My 2c: The analogy is pretty straightforward here:

- changing the admin URL is like putting your house's front door key slot in a strange, unique place, so that additional *knowledge* is required to unlock it.
- django-axes, fail2ban, etc. is like having a bouncer standing beside the door, watching for suspicious activity and ejecting anyone who clearly doesn't have a genuine key.

Changing your admin URL is not a waste of time, but if your time is precious, spend it on ensuring your users have strong passwords, and that your logon page can't be abused.

D

On Thu, 3 Dec 2020 at 07:08, 'Aaron C. de Bruyn' via Django developers (Contributions to Django itself) <django-developers@googlegroups.com> wrote:

> On Wed, Dec 2, 2020 at 9:23 AM Collin Anderson <cmawebs...@gmail.com> wrote:
>
>> > combination of blocking IPs and having a different admin URL would raise the bar quite a bit.
>>
>> So having a different default admin URL would help, right?
>
> Sure. But so would disconnecting the network cable from your server. :)
> It's all about practicality.
>
> Using something similar to django-axes raises the bar quite a bit, but simply obscuring the URL doesn't do much.
>
> I have plenty of apps exposed with the admin URL being '/admin/', but no one's been able to compromise the site because I use django-axes to block repeated attempts, and I have a strong password. On several of the sites I require logins with a YubiKey.
>
> In my worthless opinion, I think it would be better to leave it in the urlconf but commented out with a note that says "you might want to change the admin URL to something different before you enable it for $REASONS". Maybe have something in the docs on deploying your code into production that goes over it too.
>
> -A

--
Daryl Egarr, Director
Kawhai Consultants Ltd
Cell 021 521 353
da...@kawhai.net
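
An added illustration (not part of the thread, and not the actual code of django-axes or fail2ban) of the "bouncer" approach discussed above: count failed login POSTs per client IP inside a time window and lock the address out at a threshold, wherever the admin is mounted. The log format, the `find_lockouts` name, and treating status 200 on a login POST as a failure and 302 as a success are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO time> <client IP> <method> <path> <status>".
SAMPLE_LOG = """\
2020-12-03T07:00:00 203.0.113.7 POST /admin/login/ 200
2020-12-03T07:00:05 203.0.113.7 POST /admin/login/ 200
2020-12-03T07:00:09 203.0.113.7 POST /admin/login/ 200
2020-12-03T07:00:14 203.0.113.7 POST /admin/login/ 200
2020-12-03T07:00:20 203.0.113.7 POST /admin/login/ 200
2020-12-03T07:01:00 198.51.100.4 POST /admin/login/ 200
2020-12-03T07:01:30 198.51.100.4 POST /admin/login/ 302
2020-12-03T07:02:00 203.0.113.7 GET /admin/login/ 200
""".splitlines()


def find_lockouts(lines, login_path="/admin/login/", limit=5,
                  window=timedelta(minutes=10)):
    """Return {ip: time of the failed attempt that reached the limit}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue              # skip malformed lines
        stamp, ip, method, path, status = parts
        if method != "POST" or path != login_path or ip in locked:
            continue
        when = datetime.fromisoformat(stamp)
        if status == "302":       # assumed success: reset this IP's counter
            recent[ip].clear()
            continue
        if status != "200":       # assumed failure is a re-rendered form (200)
            continue
        fails = recent[ip]
        fails.append(when)
        while when - fails[0] > window:   # drop failures outside the window
            fails.popleft()
        if len(fails) >= limit:
            locked[ip] = when
    return locked
```

Passing a different `login_path` gives the same result for the same traffic, which is the point made in the thread: the lockout does its work independently of where the admin URL lives.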