In the Internet era, cyber attacks have become the norm. Every day, countless automated tools scan every corner of the web looking for vulnerabilities. Many believe only large corporations become targets, but due to lower attack costs and widespread tooling, any service exposed to the Internet can be attacked.
A small demo site I host on Cloudflare has only two valid URLs:
Yet it is continuously scanned.
Initially, all other URLs returned `404`. On the first day after launch, hosts in Hong Kong began probing; source IPs change daily, mostly from Hong Kong. Since some legitimate users also access from Hong Kong, blocking by region isn’t an option.
All of these URLs are probes driven by various motives. My Worker only handles `/` and `/logs-collector`; these relentless attempts are essentially hunting for vulnerabilities.
While they burn through Cloudflare’s free request quota and pollute my logs, I later configured every other request to respond with `200` and the message “Host on Cloudflare Worker, don’t waste your time.”
After that, probes dropped somewhat (though whether this is causal is unclear).
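The routing described above, as an added example rather than the author's actual Worker code: `/` and `/logs-collector` are matched exactly and every other request gets the fixed `200` reply. The permitted methods, the handler bodies, the `demo.example` host and the sample paths are assumptions.

```javascript
// Added example, not the author's Worker. Methods, handler bodies, the
// demo.example host and the sample paths are assumptions for illustration.
const DECOY_BODY = "Host on Cloudflare Worker, don't waste your time.";

// Exact-match allowlist: path -> permitted methods.
const ROUTES = new Map([
  ["/", ["GET", "HEAD"]],
  ["/logs-collector", ["POST"]],
]);

// Classify one request. Returns a plain object so the decision can be
// tested and counted without building a Response.
function route(method, rawUrl) {
  const decoy = { kind: "probe", status: 200, body: DECOY_BODY };
  let pathname;
  try {
    pathname = new URL(rawUrl).pathname; // resolves "." and ".." segments
  } catch {
    return decoy; // unparseable URL
  }
  const methods = ROUTES.get(pathname); // no prefix or case-folded matching
  if (!methods || !methods.includes(method.toUpperCase())) return decoy;
  return { kind: "valid", status: 200, body: `handled ${pathname}` };
}

// Tally decisions for a batch of [method, url] pairs, e.g. replayed from logs.
function tally(requests) {
  const counts = { valid: 0, probe: 0 };
  for (const [method, url] of requests) counts[route(method, url).kind] += 1;
  return counts;
}

// Constructed sample traffic.
const SAMPLE = [
  ["GET", "https://demo.example/"],
  ["POST", "https://demo.example/logs-collector"],
  ["GET", "https://demo.example/.env"],
  ["GET", "https://demo.example/wp-login.php"],
  ["POST", "https://demo.example/logs-collector/"],
  ["GET", "https://demo.example/Logs-Collector"],
];

// In a deployed Worker this object would be the module's default export.
const worker = {
  async fetch(request) {
    const d = route(request.method, request.url);
    return new Response(d.body, { status: d.status });
  },
};
```

Because the match is exact, a trailing slash, a different letter case or a wrong method on a valid path is treated the same as any other probe.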
Had this service been hosted on my own machine, continuous scanning without timely security updates would eventually lead to compromise. Attackers simply schedule round-the-clock automated attempts; success requires minimal cost and effort.
Most people don’t keep software up to date. Ideally, the real origin IP is never exposed; attackers not only enumerate subdomains by prefix but also craft random prefixes.
Hot targets for subdomain scanning:
- nas.example.com
- home.example.com
- dev.example.com
- test.example.com
- blog.example.com
- work.example.com
- webdav.example.com
- frp.example.com
- proxy.example.com

These are just off-the-cuff examples; attackers run automated dictionaries.
Set up a local DNS server like AdGuardHome, add DNS records for internal domains, and have all internal devices use fixed LAN IPs. DDNS can be achieved via AdGuardHome’s API; on a LAN, you can choose any domain name you like.
The savior of cyberspace—Cloudflare—will remain free for individual tinkerers until a truly commercial project emerges.
Domestically, Alibaba Cloud’s ESA is available; both are in my stack. ESA offers three free months, then ¥10 per root domain per month with a 50 GB traffic cap—but compared to Cloudflare’s fully free tier, there’s little more to say.
Security services tend to be expensive, and the damage from a successful attack can far exceed daily costs of protection. Think of edge security as inexpensive insurance: let the pros handle security.
Their main purpose is hiding the real IP. Clients hit the edge node first; the node decides whether to forward to the origin.
Essentially, edge security is a reverse proxy in front of you, combining caching, WAF, CDN, and DDoS protection. Adding an intermediary can introduce latency, but overall, the trade-off is worthwhile—in my experience, power users may see a slight drop, while users in more regions enjoy speedups.
I use both CF and ESA. Conclusion: slight degradation for a small group is outweighed by broad regional gains and is absolutely worth it.
For self-use services, prioritize VPN solutions like Tailscale or ZeroTier. For DNS, run AdGuardHome on your LAN; for public DNS, use AdGuardPrivate.
For public-facing services intended for general audiences, wrap them with Cloudflare. If mainland China performance matters, use Ali ESA.
These practices are provided for reference; feedback from V2EX veterans is warmly welcomed.