
I have a Django app (personal project) running live in production on Azure VM.

I have looked in /var/log/django.log and I can see a long list of warnings. These look like someone is trying to scan my VM/app in order to find .env file, login credentials, etc.

2023-04-13 16:19:12 [WARNING ] (log.log_response) Not Found: /.env
2023-04-13 16:19:12 [WARNING ] (log.log_response) Not Found: /.env
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.save
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.save
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.old
2023-04-13 16:19:14 [WARNING ] (log.log_response) Not Found: /.env.old
2023-04-13 16:19:16 [WARNING ] (log.log_response) Not Found: /.env.prod
2023-04-13 16:19:16 [WARNING ] (log.log_response) Not Found: /.env.prod
2023-04-13 16:19:20 [WARNING ] (log.log_response) Not Found: /.env.production
2023-04-13 16:19:20 [WARNING ] (log.log_response) Not Found: /.env.production
2023-04-13 05:35:17 [WARNING ] (log.log_response) Not Found: /owa/auth/logon.aspx
2023-04-13 05:35:17 [WARNING ] (log.log_response) Not Found: /owa/auth/logon.aspx
2023-04-13 06:02:18 [WARNING ] (log.log_response) Not Found: /login
2023-04-13 06:02:18 [WARNING ] (log.log_response) Not Found: /login

Is this something I should be concerned about?

It seems like the actor is scanning files and directories; what if he was successful in locating my .env file? Is he somehow able to retrieve the file?

Also, does the presence of these warnings indicate that my security settings are somehow weak?

Sorry if this is a newbie question, my security knowledge is very basic.

LLaP
    Yes, someone is poking about looking for a problem. I recommend you add something like the Django equivalent of Flask's ipban. – JonSG Apr 13 '23 at 14:53
  • I'm not an expert either but it seems confidential environment variables should be set by your deployment configuration, not stored in an .env file. For example, see [tutorial-django-app-service-postgres](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/tutorial-django-app-service-postgres) under the "Deploy the Code" section. Or perhaps something like Azure Key Vault is another option. This is another level of protection - if they do get your .env file they still won't have your secret keys and passwords. – topsail Apr 13 '23 at 18:00

2 Answers


Is someone trying to hack you? It seems so.

Is this something I should be concerned about?

In general, yes. You should assume people are scanning your website for files which you didn't intend to expose to the public.

Which files / pages / API endpoints are exposed to the internet and which aren't is usually set in web server configuration files.

You can also write middleware / decorators / conditions to prevent access to certain URLs in Django itself.

Disallowing or enabling e.g. directory listing on your server is possible in your web server configuration: https://www.invicti.com/blog/web-security/disable-directory-listing-web-servers/

You can also try "honeypotting", wherein you allow, for example, a .env file to be scanned but not navigated to normally, and then block that IP from accessing your site again: https://www.acunetix.com/support/docs/faqs/how-to-block-automated-scanners-from-scanning-your-site/
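The Django-side option this answer mentions (middleware that refuses honeypot paths and then bans the source address, the Django counterpart of the Flask ipban suggested in the comments) looks roughly like the following. This is an added example, not code from the original answer or from any Django package. It follows Django's middleware protocol (a class that takes `get_response` and is called with the request) but is written so it also runs without Django installed, using minimal stand-in response classes. The honeypot pattern list, the 24-hour ban, the in-memory ban table and the `FakeRequest` helper used by `demo()` are all assumptions for illustration.

```python
"""Honeypot / ban middleware in the shape of a Django middleware (added example)."""
import re
import threading
import time

try:
    from django.conf import settings
    from django.http import HttpResponse, HttpResponseForbidden, HttpResponseNotFound
    if not settings.configured:
        settings.configure()  # only needed when run outside a Django project
except ImportError:
    class HttpResponse:  # stand-in so the example runs without Django
        status_code = 200

        def __init__(self, content=b""):
            self.content = content

    class HttpResponseForbidden(HttpResponse):
        status_code = 403

    class HttpResponseNotFound(HttpResponse):
        status_code = 404

# Paths no legitimate user of this app requests (assumption: tune to your app).
# Any hit is treated as a scanner; the list mirrors the probes in the question.
HONEYPOT_PATTERNS = [
    re.compile(r"^/\.env(\.[\w.-]+)?$"),     # /.env, /.env.save, /.env.prod, ...
    re.compile(r"^/\.git(/|$)"),
    re.compile(r"^/owa/"),                   # Exchange OWA probes
    re.compile(r"^/wp-(login|admin)\.php$"),
]
BAN_SECONDS = 24 * 3600
# Only set True when a reverse proxy you control overwrites X-Forwarded-For;
# otherwise a client can spoof the header and get an arbitrary address banned.
TRUST_X_FORWARDED_FOR = False


class ScannerBanMiddleware:
    """Ban the client address for BAN_SECONDS after a single honeypot hit."""

    _bans = {}                 # ip -> unix timestamp at which the ban expires
    _lock = threading.Lock()   # process-local; use Django's cache in production

    def __init__(self, get_response):
        self.get_response = get_response

    @staticmethod
    def client_ip(request):
        if TRUST_X_FORWARDED_FOR:
            xff = request.META.get("HTTP_X_FORWARDED_FOR", "")
            if xff:
                return xff.split(",")[0].strip()
        return request.META.get("REMOTE_ADDR", "")

    @classmethod
    def is_banned(cls, ip, now=None):
        now = time.time() if now is None else now
        with cls._lock:
            expires = cls._bans.get(ip)
            if expires is None:
                return False
            if expires <= now:       # ban has lapsed; forget it
                del cls._bans[ip]
                return False
            return True

    @classmethod
    def ban(cls, ip, now=None):
        now = time.time() if now is None else now
        with cls._lock:
            cls._bans[ip] = now + BAN_SECONDS

    @classmethod
    def reset(cls):
        with cls._lock:
            cls._bans.clear()

    def __call__(self, request):
        ip = self.client_ip(request)
        if self.is_banned(ip):
            return HttpResponseForbidden()
        if any(p.match(request.path) for p in HONEYPOT_PATTERNS):
            self.ban(ip)
            # Answer 404 like any other missing path so the scanner learns
            # nothing about the trap; every later request from it gets 403.
            return HttpResponseNotFound()
        return self.get_response(request)


class FakeRequest:
    """Minimal stand-in for django.http.HttpRequest, used only by demo()."""

    def __init__(self, path, ip):
        self.path = path
        self.META = {"REMOTE_ADDR": ip}


def demo():
    """Replay a constructed scan followed by normal traffic; return status codes."""
    ScannerBanMiddleware.reset()
    mw = ScannerBanMiddleware(lambda request: HttpResponse(b"ok"))
    traffic = [
        ("/", "203.0.113.5"),           # scanner's first request looks normal
        ("/.env", "203.0.113.5"),       # honeypot hit: 404 and a ban
        ("/login", "203.0.113.5"),      # banned: 403 even for a real path
        ("/.env.prod", "203.0.113.5"),  # still banned
        ("/login", "198.51.100.7"),     # unrelated client is unaffected
    ]
    return [mw(FakeRequest(path, ip)).status_code for path, ip in traffic]


if __name__ == "__main__":
    print(demo())  # [200, 404, 403, 403, 200]
```

To use it in a real project, add the class's dotted path to `MIDDLEWARE` in settings, ahead of anything that does work per request. The in-memory table here is per process and is lost on restart; under Gunicorn or uWSGI with several workers, keep the ban table in Django's cache (or Redis) instead, and remember that a ban applied at the proxy or firewall costs the app nothing per request, whereas this middleware still has to run Python for every blocked hit.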


Through your app, someone or perhaps a bot is attempting to brute-force your directory. This is typical in the modern world because there are so many scanning bots out there that check everything.

If the same group of IP addresses is consistently scanning your website, you should be concerned. I advise you to adhere to this advice in order to safeguard your web server:

  1. Set up and secure a proxy (Nginx, Tomcat, Apache, etc.) in front of your Django application. Nginx hardening instructions can be found here.
  2. Install a stateful firewall in your network if at all possible.
  3. If you are using a Linux server and have any suspicions, you should check out this link for self-checking to determine whether any compromises have taken place.
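Once a proxy such as Nginx sits in front of the app (step 1), its access log carries the client address that the Django log in the question lacks, so "the same group of IP addresses consistently scanning" becomes something you can measure rather than guess. The script below, an added example that is not part of the original answer, parses combined-format access-log lines, counts probes for secret files per address, flags the case that actually matters (a probe that was answered 2xx, meaning the file was served), and prints `ufw` rules for the host firewall from step 2. The probe patterns, the threshold, and the `SAMPLE_LOG` lines (constructed to mirror the paths in the question, including one deliberately successful `/.env` fetch) are assumptions for illustration.

```python
"""Triage a reverse-proxy access log for path scanners (added example)."""
import re
from collections import defaultdict

# Nginx/Apache 'combined' format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths only a scanner asks for. /login is deliberately absent: real users and
# bots both request it, so it is noise, not signal. Assumption: tune to your app.
PROBE_PATTERNS = [
    re.compile(r"^/\.env(\.[\w.-]+)?$"),
    re.compile(r"^/\.git(/|$)"),
    re.compile(r"^/owa/"),
    re.compile(r"^/(wp-login\.php|phpmyadmin)"),
]

# Constructed sample, not a real log: three clients, one of which got a 200 on /.env.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2023:16:19:12 +0000] "GET /.env HTTP/1.1" 404 179 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2023:16:19:14 +0000] "GET /.env.save HTTP/1.1" 404 179 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2023:16:19:14 +0000] "GET /.env.old HTTP/1.1" 404 179 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2023:16:19:16 +0000] "GET /.env.prod HTTP/1.1" 404 179 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2023:05:35:17 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 404 179 "-" "python-requests/2.28"
198.51.100.7 - - [13/Apr/2023:06:02:18 +0000] "GET /login HTTP/1.1" 404 179 "-" "python-requests/2.28"
192.0.2.44 - - [13/Apr/2023:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Apr/2023:09:00:05 +0000] "GET /static/app.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Apr/2023:09:00:09 +0000] "GET /.env?x=1 HTTP/1.1" 200 341 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop the query string before matching
    return m.group("ip"), path, int(m.group("status"))


def is_probe(path):
    return any(p.match(path) for p in PROBE_PATTERNS)


def triage(lines, threshold=3):
    """Map each address with at least `threshold` probe requests to its probed paths."""
    probes = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_probe(parsed[1]):
            probes[parsed[0]].append(parsed[1])
    return {ip: paths for ip, paths in probes.items() if len(paths) >= threshold}


def successful_probes(lines):
    """The real alarm: a probe answered 2xx means the proxy served the file."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_probe(parsed[1]) and 200 <= parsed[2] < 300:
            hits.append((parsed[0], parsed[1]))
    return hits


def ufw_rules(suspects):
    """Host-firewall commands (ufw) that drop the suspect addresses first."""
    return [f"ufw insert 1 deny from {ip} to any" for ip in sorted(suspects)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    suspects = triage(lines)
    for ip, paths in suspects.items():
        print(f"{ip}: {len(paths)} probes, e.g. {paths[:3]}")
    for ip, path in successful_probes(lines):
        print(f"ALERT {ip} fetched {path} with HTTP 200: rotate every secret in it")
    print("\n".join(ufw_rules(suspects)))
```

A 404 on `/.env` is the expected, harmless outcome and only tells you that scanners exist; a 200 on it is an incident, because the file has already left the server and every credential inside it must be rotated, not just the file removed. Note the threshold is per address: 198.51.100.7 in the sample makes one probe and is not listed, which is the right call for a single request but means a distributed scan from many addresses needs a different view (group by path or user agent instead).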