[ic] Moving the admin interface to a different url
Paul Jordan
jordan at gishnetwork.com
Sat Nov 17 12:45:39 EST 2007
interchange-users-bounces at icdevgroup.org wrote:
> On Monday, November 12, 2007 2:14 PM Mike Heins wrote:
>
>> Quoting John1 (list_subscriber at yahoo.co.uk):
>>> I'd like to implement some "security by obscurity" by moving the
>>> admin interface to a different location rather than /admin.
>>>
>>> Please can anyone tell me what I need to do to relocate it.
>>
>> Not recommended.
>>
> OK, fair enough.
>
>> Much better to do is to run a separate interchange server instance
>> that has the admin pages and tags, removing those completely from
>> production. In some cases, you can put the IC server behind a company
>> firewall completely, making it only accessible via VPN.
>>
> OK, so in this scenario presumably the admin GUI would be on a
> different domain/IP but would still have to be at /admin.
>
> i.e.
> website would be at www.websitedomain.com
> admin GUI at www.admindomain.com/admin
>
> Do I understand correctly?
>
> I just thought it would be nice if there was a simple way to move
> admin pages from:
> www.websitedomain.com/admin
> to say:
> www.websitedomain.com/adminqwerty
This really would not afford you much security. You can alter the login page so
it is harder to tell that it is interchange, and remove the version number from
the bottom. I really don't know why were are showing strangers the version
number of the server there anyways.
You can however:
set some "retry" limiting mechanism on the login form
add a captcha field - maybe if the visitor is from an
unknown IP (i.e., road user) so it does not inconvenience everyone?
make the form submission be verified by a random code, that was
attained during a previous page to make it hard for
people to post *their* forms to your process. Make the code change
every submissiont to assure it is not some program.
Paul Jordan
Gish Network
For Print, Web and Life
paul at gishnetwork.com
More information about the interchange-users
mailing list