
I have a Django app (personal project) running live in production on an Azure VM.

I have looked in /var/log/django.log and I can see a long list of warnings. These look like someone is trying to scan my VM/app in order to find the .env file, login credentials, etc.

2023-04-13 16:19:12 [WARNING ] (log.log_response) Not Found: /.env
2023-04-13 16:19:12 [WARNING ] (log.log_response) Not Found: /.env
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.save
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.save
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.old
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.old
2023-04-13 16:19:16 [WARNING ] (log.log_response) Not Found: /.env.prod
2023-04-13 16:19:16 [WARNING ] (log.log_response) Not Found: /.env.prod
2023-04-13 16:19:20 [WARNING ] (log.log_response) Not Found: /.env.production
2023-04-13 16:19:20 [WARNING ] (log.log_response) Not Found: /.env.production
2023-04-13 05:35:17 [WARNING ] (log.log_response) Not Found: /owa/auth/logon.aspx
2023-04-13 05:35:17 [WARNING ] (log.log_response) Not Found: /owa/auth/logon.aspx
2023-04-13 06:02:18 [WARNING ] (log.log_response) Not Found: /login
2023-04-13 06:02:18 [WARNING ] (log.log_response) Not Found: /login

Is this something I should be concerned about?

It seems like the actor is scanning files and directories. What if he was successful in locating my .env file? Is he somehow able to retrieve the file?

Also, does the presence of these warnings indicate that my security settings are somehow weak?

Sorry if this is a newbie question, my security knowledge is very basic.

2 Answers


  1. Is someone trying to hack you? It seems so.

    Is this something I should be concerned about?

    In general, yes. You should assume people are scanning your website for files which you didn’t intend to expose to the public.

    Which files / pages / API endpoints are exposed to the internet and which aren’t is usually set in web server configuration files.

    You can also write middleware / decorators / conditions to prevent access to certain URLs in Django itself.

    Disallowing or enabling e.g. directory listing on your server is possible in your web server configuration:
    https://www.invicti.com/blog/web-security/disable-directory-listing-web-servers/

    You can also try to use "honeypotting" wherein you enable for example a .env file to be scanned, but not navigated to normally, and then block that IP from accessing your site again:
    https://www.acunetix.com/support/docs/faqs/how-to-block-automated-scanners-from-scanning-your-site/

  2. Through your app, someone or perhaps a bot is attempting to brute-force your directory. This is typical in the modern world because there are so many scanning bots out there that check everything.

    If the same group of IP addresses is consistently scanning your website, you should be concerned. I advise you to adhere to this advice in order to safeguard your web server:

    1. Set up and secure a proxy (Nginx, Tomcat, Apache, etc.) in front of your Django application. Nginx hardening instructions can be found here.
    2. Install a stateful firewall in your network if at all possible.
    3. If you were using a Linux server and had any suspicions, you should check out this link for self-checking to determine whether any compromises had taken place.
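
A triage pass over the log format shown in the question, as an added example that is not part of the original post or either answer: it collapses the doubled entries and separates requests for secret files from ordinary 404 noise. The category rules and the names `classify`, `triage` and `SAMPLE` are assumptions made for illustration.

```python
import re
from collections import Counter

# Line format of the /var/log/django.log excerpt in the question.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[WARNING\s*\] "
    r"\(log\.log_response\) Not Found: (?P<path>\S+)$"
)

# Assumed categories (not from the page); extend them for your own app.
RULES = [
    ("secret-file probe", re.compile(r"(^|/)\.(env|git|aws|ssh)(\.|/|$)")),
    ("foreign-stack probe", re.compile(r"\.(aspx?|php|jsp)$", re.I)),
]

def classify(path):
    """Return the first matching category label for a requested path."""
    for label, rx in RULES:
        if rx.search(path):
            return label
    return "other 404"

def triage(lines):
    """Return (Counter of categories, set of secret-file paths requested)."""
    seen, counts, secret_paths = set(), Counter(), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a "Not Found" warning in this format
        key = (m["ts"], m["path"])
        if key in seen:
            # The excerpt records every 404 twice; this also merges two
            # genuine requests for one path within the same second.
            continue
        seen.add(key)
        label = classify(m["path"])
        counts[label] += 1
        if label == "secret-file probe":
            secret_paths.add(m["path"])
    return counts, secret_paths

# Lines taken from the question's log excerpt (shortened).
SAMPLE = """\
2023-04-13 16:19:12 [WARNING ] (log.log_response) Not Found: /.env
2023-04-13 16:19:12 [WARNING ] (log.log_response) Not Found: /.env
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.save
2023-04-13 16:19:20 [WARNING ] (log.log_response) Not Found: /.env.production
2023-04-13 05:35:17 [WARNING ] (log.log_response) Not Found: /owa/auth/logon.aspx
2023-04-13 06:02:18 [WARNING ] (log.log_response) Not Found: /login
"""
```

Every line this matches is a 404, so the requested file was not served by Django. The log lines carry no client address, so blocking by IP needs the web server's access log.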