26
Django Admin Honeypot
When talking about Web Application security, I think one of the main page we need to defend at all cost is the webpage admin page. Once a hacker is able to gain access to the admin page, the fear would be the hacker is able to exfiltrate all our user Personal Information (PI).
There are many propose solution to keep the web app admin pages safe. The propose solutions are:
1) Only allow Admin to access the admin site through Local network or VPN.
2) Separating the domain between normal user and admin user.
But you know what, no matter how you handle securing the web app admin site. There will always be someone who will try to gain access to your website. Why not have a little fun and set up a honeypot for them. What a honeypot you may ask? A simple way of explaining it in layman terms is that its a lure for our hacker to try and attack us.
One package we can use as a honeypot is called django-admin-honeypot. Its a simple package that will replace the real admin page with a face one and register all IP that try to access the page.
Installing django-admin-honeypot is just a simple as :
pipenv install django-admin-honeypot
pipenv lock -r > requirements.txt
add admin_honeypot
in INSTALLED_APP located in settings.py
INSTALLED_APPS = [
#...
# Django-admin-honeypot
'admin_honeypot',
#...
]
urlpatterns = [
path('admin/', include('admin_honeypot.urls', namespace='admin_honeypot')),
path('secret/', admin.site.urls),
# ^-- Change this to anything you like eg:secret
#...
]
With just 3 simple steps we are able to better protect our webapp. But this is not a fool proof method of protecting our app... It is one of the step to better secure our webapp.
26