Bots in 30 min

I was surprised the other day to see intrusion attempts targeting a site I’d just created - by host name. It wasn’t published yet, it was an obscure name - how could anyone even know?

Well, any site you create in Caddy will go out and get itself a certificate from Let’s Encrypt, as you’d expect. What you may not have expected is that Let’s Encrypt publishes every cert it creates, and that bot networks keep an eye on that and immediately launch scans against new additions.

Reminds me of the days when a Windows admin would start installing and get hacked before they were even done.

Everyone knows there’s no security through obscurity, but maybe don’t go out of your way to help the bots.

I suggest putting http:// before the site name until you’re ready to publish, or using tls internal, or maybe even a wildcard site with handlers.
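The three options above written out as a Caddyfile, added here as an example and not taken from the original note. The host names, the upstream address 127.0.0.1:8080 and the use of the cloudflare DNS plugin for the wildcard certificate are assumptions.

```caddyfile
# Constructed example: all names and addresses are placeholders.

# What to avoid before launch: a bare host name enables automatic HTTPS,
# so a public certificate is requested and the exact name ends up in
# public certificate logs.
# newsite.example.com {
#     reverse_proxy 127.0.0.1:8080
# }

# Option 1: http:// prefix. The site is served over plain HTTP only and
# no certificate is requested for the name.
http://newsite.example.com {
    reverse_proxy 127.0.0.1:8080
}

# Option 2: tls internal. HTTPS is served with a certificate from Caddy's
# own local CA, which is never submitted to public logs. Clients must
# trust that local CA or they will see a certificate warning.
staging.example.com {
    tls internal
    reverse_proxy 127.0.0.1:8080
}

# Option 3: wildcard site with handlers. One certificate for
# *.example.com covers every subdomain, so only the wildcard name is
# published. Wildcard issuance needs the DNS challenge, which requires a
# Caddy build with a DNS provider plugin (cloudflare assumed here).
*.example.com {
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }

    # Route each real host to its backend by name.
    @app host app.example.com
    handle @app {
        reverse_proxy 127.0.0.1:8080
    }

    # Anything else under the wildcard gets the connection dropped.
    handle {
        abort
    }
}
```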

Last modified February 23, 2024: note on bots (0af3357)