If I had to guess after managing enterprise WAF across hundreds of domains…

It’s either a crawler or vulnerability scanner, and may be scanning by IP address. I don’t think you configured anything wrong.

You may want to add some form of captcha or user agent based filter to get rid of it. Good news is that it’s not necessarily something to worry about.

I’d avoid IP based blocking. It’s only temporarily effective.

@Decronym@lemmy.decronym.xyz
bot account
link
fedilink
English
7
edit-2
6M

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

| Fewer Letters | More Letters |
|---------------|--------------|
| CA | (SSL) Certificate Authority |
| DNS | Domain Name Service/System |
| IP | Internet Protocol |
| SSL | Secure Sockets Layer, for transparent encryption |

[Thread #613 for this sub, first seen 19th Mar 2024, 10:35] [FAQ] [Full list] [Contact] [Source code]

Responsabilidade
link
fedilink
English
146M

As long as you set your home server properly, with allow rules, firewalls and stuff, you’ll be fine

But don’t be sloppy, take care of your server

keisatsu
link
fedilink
English
416M

Probably not. It’s most likely automated scanning and the subdomains seem common enough to be included in wordlists. Another possibility is that the subdomains have leaked somehow. Do you use Let’s Encrypt? If so, the existence of your subdomains is public knowledge and can easily be picked up by bots.

@pp99@sh.itjust.works
link
fedilink
English
26M

Maybe you issued one certificate with multiple domains, mixing internet-facing ones with purely internal ones. It is very easy to discover hidden subdomains by inspecting the certificate you get from a public service.

It’s one reason I use DNS challenge wildcard domains.
I know security through obscurity is not security, and that a leaked wildcard cert is more damaging… However the likelihood of a leaked cert is slim, the convenience is huge, the attack window isn’t huge (well, 90 days) and less published information about internals feels more secure.

If anyone is interested in mitigation, the only way around this AFAIK is to start with a brand new domain, only use wildcard certs (with DNS validation), and don’t bundle multiple renewals into a single cert.

Also, don’t enter your domain or related IP address into DNS reverse engineering tools (like dnsdumpster), and check certificate transparency logs (https://crt.sh) to see what information related to your cert renewals has been published.

This won’t stop automated bots from scanning your IP for domains, but should significantly reduce the amount of bots that discover them.

I think it is generally okay to bundle the root domain certificate and the wildcard for its subdomains into a single renewal.

So for example:

example.com
*.example.com
𝒍𝒆𝒎𝒂𝒏𝒏
link
fedilink
English
9
edit-2
6M

Yepp sorry - what I meant was bundling multiple different root domains, e.g. example.com & example1234567.org in the same cert.

I currently do as you mentioned above, renewing with just one root bundled with its accompanying subdomain wildcard.

@foggy@lemmy.world
link
fedilink
English
3
edit-2
6M

This is my thought as well.

Those services are running on some ports and someone was able to see that there are services running on those ports. Now they (or more likely, their script) are trying to find out what those services/versions are to see if there are exploits.

So to OP’s question, should they be worried? No. This is par for the course today. But it is a great example of why you need to be vigilant in updating your services and platforms, use strong passwords, MFA, etc.

Here’s a good piece of guidance for any and all who are managing a domain/network.

The lower on the pyramid of pain you can make it a pain in the ass for a would-be intruder, the sooner they’ll give up. In OP’s example, they are moving from ‘Domain names’ to ‘network/host artifacts’. If they fail to get enough info to keep digging down, they’ll likely stay there and persist for a while and then give up if they don’t find a crack.

It’s not just Let’s Encrypt - the common names of any SSL cert issued by a public CA have to be recorded in a public certificate transparency log. You can use tools like https://crt.sh to search the logs.
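An added example, not part of any post in this thread: a small audit of what your own certificate transparency records disclose, covering the two points raised above (hostnames named explicitly instead of hidden behind a wildcard, and unrelated root domains bundled into one certificate). The sample records are constructed and only mimic the `id` and `name_value` fields of crt.sh JSON output; the function names and the list of owned roots are assumptions.

```python
# Constructed sample shaped like crt.sh JSON records; real records carry
# more fields. name_value holds newline-separated names from one cert.
SAMPLE = [
    {"id": 1001, "name_value": "example.com\n*.example.com"},
    {"id": 1002, "name_value": "nas.example.com\nvault.example.com"},
    {"id": 1003, "name_value": "example.com\nexample1234567.org"},
    {"id": 1004, "name_value": "*.lab.example.com"},
]

def root_of(name, roots):
    """Return the owned root domain that `name` falls under, or None."""
    if name.startswith("*."):
        name = name[2:]
    # Longest root first so a more specific owned root wins.
    for root in sorted(roots, key=len, reverse=True):
        if name == root or name.endswith("." + root):
            return root
    return None

def audit(entries, roots):
    """Return (published hostnames, {cert id: roots bundled together})."""
    roots = {r.lower().rstrip(".") for r in roots}
    exposed, bundled = set(), {}
    for entry in entries:
        seen_roots = set()
        for raw in entry["name_value"].splitlines():
            name = raw.strip().lower().rstrip(".")
            root = root_of(name, roots) if name else None
            if root is None:
                continue  # not one of ours, ignore
            seen_roots.add(root)
            # A wildcard hides its leftmost label only: *.lab.example.com
            # still publishes lab.example.com.
            host = name[2:] if name.startswith("*.") else name
            if host != root:
                exposed.add(host)
        if len(seen_roots) > 1:
            bundled[entry["id"]] = sorted(seen_roots)
    return sorted(exposed), bundled

if __name__ == "__main__":
    hosts, mixed = audit(SAMPLE, ["example.com", "example1234567.org"])
    print("published hostnames:", hosts)
    print("certs linking several roots:", mixed)
```
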
