On Sun, Apr 13, 2008 at 10:36 PM, meppum <[EMAIL PROTECTED]> wrote: > Is this common practice or am I wrong about the admin sites ability to > be cracked with brute force?
I was curious about this once, too, so I ran a dictionary attack bot I, erm, "obtained" against my Django admin once. It took about fifteen hours to find a valid admin password -- and that was a shitty password (a common household cleaning product, actually) -- but in that time the site did 30x normal traffic; I'd expect any competent sysadmin would notice that much extra traffic from a single IP! If you're extra-paranoid, it's pretty easy to restrict admin access to particular IPs (do that on the Apache level), move the site from "/admin/" to somewhere else, or even run the admin on a seperate server completely behind a firewall. I know of one Django installation that's only accessible through a VPN. Jacob --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---
