I thought I might restrict it to show only on some IPs, but I have some freelance workers without static IPs that should be able to log in to the admin site. I rolled out a big project and I am looking for some ways to protect the admin site from unwanted eyes.
Django admin allows access to users marked as is_staff=True. To disable a user from being able to access the admin, you should set is_staff=False. This holds true even if the user is a superuser (is_superuser=True).
Aside from the fact that serving static files through Django is considered a bad idea, the Django admin itself is pretty safe. You can take additional measures by securing it via .htaccess and forcing HTTPS access on it. You could also restrict access to a certain IP.
If you are running it behind Apache you can use one of its many modules for HTTP authentication (there are similar modules for other servers). This way the user can't even get to the login page without logging in.
Another option would be to block all access from remote URLs and require users to use a VPN to access the admin pages. (I think this would be too big of a hassle.)
We have a site where the admin interface is on a separate domain; it doesn't hide anything but keeps them separate.
1) Restrict by IPs. This may not be totally possible in your case, but you can still look at allowing only a few subnets. Even though your users have dynamic IPs, I think they will most likely get their IPs from the same subnet if they access from the same network every time. This may reduce the risk of being totally open.
2) Change the default admin URL to something non-obvious.
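The two suggestions above (allow-list a few subnets rather than single addresses, and move the admin off its default path) reduce to a small request check. The following is an added example, not code from the answer or from Django: the subnets, the /manage-7f3k/ path and the proxy arrangement are constructed placeholders, and the Django hookup described in the usage note is assumed. It uses only the standard library ipaddress module, so it runs without Django.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed allow-list for this example (RFC 5737 documentation ranges).
ADMIN_ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # office, constructed
    ipaddress.ip_network("198.51.100.0/26"),  # freelancer ISP pool, constructed
]

# Non-obvious admin URL prefix; placeholder value, pick your own.
ADMIN_PATH_PREFIX = "/manage-7f3k/"


def client_ip(remote_addr: str, x_forwarded_for: Optional[str], trusted_proxy: bool) -> str:
    """Pick the address to check against the allow-list.

    X-Forwarded-For is attacker-controlled unless a proxy you run sets it,
    so it is honoured only when trusted_proxy is True; the left-most entry
    is the original client when the proxy appends to the header.
    """
    if trusted_proxy and x_forwarded_for:
        first = x_forwarded_for.split(",")[0].strip()
        if first:
            return first
    return remote_addr


def ip_allowed(addr: str, networks: Iterable = ADMIN_ALLOWED_NETWORKS) -> bool:
    """True if addr falls inside any allow-listed network. Malformed input fails closed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def admin_request_allowed(path: str, remote_addr: str,
                          x_forwarded_for: Optional[str] = None,
                          trusted_proxy: bool = False) -> bool:
    """Return True if the request may proceed.

    Non-admin paths always pass; anything under ADMIN_PATH_PREFIX requires
    an allow-listed client address. Note the prefix check covers the login
    page too, so an outsider never reaches the password form.
    """
    if not path.startswith(ADMIN_PATH_PREFIX):
        return True
    return ip_allowed(client_ip(remote_addr, x_forwarded_for, trusted_proxy))


if __name__ == "__main__":
    # Constructed sample requests: (path, REMOTE_ADDR, X-Forwarded-For)
    samples = [
        ("/manage-7f3k/login/", "203.0.113.5", None),
        ("/manage-7f3k/login/", "192.0.2.1", None),
        ("/blog/", "192.0.2.1", None),
        ("/manage-7f3k/", "10.0.0.1", "203.0.113.9, 10.0.0.1"),
    ]
    for path, addr, xff in samples:
        print(path, addr, xff, "->", admin_request_allowed(path, addr, xff, trusted_proxy=False))
```

To wire this into Django (assumed hookup, not shown on the page), a middleware class would call admin_request_allowed(request.path, request.META.get("REMOTE_ADDR"), request.META.get("HTTP_X_FORWARDED_FOR"), trusted_proxy=...) and return django.http.HttpResponseForbidden() when it is False, and urls.py would mount admin.site.urls under the non-obvious prefix instead of "admin/". Leave trusted_proxy False unless a reverse proxy you control overwrites the header; otherwise any client can claim an allowed address.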
We're wrestling with this question right now. We initially restricted access by IPs; however (after client signoff) we were asked to turn off the restriction. We currently have digest auth on top of the admin. We're considering login attempt throttling and minimum password strength requirements. I believe these would be relevant protections, as protecting the admin includes protection against poor password choices.
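The two measures this answer is considering, login attempt throttling and a minimum password strength, can be sketched independently of Django. The following is an added example, not the poster's code: the thresholds, the (username, IP) keying and the check_password callable are assumptions chosen for illustration, and the in-memory state would be a shared cache in a real deployment.

```python
import re
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5           # failures tolerated inside the window (assumed value)
WINDOW_SECONDS = 15 * 60   # sliding window for counting failures
LOCKOUT_SECONDS = 15 * 60  # how long a locked key stays locked
MIN_PASSWORD_LENGTH = 12   # assumed minimum


class LoginThrottle:
    """Sliding-window failure counter keyed by (username, client IP).

    Keying on both catches one client guessing at many accounts and many
    clients guessing at one account, while a legitimate user is not locked
    out by someone else's failures from a different address.
    """

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> epoch seconds when the lock expires

    @staticmethod
    def key(username, ip):
        return (username.strip().lower(), ip)

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, username, ip):
        k = self.key(username, ip)
        until = self.locked_until.get(k)
        if until is None:
            return False
        if self.clock() >= until:       # lock expired: forget the history
            del self.locked_until[k]
            self.failures.pop(k, None)
            return False
        return True

    def record_failure(self, username, ip):
        """Call after a bad password. Returns True if this failure triggered a lock."""
        k = self.key(username, ip)
        now = self.clock()
        self._prune(k, now)
        self.failures[k].append(now)
        if len(self.failures[k]) >= MAX_ATTEMPTS:
            self.locked_until[k] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, username, ip):
        k = self.key(username, ip)
        self.failures.pop(k, None)
        self.locked_until.pop(k, None)


def password_problems(password, username=""):
    """Return the reasons a password is too weak; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password.isdigit():
        problems.append("entirely numeric")
    if re.fullmatch(r"[A-Za-z]+", password):
        problems.append("letters only")
    return problems


def attempt_login(throttle, check_password, username, password, ip):
    """Refuse while locked, otherwise verify and update the counter.

    check_password is an assumed callable (username, password) -> bool
    standing in for the real credential check.
    """
    if throttle.is_locked(username, ip):
        return "locked"
    if check_password(username, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "bad-credentials"
```

The order inside attempt_login matters: the lock is checked before the password, so a locked key gets the same answer whether or not the guess was right, and a success clears the counter so a user who mistypes a few times is not punished later. The lock window is deliberately longer than the counting window; shortening it trades brute-force resistance for user convenience.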
Time and budget permitting we may look at mod_security for many things, including IP address reputation (geolocation), blacklisting, and brute force attack detection.