Django getting lots of SuspiciousOperation: Invalid HTTP_HOST header

I'm using Django 1.5, Apache, mod_wsgi and Python 2.7, Debian hosted on Linode.

Since I upgraded from Django 1.3 to Django 1.5, I started receiving some error messages, for example: "ERROR (EXTERNAL IP): Internal Server Error: /feed/". With this traceback:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 92, in get_response
    response = middleware_method(request)
  File "/usr/local/lib/python2.7/dist-packages/django/middleware/common.py", line 57, in process_request
    host = request.get_host()
  File "/usr/local/lib/python2.7/dist-packages/django/http/request.py", line 72, in get_host
    "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): tadjenanet.montadamoslim.com

But, a few days ago, the volume of these errors increased greatly, and for a lot of URLs that I don't even have in my website.

I saw the answers here (Django's SuspiciousOperation Invalid HTTP_HOST header) and I understand why I'm getting this, but I need to know how to avoid this and increase my server security.

Fernando Freitas Alves asked Oct 04 '22 01:10


1 Answer

Basically, you cannot prevent an attacker from sending you that kind of request. Most of these attacks come from automatic penetration test tools like Metasploit or W3AF. Fortunately, those attempts are not something to worry about in Django 1.5 or above. To avoid the log flooding, you can configure your web server to filter HTTP_HOST headers that don't match your website domain. Sorry, I cannot help you do it with Apache; if you are using Nginx, this article can help: http://www.acloudtree.com/how-to-deny-hosts-using-nginx/

Cheers!

Cartucho answered Oct 05 '22 22:10
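As an added illustration (not code from the question or the answer, and not Django's own implementation), the script below mirrors the ALLOWED_HOSTS matching rules that produce the SuspiciousOperation above ('*' matches anything, a leading-dot pattern matches the domain and its subdomains, anything else must match exactly, case-insensitive and ignoring the port) and uses them to triage the Host values pulled from an error log. The ALLOWED_HOSTS entries (example.com) and the log lines are constructed; the Host value from the traceback in the question is included among them. Running it against a real log separates probe noise, which the web-server-level filtering the answer recommends should drop before Django sees it, from hosts your proposed ALLOWED_HOSTS would accept, which point at legitimate traffic the old setting was rejecting.

```python
import re
from collections import Counter

# Constructed stand-in for the asker's real domain (assumption).
ALLOWED_HOSTS = ["example.com", ".example.com"]

# Constructed log lines shaped like the SuspiciousOperation line in the question.
SAMPLE_LOG = """\
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): tadjenanet.montadamoslim.com
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): 203.0.113.7
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): www.example.com:8080
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): tadjenanet.montadamoslim.com
"""

HOST_RE = re.compile(
    r"Invalid HTTP_HOST header \(you may need to set ALLOWED_HOSTS\): (\S+)"
)


def strip_port(host):
    """Lower-case the Host value and drop an optional :port suffix.

    Bracketed IPv6 literals ("[::1]:8000") are kept as "[::1]".
    """
    host = host.lower()
    if host.startswith("["):
        return host[: host.index("]") + 1]
    domain, sep, port = host.rpartition(":")
    return domain if sep and port.isdigit() else host


def host_matches(host, allowed_hosts):
    """Approximation of Django's ALLOWED_HOSTS check (not Django's own code)."""
    domain = strip_port(host)
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            # ".example.com" matches example.com and any subdomain of it.
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif pattern == domain:
            return True
    return False


def triage_log(log_text, allowed_hosts):
    """Split logged Host values into probe noise and legitimate hosts.

    Returns (noise, legitimate): noise counts each Host value the proposed
    ALLOWED_HOSTS would still reject; legitimate is the set of logged Host
    values the proposed setting would accept.
    """
    noise = Counter()
    legitimate = set()
    for line in log_text.splitlines():
        match = HOST_RE.search(line)
        if not match:
            continue
        host = match.group(1)
        if host_matches(host, allowed_hosts):
            legitimate.add(host)
        else:
            noise[host] += 1
    return noise, legitimate


if __name__ == "__main__":
    noise, legitimate = triage_log(SAMPLE_LOG, ALLOWED_HOSTS)
    print("Hosts still rejected (candidates for a web-server deny rule):")
    for host, count in noise.most_common():
        print("  %5d  %s" % (count, host))
    print("Hosts the proposed ALLOWED_HOSTS would accept:", sorted(legitimate))
```

Feed it the relevant lines of the real error log (grep for "Invalid HTTP_HOST header" first) and the proposed ALLOWED_HOSTS list; the counts show which bogus hosts dominate the flood, and the accepted set is a check that the new setting does not also block real clients.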