How do you protect django admin site?

I thought I might restrict it to show only on some IPs, but I have some freelance workers without static IPs who should be able to log in to the admin site. I rolled out a big project and I am looking for some ways to protect the admin site from unwanted eyes.

asked Oct 04 '10 17:10 by DataGreed


People also ask

How do I restrict access to admin pages in Django?

Django admin allows access to users marked as `is_staff=True`. To disable a user from being able to access the admin, you should set `is_staff=False`. This holds true even if the user is a superuser (`is_superuser=True`).

Is Django admin secure?

Aside from the fact that serving static files through Django is considered a bad idea, the Django admin itself is pretty safe. You can take additional measures by securing it via `.htaccess` and forcing HTTPS access on it. You could also restrict access to a certain IP.


3 Answers

If you are running it behind Apache you can use one of its many modules for HTTP authentication (there are similar modules for other servers). This way the user can't even get to the login page without logging in.

Another option would be to block all access from remote URLs and require users to use a VPN to access the admin pages. (I think this would be too big of a hassle.)

We have a site where the admin interface is on a separate domain; it doesn't hide anything, but it keeps them separate.

answered Oct 24 '22 02:10 by mikerobi


1) Restrict by IPs. This may not be totally possible in your case, but you can still look at allowing only a few subnets. Even though your users have dynamic IPs, I think they are most likely to get their IPs from the same subnet if they connect from the same network every time. This may reduce the risk of being totally open.

2) Change the default Admin URL to something non-obvious.

answered Oct 24 '22 02:10 by Srikanth Chundi
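The subnet restriction suggested in this answer (and the "block everything remote" idea in the one above it) is usually done in front of Django, but it can also be a small middleware. The following is an added example, not code from the question or any answer: it allow-lists whole subnets with the standard library `ipaddress` module, refuses the admin prefix from anywhere else, and leaves the rest of the site untouched. The subnet values, the `/admin/` mount point and the `AdminIPRestrictMiddleware` name are assumptions; the `X-Forwarded-For` handling is only safe when a reverse proxy you control appends the client address, which is why it is off by default.

```python
import ipaddress

# Constructed allow-list of subnets (RFC 5737 documentation ranges used as
# placeholders; in practice these would be the office and contractors' ISP blocks).
ADMIN_ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
ADMIN_URL_PREFIX = "/admin/"  # assumed admin mount point


def client_ip(meta, trusted_proxy=False):
    """Return the address to check against the allow-list.

    REMOTE_ADDR is what the socket saw. X-Forwarded-For only means something
    when a reverse proxy you control appends the real client to it; with one
    such proxy the rightmost entry is the one it observed (earlier entries can
    be forged by the client). When Django is reached directly, ignore the header.
    """
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    if trusted_proxy and xff:
        return xff.split(",")[-1].strip()
    return meta.get("REMOTE_ADDR", "")


def admin_allowed(path, ip, networks=ADMIN_ALLOWED_NETWORKS):
    """True if the request may proceed: non-admin paths always, admin paths
    only from an allowed subnet. Unparseable addresses are refused."""
    if not path.startswith(ADMIN_URL_PREFIX):
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # ip_network.__contains__ returns False on an IPv4/IPv6 version mismatch.
    return any(addr in net for net in networks)


try:
    from django.http import HttpResponseForbidden
except ImportError:  # lets the module load (and be tested) without Django installed
    class HttpResponseForbidden:
        status_code = 403

        def __init__(self, content=b""):
            self.content = content


class AdminIPRestrictMiddleware:
    """Hypothetical middleware; list it in MIDDLEWARE ahead of the auth
    middleware so even the admin login page is unreachable from outside
    the allowed subnets."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # trusted_proxy=False assumes Django terminates the connection itself.
        ip = client_ip(request.META, trusted_proxy=False)
        if not admin_allowed(request.path, ip):
            return HttpResponseForbidden(b"Forbidden")
        return self.get_response(request)
```

Keeping the allow-list as networks rather than single addresses is what makes the dynamic-IP case workable: a contractor whose ISP hands out addresses from one block stays inside the list while their address changes, and anything that fails to parse as an address is rejected rather than silently let through.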


We're wrestling with this question right now. We initially restricted access by IPs however (after client signoff) were asked to turn off the restriction. We currently have digest auth on top of the admin. We're considering login attempt throttling and minimum password strength requirements. I believe these would be relevant protections as protecting the admin includes protection against poor password choices.

Time and budget permitting we may look at mod_security for many things, including IP address reputation (geolocation), blacklisting, and brute force attack detection.

answered Oct 24 '22 01:10 by Jason Leveille
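The login-attempt throttling this answer is considering can be implemented in a few dozen lines. The following is an added example and not the answerer's code: a sliding-window counter keyed on client address plus account name, with a lockout once the limit is hit and a reset on successful login. The `LoginThrottle` and `throttle_key` names, the limits and the injectable clock are assumptions; in a Django project you would call `record_failure` and `record_success` from handlers for the `user_login_failed` and `user_logged_in` signals in `django.contrib.auth.signals`, and back the dictionaries with the cache so every worker process shares the counts.

```python
import time
from collections import deque


def throttle_key(ip, username):
    """Count failures per client address and account name together, so one
    address spraying many accounts and many addresses hammering one account
    both leave a trail under the same key scheme."""
    return f"{ip}|{username.strip().lower()}"


class LoginThrottle:
    """Sliding-window login throttle with a lockout (hypothetical helper).

    Reaching `max_attempts` failures for a key within `window` seconds locks
    that key for `lockout` seconds. `clock` is injectable so the behaviour
    can be tested without sleeping.
    """

    def __init__(self, max_attempts=5, window=300, lockout=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> timestamp when the lockout ends

    def is_blocked(self, key):
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]  # lockout expired, start clean
            return False
        return True

    def record_failure(self, key):
        """Call after a failed login. Returns True if the key is now locked."""
        if self.is_blocked(key):
            return True
        now = self.clock()
        attempts = self._failures.setdefault(key, deque())
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()  # drop failures that fell outside the window
        if len(attempts) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            del self._failures[key]
            return True
        return False

    def record_success(self, key):
        """A successful login clears the failure history for that key."""
        self._failures.pop(key, None)
```

Throttling only slows guessing; it does not make a weak password strong. For the minimum-strength requirement the answer also mentions, current Django ships the `AUTH_PASSWORD_VALIDATORS` setting, which rejects short, common or numeric-only passwords at the point they are set.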