[ic] Moving the admin interface to a different url

Paul Jordan jordan at gishnetwork.com
Sat Nov 17 12:45:39 EST 2007


interchange-users-bounces at icdevgroup.org wrote:
> On Monday, November 12, 2007 2:14 PM Mike Heins wrote:
> 
>> Quoting John1 (list_subscriber at yahoo.co.uk):
>>> I'd like to implement some "security by obscurity" by moving the
>>> admin interface to a different location rather than /admin.
>>> 
>>> Please can anyone tell me what I need to do to relocate it.
>> 
>> Not recommended.
>> 
> OK, fair enough.
> 
>> Much better to do is to run a separate interchange server instance
>> that has the admin pages and tags, removing those completely from
>> production. In some cases, you can put the IC server behind a company
>> firewall completely, making it only accessible via VPN.
>> 
> OK, so in this scenario presumably the admin GUI would be on a
> different domain/IP but would still have to be at /admin.
> 
> i.e.
> website would be at www.websitedomain.com
> admin GUI at www.admindomain.com/admin
> 
> Do I understand correctly?
> 
> I just thought it would be nice if there was a simple way to move
> admin pages from:
> www.websitedomain.com/admin
> to say:
> www.websitedomain.com/adminqwerty


This really would not afford you much security. You can alter the login page so
it is harder to tell that it is Interchange, and remove the version number from
the bottom. I really don't know why we are showing strangers the version
number of the server there anyways.

You can however:

	set some "retry" limiting mechanism on the login form

	add a captcha field - maybe if the visitor is from an 
	unknown IP (i.e., road user) so it does not inconvenience everyone?

	make the form submission be verified by a random code, that was
	attained during a previous page to make it hard for
	people to post *their* forms to your process. Make the code change
	every submission to assure it is not some program.




Paul Jordan

Gish Network
  For Print, Web and Life
  paul at gishnetwork.com
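
Added example, not part of the original message and not Interchange code: a framework-neutral Python sketch of two of the measures listed above, a retry limit on the login form and a random code that is issued with each form and changes on every submission. The class name, the limits and the in-memory storage are assumptions for illustration.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5        # assumed limit of failed logins per client
WINDOW_SECONDS = 900    # assumed window over which failures are counted


class LoginGuard:
    """In-memory sketch; real state belongs in the server-side session store."""

    def __init__(self):
        self._tokens = {}    # session id -> code issued with the last form
        self._failures = {}  # client key (e.g. IP) -> failure timestamps

    def issue_token(self, session_id):
        """Call when rendering the login page; put the result in a hidden field."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def _recent_failures(self, client, now):
        old = self._failures.get(client, [])
        recent = [t for t in old if now - t < WINDOW_SECONDS]
        self._failures[client] = recent
        return recent

    def submit(self, session_id, client, token, verify, now=None):
        """Return 'ok', 'denied', 'locked' or 'bad_token' for one form post.

        verify is a callable that checks the credentials; it is only called
        when the code is valid and the client is not locked out.
        """
        now = time.time() if now is None else now
        # Pop first: the code is spent whether or not the login succeeds,
        # so a replayed or pre-built form is rejected.
        expected = self._tokens.pop(session_id, None)
        supplied = (token or "").encode()
        if expected is None or not hmac.compare_digest(expected.encode(), supplied):
            return "bad_token"
        recent = self._recent_failures(client, now)
        if len(recent) >= MAX_FAILURES:
            return "locked"
        if not verify():
            recent.append(now)
            return "denied"
        self._failures.pop(client, None)
        return "ok"
```

Failures are counted per client key here; counting per user name as well keeps one address from trying many accounts unnoticed.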


