0

I've been getting many of these error emails from my django site. They look like they are triggered from some automated exploit. Here is one example.

Referrer: http://example.com/fck/editor/filemanager/upload/test.html
Requested URL: /fck/editor/filemanager/upload/test.html
User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
IP address: 127.0.0.1

Please help me answer 2 questions:

  1. How can I configure Django to log the real ip origin of the exploiter, i.e., something along the lines of REMOTE_ADDR instead of the localhost ip.

  2. Is there a way to reject requests with fake referrers to begin with? The requested and referred URLs are certainly not valid links from my own example.com site, and have never been.

Thanks

lastoneisbearfood
  • 3,955
  • 5
  • 26
  • 25
  • At least with respect to 1, what you're asking is possible; Django's `HttpRequest` [has an attribute `META`](https://docs.djangoproject.com/en/dev/ref/request-response/#django.http.HttpRequest.META) that is a dictionary containing all available HTTP headers, which can include REMOTE_ADDR, and it's possible to create [custom error reports](https://docs.djangoproject.com/en/dev/howto/error-reporting/#custom-error-reports). But I wonder whether what you're really looking for is an application firewall (like mod_security or naxsi) to stop automated attacks. – Liv Mar 26 '13 at 12:38
  • Thanks for pointing me to mod_security and naxsi. If you're willing to write your comment as an answer with an example custom error report (for others who will stumble on this question), I'd be happy to accept it as an answer. Thanks again. – lastoneisbearfood Mar 29 '13 at 05:23

1 Answers1

0

I figured out my own problem so in case anyone else need this info, here goes...

I kept getting the localhost ip in the error email because my django server lives behind a reverse proxy on the same machine. In this scenario REMOTE_ADDR is always the localhost address.

There is no template or custom error reporting mechanism to get other variables into the broken link email because the email is hardcoded in django's CommonMiddleware The custom error reports mentioned in previous comments has nothing to do with this.

So in order to get the real ip address, I wrote a middleware to replace REMOTE_ADDR with HTTP_X_FORWARDED_FOR. Supposedly there is a security issue involved since HTTP_X_FORWARDED_FOR can be easily faked but that is all that can be done without a CommonMiddleWare patch to actually include both ip variables.

lastoneisbearfood
  • 3,955
  • 5
  • 26
  • 25