On Fri, 25 Mar 2005 08:30:05 -0400, David Pratt <fairwinds@eastlink.ca> wrote:
Hi. I am working on a financial product and it appears to me that the /manage login for Zope could be a potential problem if you are running Zope, since your server is easily guessed and one can go to this URL and try passwords. Can someone suggest an alternative to this, or some modification to Zope that might make this less obvious? The best I can think of would be to do a rewrite on the /manage URL, but I still need manager access to the ZMI through the web. I plan on forcing SSL through Apache when making a connection on whatever URL is used to log in. Any ideas?
You can set up Apache so it only allows access to "manage*" from certain addresses, like your internal net and stuff. I don't have the examples at close hand, sorry.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
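A concrete form of the restriction Lennart describes, as an added example that is not part of either message in this thread. It assumes the usual layout of the period: Apache in front, proxying to a Zope instance on 127.0.0.1:8080 through the VirtualHostMonster rewrite, with the ZMI reached by URLs containing "manage" (/manage, /manage_main, /some/folder/manage_workspace). The hostname, certificate paths and the 192.168.1.0/24 admin network are placeholders, and the access-control syntax is the Apache 2.0/2.2 `Order`/`Deny`/`Allow` form current when this was written (Apache 2.4 would use `Require ip` instead).

```apache
# Plain HTTP: never serve the ZMI here, send it to the SSL host instead
<VirtualHost *:80>
    ServerName zope.example.com
    RewriteEngine on
    # Any URL containing "manage" is redirected to HTTPS before it reaches Zope
    RewriteRule ^/(.*manage.*)$ https://zope.example.com/$1 [R=301,L]
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/http/zope.example.com:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName zope.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/zope.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/zope.example.com.key

    RewriteEngine on
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/zope.example.com:443/VirtualHostRoot/$1 [P,L]

    # Anything with "manage" in the requested path: SSL only, and only from
    # localhost or the internal admin network. Everyone else gets 403 before
    # the request is proxied, so the Zope login prompt is never shown to them.
    <LocationMatch "manage">
        SSLRequireSSL
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.1.0/24
    </LocationMatch>
</VirtualHost>
```

Two things to check once this is in place. `<LocationMatch>` is evaluated against the path the client asked for, so it covers every manage_* method reached by traversal, not just /manage at the root. And the restriction only helps if Zope's own port is not reachable directly: bind it to the loopback address (the `ip-address` directive in zope.conf, or a firewall rule on 8080), otherwise anyone who can reach port 8080 simply goes around Apache.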