Re: Securing the admin site
> To change the URL root to something else, did you just have to replace
> r'^admin/' with something else in the URL conf file? Or, did you have
> to also do some other hacking?

Yes, just change the r'^admin/' to something else.

Richard

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---
Re: Securing the admin site
trickyb wrote:
> This is a somewhat open-ended question: what are people doing to
> secure their admin sites against unwelcome visitors? On my site, what
> I've done is change the URL root from /admin/ to something else so
> that casual visitors do not know where to look.

Richard,

To change the URL root to something else, did you just have to replace r'^admin/' with something else in the URL conf file? Or, did you have to also do some other hacking?

I ask because we're thinking of doing the same thing.

John
Re: Securing the admin site
On Mar 30, 2:37 am, "James Bennett" <[EMAIL PROTECTED]> wrote:
> I guess I'm not sure what's meant by "securing" here; accessing
> anything in the admin app requires the user to be authenticated and
> marked as staff first. And there's really no harm in someone stumbling
> across the admin login page, so I'm not sure what the point of hiding
> it would be other than to try to layer obscurity where it's not really
> needed (and if you wanted to do that you should just make all your URL
> patterns end in '.aspx' or something... ;)).

My reasoning was that a script kiddie familiar with Django would know that there is usually an admin site at /admin/ and could try a brute-force attack against it; if nothing else, this could cripple webserver performance. It is just 'security through obscurity', agreed; but it takes only a second to implement :-)
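An added example, not part of the original thread or of Django: one way to spot the password-guessing described above is to count rejected form submissions per client in the web server's access log, which works whether or not the admin root has been renamed. The combined log format, the `/manage-x/` prefix, the thresholds, and the "POST answered with 200 means a rejected login" heuristic are all assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading fields of a common/combined-format access log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_login_floods(lines, admin_prefix="/admin/", limit=5,
                      window=timedelta(minutes=1)):
    """Return {ip: peak_count} for clients with more than `limit` POSTs under
    `admin_prefix` answered with 200 inside one sliding `window`.

    Assumption: a rejected login re-renders the form (200) and an accepted
    one redirects (302), so POST+200 approximates a failed attempt.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue  # malformed line, or not a rejected form submission
        if not m["path"].startswith(admin_prefix):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def sample_log(prefix="/manage-x/"):
    """Constructed log lines: one client guessing passwords, one normal user."""
    fmt = '{ip} - - [30/Mar/2007:02:{t} +0000] "POST {p} HTTP/1.1" {st} 1834'
    lines = [fmt.format(ip="203.0.113.7", t=f"40:{s:02d}", p=prefix, st=200)
             for s in range(0, 16, 2)]  # 8 rejected POSTs in 14 seconds
    lines.append(fmt.format(ip="198.51.100.20", t="41:00", p=prefix, st=200))
    lines.append(fmt.format(ip="198.51.100.20", t="41:09", p=prefix, st=302))
    return lines

if __name__ == "__main__":
    # Detection works the same for a renamed admin root.
    print(find_login_floods(sample_log(), admin_prefix="/manage-x/"))
```

Admin forms that fail validation also return 200 to a POST, so a flagged address is a lead to review rather than proof of an attack.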
Re: Securing the admin site
On 3/29/07, Jeremy Dunck <[EMAIL PROTECTED]> wrote:
> Eh, it depends what you're doing. Entering CC numbers? You probably want
> SSL.

I'd want much more than SSL ;)

I guess I'm not sure what's meant by "securing" here; accessing anything in the admin app requires the user to be authenticated and marked as staff first. And there's really no harm in someone stumbling across the admin login page, so I'm not sure what the point of hiding it would be other than to try to layer obscurity where it's not really needed (and if you wanted to do that you should just make all your URL patterns end in '.aspx' or something... ;)).

--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
Re: Securing the admin site
On 3/29/07, trickyb <[EMAIL PROTECTED]> wrote:
> is in itself an answer: the admin site is safe
> enough as it is :-)

Eh, it depends what you're doing. Entering CC numbers? You probably want SSL. Entering blog posts? Not so much.
Re: Securing the admin site
> on how to restrict access and redirect to ssl based on many criteria (url,
> username, certificate ...)

I'd wondered about using SSL for securing the admin site, just wasn't sure if it was worth the effort. I guess that the fact that my question did not generate 10 immediate "OMG The Admin Site Is Not Safe In Default Configuration You Must Do Something!!!" answers is in itself an answer: the admin site is safe enough as it is :-)
Re: Securing the admin site
> This is a somewhat open-ended question: what are people doing to
> secure their admin sites against unwelcome visitors? On my site, what
> I've done is change the URL root from /admin/ to something else so
> that casual visitors do not know where to look.

I guess apache is quite powerful here, see htaccess, mod_auth and mod_rewrite
http://httpd.apache.org/docs/2.0/howto/htaccess.html
on how to restrict access and redirect to ssl based on many criteria (url, username, certificate ...)
Securing the admin site
Hello,

This is a somewhat open-ended question: what are people doing to secure their admin sites against unwelcome visitors? On my site, what I've done is change the URL root from /admin/ to something else so that casual visitors do not know where to look.

I'm wondering now if that's enough, or if there are other simple measures to take? Any input welcomed!

Richard