Securing Drupal admin pages with http authentication

You can add a layer of security to your Drupal installation by requiring http authentication to access Drupal's admin pages. This authentication happens outside of Drupal and, as such, may be less susceptible to certain types of attacks. Certainly, if there is a security hole in Drupal that can be exploited without any interaction with the admin interface, this technique won't help at all. But it may act as a deterrent in some cases.

By http authentication, I mean using Apache's access control directives, e.g. AuthType, AuthName, AuthBasicProvider, etc. As for usernames and passwords, you can either access Drupal's user database directly or you can keep a separate database of admin users specifically for http authentication. From a security standpoint, I think the latter is better but usability is always a concern. If you only have a few admins, I don't think usability is such an issue.

I've also used this technique to secure phpBB admin pages. One difference with phpBB is that phpBB actually has a directory called admin with admin functions inside. Drupal's /admin directory is virtual. It doesn't exist in the file system yet it is a valid URL.

These instructions assume that you have Clean URLs enabled in Drupal. You can still accomplish this without Clean URLs; just modify the path accordingly. You'll probably want to do a regex match if you aren't using clean URLs.

Add the following to the virtual host for your Drupal install:

        <Location "/admin">
            AuthType Basic
            AuthName "Admin Pages"
            AuthBasicProvider dbm
            AuthDBMUserFile /etc/apache2/users
            Require user admin
            Order allow,deny
            # Allow from 192.168.0.0/24
            Allow from all
        </Location>

You'll need to have mod_authn_dbm or equivalent enabled for the above to work. Check your system documentation on how best to enable Apache modules. On Debian, you can use a2enmod to enable modules.

In my configuration, this block is located just before the block for the document root, which in my case contains the Rewrite directives for Clean URLs. If you try to put Location directives inside the <Directory> block, Apache will balk. You can also put these directives in .htaccess files if that is how your Drupal is set up. Be sure that the authentication happens before the rewrite. Otherwise, the requested URL will not match. Generally speaking, you want to try to put your Apache directives directly into the virtual host config rather than a .htaccess file. With AllowOverride All, Apache needs to check every directory for the existence of the .htaccess file, which results in a slight performance hit.

The above configuration assumes you are creating a DBM user database. You can use a regular file instead of a DBM database but regular files tend not to scale very well. To use a file, replace AuthDBMUserFile with AuthUserFile and remove the AuthBasicProvider line.

If you don't already have a DBM database with a user 'admin' at /etc/apache2/users, you can create one with the following command:

$ dbmmanage /etc/apache2/users adduser admin

You will be prompted for a password.

If you want to limit authentication to clients coming from specific IPs, comment out the 'Allow from all' line and uncomment the previous line, replacing the IPs in the example with those that you want to allow.
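As an added example (not from the original post), here is the IP-restricted variant of the block in the Apache 2.2 syntax the post uses, followed by the equivalent for Apache 2.4, where Order/Allow/Deny only parse with mod_access_compat loaded and the host check becomes a Require. The 192.168.0.0/24 subnet is the post's placeholder; substitute your own, and use only the block that matches your Apache version.

```apache
# Apache 2.2: both the password check and the client address must pass.
# Satisfy All is already the default; it is stated so the intent is explicit.
<Location "/admin">
    AuthType Basic
    AuthName "Admin Pages"
    AuthBasicProvider dbm
    AuthDBMUserFile /etc/apache2/users
    Require user admin
    Order allow,deny
    Allow from 192.168.0.0/24
    Satisfy All
</Location>

# Apache 2.4 equivalent: <RequireAll> makes both conditions mandatory.
# Needs mod_authn_dbm, mod_authz_user and mod_authz_host enabled.
<Location "/admin">
    AuthType Basic
    AuthName "Admin Pages"
    AuthBasicProvider dbm
    AuthDBMUserFile /etc/apache2/users
    <RequireAll>
        Require ip 192.168.0.0/24
        Require user admin
    </RequireAll>
</Location>
```

Run apachectl configtest (apache2ctl -t on Debian) before reloading. Note that some privileged Drupal paths such as node/add and node/*/edit live outside /admin and are not covered by this Location.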

If all goes well, you should be prompted with a separate username/password login when clicking on Drupal's Administer link.
