Reputation: 2238
I have done tutorials from both Laravel and Django and they both access the admin by typing admin in the URL. But I know that's not how a professional site should be designed. How does a professionally made blog have its admin access designed? Or what is the most common way to access it? Do they access it the same way the tutorials do, but instead of using the admin/ they make up a word like blatherskite/? Any and all help is welcome.
Upvotes: 1
Views: 149
Reputation: 3419
There's no single answer, but in my view, more security is typically better than less in a "professional" setting. I also think this kind of thing is best handled at the web server level, rather than in Django, because that's where you are likely to end up with the most holes, especially if you intend to scale beyond a single app server.
Here are some ideas:
Firewall access to /admin
This could be done at multiple levels, but is probably easiest at the web server. A more sophisticated solution would be to use a VPN.
For example, if you are using nginx as a reverse proxy, you could use this block in your nginx config (not tested):
```nginx
location ^~ /admin/ {   # Applies to ALL of the admin portal
    # Pass to the proxy and report the user's IP address to Django
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Define who is allowed at this location
    allow 192.168.1.1;
    allow 192.168.1.2;
    # etc...
    deny all;           # deny all others
}
```
The IPs included might be your office IP or a known "safe" IP of an employee's home address. This has the drawback of making access to /admin impossible from, say, a coffee shop or other random IP. If your admin contains sensitive data, though, then that might be exactly what you want. Again, a VPN would be a more flexible, albeit sophisticated, solution.
Limit the request rate to /admin
To mitigate brute force attempts against passwords, you can limit the amount of attempts a hacker might make over a given time.
Again, using nginx:
First, set up a key and shared memory zone:
```nginx
# Goes in the http {} context: one 10 MB zone keyed by client address, 1 request/second
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
```
Then, you can use it in a location block, like so:
```nginx
location = /admin/login/ {   # ONLY the admin login screen (Django serves it at /admin/login/)
    limit_req zone=one burst=5;
    proxy_pass http://127.0.0.1:8000;   # still has to reach Django
}
```
That will allow only one request per second to the admin login screen and queue other requests up to 5, at which point it will start returning a 503 error.
More on rate limiting and restricting access with nginx, here.
I am no security expert, but I think those precautions will take you pretty far. If hackers can't access your admin login screen and/or can't make requests fast enough to brute force a password, then this attack vector is in pretty good shape.
As others have mentioned, there are also packages for logging failed logins and banning IPs that look malicious, but I can't vouch for any of those.
Upvotes: 1
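The two controls in the answer above (an IP allowlist on /admin and nginx-style request limiting) can also be checked inside the application, which is useful when you want to see exactly what the web server is deciding. The following is an added, framework-agnostic example written for this page; it is not the answerer's code and needs no Django install. It assumes the same layout as the nginx snippets: nginx is the only TCP peer the app trusts (127.0.0.1) and sets X-Real-IP, and the allowlisted addresses 192.168.1.1 and 192.168.1.2 are constructed values. The limiter reproduces nginx's limit_req accounting (rate=1r/s, burst=5, no nodelay): first request served at once, up to five queued, the rest refused with 503 and, as in nginx, not counted against the client.

```python
import ipaddress
import time

# Constructed values mirroring the nginx snippets in the answer: nginx runs on
# the same host as Django (127.0.0.1) and only two office/home IPs may use /admin/.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("192.168.1.1/32"),
                   ipaddress.ip_network("192.168.1.2/32")]
ADMIN_PREFIX = "/admin/"


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Resolve the real client address.

    X-Real-IP is honoured only when the TCP peer is one of our own proxies;
    otherwise anyone could forge the header and walk past an IP allowlist.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in trusted_proxies):
        forwarded = headers.get("X-Real-IP")
        if forwarded:
            return ipaddress.ip_address(forwarded)
    return peer


def admin_allowed(path, ip, allowlist=ADMIN_ALLOWLIST):
    """Allow everything outside /admin/; inside it, require an allowlisted IP."""
    if not path.startswith(ADMIN_PREFIX):
        return True
    return any(ip in net for net in allowlist)


class RequestLimiter:
    """Per-client leaky bucket with the same accounting as nginx limit_req
    (rate=1r/s, burst=5, no 'nodelay'): the first request is served at once,
    up to `burst` excess requests are queued, anything beyond that is refused
    and, as in nginx, not counted."""

    def __init__(self, rate_per_sec=1.0, burst=5, clock=time.monotonic):
        self.rate = rate_per_sec
        self.burst = burst
        self.clock = clock          # injectable so a fake clock can drive it
        self._state = {}            # ip -> (excess, last_seen)

    def check(self, ip):
        now = self.clock()
        if ip not in self._state:
            self._state[ip] = (0.0, now)
            return "ok"
        excess, last = self._state[ip]
        # Drain the bucket at `rate` since the last request, then add this one.
        excess = max(excess - self.rate * (now - last) + 1, 0.0)
        if excess > self.burst:
            return "reject"         # nginx answers 503 here
        self._state[ip] = (excess, now)
        return "ok" if excess == 0 else "delayed"


def handle_request(remote_addr, headers, path, limiter):
    """Return the HTTP status the admin gate would produce for one request."""
    ip = client_ip(remote_addr, headers)
    if not admin_allowed(path, ip):
        return 403
    if path.startswith(ADMIN_PREFIX) and limiter.check(str(ip)) == "reject":
        return 503
    return 200


class FakeClock:
    """Deterministic clock for exercising the limiter without sleeping."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    limiter = RequestLimiter(clock=clock.now)
    office = {"X-Real-IP": "192.168.1.1"}
    # Forged header from an untrusted peer: the allowlist still sees 203.0.113.5.
    print(handle_request("203.0.113.5", office, "/admin/login/", limiter))  # 403
    # Same header set by our own nginx: allowed.
    print(handle_request("127.0.0.1", office, "/admin/login/", limiter))    # 200
    # Six more immediate requests: five queue up, the sixth is refused.
    print([handle_request("127.0.0.1", office, "/admin/login/", limiter)
           for _ in range(6)])                                              # [200, 200, 200, 200, 200, 503]
```

The point of `client_ip` is the caveat behind the answer's `proxy_set_header X-Real-IP` line: that header is only trustworthy because nginx overwrites whatever the client sent. If the app ever becomes reachable without the proxy in front, or trusts the header from arbitrary peers, the allowlist is bypassed by a one-line header, so the trusted-proxy check belongs wherever the allowlist is enforced.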