I am not exaggerating this:
I created a new hostname in DNS, then added it to my existing webserver config.
It was online for 3 seconds – 3! – before getting a 404 request for /.git/config.
If you’re relying on obscurity to protect your services, get that right out your fool head today. You have about 3 seconds to get your act together.
In the time it took me to type this, I got another 62 requests:
30 "/"
3 "/.git/config"
2 "/.vscode/sftp.json"
2 "/v2/_catalog"
2 "/telescope/requests"
2 "/server-status"
2 "/server"
2 "/s/431323e2230323e2134323e2239313/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties"
2 "/?rest_route=/wp/v2/users/"
2 "/login.action"
2 "/.env"
2 "/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application"
2 "/.DS_Store"
2 "/debug/default/view?panel=config"
2 "/config.json"
2 "/_all_dbs"
2 "/about"
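An added example, not part of the original post: a short Python script that builds the same kind of per-path tally from an access log and flags any probe that was answered with a 2xx instead of a 404. It assumes the common/combined log format; the `PROBE_PATHS` set is drawn from the list above, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Probe targets taken from the tally in the post; extend for your own stack.
PROBE_PATHS = {
    "/.git/config", "/.env", "/.vscode/sftp.json", "/.DS_Store",
    "/config.json", "/server-status", "/v2/_catalog", "/_all_dbs",
    "/telescope/requests", "/debug/default/view",
}

# Common/combined log format (assumed): ... "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def analyse(lines):
    """Return (tally of request targets, list of probes that were served)."""
    tally, exposed = Counter(), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target, status = m["target"], int(m["status"])
        tally[target] += 1
        path = target.split("?", 1)[0]  # compare without the query string
        # A 2xx on one of these means the file or endpoint is actually reachable.
        if path in PROBE_PATHS and 200 <= status < 300:
            exposed.append((target, status))
    return tally, exposed

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:00:00:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "-"
198.51.100.9 - - [01/Jan/2024:00:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
198.51.100.9 - - [01/Jan/2024:00:00:06 +0000] "GET /.env HTTP/1.1" 200 87 "-" "-"
203.0.113.7 - - [01/Jan/2024:00:00:09 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "-"
192.0.2.44 - - [01/Jan/2024:00:00:11 +0000] "GET /debug/default/view?panel=config HTTP/1.1" 404 153 "-" "-"
""".splitlines()

if __name__ == "__main__":
    tally, exposed = analyse(SAMPLE_LOG)
    for target, count in tally.most_common():
        print(f'{count} "{target}"')
    for target, status in exposed:
        print(f"SERVED: {target} -> {status}")
```

Any `SERVED` line is the case that matters: the scanner got content back, so the file or endpoint needs to be removed or blocked at the web server.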