I thought I might restrict it to show only on some IPs, but I have some freelance workers without static IPs that should be able to log in to the admin site. I rolled out a big proje
We're wrestling with this question right now. We initially restricted access by IPs; however, (after client signoff) we were asked to turn off the restriction. We currently have digest auth on top of the admin. We're considering login attempt throttling and minimum password strength requirements. I believe these would be relevant protections, as protecting the admin includes protection against poor password choices.
Time and budget permitting, we may look at mod_security for many things, including IP address reputation (geolocation), blacklisting, and brute force attack detection.
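
The login attempt throttling mentioned in the reply above, as an added sketch that is not code from either poster: failures are counted per (username, IP) pair and per IP in a sliding window, so it needs no IP allowlist and still works for users on dynamic addresses. The class name, thresholds and in-memory storage are assumptions; a multi-process deployment would need a shared store.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limiter for failed admin logins (illustrative, in-memory)."""

    def __init__(self, pair_limit=5, ip_limit=20, window=300, lockout=900,
                 clock=time.monotonic):
        self.limits = {"pair": pair_limit, "ip": ip_limit}
        self.window, self.lockout, self.clock = window, lockout, clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lock expires

    @staticmethod
    def _keys(username, ip):
        user = username.strip().lower()      # "Admin " and "admin" share a counter
        # Keying on (user, ip) instead of user alone means a remote attacker
        # cannot lock a legitimate user out from that user's own address.
        return [("pair", user, ip), ("ip", ip)]

    def retry_after(self, username, ip):
        """Seconds until this client may try again; 0 means allowed now."""
        now = self.clock()
        waits = [self._locked_until.get(k, now) - now for k in self._keys(username, ip)]
        return max(0, *waits)

    def record_failure(self, username, ip):
        now = self.clock()
        for key in self._keys(username, ip):
            recent = self._failures[key]
            recent.append(now)
            while recent[0] <= now - self.window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= self.limits[key[0]]:
                self._locked_until[key] = now + self.lockout
                recent.clear()

    def record_success(self, username, ip):
        # Reset only the pair counter; the per-IP counter keeps catching
        # password spraying even if one guess happens to succeed.
        self._failures.pop(self._keys(username, ip)[0], None)
```

Call `retry_after` before checking credentials and reject the attempt when it returns a non-zero value, then call `record_failure` or `record_success` depending on the outcome.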