:honey_pot: A fake Django admin login screen page.

Overview

django-admin-honeypot


django-admin-honeypot is a fake Django admin login screen to log and notify admins of attempted unauthorized access. This app was inspired by discussion in and around Paul McMillan's security talk at DjangoCon 2011.

Documentation

http://django-admin-honeypot.readthedocs.io

tl;dr

  • Install django-admin-honeypot from PyPI:

    pip install django-admin-honeypot
    
  • Add admin_honeypot to INSTALLED_APPS

  • Update your urls.py:

    urlpatterns = [
        ...
        path('admin/', include('admin_honeypot.urls', namespace='admin_honeypot')),
        path('secret/', admin.site.urls),
    ]
    
  • Run python manage.py migrate

NOTE: replace secret in the URL above with your own secret URL prefix. The honeypot only works as a decoy if the real admin is not also reachable at admin/.

Issues
  • Undefined template variables make page look different than default Django login page

    We've recently started logging missing template variables (similar to: https://docs.djangoproject.com/en/3.0/ref/templates/api/#how-invalid-variables-are-handled). In this process we noticed that the honeypot login page is complaining about three undefined variables:

    1. site_title
    2. site_header
    3. username

    Looking at the page visually, it also looked different than the actual Django login page - the title was missing from the honeypot page. After looking at django-admin-honeypot code and tinkering, I think the discrepancy is in views.py - specifically, if I add site_title to the context returned by get_context_data, it solves the issue.

    My guess is that Django templates became more and more customizable, the context wasn't updated and so now there is this discrepancy. I wanted to make sure that my understanding of this is correct before submitting a PR. @dmpayton what do you think? Does it make sense?

    (and of course, thanks for the great library!)

    opened by Sveder 12
  • Django 2.0 Compatibility - reverse()

    #45 - Adjust import to support Django 2.0

    opened by JensAstrup 11
  • Django 1.9 deprecates IPAddressField

    Running ./manage.py check on django/master yields the following:

    WARNINGS:
    admin_honeypot.LoginAttempt.ip_address: (fields.W900) IPAddressField has been deprecated. Support for it (except in historical migrations) will be removed in Django 1.9.
            HINT: Use GenericIPAddressField instead.

    Not urgent, but worth considering, IMO.

    opened by mvasilkov 10
  • Django 3.1+ deprecation warning for usage of ugettext() function

    Deprecation warning from Django 3.1+: I suggest replacing all calls to ugettext() with gettext()

    admin_honeypot\views.py:38: 
    RemovedInDjango40Warning: django.utils.translation.ugettext() is deprecated in favor of django.utils.translation.gettext().
    'title': _('Log in'),
    
    opened by dehidehidehi 6
  • Set client IP fixed

    When working behind an ELB, honeypot uses the REMOTE_ADDR header, which returns a local address.

    opened by alonraiz 5
  • Every IP address is 172.17.0.6

    Hello all :wave:.

    I've been using a forked version of this in an app running on Google App Engine. It has a custom runtime specified by a Dockerfile. Every login attempt at the honeypot site is said to originate from 172.17.0.6, which seems to be an infrastructure-related IP, rather than the user's IP.

    The changes I made in the forked version shouldn't be a factor, so I was wondering if anyone had any thoughts?

    opened by alstr 4
  • Breaks on Django 2.0

    ModuleNotFoundError: No module named 'django.core.urlresolvers'

    opened by flexpeace 4
  • ipware?

    Hi all,

    I find it kind of crazy that this library has no built in way to pull IP addresses from anything other than REMOTE_ADDR. On AWS, this is always the IP of my load balancer and it makes it completely useless.

    I know I can add a middleware, but why can't we be better than this? django-axes (https://github.com/jazzband/django-axes) handles this really nicely by using django-ipware (https://github.com/un33k/django-ipware) to get the IP and allowing us to configure the ipware precedence order: https://django-axes.readthedocs.io/en/latest/4_configuration.html#configuring-reverse-proxies

    Can we do something similar here?

    opened by joetheone 3
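The precedence problem raised in this issue, in the ELB report ("Set client IP fixed") and in the 172.17.0.6 report above comes down to one rule: the only address the server observed itself is the TCP peer in REMOTE_ADDR, and X-Forwarded-For is only meaningful once that peer is known to be one of your own proxies. The following is an added example, not code from django-admin-honeypot or from django-ipware. It assumes Django-style META keys (REMOTE_ADDR and HTTP_X_FORWARDED_FOR, which Django does expose); the proxy ranges and the sample requests are constructed for the example.

```python
import ipaddress
from typing import Iterable, Mapping, Optional


def _parse(value: str):
    """Return an ipaddress object, or None for an empty or malformed hop."""
    value = value.strip()
    if not value:
        return None
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def client_ip(meta: Mapping[str, str], trusted_proxies: Iterable[str] = ()) -> Optional[str]:
    """Pick the client address out of a WSGI/Django-style META mapping.

    The hop chain is X-Forwarded-For (leftmost = first hop claimed by whoever
    set the header) followed by REMOTE_ADDR (the TCP peer, the only hop the
    server observed itself).  Walk from the right and discard every hop that
    lies inside one of our own proxy networks; the first remaining hop is the
    client.  If the TCP peer is not one of our proxies, X-Forwarded-For came
    straight from the client and is ignored, which is what defeats spoofing.
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    peer = _parse(meta.get("REMOTE_ADDR", ""))
    if peer is None:
        # Empty or malformed REMOTE_ADDR: return None rather than handing an
        # empty string to the database column.
        return None

    forwarded = [_parse(h) for h in meta.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    hops = forwarded + [peer]

    for hop in reversed(hops):
        if hop is None:
            # A proxy we trust should never forward a malformed hop; refuse to guess.
            return None
        if not any(hop in net for net in networks):
            return str(hop)

    # Every hop was one of our own proxies (e.g. a load-balancer health check).
    return str(hops[0])


# Constructed sample requests (not captured traffic).  10.0.0.0/8 stands in for
# a VPC load balancer and 172.16.0.0/12 for a Docker bridge network; a real
# deployment lists its actual proxy ranges (for Cloudflare, their published ranges).
TRUSTED = ("10.0.0.0/8", "172.16.0.0/12")

DIRECT = {"REMOTE_ADDR": "203.0.113.10"}
BEHIND_ELB = {"REMOTE_ADDR": "10.0.3.25", "HTTP_X_FORWARDED_FOR": "198.51.100.7"}
BEHIND_DOCKER = {"REMOTE_ADDR": "172.17.0.6", "HTTP_X_FORWARDED_FOR": "198.51.100.7"}
# The client prepended a fake hop; the load balancer appended the real peer last.
SPOOFED_VIA_PROXY = {"REMOTE_ADDR": "10.0.3.25", "HTTP_X_FORWARDED_FOR": "1.2.3.4, 198.51.100.7"}
# No proxy in front: a forged X-Forwarded-For must be ignored entirely.
SPOOFED_DIRECT = {"REMOTE_ADDR": "203.0.113.10", "HTTP_X_FORWARDED_FOR": "1.2.3.4"}
EMPTY_PEER = {"REMOTE_ADDR": ""}

if __name__ == "__main__":
    samples = [("direct", DIRECT), ("behind ELB", BEHIND_ELB), ("behind Docker", BEHIND_DOCKER),
               ("spoofed via proxy", SPOOFED_VIA_PROXY), ("spoofed direct", SPOOFED_DIRECT),
               ("empty peer", EMPTY_PEER)]
    for name, meta in samples:
        print(f"{name:18} trusted={client_ip(meta, TRUSTED)!s:14} no proxies={client_ip(meta)}")
```

With no trusted ranges configured the function returns the load balancer's own address for the ELB sample, which is exactly the symptom reported in these issues; with the ranges configured it returns the real peer and still ignores a forged header arriving directly from a client.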
  • add chinese locale

    opened by wujuguang 3
  • In Postgresql and Python 3 error

    [screenshot from 2016-05-07 11:57:19 omitted]

    Environment:

    Request Method: POST
    Request URL: http://www.thecolornet.com/admin/login/?next=/admin/

    Django Version: 1.9.5
    Python Version: 3.4.3
    Installed Applications:
    ('django.contrib.admin', 'django.contrib.sites', 'registration', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', 'admin_honeypot', 'markdown_deux', 'pagedown', 'rest_framework', 'custom_user', 'imagekit', 'crispy_forms', 'storages', 'newsletter', 'comments', 'blog', 'ajaxsearch')
    Installed Middleware:
    ('django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.auth.middleware.SessionAuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', 'django.middleware.security.SecurityMiddleware')

    Traceback:

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute
      return self.cursor.execute(sql, params)

    The above exception (invalid input syntax for type inet: "b''" LINE 1: ...p", "path") VALUES ('[email protected]', 'b'''''::i... ^ ) was the direct cause of the following exception:

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/core/handlers/base.py" in get_response
      response = self.process_exception_by_middleware(e, request)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/core/handlers/base.py" in get_response
      response = wrapped_callback(request, *callback_args, **callback_kwargs)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/views/generic/base.py" in view
      return self.dispatch(request, *args, **kwargs)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/admin_honeypot/views.py" in dispatch
      return super(AdminHoneypot, self).dispatch(request, *args, **kwargs)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/views/generic/base.py" in dispatch
      return handler(request, *args, **kwargs)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/views/generic/edit.py" in post
      return self.form_invalid(form)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/admin_honeypot/views.py" in form_invalid
      path=self.request.get_full_path(),

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/manager.py" in manager_method
      return getattr(self.get_queryset(), name)(*args, **kwargs)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/query.py" in create
      obj.save(force_insert=True, using=self.db)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in save
      force_update=force_update, update_fields=update_fields)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in save_base
      updated = self._save_table(raw, cls, force_insert, force_update, using, update_fields)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in _save_table
      result = self._do_insert(cls._base_manager, using, fields, update_pk, raw)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/base.py" in _do_insert
      using=using, raw=raw)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/manager.py" in manager_method
      return getattr(self.get_queryset(), name)(*args, **kwargs)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/query.py" in _insert
      return query.get_compiler(using=using).execute_sql(return_id)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/models/sql/compiler.py" in execute_sql
      cursor.execute(sql, params)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute
      return super(CursorDebugWrapper, self).execute(sql, params)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute
      return self.cursor.execute(sql, params)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/utils.py" in __exit__
      six.reraise(dj_exc_type, dj_exc_value, traceback)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/utils/six.py" in reraise
      raise value.with_traceback(tb)

    File "/root/myproject2/myprojectenv2/lib/python3.4/site-packages/django/db/backends/utils.py" in execute
      return self.cursor.execute(sql, params)

    Exception Type: DataError at /admin/login/
    Exception Value: invalid input syntax for type inet: "b''" LINE 1: ...p", "path") VALUES ('[email protected]', 'b'''''::i... ^

    opened by ArtemBernatskyy 3
  • `notify_admins` crashes because it uses nonexistent URL `admin:admin_honeypot_loginattempt_change`

    The notify_admins function in listeners.py begins with this line:

        path = reverse('admin:admin_honeypot_loginattempt_change', args=(instance.pk,))
    

    https://github.com/dmpayton/django-admin-honeypot/blob/c252b6cc18e8c690eead4d0780a49cdd3c78b8c7/admin_honeypot/listeners.py#L9

    That URL does not exist, so I'm getting spammed with error emails saying:

    NoReverseMatch at /admin/login/
    Reverse for 'admin_honeypot_loginattempt_change' not found. 'admin_honeypot_loginattempt_change' is not a valid view function or pattern name.
    
    opened by iacobfred 0
  • Added missing template vars to context data

    Fixes https://github.com/dmpayton/django-admin-honeypot/issues/62

    opened by GitRon 8
  • Fixed deprecation warnings, flake8 of code and added Python and Django versions to Travis

    • Fixed django 4.0 deprecation warnings
    • flake8 of code
    • added python 3.5, 3.6 and 3.8 to travis
    • added django 3.1 to travis
    • created a travis matrix so all valid combinations are being tested
    • added some tags to the README
    opened by GitRon 9
  • IP Address GDPR/PII Compliance

    Noticed some other issues and pull requests on this package regarding IP address and tracking locations.

    You might be able to ignore the encryption/decryption if your Linux server is secured.

    Although these are great ideas and helpful for security, IP address falls under GDPR / PII laws and just keeping this tracked in the database somewhere violates these laws. To resolve this, encrypting the IP address is needed or simply do not track it at all (give users the option to do it with a setting rather than doing it by default). Decrypting this would be needed for site administrators to do something specific with a suspicious hacker IP address.

    The django-fernet-fields package encrypts and decrypts fields with the SECRET_KEY in settings. Others like django-pgcrypto-fields use the postgres pgcrypto extension to encrypt the field and users could decrypt it with a database query. It would be nice for this package to have this built in without needing to rely on these other packages and overriding the app.

    You need to be able to get the real IP address of the client even if the server is behind Cloudflare or a load balancer. You don't want to block people who are behind the same Cloudflare IP address, or everyone on your site will be blocked/rate limited, which is bad. There is also the issue of IP spoofing, where a malicious user could fake their IP address.

    These are just some ideas. Looking forward to hearing what everyone else thinks.

    opened by 9mido 2
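As an added illustration of the "do not keep the raw address" option discussed in the issue above (example code, not part of django-admin-honeypot and not one of the packages named there): a stdlib-only keyed pseudonymization of the logged address. It deliberately gives up the decryption the poster asks for; if administrators must be able to recover the original address, a reversible encrypted field such as django-fernet-fields is the tool, and this shows what remains possible without one: repeat attempts still correlate, a specific suspect address can still be checked, and the stored value alone names nobody. The key and the sample addresses are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed key for this example only.  A deployment loads it from a setting
# or secret store and never hard-codes it; rotating it invalidates old tokens.
EXAMPLE_KEY = b"example-only-not-a-real-secret"


def normalize_ip(raw: str) -> Optional[str]:
    """Canonical text form, so '2001:0db8::0001' and '2001:db8::1' yield one token."""
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def pseudonymize_ip(raw: str, key: bytes = EXAMPLE_KEY, length: int = 32) -> Optional[str]:
    """Keyed one-way token (HMAC-SHA256, hex, truncated to `length` characters).

    Repeat attempts from one address collide on the same token, so they can be
    counted and correlated, and a suspect address can be checked by recomputing
    its token.  Without the key the stored value cannot be turned back into the
    address and, unlike an unkeyed hash, it cannot be recovered by simply
    hashing all 2**32 IPv4 addresses.  Malformed input yields None instead of
    a token for the empty string.
    """
    ip = normalize_ip(raw)
    if ip is None:
        return None
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()[:length]


def matches(raw: str, token: str, key: bytes = EXAMPLE_KEY) -> bool:
    """Does a suspect address correspond to a stored token?  Constant-time compare."""
    candidate = pseudonymize_ip(raw, key, len(token))
    return candidate is not None and hmac.compare_digest(candidate, token)


def truncate_ip(raw: str, v4_prefix: int = 24, v6_prefix: int = 64) -> Optional[str]:
    """Data-minimisation alternative: keep only the network and drop the host bits.

    Coarse enough to spot a hostile subnet, too coarse to single out one machine.
    """
    ip = normalize_ip(raw)
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    for sample in ("198.51.100.7", "2001:0db8::0001", "2001:db8::1", "b''"):
        print(f"{sample:18} token={pseudonymize_ip(sample)} network={truncate_ip(sample)}")
    stored = pseudonymize_ip("198.51.100.7")
    print("suspect 198.51.100.7 matches:", matches("198.51.100.7", stored))
    print("suspect 198.51.100.8 matches:", matches("198.51.100.8", stored))
```

Which of the two reductions to store is a policy choice: the HMAC token keeps per-address correlation and suspect matching but is useless without the key, while the truncated network is readable by anyone yet only identifies a subnet.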
  • Update for modern Django!

    Modern Django could really use this tool. I want to keep it in Two Scoops of Django 3.x!

    opened by pydanny 23
  • Expanded logging options

    These changes were made to enable this honeypot to run in our environment:

    • Added option to log to an hpfeeds broker
    • Added option to limit the DB size (useful for lightweight deployments which log externally)
    • Added optional password collection

    I notice that the request to collect passwords was rejected in #25. That makes sense for deployments on production websites, but this honeypot is also useful in deployments where there is no live site and it is deployed solely for data collection. In this case, there is no possibility for accidental password entry and collecting passwords is very useful for research. However, this PR sets this option to False by default.

    opened by rogofsky 3
  • Add HISTORY.rst for getting fast detail information

    Recently, 1.1.0 was released, and it would be nice in future to have this file with release notes. Or just add release notes on the releases tab: https://github.com/dmpayton/django-admin-honeypot/releases

    opened by DmytroLitvinov 0
  • module not found error on deployment

    Locally I was able to edit the urls.py in /site-packages/ to include the app_name tag, but I can't get it to work when I'm deploying to Heroku.

    any help is appreciated

    opened by t-0-m-1-3 0
  • Why honeypot doesn't track the location from IP Address?

    This plugin is very useful, but why doesn't it track the location? For example, by using GeoIP with pygeoip to track the city, or similar:

    >>> gi = pygeoip.GeoIP('GeoIPCity.dat')
    >>> gi.record_by_addr('64.233.161.99')
    {
        'city': u'Mountain View',
        'region_code': u'CA',
        'area_code': 650,
        'time_zone': 'America/Los_Angeles',
        'dma_code': 807,
        'metro_code': 'San Francisco, CA',
        'country_code3': 'USA',
        'latitude': 37.41919999999999,
        'postal_code': u'94043',
        'longitude': -122.0574,
        'country_code': 'US',
        'country_name': 'United States',
        'continent': 'NA'
    }
    >>> gi.time_zone_by_addr('64.233.161.99')
    'America/Los_Angeles'
    
    opened by agusmakmun 7
Owner
Derek Payton
I write code (usually in Python), build web apps (usually with Django), and hack on electronics/IoT projects (usually with MicroPython).