← all posts

Here come the bots

In a world of cloud native, horizontally scaling, AI generated software as a service; I choose to self host a static site rendered with straight HTML from an SBC on my desk.

There are no backups, there is no load balancer. If my raspberry pi loses Wifi or power, the site goes down. There is no SEO optimization, I don't need that. A content delivery network is a service that charges more money than I'm willing to spend on this blog site.

There is no database. That would create more complexity than I'm willing to take on. Posts are stored and synced through an Obsidian vault. I don't use paid cloud sync services for the vault. It's community made and self managed S3 bucket sync all the way.

This is the cheapest and lowest tech site I've ever made, but it's also the site that I've learned the most from. I self-host this blog from a Go service running on a raspberry pi. The Pi has a reverse proxy to handle and proxy requests I deem legit to the blog service.

I have to expose and forward a port on my home network. The outside world has to come into my house to see this page. With them, comes the bots. There are many bots:

$ sudo cat /var/log/caddy/honeypot.log | jq -r '.request.uri' | sort | uniq -c | sort -rn | head -15
    328 /
     19 /SDK/webLanguage
     18 www.google.com:443
     18 /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh
     17 /favicon.ico
     15 /login
      8 /boaform/admin/formLogin
      8 api.ipify.org:443
      7 /robots.txt
      7 /.git/config
      6 /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
      6 /vendor/phpunit/Util/PHP/eval-stdin.php
      6 /vendor/phpunit/src/Util/PHP/eval-stdin.php
      6 /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
      6 /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

They scrape and probe for anything that could get them undesired control over my site. They want to SQL inject through a non-existing WordPress plugin. They want to yoink the access token from my git config.

Self hosting my own site was a project I was always too scared to take on because of this. But it's just uncomfortable enough to force me to learn tools and configuration patterns to get better at web application security.

Early in my career, my boss told me to start with the OWASP top 10. Understand each vulnerability type, and use that as a base for getting better at security best practices. I now have something that forces me to continue understanding best practices to keep my low tech site running.