hakib

Yuri Shikanov 252 Aug 11, 2022
A new style for Django admin

Djamin Djamin a new and clean styles for Django admin based in Google projects styles. Quick start Install djamin: pip install -e git://github.com/her

Herson Leite 236 Jul 30, 2022
Responsive Theme for Django Admin With Sidebar Menu

Responsive Django Admin If you're looking for a version compatible with Django 1.8 just install 0.3.7.1. Features Responsive Sidebar Menu Easy install

Douglas Miranda 844 Jul 27, 2022
A Django admin theme using Twitter Bootstrap. It doesn't need any kind of modification on your side, just add it to the installed apps.

django-admin-bootstrapped A Django admin theme using Bootstrap. It doesn't need any kind of modification on your side, just add it to the installed ap

null 1.6k Jun 26, 2022