this post was submitted on 12 Dec 2024
35 points (94.9% liked)

Selfhosted

40734 readers
354 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Ok, it's me again. I've been checking the sampled logs on my cloudflare website and I've noticed some very particular requests:

Some context: I'm hosting my own static website (a personal blog) at home and serving it to the internet through a Cloudflare tunnel.

Upon inspecting them it seems like they are bots and web-crawlers trying to access directories and files that don't exist on my server, (since I'm not using wordpress). While I don't really have any credentials or anything to lose on my website and these attacks are harmless so far, this is kinda scary.

Should I worry? Is this normal internet behaviour? Should I expect even worse kinds of attacks? What can I do to improve security on my website and try to block these kinds of requests/attacks?

I'm still a noob, so this is a good opportunity for learning.

Thanks

top 13 comments
sorted by: hot top controversial new old
[–] [email protected] 30 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

That looks like the internet. Every server gets bombarded with these requests. Generally: Use good passwords, make sure your software blocks bots brute-forcing passwords, after some sane amount of tries... Keep everything updated...

If you want some more attacks, install a mailserver. Or expose VNC/Windows Remote Desktop or a VOIP server. That gets the bots really worked up.

[–] [email protected] 18 points 2 weeks ago (2 children)

Fail2ban works really well.

[–] [email protected] 14 points 2 weeks ago (1 children)

Just make sure you actually enable the jails/filters for the services you use ... I've seen people just install it and that will by default just protect ssh and leave everything else as is.

[–] [email protected] 4 points 2 weeks ago
[–] [email protected] 2 points 2 weeks ago (1 children)

With fail2ban single bot behind a NAT can make the site unaccessible for all users behind that NAT.

[–] [email protected] 4 points 2 weeks ago

That's true, but might not really be a problem for most. Just set the jail time to something short (few minutes, maybe an hour).

[–] [email protected] 22 points 2 weeks ago

Yes it's normal. Attackers are scanning everything, all the time.

[–] [email protected] 15 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Those attacks you see are mostly (close to 100%) harmless bots, scripts. Yes they are trying default passwords and exploits that got patched years ago.

If you do not use default credentials and do run up to date software there is nothing to worry about.

Even brute force attacks are rare.

This is just "noise" so to speak.

If you are scared by this, you should reconsider hosting something on the internet. Yes things like fail2ban can help but only if they knock on your server multiple times and mostly only to keep your logs clean.

[–] [email protected] 4 points 1 week ago

Yeah, it was kinda scary. I had never hosted anything online, and all of the sudden I get bombarded with scans and attacks from everywhere.

But I know I can't lose anything important, and that this is expected on the internet.

It was just, uh... You know the feeling when someone tells you something is heavy, then they give it to you, and it's a bit heavier than you expected? And they go: "I told you it was heavy". And it's not a big deal, because in the end you just adjust your strenght to match that weight. But there's that one second of realisation where you go "ooop! What's this?". Yeah, it was kinda that.

[–] [email protected] 13 points 2 weeks ago (1 children)

Should I worry?

I've had this stuff in logs since the late 90's. It was concerning at first, but port scanning and scripts are the internet's background static now.

Is this normal internet behaviour?

Yup. Welcome to self hosting!

Should I expect even worse kinds of attacks?

Not that it will happen, but good security expects attacks. I like to say "Obscurity is not security."

What can I do to improve security on my website and try to block these kinds of requests/attacks?

As these scrips are targeting code you don't run, they can be ignored relatively safely.

You can take a couple steps to lock things down like not responding to ping on WAN (less enticing to port scanning) locking down firewall settings, geolocation blocking, authentication, etc.

That said, if the script changed to something you DO host, you may be in for a bad day. Good to stay on top of security patches in that case.

[–] [email protected] 2 points 1 week ago (1 children)

Thanks! I'll keep all of that in mind. I knew there were a lot of bots and scripts running rampant on the internet, but I was really surprised when I put my website online and suddendly became a target.

It's good to know I'm not really at risk and that this is expected. I'll try to learn more about cybersecurity

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago)

You're not a "target" as much as you are "a thing that exists." These aren't targeted attacks.

That said, you can look into adding some additional measures to your webserver if you haven't already, like dropping connections if a client requests a location they shouldn't, like trying to access /admin, /../.., /.env, and so on.

On nginx, it could be something like:

location ^/\.|)/admin|/login {
    return 444;
}

Of course, that should be modified to match whatever application you're actually using.

[–] [email protected] 5 points 2 weeks ago

I used to have SQL commands via URL parameters back in the early 2000s. I had no SQL things running, so no problem there :)