Website Under Attack
This morning I woke up to over 7000 emails from my Django server of Disallowed Host errors. My app is correctly rejecting the requests, which are all coming from a single IP address and are also trying to access my site at the IP level rather than the domain. Here is an example: Invalid HTTP_HOST header: '35.230.16.13:6868'. You may need to add '35.230.16.13' to ALLOWED_HOSTS.
DisallowedHost at /druid/index.html
Invalid HTTP_HOST header: '35.230.16.13:6868'. You may need to add '35.230.16.13' to ALLOWED_HOSTS.
Request Method: GET
Request URL: http://35.230.16.13:6868/druid/index.html
Exception Value: Invalid HTTP_HOST header: '35.230.16.13:6868'. You may need to add '35.230.16.13' to ALLOWED_HOSTS.
Request information:
USER: [unable to retrieve the current user]
GET: No GET data
POST: No POST data
FILES: No FILES data
COOKIES: No cookie data
META:
HTTP_ACCEPT = '/'
HTTP_ACCEPT_ENCODING = 'gzip'
HTTP_ACCEPT_LANGUAGE = 'en'
HTTP_CONNECTION = 'close'
HTTP_HOST = '35.230.16.13:6868'
HTTP_USER_AGENT = 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0 Information Security Team InfraSec Scanner'
PATH_INFO = '/druid/index.html'
QUERY_STRING = ''
RAW_URI = '/druid/index.html'
REMOTE_ADDR = '34.87.32.244'
REMOTE_PORT = '49742'
REQUEST_METHOD = 'GET'
SCRIPT_NAME = ''
SERVER_NAME = '0.0.0.0'
SERVER_PORT = '6868'
SERVER_PROTOCOL = 'HTTP/1.1'
SERVER_SOFTWARE = 'gunicorn/20.1.0'
The HTTP_USER_AGENT and the REMOTE_ADDR are the same in all 7000 requests. The path it is attempting to access changes, and it sometimes includes POST data with usernames and passwords in an attempt to log in with default IDs (like username="admin" password="123321"). This is eating through my email allotment with Amazon SES, but I don't want to turn off error notifications. The site is set up with Cloudflare nameservers, but as the bot is hitting the IP it seems to be bypassing the firewalls. Am I able to block an IP at the server level through railway?
9 Replies
Project ID:
c69d7554-5299-4bf1-8e33-58cd68ebc682
"Am I able to block an IP at the server level through railway?"
No, Railway does not provide a firewall; you would want to block the traffic at Cloudflare.
Given that the request is hitting your app at the IP level, it's not going through cloudflare
That's extremely odd
For now, turn off your email notifications. If your app is set up securely, you shouldn't have to worry about this
I'm hesitant to ping in the team here as this is just a bot attack, nothing to get them involved in. It's just odd that your IP was hit
The invalid host header error is a client side error, not server side. Not sure why you're receiving emails about that
It's Django sending me emails, usually nice to know an error happened; it gives me the traceback to help catch a bug. Unfortunately it's classifying the Disallowed host message as an error, which it isn't in this case. It's just doing its job.
I'm also being targeted on 4/5 websites - it's strange enough that I did a malware scan but it showed nothing.
This sort of stuff isn't targeted usually, just a bot scraping the internet trying to find vulnerabilities
The other three sites are just classic spam bots with account signup forms and contact forms. Adding a captcha solved those. Guessing it will die down once they realize they are getting nothing accomplished?
You got it, once the bot has gone through its script it'll move on to the next site
Sounds good. Thanks for the help!
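An added example, not posted by anyone in the thread: a logging configuration that keeps Django's error e-mails but drops the DisallowedHost records that caused the flood, using the `django.security.DisallowedHost` logger name from Django's logging documentation. `OutboxHandler`, `simulate` and `SAMPLE` are hypothetical names, and the handler is a stand-in for `django.utils.log.AdminEmailHandler` so the block runs without Django or SES.

```python
"""Constructed example: keep Django error e-mails, drop DisallowedHost noise."""
import logging
import logging.config


class OutboxHandler(logging.Handler):
    """Hypothetical stand-in for django.utils.log.AdminEmailHandler so the
    example runs without Django or an SMTP/SES account."""
    sent = []  # (logger name, message) pairs that would have been e-mailed

    def emit(self, record):
        OutboxHandler.sent.append((record.name, record.getMessage()))


LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "handlers": {
        # In settings.py use "class": "django.utils.log.AdminEmailHandler" here.
        "mail_admins": {"()": OutboxHandler, "level": "ERROR"},
        "null": {"class": "logging.NullHandler"},
    },
    "loggers": {
        "django": {"handlers": ["mail_admins"], "level": "INFO"},
        # Rejected Host headers are logged under this name. A null handler
        # plus propagate=False keeps them away from mail_admins.
        "django.security.DisallowedHost": {"handlers": ["null"], "propagate": False},
    },
}


def simulate(events):
    """Apply LOGGING, log each (logger_name, message) at ERROR, return the outbox."""
    OutboxHandler.sent = []
    logging.config.dictConfig(LOGGING)
    for name, message in events:
        logging.getLogger(name).error(message)
    return list(OutboxHandler.sent)


# Constructed sample events modelled on the report in this thread.
SAMPLE = [
    ("django.security.DisallowedHost", "Invalid HTTP_HOST header: '35.230.16.13:6868'."),
    ("django.request", "Internal Server Error: /checkout/"),
    ("django.security.DisallowedHost", "Invalid HTTP_HOST header: '35.230.16.13:6868'."),
]

if __name__ == "__main__":
    for name, message in simulate(SAMPLE):
        print(name, "->", message)
```

This only changes what gets e-mailed; the requests are still rejected by `ALLOWED_HOSTS` exactly as before.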