How did a hacker produce this GET request? - django

I am just about to go live with a website and am addressing security issues. The site has been public for some time but not linked to the search engines.
I log all incoming requests and today noticed this one:
GET /home/XXXXX/code/repositories/YYYYY-website/templates
where XXXXX is a sudo user on my server and YYYYY is my company name.
This is actually the structure of my Django project code.
My website is coded using Django and runs under Apache2 on Ubuntu.
My question is how can this guy possibly know the underlying code/directory structure on my server, in order to create this request?
Their IP is : 66.249.65.221.
They come up as 100% a hacker on https://ip-46.com
Any contributions welcome.
EDIT1 25/11/2019
With some helpful input from Loïc, I have done some investigation.
The Ubuntu 18.04 server is locked down as far as logging in goes - you can only get in with one of my private keys. The PostgreSQL is locked down - it will only accept connections from one IP where my dev machines reside. RabbitMQ is locked down - it won't accept ANY external incoming connections. The robots.txt allows all crawling but the robots meta restricts access to about 12 pages only.
Somebody who knows Django would know how to form this directory path if they knew the Django project directory, but they also have it relative to root on the server. The only place where this is available is in the Apache2 config file. Obviously Apache needs to know where to pick up the Django web server.
I am 99% sure that this 'hacker' got this via some sort of command to Apache. Everything is redirected to port 443 https. The above GET request doesn't actually do anything because the URL doesn't exist.
So to make the question more refined. How can a hacker pull my Django absolute project path from my Apache2 config file?

There are a lot of different ways to learn about the directory structure of a given server.
The easiest is usually error logs:
If, in your Django settings, DEBUG is set to True, it is very easy for an attacker to get the directory structure of your project.
Then there is LFI, a security issue allowing an attacker to read local files. It's then possible to read some logs, or the Apache configuration, to learn what your project directory is...
The problem could come from another service running on your server as well...
One cannot really give you a complete answer on this topic, as there are a lot of different ways this could happen.
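The answer's two concrete checks (is DEBUG on, and are requests for server-side paths arriving in the access log) can both be automated. The script below is an added example, not code from the question or the answer: it parses Apache "combined" access-log lines (a few constructed sample lines are embedded, modelled on the request in the question), flags requests whose path looks like an absolute filesystem path or a directory-traversal attempt, and separately audits a Django settings mapping for DEBUG and ALLOWED_HOSTS. The log format and the settings keys are standard; the sample IPs, paths and helper names are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Nov/2019:10:14:02 +0000] "GET /about/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2019:10:14:09 +0000] "GET /home/XXXXX/code/repositories/YYYYY-website/templates HTTP/1.1" 404 1203 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2019:10:14:11 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 980 "-" "curl/7.58"
198.51.100.7 - - [25/Nov/2019:10:14:12 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 980 "-" "curl/7.58"
203.0.113.10 - - [25/Nov/2019:10:15:00 +0000] "GET /contact/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Apache combined log: client, ident, user, [time], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Directory prefixes that only make sense as server filesystem paths, never as URLs
# of a typical Django site. Extend this list for your own layout (assumption).
FS_PREFIXES = ("/home/", "/etc/", "/var/", "/usr/", "/opt/", "/root/", "/srv/")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def suspicious_reason(path: str) -> Optional[str]:
    """Classify a request path; percent-decoding first so encoded traversal is not missed."""
    decoded = unquote(path)
    if "/../" in decoded or decoded.endswith("/.."):
        return "path traversal"
    if decoded.startswith(FS_PREFIXES):
        return "absolute filesystem path"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line whose request path looks like a probe for server files."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # skip unparseable lines rather than crash on them
        reason = suspicious_reason(fields["path"])
        if reason:
            findings.append({"ip": fields["ip"], "path": fields["path"],
                             "status": fields["status"], "reason": reason})
    return findings


def check_settings(settings: Dict[str, object]) -> List[str]:
    """Audit a Django settings mapping for the two values that leak the most in production."""
    problems = []
    if settings.get("DEBUG", False):
        # DEBUG=True renders tracebacks with absolute file paths and settings to any client.
        problems.append("DEBUG is True: error pages expose project paths and settings")
    hosts = settings.get("ALLOWED_HOSTS") or []
    if not hosts or "*" in hosts:
        problems.append("ALLOWED_HOSTS is empty or wildcard: Host header is not validated")
    return problems


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['reason']}: {hit['path']}")
    for problem in check_settings({"DEBUG": True, "ALLOWED_HOSTS": []}):
        print("settings:", problem)
```

On the question's own log the second function is the one to run first: a production Django site should have DEBUG = False and an explicit ALLOWED_HOSTS, because a debug error page is the simplest way the absolute project path ends up in a stranger's hands. Feeding the real access log through scan() then shows whether the path-shaped request was a one-off or part of a longer series from the same client.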

Related

Django - Access and save files to remote server

I am currently developing an application using Django.
What I'm trying to achieve is to have a remote server that will host configuration files. Those files are going to be numerous but quite small.
The configuration of my server is the following: on the address 172.x.x.51 I have my Django app running with uwsgi, and on 172.x.x.52 I have my nginx service connected to my uwsgi instance.
What I would like is to host the files on the nginx server.
Inside the application, I will need to access to the files and to save them (they are calculated from data from the database, so there's no need for a fileupload).
I looked on the documentation and found that I can use a Custom Storage System. The thing is, I don't think that's what I need because I want to store them the way it's done by default. I would just like to define the place where the files should be updated from Django.
Would it be better if I stored them in the media folder on my nginx instance? How would I tell Django to go look on nginx's instance for the files? On the server where nginx is hosted, I already host my static files and it's working.
This isn't a question about Django really. Storage backends are for file uploads, but as you say you're not doing that.
You need some way of allowing your Django instance on *.51 write to your nginx server on *.52. This might be via SSH/SCP, or by sharing directories over NFS, for example. Then you can simply save the files over that protocol to the relevant place, from where nginx can serve them.

How to manage/combine multiple servers on single machine?

TLDR:
Would a "real server" (Apache? Flask? Django?) be able to unify various services behind readable subdirectories (abc.work.com/svn, abc.work.com/hg) instead of using port numbers (abc.work.com:8000, abc.work.com:8001)?
Long Version:
In the last year I've learned how to serve files with Mongoose, run a minimal python webserver, host version control repositories with Subversion and Mercurial, and host a Trac issue tracker/project management framework.
In each case I've been using the easy built-in webserver provided by each tool to host it from my Windows 7 laptop at work (I'm an engineer who codes, not actually paid to be a "software guy"). In order to avoid clashing I've used different port numbers in the 8000 range for each server to listen on, and sent my coworkers links like http://machinename.domain.com:8042 to access these magical things I've created.
The first obvious problem is that I'm running a lot of these things out of a command prompt and just letting it sit open on my desktop. I also know how to call cmd.exe from VBScript in order to hide the command prompt if that's all I wanted. Many of the built-in webservers even have options to run as a service, which can get hairy with permissions, but is closer to the "right" way to host a server of any kind.
The bigger problem is that I'm sending people links to my machine with different port numbers. I'm ok with them having to use my machine name - I assume I'd need the network admin folks to add a DNS entry to call it TeamAwesome.company.com instead of machinename.company.com:8000?
The bigger question is, if I did something fancy like an Apache, Django, or Flask webserver, could I set it up like machinename.company.com/trac for the trac server and machinename.company.com/hg/project1 for the HG repository for project1? I'm looking at Apache, Django, and Flask because I've been diving into Python for 2 years now and those appear the most applicable/approachable for my needs.
I understand that ideally this stuff should be hosted on a separate linux-y server machine, but I'll need to prove the usefulness of the tools I'm developing before I request server resources from my boss (who hired me to do engineering, not programming, or web development, or systems administration, etc.).
I see this looks related. Are http proxies, virtual hosts, nginx, and WebSockets things to look at?
Looking at Apache VirtualHost examples looks promising though I can't decipher if one of those examples actually does what I'm talking about. Thanks for any suggestions as I go further down the rabbit hole with this stuff!
Apache virtual hosts can be differentiated by listening IP and/or port number only.
The mod_proxy module can do what you want if you want/have those services to be running separately as well:
# Reverse proxy only: never act as an open forward proxy for arbitrary clients
ProxyRequests Off
<Proxy *>
# Apache 2.2 access-control syntax; on Apache 2.4 this is "Require all granted"
Allow from all
</Proxy>
# Map a URL subdirectory to each backend; retry=5 waits 5 s before retrying a failed backend
ProxyPass /folder_a http://backend_a:1234/ retry=5
# ProxyPassReverse rewrites Location headers so backend redirects don't expose backend_a:1234
ProxyPassReverse /folder_a http://backend_a:1234/
ProxyPass /folder_b http://backend_b:8888/ retry=5
ProxyPassReverse /folder_b http://backend_b:8888/
# etc
However, if you just want to point different URLs to unrelated folders on your server, then check the Location and Alias directives.
No need for proxy settings. You can use a single virtual server, but run each application under a certain subdirectory: for example, with Django or another wsgi app, you would simply set WSGIScriptAlias to the relevant dir.
A big clarification, though: Django is not in any way a server. In fact, you need Apache or an equivalent in order to serve Django properly.

Launching a Mezzanine site live

I'm new to Mezzanine and Django. I have set up a site, everything is working but I can only launch the server on "development". I would like to access the site on port 80 on the internet instead of internally, as I have no way other than redirecting the port via SSH to access it. I would like to know how to do that.
And another question, is Nginx included with Mezzanine automatically? Cause I have a tuned up Nginx server there and I'm not sure what I need to do, if run it with my existing Nginx server or with the one included with Django if that is how it works .... thank you for bringing some light on this.
NGINX is not included with Mezzanine, it's an entirely separate piece of software, similar to Apache.
Mezzanine includes a fabric script which can automatically set up a production server if you'd like to use it, and will install NGINX on the server for you, among many other things.
Given your question, I can't recommend enough that you read and understand all the related documentation on this topic. Start with the Mezzanine link below, it references many other documentation sites - Django, Fabric, NGINX, plus more.
Enjoy the adventure: http://mezzanine.jupo.org/docs/deployment.html

Sitecore Can Publish Home But Not Other Content Tree

I have a setup with one authoring site and two remote publishing sites.
If I publish from the /Home/ content tree from authoring that is reflected in all remote targets.
If I publish from any other content tree, say /Quotations/, that is not reflected in any of the remote targets. It is, however, reflected on the authoring machine's "Internet" site so the changes are being published locally.
The log file on the authoring site says that the publish of the Quotations content tree worked correctly and that N number of items were published (varies depending on how much I change and/or if I do a full or incremental publish but N is about what I expect it to be).
I'm feeling I've missed something in configuration but not sure where to look.
Many thanks!
rjsjr
A couple of ideas:
Are the templates and other items needed on the remote targets there to properly store the content? If "Quotations" is using different templates that aren't published onto the remote target then you may be publishing empty content items.
Are the remote targets configured within Sitecore's config files to be the proper databases to be pushing the content?
Time for another approach, could we isolate the problem to being one of the following:
DB server. This would be taking the database for the remote target and running it on another web server to ensure that the DB is doing everything correctly in terms of serving up the data.
Web server. This would be taking the web server that hosts the remote target and pointing it at another server to see that there isn't anything wrong with the web server like a misconfiguration in IIS or something like that.
Connectivity between the two. This is what is left if the DB works with another web server and the web server works with another DB server as each part can be eliminated as the problem being solely in one area.
Or do we know it is that last one that is the ugliest one to try to debug?
Are Home and Quotations siblings of each other? If not, then there may be something above Quotations that is the source of the problem.
That I don't know. I'd be tempted to ask this on the Sitecore forums on their site; if you are certified in Sitecore you should be able to access it.

Is there a way to bind my flex builder to my django application

I am trying to create a simple Flex application, which uses Django as the back-end part. I have a question:
Usually when I run my application, Flex Builder creates a file in a directory on my local PC and then opens a browser and points to it. Everything was fine, but when I decided to link the Django server to Flex applications via XML data providers I started to get security errors (related to the absence of crossdomain.xml). When I created the file and put it on the server:
<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<!-- "domain" takes a host name (or wildcard pattern), not a URL: the scheme and port in this entry are not valid -->
<allow-access-from domain="http://127.0.0.1:8000"/>
<!-- Correct host-only form; this grants access to SWFs loaded from 127.0.0.1, not from file:// -->
<allow-access-from domain="127.0.0.1"/>
</cross-domain-policy>
Then I tried the application again and got an error in the console of my FB: Error: Request for resource at http://127.0.0.1:8000/go/active/ by requestor from file:///Users/oleg/Documents/FB3/usersList/bin-debug/usersList.swf is denied due to lack of policy file permissions.
I don't know how to fix the error. But also the question is: is there a way to configure FB3 to put my swf files on the server directly, so I will not need any crossdomain?
Thanks
Oleg
We struggled with this a lot. The Flex security stuff didn't strike me as well built, but perhaps we just had different approaches in mind than Adobe's developers. The solution that worked for us was to serve both the SWF and the dynamic data from the same host and port.
On our development boxes, we tell Apache to serve the SWF from a directory in the workspace, and the dynamic data from a local copy of the app. When we push to production, SWF and app get pushed simultaneously to the same virtual host.
If that's inconvenient for you, the Apache ProxyPass directive can be used to make Apache front for other servers. I've not used that in production, but it's been very handy for developer setups.
I don't know a way to get FlexBuilder to automatically deploy your changed SWF; you could certainly look into an automation approach (like Maven and Flex-Mojos) to make that happen.
That said, getting rid of that error is usually just a matter of adding a policy file to the server.
The second error is caused because you're trying to fetch http resources from a "file" location. My recommendation is that you change your Flex Builder project so it outputs to a location within the Django web site, rather than to the flex-bin directory. This setting can be changed in the properties dialog of the project. Then, you should be able to have your front-end and back-end share the same protocol and domain.