As I was experimenting with the new ZenDenPen launch, I noticed that just a few seconds after I put a new subdomain up, I already had traffic.
But that's impossible, I had just put it online. How did the bots get to it?
This led me to think I had a security vulnerability somewhere:
- Was it on my desktop? Laptop?
- Was it a binary I had installed/downloaded without compiling?
- Was my raspberrypi compromised?
- Was my VPS compromised?
- Am I part of a botnet?
It turned out that it's just Certificate Transparency: Let's Encrypt and every other publicly trusted SSL/TLS certificate authority is required to record every certificate it issues in public, append-only logs. The hostname in a new certificate therefore becomes public the moment it is issued, and bots watch those logs.
Why is this a problem?
Well, looking at the access logs, I've got hundreds of requests for a variety of scripts. There are bots that look for install scripts and similar endpoints.
This is a problem if you put a new WordPress site or any other app online: a bot can reach the unfinished installer before you do, run the automatic configuration itself, and hack into your system one way or another.
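The following is an added example, not code from the original post: a small Python script that does what "looking at the access logs" means in practice. It reads Caddy-style JSON access log lines and lists the clients that showed up within a short window of the certificate being issued and went straight for installer or admin paths. The log field names (ts, request.remote_ip, request.host, request.uri, status) are an assumption about Caddy's JSON log shape, and the sample lines are constructed.

```python
import json
from collections import defaultdict

# Paths that automated scanners typically request on a freshly published
# host (illustrative list, not exhaustive).
INSTALLER_PATHS = ("/wp-admin/install.php", "/wp-login.php", "/install.php",
                   "/setup.php", "/.env", "/phpmyadmin/")

# Constructed sample lines in the assumed shape of Caddy's JSON access log.
SAMPLE_LOG = """
{"ts":1700000002.1,"request":{"remote_ip":"203.0.113.7","host":"new.example.com","uri":"/"},"status":200}
{"ts":1700000004.5,"request":{"remote_ip":"203.0.113.7","host":"new.example.com","uri":"/wp-admin/install.php"},"status":404}
{"ts":1700000009.0,"request":{"remote_ip":"198.51.100.21","host":"new.example.com","uri":"/.env"},"status":404}
{"ts":1700000900.0,"request":{"remote_ip":"192.0.2.10","host":"new.example.com","uri":"/"},"status":200}
{"ts":1700000950.0,"request":{"remote_ip":"192.0.2.10","host":"new.example.com","uri":"/install.php"},"status":200}
"""


def early_probers(log_text, cert_issued_ts, window=60):
    """Return {remote_ip: sorted(uris)} for clients whose first request landed
    within `window` seconds of certificate issuance and that touched an
    installer/admin path. Those are the CT-log watchers worth blocking."""
    first_seen = {}
    hits = defaultdict(set)
    for line in log_text.strip().splitlines():
        try:
            rec = json.loads(line)
            ts = float(rec["ts"])
            ip = rec["request"]["remote_ip"]
            uri = rec["request"]["uri"]
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed lines rather than crash on them
        first_seen[ip] = min(ts, first_seen.get(ip, ts))
        if any(uri.startswith(p) for p in INSTALLER_PATHS):
            hits[ip].add(uri)
    return {ip: sorted(uris) for ip, uris in hits.items()
            if first_seen[ip] - cert_issued_ts <= window}


if __name__ == "__main__":
    # 1700000000 plays the role of the certificate's issuance time.
    for ip, uris in early_probers(SAMPLE_LOG, 1700000000).items():
        print(ip, uris)
```

The third client in the sample only arrives fifteen minutes later and is left out of the default report, which is the point: the interesting traffic is what arrives seconds after issuance.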
Potential solutions
Buy a wildcard certificate for *.example.com
Buy an SSL/TLS wildcard certificate, so that when you publish a new subdomain only *.example.com shows up in the CT logs and bots won't find the hostname automatically.
Or fiddle around and get a wildcard TLS certificate via the DNS challenge with certbot (wildcards require DNS validation).
Caddy: block IPs
Use a variation of the following Caddyfile to disallow anything but your IP from using the subdomain until you're finished configuring it.
sudo vim /etc/caddy/Caddyfile
---
https://subdomain.example.com {
	# Match every client except your own address (a single IP or a CIDR range).
	# Caddyfile directives take no trailing semicolon.
	@blocked not remote_ip your_ip_here
	respond @blocked "Nope!" 403
	# Replace this with the real handler (e.g. reverse_proxy) once the app is configured.
	respond "Yes, you are allowed" 200
}