this post was submitted on 11 Jan 2026
215 points (99.5% liked)

Selfhosted


A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.


I generated a 16-character (upper/lower) subdomain and set up a virtual host for it in Apache, and within an hour was seeing vulnerability scans.

How are folks digging this up? What's the strategy to avoid this?

I am serving it all with a single wildcard SSL cert, if that's relevant.

Thanks

Edit:

  • I am using a single wildcard cert, with no subdomains attached/embedded/however those work
  • I don’t have any subdomains registered with DNS.
  • I attempted dig axfr example.com @ns1.example.com; it returned zone transfer DENIED

Edit 2: I'm left wondering, is there an apache endpoint that returns all configured virtual hosts?

Edit 3: I'm going to go through this hardening guide and try again with a new random subdomain https://www.tecmint.com/apache-security-tips/

[–] androidul@lemmy.world 89 points 5 months ago* (last edited 5 months ago) (3 children)

If you use Let's Encrypt (ACME protocol), AFAIK you can find all domains registered in a directory that even has a search, no matter if it's wildcard or not.

It was something like this https://crt.sh/ but can’t find the site exactly anymore

LE: you can also find some here https://search.censys.io/

[–] i_stole_ur_taco@lemmy.ca 50 points 5 months ago (1 children)

Holy shit, this has every cert I’ve ever generated or renewed since 2015.

[–] vf2000@lemmy.zip 47 points 5 months ago* (last edited 5 months ago)

Certificate Transparency makes public all issued certificates in the form of a distributed ledger, giving website owners and auditors the ability to detect and expose inappropriately issued certificates.

https://en.wikipedia.org/wiki/Certificate_Transparency

[–] Shimitar@downonthestreet.eu 25 points 5 months ago (1 children)

This.

That's why tempting obscurity for security is not a good idea. Doesn't take much to be "safe", at least reasonably safe. But that "not much" is good practice to do :)

[–] sommerset@thelemmy.club 0 points 5 months ago (2 children)

No. Not this.

OP is doing the hidden subdomain pattern. Wildcard DNS and wildcard SSL.

This way the subdomain acts as a password and the application is essentially inaccessible to bot crawls.

Works very well

[–] atzanteol@sh.itjust.works 20 points 5 months ago (1 children)
[–] sommerset@thelemmy.club -1 points 5 months ago

minimal setup is still required 🤷

[–] fodor@lemmy.zip 6 points 5 months ago

Hmm. I feel like conflating a subdomain with a password is a particularly sketchy idea, but you do you.

[–] antrosapien@lemmy.ml 6 points 5 months ago (1 children)

Holy shit... I thought it was DNS resolvers selling this data