django-defender
0.9.5 doesn't work without defining password for redis anymore
Hello!
After upgrading to 0.9.5, if no password is defined in the redis url, it throws an error:
redis.exceptions.DataError: Invalid input of type: 'NoneType'. Convert to a bytes, string, int or float first.
redis.exceptions.AuthenticationWrongNumberOfArgsError: wrong number of arguments for 'auth' command
On 0.9.4 works fine.
BR, Dacian
Most likely relates to #218
@erdos4d any ideas?
I'd like to add more details about the issue that @jab3z described above.
If there are no username and password in a redis url, django-defender sets username to 'default' and password to None by default.
Since the username is not None or an empty string, redis-client tries to authorize and raises AuthenticationWrongNumberOfArgsError and DataError.
IMO, a way should be added to specify username as None or an empty string during the StrictRedis initialization in django-defender if a user's redis url doesn't contain username.
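The failure path described in the comment above, as an added example that is not django-defender's or redis-py's code: it builds connection kwargs from a Redis URL two ways and models which AUTH commands result. All function names are hypothetical, the URLs are constructed samples in the shapes quoted in this thread, and `auth_commands` is a simplified model inferred from the traceback posted later in the thread.

```python
from urllib.parse import urlparse

def parse_redis_url(url):
    """Split a redis:// URL into kwargs; credentials missing from the URL stay None."""
    p = urlparse(url)
    if p.scheme not in ("redis", "rediss"):
        raise ValueError(f"unsupported scheme: {p.scheme!r}")
    db = p.path.lstrip("/")
    return {"host": p.hostname or "localhost", "port": p.port or 6379,
            "db": int(db) if db else 0,
            "username": p.username or None, "password": p.password or None}

def kwargs_with_default_user(conf):
    """Behaviour described in the thread: username falls back to 'default'."""
    return {**conf, "username": conf["username"] or "default"}

def kwargs_credentials_if_present(conf):
    """Hardened variant: forward credentials only when the URL has a password."""
    out = {k: v for k, v in conf.items() if k not in ("username", "password")}
    if conf["password"] is not None:
        out["password"] = conf["password"]
        if conf["username"]:
            out["username"] = conf["username"]
    return out

def auth_commands(kwargs, server_has_acl):
    """Simplified model of the handshake in the traceback (not redis-py source)."""
    user, pw = kwargs.get("username"), kwargs.get("password")
    if not (user or pw):
        return []  # nothing truthy to authenticate with: no AUTH is sent
    first = ("AUTH", user, pw or "") if user else ("AUTH", pw)
    if user and not server_has_acl:
        # A pre-ACL server rejects two-argument AUTH, so the client retries
        # with the password alone; a None password cannot be encoded.
        return [first, ("AUTH", pw)]
    return [first]

def has_unencodable_arg(commands):
    """True when any command argument is None (the DataError in the thread)."""
    return any(arg is None for cmd in commands for arg in cmd)

if __name__ == "__main__":
    # Constructed sample URLs, in the shapes quoted in the thread.
    for url in ("redis://abc.def.amazonaws.com:6379/1",
                "redis://:mypassword@localhost:6379/0"):
        conf = parse_redis_url(url)
        for build in (kwargs_with_default_user, kwargs_credentials_if_present):
            cmds = auth_commands(build(conf), server_has_acl=False)
            print(url, build.__name__, cmds, has_unencodable_arg(cmds))
```

Two-argument AUTH arrived with ACLs in Redis 6, which is why the model takes `server_has_acl`: the same kwargs that fail against a Redis 5 server produce a single accepted command on Redis 6.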
I'm on Ubuntu 22.04 with a clean install of redis 6.0.16 and defender at 0.9.5. I can set DEFENDER_REDIS_URL to redis://127.0.0.1:6379 and it works fine, I can login to the admin and see the attempt. By my reading of the code, this should set username as default and password as None in the StrictRedis constructor. Am I missing something to reproduce this? Can someone share a url/config that will reproduce? Thanks and sorry if this messed anyone up out there.
@erdos4d forgot to mention, redis://127.0.0.1:6379 works fine for me too. I get the error while using a real production redis url, something like redis://abc.def.amazonaws.com:6379/1. Redis v5.0.6 and redis-client v4.3.3 are used in production.
Hello,
I haven't debugged why and how the error occurs, simply found the faulty package, checked the release log to not have major changes and reverted to the old version.
Tested only locally with Redis running on docker, but the following URLs were throwing the error when logging into admin:
redis://127.0.0.1:6379
redis://127.0.0.1:6379/1
redis://localhost:6379
redis://localhost:6379/1
Let me know if you'd like me to raise a PR with the fix.
BR, Dacian
That error happened to me too and also only on the production server. What I did was:
- Setting password "mypassword" for redis on the server (by editing /etc/redis/redis.conf or via redis-cli):
root@server:~# redis-cli
127.0.0.1:6379> config set requirepass mypassword
127.0.0.1:6379> quit
root@server:~# service redis-server restart
- Adding DEFENDER_REDIS_URL to Django's settings.py:
DEFENDER_REDIS_URL = 'redis://:mypassword@localhost:6379/0'
That's it. To see blocked users/ips:
root@server:~# redis-cli
127.0.0.1:6379> auth mypassword
127.0.0.1:6379> scan 0
To quickly check, for example, if the user "admin" is blocked:
127.0.0.1:6379> get defender:blocked:username:admin
To quickly unblock user "admin":
127.0.0.1:6379> del defender:blocked:username:admin
I am getting this error with django-defender 0.9.6 and redis 4.3.5. My Django is 3.2.16. I cannot set a password on redis since it is used by several other applications. Is there a workaround? --p
What do you have for defender settings? Specifically "DEFENDER_REDIS_URL" and "DEFENDER_REDIS_NAME" ?
Also, what version of redis server are you using?
Redis server v=5.0.3
DEFENDER_REDIS_URL = 'redis://127.0.0.1:6379'
DEFENDER_REDIS_NAME is not set (docs say that if _NAME is set, it overrides _URL).
Not necessarily relevant, but the other settings in base.py are:
DEFENDER_LOGIN_FAILURE_LIMIT = 5
DEFENDER_BEHIND_REVERSE_PROXY = True
DEFENDER_LOCK_OUT_BY_IP_AND_USERNAME = True
DEFENDER_ACCESS_ATTEMPT_EXPIRATION = 1
DEFENDER_STORE_ACCESS_ATTEMPTS = True
DEFENDER_COOLOFF_TIME = 900
DEFENDER_LOCKOUT_TEMPLATE = 'registration/login_failed.html'
Additional details: And the system is on Alma 8. Python version is 3.6.8.
Here is the full traceback. Dump happens right when the initial login form loads. Well before user enters anything into the credentials field.
Environment:
Request Method: GET
Request URL: https://192.168.1.37/login/
Django Version: 3.2.16
Python Version: 3.6.8
Installed Applications:
['django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', 'django.contrib.sites', 'django_filters', 'rest_framework.authtoken', 'rest_framework', 'allauth', 'allauth.account', 'allauth.socialaccount', 'allauth.socialaccount.providers.amazon', 'allauth.socialaccount.providers.google', 'allauth.socialaccount.providers.linkedin', 'defender', 'resources', 'rulesstatus', 'rules', 'profiles', 'users', 'reports', 'aws', 'ibm_broker']
Installed Middleware:
['django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', 'defender.middleware.FailedLoginMiddleware']
Traceback (most recent call last):
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/redis/connection.py", line 713, in on_connect
    auth_response = self.read_response()
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/redis/connection.py", line 839, in read_response
    raise response
During handling of the above exception (wrong number of arguments for 'auth' command), another exception occurred:
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/django/views/generic/base.py", line 70, in view
    return self.dispatch(request, *args, **kwargs)
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/django/utils/decorators.py", line 43, in _wrapper
    return bound_method(*args, **kwargs)
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/defender/decorators.py", line 21, in wrapper
    if utils.is_already_locked(request):
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/defender/utils.py", line 393, in is_already_locked
    ip_blocked = is_source_ip_already_locked(get_ip(request))
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/defender/utils.py", line 386, in is_source_ip_already_locked
    return REDIS_SERVER.get(get_ip_blocked_cache_key(ip_address))
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/redis/commands/core.py", line 1705, in get
    return self.execute_command("GET", name)
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/redis/client.py", line 1235, in execute_command
    conn = self.connection or pool.get_connection(command_name, **options)
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/redis/connection.py", line 1387, in get_connection
    connection.connect()
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/redis/connection.py", line 623, in connect
    self.on_connect()
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/redis/connection.py", line 719, in on_connect
    self.send_command("AUTH", self.password, check_health=False)
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/redis/connection.py", line 800, in send_command
    self.pack_command(*args), check_health=kwargs.get("check_health", True)
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/redis/connection.py", line 858, in pack_command
    for arg in map(self.encoder.encode, args):
  File "/home/raxak/.virtualenvs/raxak/lib/python3.6/site-packages/redis/connection.py", line 109, in encode
    f"Invalid input of type: '{typename}'. "
Exception Type: DataError at /login/
Exception Value: Invalid input of type: 'NoneType'. Convert to a bytes, string, int or float first.
@pmulgaonkar any chance you can try this version out? I think it will fix your issue, but not 100% https://github.com/jazzband/django-defender/pull/227
Sorry. I don't understand. You want me to pull the file [defender/connection.py] and replace the one in my current build? Or do you want me to try with redis >= 6
--p
Try with the 'connection.py' file that is in that PR/branch on your local build, using your current redis server.
Ken
Tried it. Error went away and login was permitted. However defender does not trigger even after multiple incorrect password attempts.
I'm glad the error went away, but I'm confused as to why defender isn't working. Does it work fine with the older version 0.9.4?
Will revert version and try again, but we have been using defender successfully for a long time with defender 0.6.0. Now going through the process of upgrading along with redis and django, and started with 0.9.6.
But downgrading to 0.9.4 also does not work. No redis error, but defender functionality (blocking) does not happen.
Probably something in my code since we are using a custom login function that we had to modify while upgrading django. (Old system was still on django 1.11) Probably something we are doing wrong.
Will test and report.
At first look, that looks fine to me. Not sure why that isn't working.
My previous comment vanished. I systematically redid the code and now everything is working, but with 0.9.4.
Thanks for all your help @kencochrane Really appreciate it.
Great, my fix has been merged into the master branch. Feel free to try that version, hopefully that works for you.
I'll cut a new release this weekend when I get a chance.
@pmulgaonkar @jab3z I released 0.9.7 with the fix for using Redis 5 with no password; see if that works for you.
Am having the same problem here, redis server activates the localhost url even when I hardcode the redis url from a managed redis server
What versions are you using?
Am using redis == 5.0.0 django-redis == 5.3.0 django-defender == 0.9.7
The managed redis works just fine but the moment I start implementing Django defender functionalities then it stops working. Like it loads the localhost redis url...
This is happening in production environment and even in development environment the managed redis url does not load....
Noted that I have not provided the redis name and password since the managed redis server only gives you the redis url....
And you don’t see any errors or messages in the logs at all?
do you see the same error when running the version that is on the master branch?
The error message I see is that ConnectionError
Error 10061 connecting to localhost:6379. No connection could be made because the target machine actively refused it.
This happens even when I use a managed redis url.
Like instead of using the managed redis url then it uses the localhost..
Ok, do you see that same error using the latest version on the master branch?
Yes, am seeing the same error, even with the latest versions, and it is a stressful experience...