I have a Django app (personal project) running live in production on Azure VM.
I have looked in /var/log/django.log
and I can see a long list of warnings. These look like someone is trying to scan my VM/app in order to find .env
file, login credentials, etc.
2023-04-13 16:19:12 [WARNING ] (log.log_response) Not Found: /.env
2023-04-13 16:19:12 [WARNING ] (log.log_response) Not Found: /.env
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.save
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.save
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.old
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.old
2023-04-13 16:19:16 [WARNING ] (log.log_response) Not Found: /.env.prod
2023-04-13 16:19:16 [WARNING ] (log.log_response) Not Found: /.env.prod
2023-04-13 16:19:20 [WARNING ] (log.log_response) Not Found: /.env.production
2023-04-13 16:19:20 [WARNING ] (log.log_response) Not Found: /.env.production
2023-04-13 05:35:17 [WARNING ] (log.log_response) Not Found: /owa/auth/logon.aspx
2023-04-13 05:35:17 [WARNING ] (log.log_response) Not Found: /owa/auth/logon.aspx
2023-04-13 06:02:18 [WARNING ] (log.log_response) Not Found: /login
2023-04-13 06:02:18 [WARNING ] (log.log_response) Not Found: /login
Is this something I should be concerned about?
It seems like the actor is scanning files and directories; what if he was successful in locating my .env
file. Is he somehow able to retrieve the file?
Also, does the presence of these warnings indicate that my security settings are somehow weak?
Sorry if this is a newbie question, my security knowledge is very basic.
2 Answers
Is someone trying to hack you? It seems so.
In general, yes. You should assume people are scanning your website for files which you didn’t intend to expose to the public.
Which files / pages / API endpoints are exposed to the internet and which aren’t is usually set in web server configuration files.
You can also write middleware / decorators / conditions to prevent access to certain URLs in Django itself.
Disallowing or enabling e.g. directory listing on your server is possible in your web server configuration:
https://www.invicti.com/blog/web-security/disable-directory-listing-web-servers/
You can also try to use "honeypotting" wherein you enable for example a .env file to be scanned, but not navigated to normally, and then block that IP from accessing your site again:
https://www.acunetix.com/support/docs/faqs/how-to-block-automated-scanners-from-scanning-your-site/
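One way to implement the Django middleware and honeypot-style blocking this answer describes, written as an added example (it is not code from the question, the answers, or Django itself). The probe patterns, the hit threshold and the in-memory per-IP store are assumptions; the Django imports fall back to stand-in classes so the file also runs without Django installed.

```python
import re
import time
from collections import defaultdict

try:
    from django.http import HttpResponseForbidden, HttpResponseNotFound
except ImportError:  # stand-ins so the example runs without Django (assumption for the demo)
    class _Resp:
        def __init__(self, content=b""):
            self.content = content
    class HttpResponseForbidden(_Resp):
        status_code = 403
    class HttpResponseNotFound(_Resp):
        status_code = 404

# Paths no legitimate visitor of this Django site requests: the .env variants and the
# Exchange OWA login page seen in the log. Extend this list for your own deployment.
PROBE_PATTERN = re.compile(r"^/(\.env(\.\w+)?|owa/.*)$")
BLOCK_AFTER = 3        # probe requests from one client before it is refused
BLOCK_SECONDS = 3600   # probes older than this no longer count


class ProbeBlockMiddleware:
    """Answer probe paths with 404 before any view runs, and refuse repeat scanners.

    Register it in MIDDLEWARE (e.g. 'yourapp.middleware.ProbeBlockMiddleware', a
    hypothetical dotted path). State lives in process memory, which is fine for one
    worker; use a shared cache such as Django's cache framework for several.
    """

    def __init__(self, get_response):
        self.get_response = get_response
        self.hits = defaultdict(list)  # client ip -> timestamps of probe requests

    def client_ip(self, request):
        # REMOTE_ADDR is the connecting peer. Only trust X-Forwarded-For if your
        # reverse proxy overwrites it; otherwise a client can forge it.
        return request.META.get("REMOTE_ADDR", "")

    def __call__(self, request):
        ip = self.client_ip(request)
        now = time.time()
        recent = [t for t in self.hits[ip] if now - t < BLOCK_SECONDS]
        self.hits[ip] = recent
        if len(recent) >= BLOCK_AFTER:
            return HttpResponseForbidden(b"blocked")
        if PROBE_PATTERN.match(request.path):
            recent.append(now)
            return HttpResponseNotFound(b"")  # the request never reaches a view or file
        return self.get_response(request)
```

Blocking at the middleware layer only covers requests Django sees; keep `.env` outside the web server's document root so the web server itself can never serve it either.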
Through your app, someone or perhaps a bot is attempting to brute-force your directory. This is typical in the modern world because there are so many scanning bots out there that check everything.
If the same group of IP addresses is consistently scanning your website, you should be concerned. I advise you to adhere to this advice in order to safeguard your web server;