mleonard87

Reputation: 324

What do you do with Django SuspiciousOperations?

I've just put two Django apps to production and set DEBUG=False for the first time ever.

I'm now getting emails about errors that have occurred - all the errors so far are SuspiciousOperation errors and due to the fact that something/someone is hitting the site using its IP address rather than the URL. I do not have the IP address listed in ALLOWED_HOSTS as I am never expecting someone to visit the site using this.

What is the normal thing to do in this situation? Should I be adding the IP address to the list of ALLOWED_HOSTS and possibly missing an error when something is genuinely suspicious? Or is there a way to filter these out? What is the normal practice here? It's been live for 2 days and I have nearly 20 emails. Should I just live with it?

Some of the requests are from Shodan HQ bots which worries me a little. Below is a list of errors and I put each REMOTE_ADDR into incidents.org to try and find more information which is also listed below. My two servers have very similar IP addresses which probably explains them being hit at the same time.

Date-time        Server  Path                          Remote Addr     AS Name from incidents.org

24/06/2014 06:30 server1 /                             125.96.160.190  FIBRLINK Beijing FibrLINK Networks Co.,Ltd.,CN
24/06/2014 22:05 server1 /                             66.240.236.119  CariNet, Inc., US - part of the ShodanHQ botnet to perform internet wide scans

25/06/2014 01:25 server2 /myadmin/scripts/setup.php    108.175.157.140 SoftLayer Technologies Inc., US
25/06/2014 01:25 server2 /MyAdmin/scripts/setup.php    108.175.157.140 SoftLayer Technologies Inc., US
25/06/2014 01:25 server2 /pma/scripts/setup.php        108.175.157.140 SoftLayer Technologies Inc., US
25/06/2014 01:25 server2 /phpMyAdmin/scripts/setup.php 108.175.157.140 SoftLayer Technologies Inc., US
25/06/2014 01:25 server2 /phpmyadmin/scripts/setup.php 108.175.157.140 SoftLayer Technologies Inc., US
25/06/2014 01:25 server2 /muieblackcat                 108.175.157.140 SoftLayer Technologies Inc., US
25/06/2014 03:20 server2 /manager/html                 58.215.94.3     CHINANET-BACKBONE No.31,Jin-rong Street, CN
25/06/2014 03:20 server1 /manager/html                 58.215.94.3     CHINANET-BACKBONE No.31,Jin-rong Street, CN
25/06/2014 05:59 server2 /                             23.99.101.155   Microsoft Corporation, US
25/06/2014 05:59 server1 /                             23.99.101.155   Microsoft Corporation, US
25/06/2014 07:40 server2 /                             202.53.8.82     Beam Telecom Pvt Ltd, IN
25/06/2014 09:08 server1 /                             198.20.69.74    Microsoft Corporation, US
25/06/2014 09:08 server1 /                             198.20.69.74    Microsoft Corporation, US
25/06/2014 09:08 server1 /                             198.20.69.74    Microsoft Corporation, US
25/06/2014 09:19 server2 /                             198.20.69.98    SingleHop, US - scanner for shodan HQ, US
25/06/2014 09:19 server2 /robots.txt                   198.20.69.98    SingleHop, US - scanner for shodan HQ, US
25/06/2014 10:43 server2 /                             198.133.224.185 University of Wisconsin Madison, US
25/06/2014 10:43 server1 /robots.txt                   198.133.224.185 University of Wisconsin Madison, US

Upvotes: 2

Views: 244

Answers (1)

Anton Strogonoff

Reputation: 34102

First, this is OK. I wouldn't call such emails ‘false positives’—someone is probably actually scanning you for vulnerabilities—but on the public Internet such scanning happens all the time, in which case these error reports are just noise.

Noise is an issue, though, since among it you may not notice more legitimate error reports in your inbox.

You can get rid of these emails by

  • configuring your web server, or by
  • updating to Django 1.7 (RC1 currently). In Django 1.7 these actions don't cause error 500, instead they are silently handled with response 400 (see corresponding commit and ticket).

(I manage a couple of production but internal-use-only services, and we're updating our Nginx configs to get rid of these emails.)

Upvotes: 3
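The two choices discussed above (whitelist the IP address, or stop the DisallowedHost reports from reaching the admin mailbox) as an added example, not code from the question or the answer. The `host_allowed` routine is written here to mirror the ALLOWED_HOSTS rules as Django documents them (exact name, `.example.com` for the domain and its subdomains, `*` for anything, port ignored); the `LOGGING` dict assumes the `django.security.DisallowedHost` logger name from the Django logging documentation, and the Host headers are constructed samples.

```python
"""ALLOWED_HOSTS matching and DisallowedHost log routing (added example)."""
import logging.config

# Django LOGGING setting that discards django.security.DisallowedHost records
# (the logger name Django's docs give) so they never reach mail_admins, while
# genuine django.request errors keep their normal handlers.
LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "handlers": {"null": {"class": "logging.NullHandler"}},
    "loggers": {
        "django.security.DisallowedHost": {"handlers": ["null"], "propagate": False},
    },
}


def split_domain_port(host):
    """Split a Host header into (domain, port); handles bracketed IPv6 literals."""
    host = host.lower()
    if host.startswith("["):
        addr, _, rest = host[1:].partition("]")
        return "[" + addr + "]", rest[1:] if rest.startswith(":") else ""
    if host.count(":") == 1:
        return tuple(host.split(":", 1))
    return host, ""


def host_allowed(host_header, allowed_hosts):
    """Mirror the documented ALLOWED_HOSTS rules (written here, not Django's code)."""
    domain, _port = split_domain_port(host_header)
    if domain.endswith("."):  # absolute FQDN form refers to the same host
        domain = domain[:-1]
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == domain:
            return True
        if pattern.startswith(".") and (domain == pattern[1:] or domain.endswith(pattern)):
            return True
    return False


def classify_hosts(host_headers, allowed_hosts):
    """Partition Host headers into those served and those rejected as DisallowedHost."""
    served = [h for h in host_headers if host_allowed(h, allowed_hosts)]
    rejected = [h for h in host_headers if not host_allowed(h, allowed_hosts)]
    return served, rejected


if __name__ == "__main__":
    logging.config.dictConfig(LOGGING)
    # Constructed sample: the site's own name plus IP-address hits like the question's.
    sample = ["www.example.com", "example.com:443", "203.0.113.10", "[2001:db8::1]:80"]
    print(classify_hosts(sample, [".example.com"]))
```

Adding the server's IP address to ALLOWED_HOSTS moves those hits from the rejected list to the served list; the LOGGING setting instead keeps them rejected but silent.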
