Comment

Comment on Do bots/scrapers check uncommon ports?

smiletolerantly@awful.systems ⁨10⁩ ⁨hours⁩ ago

I am scratching my head here: why open up ports at all? It it just to avoid having to pay for a domain? The usual way to go about this is to only proxy 443 traffic to the intended host/vm/port based on the (sub) domain, and just drop everything else, including requests on 443 that do not match your subdomains.

Granted, there are some services actually requiring open ports, but the majority don’t (and you mention a webserver, where we’re definitely back to: why open anything beyond 443?).

source

Sort:hotnew top

confusedpuppy@lemmy.dbzer0.com ⁨10⁩ ⁨hours⁩ ago
My ISP blocks incoming data to common ports unless you get a business account. That’s why I used Cloudflare’s tunnel service initially. I changed my plans with the domain name I currently own and I don’t feel comfortable giving more power and data to an American Tech company so this is my alternative path.

I use Caddy as my reverse proxy so I only have one uncommon port open. My plans changed from many people accessing my site to just me and very few select friends of mine which does not need a business account.

source
- smiletolerantly@awful.systems ⁨10⁩ ⁨hours⁩ ago
  
  My ISP blocks incoming data to common ports unless you get a business account.
  
  Oof, sorry, that sucks. I think you could still go the route I described though: For your domain example.com and example service myservice, listen on port :12345 and drop everything that isn’t requesting myservice.example.com:12345. Then forward the matching requests to your services actual port, e.g. 23456, which is closed to the internet.
  
  source
  - confusedpuppy@lemmy.dbzer0.com ⁨9⁩ ⁨hours⁩ ago
    I think I am already doing that. My Kiwix docker container port is set to 127.0.0.1:8080:8080 and my reverse proxy is only open to port 12345 but will redirect kiwi.example. com:12345 to port 8080 on the local machine.
    
    I’ve learned that docker likes to manipulate iptables without any notice to other programs like UFW. I have to be specific in making sure docker containers only announce themselves to the local machine only.
    
    I’ve also used this guide to harden Caddy and adjusted that to my needs. I took the advice from another user and use wildcard domain certs instead of issuing certs for each sub domain, that way only the wildcard domain is visible when I search it up at https://crt.sh/. That way I’m not advertising my sub domains that I am using.
    
    source
    smiletolerantly@awful.systems ⁨8⁩ ⁨hours⁩ ago
    TBH, it sounds like you have nothing to worry about then! Open ports aren’t really an issue in-and-on itself, they are problematic because the software listening on them might be vulnerable, and the (standard-) ports can provide knowledge about the nature pf the application, making it easier to target specific software with an exploit.
    
    Since a bot has no way of finding out what services you are running, they could only attack caddy - which I’d put down as a negligible danger.
    
    source