Django security app - IP/email/country blocking, rate limiting, login tracking, auto-blocking
Project description
NAI Security
Django security package for IP blocking, country blocking, email blocking, rate limiting, and login tracking.
Features
- IP Blocking - Block specific IPs manually or automatically
- Country Blocking - Block/allow countries using GeoIP
- Email Blocking - Block disposable emails and specific addresses
- Domain Blocking - Block email domains (disposable, spam, etc.)
- User Agent Blocking - Block bots, scrapers, attack tools
- Rate Limiting - Custom rate limit rules per endpoint
- Login History - Track user logins with anomaly detection
- Auto-Blocking - Automatically block IPs/countries based on attack patterns
- Security Logs - Comprehensive logging of all security events
- Axes Integration - Dynamic login attempt limits, cooloff time, and per-attempt expiry via admin panel (requires django-axes >= 8.3)
- Whitelisted Users - Exempt specific users from security checks
Installation
pip install nai-security
With all optional dependencies:
pip install nai-security[all]
Or install from GitHub:
pip install git+https://github.com/nematiai/nai-security.git
Quick Start
1. Add to INSTALLED_APPS
INSTALLED_APPS = [
...
"nai_security",
]
2. Add Middleware
Important:
nai_security.middleware.SecurityMiddlewaremust be placed afterdjango.contrib.auth.middleware.AuthenticationMiddleware. The package validates this at startup and raisesImproperlyConfiguredif misordered.
MIDDLEWARE = [
"django.middleware.security.SecurityMiddleware",
"django.contrib.sessions.middleware.SessionMiddleware",
"django.middleware.common.CommonMiddleware",
"django.contrib.auth.middleware.AuthenticationMiddleware", # must be before
"django.contrib.messages.middleware.MessageMiddleware",
"nai_security.middleware.SecurityMiddleware", # after auth
"nai_security.middleware.RateLimitLoggingMiddleware", # optional
]
3. Configure Settings
GEOIP_PATH = "/path/to/GeoLite2-Country.mmdb"
# Optional: override default exempt paths (default: /health/, /ready/, /favicon.ico)
NAI_SECURITY_EXEMPT_PATHS = ["/health/", "/health", "/ready/", "/ready", "/favicon.ico"]
4. Run Migrations
python manage.py migrate
5. Download GeoIP Database
python manage.py download_geoip
Dependencies
Required:
- Django >= 4.2
- geoip2 >= 4.0
- redis >= 4.0
Optional:
django-axes >= 8.3— login attempt tracking and lockout; without it axes features are silently disableddjango-ratelimit >= 4.0— rate limiting per endpointdjango-import-export >= 3.0— admin import/export for blocked emails/domains; without it those buttons are hiddendjango-unfold >= 0.10— admin UI theme; without it falls back to standard Django admincelery— background tasks (auto-block processing, sync, reports); without it tasks are no-ops
Axes Integration
Enable brute-force protection with dynamic settings controlled from the admin panel:
# settings.py
INSTALLED_APPS = [
...
"axes",
"nai_security",
]
AXES_HANDLER = 'nai_security.handlers.axes_integration.DynamicAxesHandler'
AUTHENTICATION_BACKENDS = [
'axes.backends.AxesStandaloneBackend',
'django.contrib.auth.backends.ModelBackend',
]
This gives you admin-configurable control over:
| Setting | Description |
|---|---|
| Max login attempts | Failed attempts before lockout (default: 5) |
| Cooloff time | Minutes before locked accounts auto-unlock (0 = permanent) |
| Attempt expiry | Each failed attempt expires independently — requires cooloff > 0 |
All changes take effect immediately — no server restart required.
Validation: Enabling attempt expiry with cooloff set to 0 will raise a validation error in the admin panel.
Management Commands
# Download GeoIP database
python manage.py download_geoip
# Sync disposable email domains and bad bot lists
python manage.py sync_security_lists
python manage.py sync_security_lists --domains-only
python manage.py sync_security_lists --bots-only
Celery Tasks
from celery.schedules import crontab
CELERY_BEAT_SCHEDULE = {
'security-auto-blocks': {
'task': 'security.process_auto_blocks',
'schedule': crontab(minute='*/5'),
},
'security-cleanup-expired': {
'task': 'security.cleanup_expired_blocks',
'schedule': crontab(minute=0, hour='*'),
},
'security-sync-lists': {
'task': 'security.sync_security_lists',
'schedule': crontab(minute=0, hour=0, day_of_week=0),
},
'security-daily-report': {
'task': 'security.generate_security_report',
'schedule': crontab(minute=0, hour=6),
},
}
Models
| Model | Description |
|---|---|
BlockedIP |
Blocked IP addresses |
BlockedCountry |
Blocked countries |
AllowedCountry |
Allowed countries (whitelist mode) |
BlockedEmail |
Blocked email addresses |
BlockedDomain |
Blocked email domains |
BlockedUserAgent |
Blocked user agents |
WhitelistedIP |
IPs that bypass all checks |
WhitelistedUser |
Users exempted from security checks (see exemption types below) |
RateLimitRule |
Custom rate limit rules |
LoginHistory |
User login tracking |
SecurityLog |
Security event logs |
SecuritySettings |
Global settings (singleton) |
User Exemptions (WhitelistedUser)
Exempt specific users from security checks via the admin panel or ORM:
| Exemption Type | Bypasses |
|---|---|
all |
Entire security middleware — IP, country, user-agent |
ip_block |
IP blocking only |
geo_block |
Country/geo blocking only |
rate_limit |
Rate limit logging only |
Exemptions support optional expiration (expires_at) and can be toggled via is_active.
Upgrading to 1.9.1
Breaking changes:
SecurityMiddlewarenow requiresAuthenticationMiddlewareto be placed before it inMIDDLEWARE. If misordered, the app raisesImproperlyConfiguredat startup. Previously the middleware silently failed to resolve users.NAI_SECURITY_USER_RESOLVERsetting has been removed. User resolution now usesrequest.userdirectly (guaranteed by middleware ordering).parse_user_agentnow correctly detects Android, iOS, and Opera (previously misidentified as Linux, macOS, and Chrome respectively).
Testing
python -m pytest
License
MIT License
Author
Ali Nemati - NEMATI AI
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
nai_security-1.10.0.tar.gz
(45.2 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file nai_security-1.10.0.tar.gz.
File metadata
- Download URL: nai_security-1.10.0.tar.gz
- Upload date:
- Size: 45.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8d6a46777b61df091f2da65803914d26a688cb650b7240581c7f4307e717a218
|
|
| MD5 |
eed0f70066cbbcd9e2fc28a4c5a3f110
|
|
| BLAKE2b-256 |
20eb9f4e4a374f408cfce9722385ae3095c86ce4298b94249a32f521be31f522
|
File details
Details for the file nai_security-1.10.0-py3-none-any.whl.
File metadata
- Download URL: nai_security-1.10.0-py3-none-any.whl
- Upload date:
- Size: 46.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
296e3e30d9b80e3dd31fdc037804a2b2a989021fc0b4699a84d80a32ddd0510a
|
|
| MD5 |
d9837f8187d3fad4bc7832f5446c1cc2
|
|
| BLAKE2b-256 |
37a47f671b0ff23cc9c7e8736eae0a009dc8ce846c83c0486dfcea0f0c9af1af
|
