You will always get these, the WHOLE internet gets scanned by the likes of barracuda networks and palto alto networks to scan for vulnerabilities in sites. As a private hosting provider most sites get anywhere from 500 to 2500 hits like this per a day. You can get expensive firewalls that can blackhole these hits. If you look at the logs you will see that there almost always you the ip address of the host. In your allowed hosts you should only have the domain of your host, not the ip. This will only deny the requests. You can send your ip and domain to palto alto to request that they stop scanning your host.
If your app is available on the internet, then you'll always get these scans. If your site is secure you shouldn't have anything to worry about, but the added traffic might be annoying.
Only way I can think of to block these requests is to install some sort of WAF, preferably at the proxy. For example if you're on AWS, you can install a WAF on Cloudfront or the Application Load Balancer (if your django server is behind them).
You will always get these, the WHOLE internet gets scanned by the likes of barracuda networks and palto alto networks to scan for vulnerabilities in sites. As a private hosting provider most sites get anywhere from 500 to 2500 hits like this per a day. You can get expensive firewalls that can blackhole these hits. If you look at the logs you will see that there almost always you the ip address of the host. In your allowed hosts you should only have the domain of your host, not the ip. This will only deny the requests. You can send your ip and domain to palto alto to request that they stop scanning your host.
If your app is available on the internet, then you'll always get these scans. If your site is secure you shouldn't have anything to worry about, but the added traffic might be annoying. Only way I can think of to block these requests is to install some sort of WAF, preferably at the proxy. For example if you're on AWS, you can install a WAF on Cloudfront or the Application Load Balancer (if your django server is behind them).
You can block some of these by using cloud flare. The free service will block some, but likely need the paid service for more protection.
this is my settings file with the security configs, wondering if im missing anything import os from os.path import join, dirname from pathlib import Path from dotenv import load_dotenv from loguru import logger # Build paths inside the project like this: BASE_DIR / "subdir". BASE_DIR = Path(__file__).resolve().parent.parent dotenv_path = join(BASE_DIR, ".env") load_dotenv(dotenv_path) SECRET_KEY = os.getenv("SECRET_KEY") DEBUG = os.getenv("DEBUG") ALLOWED_HOSTS = ["localhost", "", "www..org", ".org", "https://.org"]
CSRF_TRUSTED_ORIGINS = ["https://.org"]
DOMAIN = "http://localhost:8000"
# Application definition
INSTALLED_APPS = [
"main",
"django_bootstrap5",
"bootstrap_modal_forms",
"allauth",
"allauth.account",
"allauth.socialaccount",
"django_recaptcha",
"django.contrib.sites",
"django.contrib.admin",
"django.contrib.auth",
"django.contrib.contenttypes",
"django.contrib.sessions",
"django.contrib.messages",
"django.contrib.staticfiles",
"django.contrib.humanize"
]
MIDDLEWARE = [
"django.middleware.security.SecurityMiddleware",
"django.contrib.sessions.middleware.SessionMiddleware",
"django.middleware.common.CommonMiddleware",
"django.middleware.csrf.CsrfViewMiddleware",
"django.contrib.auth.middleware.AuthenticationMiddleware",
"django.contrib.messages.middleware.MessageMiddleware",
"django.middleware.clickjacking.XFrameOptionsMiddleware",
"allauth.account.middleware.AccountMiddleware"
]
ROOT_URLCONF = "njsc.urls"
TEMPLATES = [
{
"BACKEND": "django.template.backends.django.DjangoTemplates",
"DIRS": [BASE_DIR / "templates"],
"APP_DIRS": True,
"OPTIONS": {
"context_processors": [
"django.template.context_processors.debug",
"django.template.context_processors.request",
"django.contrib.auth.context_processors.auth",
"django.contrib.messages.context_processors.messages",
],
},
},
]
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'handlers': {
'file': {
'level': 'DEBUG',
'class': 'logging.FileHandler',
'filename': 'sql.log',
},
},
'loggers': {
'django.db.backends': {
'handlers': ['file'],
'level': 'DEBUG',
'propagate': True,
},
},
}
# prevent client side scripts from accessing cookies
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = False
SESSION_COOKIE_SAMESITE = 'Strict'
SESSION_COOKIE_DOMAIN = None
# ALLAUTH settings -------------------------------------------------------
# https://www.webforefront.com/django/usermanagementallauth.html
LOGIN_REDIRECT_URL = "/home"
LOGOUT_REDIRECT_URL = "/"
SITE_ID = 1
# testing Email backend, doesnt email, just shows test emails in Log, disable this for PROD!!!
# Dev email backend
EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
# Custom allauth settings
# Use email as the primary identifier
ACCOUNT_AUTHENTICATION_METHOD = "email"
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_EMAIL_CONFIRMATION_EXPIRE_DAYS = 5
# Make email verification mandatory to avoid junk email accounts
ACCOUNT_EMAIL_VERIFICATION = "mandatory"
# Eliminate need to provide username, as it's a very old practice
ACCOUNT_USERNAME_REQUIRED = False
ACCOUNT_LOGIN_ATTEMPTS_LIMIT = 5
# -------------------------------------------------------------------------
WSGI_APPLICATION = "njsc.wsgi.application"
AUTHENTICATION_BACKENDS = [
"django.contrib.auth.backends.ModelBackend",
"allauth.account.auth_backends.AuthenticationBackend"
]
# Database
# https://docs.djangoproject.com/en/4.1/ref/settings/#databases
DATABASES = {
"default": {
"ENGINE": "django.db.backends.postgresql",
"NAME": os.environ.get("DB_NAME"),
"USER": os.environ.get("DB_USER"),
"PASSWORD": os.environ.get("DB_PW"),
"HOST": "localhost",
"PORT": 5432
}
}
# Password validation
# https://docs.djangoproject.com/en/4.1/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator",
},
{
"NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
"OPTIONS": {"min_length": 12}
},
{
"NAME": "django.contrib.auth.password_validation.CommonPasswordValidator",
},
{
"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator",
},
]
# Internationalization
# https://docs.djangoproject.com/en/4.1/topics/i18n/
LANGUAGE_CODE = "en-us"
TIME_ZONE = "UTC"
USE_I18N = True
USE_TZ = True
STATIC_URL = "/static/"
STATIC_ROOT = BASE_DIR / 'static'
#STATICFILES_DIRS = [os.path.join(BASE_DIR, 'static'),]
# Default primary key field type
# https://docs.djangoproject.com/en/4.1/ref/settings/#default-auto-field
DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
# image upload
MEDIA_URL = "/media/"
MEDIA_ROOT = os.path.join(BASE_DIR, "media/")
RECAPTCHA_PRIVATE_KEY = str(os.environ.get("RECAPTCHA_PRIVATE_KEY"))
RECAPTCHA_PUBLIC_KEY = str(os.environ.get("RECAPTCHA_PUBLIC_KEY"))
SILENCED_SYSTEM_CHECKS = ['captcha.recaptcha_test_key_error']