Security Practices for Personal Domains

This article shares practical security experiences during personal domain usage, including scanning attack analysis, domain protection strategies, common attack vectors, and the selection of edge security services.

Introduction

In the internet age, cyberattacks have become the norm. Every day, countless automated tools scan every corner of the internet looking for potential vulnerabilities. Many people believe that only large enterprises become targets of attacks, but in reality, due to lowered costs of attacks and the proliferation of tools, any service exposed to the internet can become a target.

Real-World Case Analysis

Example of Scanning Attacks

I have a small showcase website deployed on Cloudflare Workers. Although it has only two valid URLs (/ and /logs-collector), it is still continuously hit by scanning.

Initially, all other URLs returned 404. On the first day after launch, hosts in Hong Kong started scanning it. The source IP changed daily, but most were in Hong Kong. Since some legitimate users reach the site from Hong Kong IPs, I couldn’t simply block the region.

Every one of those scanned URLs is a probe with a specific purpose. My Worker only handles / and /logs-collector, so these persistent attempts are essentially looking for vulnerabilities.

But this scanning consumes Cloudflare’s free request quota and pollutes my logs, which isn’t a good thing.

Later, I made all other requests return 200 with the message “Hosted on Cloudflare Worker, don't waste your time.”
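As an added example (not the author's own Worker), here is a minimal Cloudflare Worker that serves the two real routes and answers every other path with a harmless 200, so a scanner learns nothing from the status code and the path is never echoed back. The route names come from the article; the decoy message text, the POST-only rule for /logs-collector, and the sample log paths in `summarizeProbes` are assumptions.

```javascript
// Added example, not the article's code. Routes / and /logs-collector are
// from the article; the decoy text and the POST-only rule are assumptions.
const REAL_ROUTES = new Set(['/', '/logs-collector']);
const DECOY_BODY = "Hosted on Cloudflare Worker, don't waste your time.";

// Pure routing decision, separated from the fetch handler so it can be
// unit-tested without a Workers runtime. Returns body null where the
// status forbids a body (204).
function route(pathname, method) {
  if (pathname === '/') {
    return { status: 200, body: 'showcase page', decoy: false };
  }
  if (pathname === '/logs-collector') {
    if (method !== 'POST') {
      return { status: 405, body: 'method not allowed', decoy: false };
    }
    return { status: 204, body: null, decoy: false };
  }
  // Everything else: same status as a real page, fixed body, no echo of
  // the requested path (echoing it would hand a scanner a reflection point).
  return { status: 200, body: DECOY_BODY, decoy: true };
}

// Summarize a batch of request paths taken from logs: how many hit real
// routes and how many were probes. The caller supplies the paths; the
// test below uses constructed sample data.
function summarizeProbes(paths) {
  const probes = paths.filter((p) => !REAL_ROUTES.has(p));
  return { total: paths.length, probes: probes.length, sample: probes.slice(0, 3) };
}

// The Worker entry point. Cloudflare sets cf-connecting-ip on every request.
const worker = {
  async fetch(request) {
    const url = new URL(request.url);
    const decision = route(url.pathname, request.method);
    if (decision.decoy) {
      // A one-line record per probe; console.log is visible in `wrangler tail`.
      const ip = request.headers.get('cf-connecting-ip') || 'unknown';
      console.log(`probe ${request.method} ${url.pathname} from ${ip}`);
    }
    return new Response(decision.body, {
      status: decision.status,
      headers: { 'content-type': 'text/plain; charset=utf-8' },
    });
  },
};
```

To deploy, `worker` would be exported as the module's default export (`export default worker;`); it is left as a plain object here so the routing logic can be exercised in Node as-is.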

This way, the scanning decreased slightly, though I don’t know if there’s a causal relationship.

If this were a service running on your own host, scanned like this every day without security updates, sooner or later a vulnerability would be found.

For attackers, it’s just a matter of trying non-stop every day; if they breach one target, that’s a win. It’s basically all automated, with low equipment and time costs.

Security Threat Analysis

Characteristics of Attackers

  • Cross-border attacks are common, reducing the possibility of accountability.
  • Widespread use of automated tools, including port scanning tools like Nmap, Masscan, etc.
  • Persistent attacks with low costs.
  • Abundant botnet resources, frequent IP address changes.
  • Attack times are usually chosen for late nights or holidays.

Common Attack Methods

  1. Port Scanning
    • Bulk scanning of open ports
    • Identify common services (SSH, RDP, MySQL, etc.)
  2. Vulnerability Scanning
    • Scan for legacy software with known vulnerabilities
    • Identify via path patterns and filename patterns
  3. Manually crafting inputs to exploit input validation vulnerabilities

Security Practices

Use VPN Instead of Reverse Proxy

Most people do not update their software in a timely manner, so it is best not to expose your domain at all. Scanners enumerate subdomains by trying all sorts of prefixes and suffixes against the root domain.

For example, commonly targeted subdomains:

  • nas.example.com
  • home.example.com
  • dev.example.com
  • test.example.com
  • blog.example.com
  • work.example.com
  • webdav.example.com
  • frp.example.com
  • proxy.example.com

These are just off the top of my head; automated attacks certainly use a subdomain dictionary for enumeration.

You can set up a DNS server on your local area network (LAN), such as AdGuard Home, configure the domain resolution on it, and have devices on the internal network reach services by fixed IPs.

DDNS can also be implemented through the AdGuard Home API. Since it is a LAN, you can pick any domain name you want.
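The LAN-only resolver described above, as an added example that is not the author's setup: a Node script that keeps AdGuard Home DNS rewrites in sync with a desired hostname-to-IP map, which is one way to do "DDNS" for internal hosts through the AdGuard Home control API. It uses the endpoints `GET /control/rewrite/list`, `POST /control/rewrite/add` and `POST /control/rewrite/delete` with `{domain, answer}` bodies as I know them from the AdGuard Home API; confirm them against your installed version. Host names, addresses and credentials below are constructed placeholders. Because the whole point of the section is that these names exist only on the LAN, the plan refuses to publish any answer that is not an RFC 1918 address.

```javascript
// Added example, not the author's script. Endpoint paths are those of the
// AdGuard Home control API as known to me; host names and IPs are constructed.

// True for RFC 1918 IPv4 addresses (10/8, 172.16/12, 192.168/16).
function isPrivateIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((n) => n > 255)) return false;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Pure planning step: `current` is the array of {domain, answer} returned by
// rewrite/list, `desired` is {domain: answer}. Domains not in `desired` are
// left alone; stale answers for a desired domain are deleted; non-LAN
// answers are skipped rather than published.
function planRewriteSync(current, desired) {
  const toAdd = [];
  const toDelete = [];
  const skipped = [];
  const currentByDomain = new Map();
  for (const rw of current) {
    if (!currentByDomain.has(rw.domain)) currentByDomain.set(rw.domain, []);
    currentByDomain.get(rw.domain).push(rw.answer);
  }
  for (const [domain, answer] of Object.entries(desired)) {
    if (!isPrivateIPv4(answer)) {
      skipped.push({ domain, answer });
      continue;
    }
    const answers = currentByDomain.get(domain) || [];
    for (const a of answers) {
      if (a !== answer) toDelete.push({ domain, answer: a });
    }
    if (!answers.includes(answer)) toAdd.push({ domain, answer });
  }
  return { toAdd, toDelete, skipped };
}

// Apply the plan against a live AdGuard Home. fetchImpl is injectable so the
// function can be exercised with a fake transport.
async function syncRewrites({ baseUrl, username, password, desired, fetchImpl = fetch }) {
  const auth = 'Basic ' + Buffer.from(`${username}:${password}`).toString('base64');
  const headers = { authorization: auth, 'content-type': 'application/json' };
  const listRes = await fetchImpl(`${baseUrl}/control/rewrite/list`, { headers });
  if (!listRes.ok) throw new Error(`rewrite/list failed: ${listRes.status}`);
  const current = await listRes.json();
  const plan = planRewriteSync(current, desired);
  const post = async (path, rw) => {
    const r = await fetchImpl(`${baseUrl}${path}`, {
      method: 'POST',
      headers,
      body: JSON.stringify(rw),
    });
    if (!r.ok) throw new Error(`${path} failed for ${rw.domain}: ${r.status}`);
  };
  // Delete first so a changed address never briefly has two answers.
  for (const rw of plan.toDelete) await post('/control/rewrite/delete', rw);
  for (const rw of plan.toAdd) await post('/control/rewrite/add', rw);
  return plan;
}

// Constructed usage: run with ADGUARD_URL/USER/PASS set in the environment.
if (process.env.ADGUARD_URL) {
  syncRewrites({
    baseUrl: process.env.ADGUARD_URL,
    username: process.env.ADGUARD_USER,
    password: process.env.ADGUARD_PASS,
    desired: { 'nas.home.lan': '192.168.1.20', 'dev.home.lan': '192.168.1.30' },
  }).then((plan) => console.log(JSON.stringify(plan, null, 2)), (e) => console.error(e));
}
```

Running it from cron on a LAN host gives each internal service a stable name that never appears in public DNS, so the subdomain dictionaries mentioned above have nothing to find.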

Use Edge Security Services

Cloudflare, the “Cyber Buddha”, goes without saying. For a personal tinkerer who has not yet found a project with real commercial value, it will certainly stay free.

In China, there is Alibaba Cloud ESA. I use both of them. Alibaba Cloud is free for 3 months; after that it is normally 10 RMB per month per root domain, limited to 50GB of traffic. Given that Cloudflare is completely free, I won’t introduce it in much detail.

Security services are generally quite expensive. If you skip protection and get attacked, the loss is huge; if you pay for protection, it feels like watching the “loss” directly every day.

Edge security services act as insurance: very cheap, high cost-performance security, a classic case of letting professionals handle professional matters.

The main purpose of edge security is to hide your real IP. Users reach the edge nodes, and the edge nodes decide whether to fetch from the origin (the real IP). The origin stays hidden only if it refuses connections that do not arrive through the edge; otherwise the real IP can still be reached directly.

In essence it is a reverse proxy in front of your service, integrating caching, WAF, CDN, DDoS protection, etc. Since a third party sits between the user and the service, there is some probability of a degraded user experience.

I use both CF and ESA. In short, it slightly degrades the experience for the users who already had the best connectivity but improves it for users in more regions. Overall, it is still very much worth it.

Conclusion

If it’s just for your own use, prioritize a VPN; both Tailscale and ZeroTier are good choices. If you need DNS services, you can set up AdGuard Home on the intranet. For the public network, you can use AdGuardPrivate.

If it is a public service for the general public, it is best to put a Cloudflare layer on it. If you care about access speed in Mainland China, use Alibaba ESA.

These security practices are for reference only; suggestions from the experts at V Station are very welcome.