Selfhosted

60210 readers

970 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

Be civil.
No spam.
Posts are to be related to self-hosting.
Don't duplicate the full text of your blog or readme if you're providing a link.
Submission headline should match the article title.
No trolling.
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago

MODERATORS

curbstickle@anarchist.nexus

curbstickle_lw@lemmy.world

215

How are people discovering random subdomains on my server? (lemmy.blahaj.zone)

submitted 5 months ago* (last edited 5 months ago) by BonkTheAnnoyed@lemmy.blahaj.zone to c/selfhosted@lemmy.world

85 comments fedilink hide all child comments

I generated 16 character (upper/lower) subdomain and set up a virtual host for it in Apache, and within an hour was seeing vulnerability scans.

How are folks digging this up? What's the strategy to avoid this?

I am serving it all with a single wildcard SSL cert, if that's relevant.

Thanks

Edit:

I am using a single wildcard cert, with no subdomains attached/embedded/however those work
I don’t have any subdomains registered with DNS.
I attempted dig axfr example.com @ns1.example.com returned zone transfer DENIED

Edit 2: I'm left wondering, is there an apache endpoint that returns all configured virtual hosts?

Edit 3: I'm going to go through this hardening guide and try against with a new random subdomain https://www.tecmint.com/apache-security-tips/

you are viewing a single comment's thread
view the rest of the comments

[–] a@852260996.91268476.xyz 6 points 5 months ago (3 children)

@BonkTheAnnoyed@lemmy.blahaj.zone are you generating certificates for each of the random subdomains?

[–] turkalino@sh.itjust.works 7 points 5 months ago

Fitting that someone from an instance on a random subdomain commented on this lol

[–] BonkTheAnnoyed@lemmy.blahaj.zone 3 points 5 months ago (2 children)

I don't think so? I have a letsencrypt wildcard cert, and reference that in the relevant .conf

[–] a@852260996.91268476.xyz 2 points 5 months ago (1 children)

@BonkTheAnnoyed@lemmy.blahaj.zone mmm wait your logs show the new domains being targeted specifically?

[–] BonkTheAnnoyed@lemmy.blahaj.zone 3 points 5 months ago

Yep. They show up in the other_hosts...log

[–] a@852260996.91268476.xyz 2 points 5 months ago (1 children)

@BonkTheAnnoyed@lemmy.blahaj.zone have you checked on https://crt.sh/ ?

[–] BonkTheAnnoyed@lemmy.blahaj.zone 3 points 5 months ago

As expected, it doesn't show up. I had a couple of other subdomains configured before I switched to wildcard, but nothing matches the random one