Admin interfaces should only be accessible via VPN if they cannot be disabled completely for production mode. See our guidelines for more: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Admin_Login_Pages
This requires information. This was left open because non-employees without LDAP do, or did, use the admin area to manage some content (it gives us a nearly-free CRUD interface and is secure enough as far as the Django project itself is concerned). If no non-LDAP users require access to /admin anymore, we could put it behind VPN. However, the guidelines explicitly state that any of the following are acceptable mitigations:
* Admin page behind SSL VPN (most popular option)
* Account lockout
* CAPTCHAs after 5 failed logins
* IP restrictions for access to the admin page
The CAPTCHA approach is what we'd agreed upon the last time Sec looked at this.
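As an added illustration (not code from this project or the thread), the following sketch combines two of the mitigations listed above, an IP restriction and a CAPTCHA requirement after 5 failed logins, in a single admin login gate. The allowed networks, the lockout threshold of 10 and the in-memory counter are assumptions; a real deployment would keep the counters in Django's cache or database.

```python
import ipaddress
from collections import defaultdict

# Thresholds: "CAPTCHA after 5 failed logins" comes from the guidelines quoted
# in the thread; the hard lockout at 10 is an assumed, constructed value.
CAPTCHA_AFTER_FAILURES = 5
LOCKOUT_AFTER_FAILURES = 10

# Constructed example networks standing in for the VPN / office ranges that
# would be allowed to reach /admin.
ADMIN_ALLOWED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


class AdminLoginGate:
    """Decides whether an admin login attempt may proceed.

    Failures are counted per username, so the CAPTCHA step protects the
    account itself rather than only the source address (a per-IP counter
    alone would be bypassed by spreading attempts across addresses).
    """

    def __init__(self):
        self.failures = defaultdict(int)  # username -> consecutive failures

    def ip_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in ADMIN_ALLOWED_NETS)

    def attempt(self, username, ip, password_ok, captcha_ok=False):
        # IP restriction is checked first: requests from outside the
        # allowed ranges never reach password handling.
        if not self.ip_allowed(ip):
            return "denied"
        n = self.failures[username]
        if n >= LOCKOUT_AFTER_FAILURES:
            return "locked"
        # Once the CAPTCHA threshold is reached, a missing CAPTCHA is
        # rejected before the password is checked, so the response does not
        # reveal whether the guess was correct.
        if n >= CAPTCHA_AFTER_FAILURES and not captcha_ok:
            return "captcha_required"
        if password_ok:
            self.failures[username] = 0  # success resets the counter
            return "ok"
        self.failures[username] += 1
        return "failed"
```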
Okay, if you still have non-LDAP people required in admin/, close this. CAPTCHA is indeed fine.
These bugs are all resolved, so I'm removing the security flag from them.