Protecting an admin area from the public

I faced the same situation. You either only allow access to the console from certain IPs, and then hardcode all public IPs or ranges that should have access to it, or you restrict access to a certain LAN range and only allow access from there. You can then set up a VPN solution and give all people that need access to the admin panel access to the VPN. People will first have to authenticate to the VPN and only then can they get access to the administrative panel (which has another login). In this way people can still access the admin panel from anywhere (in case they are working from home), but it's not reachable for everyone.

I think it might also be a good idea to implement two factor authentication (but that's up to you to decide).

Also I suggest reading this question I posted a while ago on securing admin panels: Bruteforce vs Denial of Service


For serious sites, the biggest problem is not the existence of a path to an administration console, but the possibility of compromise due to the administrator's desktop system being malware-ridden. Both problems can be solved at once by enforcing admin logon only from specific, dedicated systems which are on the premises. This avoids all issues which can come up from the idea of allowing administrators to act from anywhere, e.g. from home or from a laptop while on holiday. Of course, this means that on-duty sysadmins must be ready to go to work at any time (or, better yet, be already there; I am ready to believe that at eBay they always have a sysadmin on site).

For the poorer networks, you can still enforce non-password methods of logon (SSH with public key authentication, RDP with a client certificate...) which at least avoid the dreadful business of password policies.


It depends on how much effort you are willing to spend on protecting the admin area.

  • One simple but effective approach is to use a cryptographic URL to access the admin area. Something like a hash (e.g. "u59sOgpDJa~M" instead of simply "admin") or similar that changes on a regular basis. This way an attacker can't go for it directly because he doesn't know the address and would have to search for it first.

  • In addition you must limit the number of failed login attempts. It's very important so that a brute force attack can't be performed easily. For example, lock down the IP address for a few hours after a couple of failed logins. You can use Fail2ban, DenyHosts, OSSEC, etc., or you can implement your own. Moreover, you can add a delay between each login attempt response, like a few seconds that users don't notice but that slows down robots significantly.
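As an added illustration of the lockout and delay this answer recommends (example code written for this page, not from the answer's author), a small Python guard that tracks failed logins per IP, locks the address for a few hours after a few failures, and delays every failed response. The thresholds, the credential store and the sample addresses are constructed assumptions.

```python
import hmac
import hashlib
import time
from collections import defaultdict
# Constructed tunables (assumptions): lock an IP after MAX_FAILURES failed
# logins inside FAILURE_WINDOW, for LOCKOUT_SECONDS; delay every failure.
MAX_FAILURES, FAILURE_WINDOW = 3, 15 * 60
LOCKOUT_SECONDS, RESPONSE_DELAY = 3 * 3600, 2.0
_SALT = b"constructed-salt"   # constructed credential store: PBKDF2, not plaintext

def _pw_hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)

USERS = {"admin": _pw_hash("correct horse battery staple")}

class LoginGuard:
    """Per-IP failed-login tracker with temporary lockout and response delay."""
    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self.clock, self.sleep = clock, sleep      # injectable for testing
        self.failures = defaultdict(list)          # ip -> recent failure times
        self.locked_until = {}                     # ip -> unlock time

    def is_locked(self, ip: str) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:                  # lock expired: forget it
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, user: str, password: str) -> str:
        """Return 'locked', 'denied' or 'ok'; a locked IP is refused before the
        password is checked, so correct credentials do not unlock it."""
        if self.is_locked(ip):
            return "locked"
        now = self.clock()
        stored = USERS.get(user, _pw_hash(""))     # dummy hash: unknown users cost the same
        if user in USERS and hmac.compare_digest(stored, _pw_hash(password)):
            self.failures.pop(ip, None)            # success clears the counter
            return "ok"
        recent = [t for t in self.failures[ip] if now - t <= FAILURE_WINDOW]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
        self.sleep(RESPONSE_DELAY)                 # slows robots, barely felt by humans
        return "denied"
```

In a real deployment the failure state would live in shared storage (or be delegated to Fail2ban or the like) so that it survives restarts and is seen by every application instance.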