Django gets a lot of SuspiciousOperation: invalid HTTP_HOST header

I am using Django 1.5, Apache, mod_wsgi and Python 2.7 on Debian, hosted on Linode.

Since I upgraded from Django 1.3 to Django 1.5, I started getting some error messages, for example: "ERROR (EXTERNAL IP): Internal Server Error: /feed/", with this traceback:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 92, in get_response
    response = middleware_method(request)
  File "/usr/local/lib/python2.7/dist-packages/django/middleware/common.py", line 57, in process_request
    host = request.get_host()
  File "/usr/local/lib/python2.7/dist-packages/django/http/request.py", line 72, in get_host
    "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): tadjenanet.montadamoslim.com

But, a few days ago, the volume of these errors increased significantly, and for a large number of URLs that I do not even have on my website.

I saw the answers here (Invalid HTTP_HOST header in Django's SuspiciousOperation) and I understand why I get this, but I need to know how to avoid this. server security.

+4
1 answer

Basically, you cannot prevent an attacker from sending you such requests. Most of these attacks are made with automated penetration testing tools such as Metasploit or W3AF. Fortunately, these attempts are nothing to worry about in Django 1.5 or higher. To avoid log floods, you can configure your web server to filter out requests whose HTTP_HOST header does not match your site's domain. Sorry, I can't help you do this with Apache; if you are using Nginx, this article may help: http://www.acloudtree.com/how-to-deny-hosts-using-nginx/

Hooray!

+4
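
Added example (not part of the original question or answer): since the stack here is Apache with mod_wsgi, the same Host filtering can also be done in a small WSGI wrapper around Django, so unknown hosts get a plain 400 before `get_host()` raises. The names `HostFilter`, `normalize_host`, `demo_app`, `status_for` and the `example.com` hosts are assumptions made for illustration.

```python
# Added example: reject unknown Host headers before the request reaches Django.
ALLOWED = {"example.com", "www.example.com"}  # placeholder host names (assumed)


def normalize_host(raw):
    """Lower-case the Host value, strip an optional port and a trailing dot."""
    host = (raw or "").strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:8000
        end = host.find("]")
        return host[: end + 1] if end != -1 else ""
    return host.rsplit(":", 1)[0].rstrip(".")


class HostFilter(object):
    """WSGI wrapper that answers 400 when Host is not in `allowed`."""

    def __init__(self, app, allowed):
        self.app = app
        self.allowed = set(h.lower() for h in allowed)

    def __call__(self, environ, start_response):
        # A missing Host header normalizes to "" and is rejected as well.
        host = normalize_host(environ.get("HTTP_HOST"))
        if host not in self.allowed:
            body = b"Bad Request\n"
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for Django's WSGI application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(host_header):
    """Send one constructed request through the filter; return the status line."""
    seen = []
    app = HostFilter(demo_app, ALLOWED)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/feed/"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

In the project's `wsgi.py` the wrapper would go around the real application, for example `application = HostFilter(get_wsgi_application(), ALLOWED)`, with `ALLOWED_HOSTS` still set in the Django settings.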

Source: https://habr.com/ru/post/1500980/

