Personal Domain Security Practices: From Scan Attacks to Protection Strategies

In-depth analysis of scan attack threats faced by personal domains, sharing domain security protection strategies, including practical advice such as using VPN instead of reverse proxy and deploying edge security services, helping individual developers establish a complete domain security protection system.

Introduction

In the internet era, domain security has become an issue that every internet user must pay attention to. Every day, countless automated tools scan every corner of the internet, looking for potential vulnerabilities. Many people believe that only large enterprises become attack targets, but in reality, due to the reduction of attack costs and the popularization of tools, any service exposed to the internet can become a target. Domain security is not only about personal privacy and data protection, but also the foundation for maintaining the stable operation of network services. With the continuous evolution of cybersecurity threats, establishing a complete domain security protection system is becoming increasingly important, which is also the reason we continue to focus on and share security practical experiences.

Real Case Analysis

Scan Attack Example

I have a small showcase website deployed on Cloudflare. It has only two valid URLs:

Website access logs

Even so, it is continuously hit by scan attacks.

When the website first went online, all other URLs returned 404. On the same day, a Hong Kong host started scanning, with the source IP changing daily, but mostly from Hong Kong. Since some users come from Hong Kong IPs, it’s impossible to directly block that region. This case illustrates the automated and continuous nature of cyber attacks, and also reminds us that we need to establish a systematic domain security protection strategy.

Scan attack logs

All of these URLs are probes with various purposes. My Worker only handles / and /logs-collector, so these persistent attempts are essentially looking for vulnerabilities. They not only consume Cloudflare's free request quota but also pollute my log data and interfere with system monitoring.

Later, I changed the Worker so that every other request returns 200 with the message "Host on Cloudflare Worker, don't waste your time."

Modified response

After the modification, the scan volume decreased somewhat. Although causality cannot be confirmed, this approach does convey a clear signal.
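The catch-all behaviour described above, as an added example (not the author's actual Worker code): a Cloudflare Worker that serves only / and /logs-collector, answers every other path with the same uniform message, and flags those requests so they can be kept out of the normal access log. The route handler bodies are placeholders.

```javascript
// Added example (not the author's own Worker): serve only the two real routes
// and answer every other path with a uniform message instead of a 404.
// The route handler bodies are placeholders.
const CATCH_ALL_MESSAGE = "Host on Cloudflare Worker, don't waste your time.";

// The only paths the site actually serves (from the post).
const ROUTES = {
  "/": () => ({ status: 200, body: "showcase page (placeholder)" }),
  "/logs-collector": () => ({ status: 200, body: "collector (placeholder)" }),
};

// Pure routing decision, separated from the Worker runtime so it can be tested
// offline. `scan` marks requests that hit no real route; the caller uses it to
// keep probe traffic out of the normal access log.
function route(pathname) {
  const handler = ROUTES[pathname];
  if (handler) {
    return { ...handler(), scan: false };
  }
  // Deliberately 200 rather than 404: every probed path gets the same
  // uninformative answer, so status codes give the scanner nothing to sort on.
  return { status: 200, body: CATCH_ALL_MESSAGE, scan: true };
}

// Worker entry point; in the deployed module this object is the default export.
const worker = {
  async fetch(request) {
    const { pathname } = new URL(request.url);
    const result = route(pathname);
    if (!result.scan) {
      console.log(`hit ${pathname}`); // only real routes reach the normal log
    }
    return new Response(result.body, {
      status: result.status,
      headers: { "content-type": "text/plain; charset=utf-8" },
    });
  },
};
```

To deploy, append `export default worker;` to the module.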

If it were a service running on my own host, being scanned like this every day without timely security updates, it would eventually be scanned for vulnerabilities and compromised. This is why we emphasize the importance of domain security. It’s not just about the success or failure of a single attack, but about the long-term security posture of the system.

For attackers, this kind of attack is just non-stop trying, every day. Every host they break into is a gain, and the work is mostly automated, with low equipment and time costs. This also explains why cyber attacks are so prevalent: for attackers, it's a low-cost, high-return activity.

Security Threat Analysis

Attacker Characteristics

Cross-border operations are a common feature of cyber attacks. Attackers deploy attack facilities in different regions to reduce the possibility of being held accountable. The widespread use of automated tools has drastically reduced attack costs. Port scanning tools like Nmap and Masscan have become standard equipment for attackers. Attacks are usually continuous and extremely low-cost. Attackers have abundant resources of compromised machines and can frequently change IP addresses to bypass blocks. Attack times are usually chosen during late night or holidays when monitoring and response may be weaker.

Common Attack Methods

Port scanning is the first step for attackers. They scan for open ports in bulk to identify common services such as SSH, RDP, and MySQL. Vulnerability scanning targets known vulnerabilities in outdated software, identifying potential attack surfaces through characteristic paths and filenames. In addition, attackers construct various inputs themselves, attempting to gain system privileges through input validation vulnerabilities.

Security Practices

Domain security protection requires different strategies based on service types. For self-use services and public services, completely different protection schemes should be adopted.

flowchart TD
    A[Domain service deployment] e1@--> B{Service type determination}
    B e2@-->|Self-use service| C[Choose VPN solution]
    B e3@-->|Public service| D[Choose edge security service]

    C e4@--> E[Set up internal DNS]
    C e5@--> F[Deploy Tailscale or ZeroTier]
    C e6@--> G[Configure internal fixed IP access]

    D e7@--> H[Choose Cloudflare]
    D e8@--> I[Choose Alibaba Cloud ESA]
    D e9@--> J[Configure WAF and DDoS protection]

    E e10@--> K[Service completely hidden]
    F e11@--> K
    G e12@--> K

    H e13@--> L[Real IP hidden]
    I e14@--> L
    J e15@--> L

    classDef start fill:#E3F2FD,stroke:#1565C0,stroke-width:1px,color:#0D47A1;
    classDef decision fill:#FFF8E1,stroke:#EF6C00,stroke-width:1px,color:#E65100;
    classDef action fill:#E8F5E9,stroke:#2E7D32,stroke-width:1px,color:#1B5E20;
    classDef result fill:#F3E5F5,stroke:#6A1B9A,stroke-width:1px,color:#4A148C;
    classDef animate stroke:#EF6C00,stroke-width:2px,stroke-dasharray: 9\,5,stroke-dashoffset: 900,animation: dash 25s linear infinite;
    class A start;
    class B decision;
    class e1,e2,e3,e4,e5,e6,e7,e8,e9,e10,e11,e12,e13,e14,e15 animate;
    class C,D,E,F,G,H,I,J action;
    class K,L result;

Using VPN Instead of Reverse Proxy

Most people don't upgrade software in a timely manner. The best strategy is not to expose your domain. Scanners try both prefixes and suffixes, so all kinds of subdomains will be attempted. The most heavily scanned subdomain names include nas, home, dev, test, blog, work, webdav, frp, proxy, etc. To automate their attacks, attackers prepare a subdomain dictionary and test it automatically. These common names are scanned first, so avoiding such obvious subdomain names is a basic protection measure.

For self-use services, it’s recommended to use VPN technology instead of reverse proxy, which can completely hide the service within the internal network. You can set up a local DNS server, such as AdGuard Home, and configure domain resolution on it so that internal devices access via fixed IP. AdGuard Home not only provides DNS services but also has ad blocking and parental control features, making it an ideal choice for home network environments. DDNS can also be implemented using AdGuard Home’s API. Since it’s a local network environment, domains can be chosen arbitrarily without being subject to public domain name rules. The advantage of this approach is that the service is not exposed to the public internet at all, naturally avoiding the risk of scan attacks.
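An added example, not from the post, of the DDNS-via-API idea above: keeping an AdGuard Home DNS rewrite pointed at a host's current LAN address. The /control/rewrite/list, /control/rewrite/add and /control/rewrite/delete endpoints and HTTP Basic auth are AdGuard Home's API as the author of this example understands it (verify against your version); the base URL, credentials and the files.home.lan name are assumed placeholders.

```javascript
// Added example, not from the post. Keeps an AdGuard Home DNS rewrite
// (domain -> fixed internal IP) in sync with a host's current address, i.e.
// "DDNS" against the local resolver. Endpoints are AdGuard Home's
// /control/rewrite/{list,add,delete}; base URL, credentials and the
// files.home.lan name are assumed placeholders.

// Pure planning step: given the rewrites AdGuard Home reports, return the API
// calls needed so that `domain` resolves to exactly `ip`. Stale answers for the
// domain are deleted; the add is skipped when the right answer already exists.
function planRewrite(currentRewrites, domain, ip) {
  const existing = currentRewrites.filter((r) => r.domain === domain);
  const plan = existing
    .filter((r) => r.answer !== ip)
    .map((r) => ({
      path: "/control/rewrite/delete",
      body: { domain: r.domain, answer: r.answer },
    }));
  if (!existing.some((r) => r.answer === ip)) {
    plan.push({ path: "/control/rewrite/add", body: { domain, answer: ip } });
  }
  return plan;
}

// Apply the plan against a running instance. Returns the number of API calls
// made (0 means the rewrite was already correct).
async function syncRewrite(baseUrl, user, password, domain, ip) {
  const headers = {
    authorization:
      "Basic " + Buffer.from(`${user}:${password}`).toString("base64"),
    "content-type": "application/json",
  };
  const res = await fetch(`${baseUrl}/control/rewrite/list`, { headers });
  if (!res.ok) throw new Error(`rewrite/list failed: ${res.status}`);
  const plan = planRewrite(await res.json(), domain, ip);
  for (const step of plan) {
    const r = await fetch(baseUrl + step.path, {
      method: "POST",
      headers,
      body: JSON.stringify(step.body),
    });
    if (!r.ok) throw new Error(`${step.path} failed: ${r.status}`);
  }
  return plan.length;
}

// Typical cron-driven use (assumed values):
// syncRewrite("http://192.168.1.2:3000", "admin", "secret",
//             "files.home.lan", "192.168.1.20");
```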

Using Edge Security Services

For services that must be publicly accessible, edge security services are the best choice. Cloudflare provides world-leading edge security services. Before individual developers find truly commercially valuable projects, its free version is more than sufficient. Alibaba Cloud’s ESA is also a good choice domestically. New users can try it free for 3 months. Normal payment is 10 yuan per month for a root domain, with a 50GB traffic limit. Compared to Cloudflare’s completely free services, ESA’s main advantage is better access speed within mainland China.

Security services are generally expensive, but leaving a service unprotected can lead to even greater losses if it is attacked. If you pay for protection yourself, you are looking at a fixed direct expense every day. Edge security services, by contrast, are like insurance: very cheap and extremely cost-effective, a classic case of letting professionals handle professional work.

The main purpose of edge security services is to hide your real IP. Users access edge nodes, and the edge nodes decide whether to go back to the origin, i.e., the real IP. In essence it is a front-facing reverse proxy that integrates caching, WAF, CDN, DDoS protection, and other functions. Since a third party is inserted between the user and the service, there is a certain probability that user experience may degrade. I use both Cloudflare and ESA. In summary, it slightly degrades the experience for the best-connected users but improves the experience for more regions. Overall, it's still a very worthwhile investment.

Summary

Domain security is a systematic project that requires different protection strategies based on service types. For self-use services, prioritize VPN solutions. Tailscale and ZeroTier are both mature and reliable choices. If DNS services are needed, you can set up AdGuard Home internally, which provides a complete DNS solution including ad blocking and parental control features. For public access needs, you can use AdGuard Private to provide encrypted DNS resolution services.

For public services that need to be accessed by the masses, it’s best to put an edge security service in front. Cloudflare provides world-leading free security protection, suitable for most individual developers. If you particularly care about access speed within mainland China, you can choose Alibaba Cloud ESA, which has a broader node distribution in China and can provide a better localized experience.

Regardless of which solution you choose, the key is to establish domain security awareness and take proactive protection measures rather than passively waiting for attacks to happen. There is no silver bullet in cybersecurity; what suits you is best.