update article post
Build & Deploy / build-and-deploy (push) Has been cancelled

svemagie
2026-04-27 08:32:53 +02:00
parent 513bfba807
commit ce60feb285
@@ -1,16 +1,16 @@
--- ---
date: 2026-04-21T06:28:40.000Z date: 2026-04-21T06:32:52.000Z
title: Schrödinger's Honeypot on FreeBSD and nginx title: Schrödinger's Honeypot on FreeBSD and nginx
summary: Every day, bots scan my site for WordPress paths that do not exist. With a small nginx trick, those probes become self-inflicted bans. Here is how I adapted Schrödinger's Honeypot for a FreeBSD, nginx, jail setup. summary: Every day, bots scan my site for WordPress paths that do not exist. With a small nginx trick, those probes become self-inflicted bans. Here is how I adapted Schrödinger's Honeypot for a FreeBSD, nginx, jail setup.
category: bsd/pf category: bsd
gardenStage: cultivate gardenStage: evergreen
visibility: Public visibility: Public
aiTextLevel: "1" aiTextLevel: "1"
syndication: syndication:
- https://bsky.app/profile/did:plc:g4utqyolpyb5zpwwodmm3hht/post/3mjyebefxei2c - https://bsky.app/profile/did:plc:g4utqyolpyb5zpwwodmm3hht/post/3mjyebefxei2c
- https://blog.giersig.eu/articles/schroedingers-honeypot-on-freebsd-and/ - https://blog.giersig.eu/articles/schroedingers-honeypot-on-freebsd-and/
- https://news.indieweb.org/en/blog.giersig.eu/articles/schroedingers-honeypot-on-freebsd-and/ - https://news.indieweb.org/en/blog.giersig.eu/articles/schroedingers-honeypot-on-freebsd-and/
updated: 2026-04-21T07:36:00.799Z updated: 2026-04-27T06:32:53.150Z
webmentionResults: webmentionResults:
sent: 0 sent: 0
failed: 0 failed: 0
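Review bot: the `date:` line changes from 2026-04-21T06:28:40.000Z to 2026-04-21T06:32:52.000Z in the same edit that bumps `updated:` to 2026-04-27T06:32:53.150Z. If `date` is meant to be the original publication time, keep the old value and let `updated` alone carry the edit time, so feeds and the targets listed under `syndication:` do not see a changed publish date. The commit message ("update article post") also does not mention the `category: bsd/pf` to `category: bsd` and `gardenStage: cultivate` to `evergreen` changes; name them in the message and check whether anything still links to the `bsd/pf` category.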
@@ -23,6 +23,10 @@ webmentionResults:
reason: No webmention endpoint found reason: No webmention endpoint found
timestamp: 2026-04-21T06:33:30.743Z timestamp: 2026-04-21T06:33:30.743Z
webmentionSent: true webmentionSent: true
mpSyndicateTo:
- https://blog.giersig.eu/
- https://bsky.app/profile/svemagie.bsky.social
- https://news.indieweb.org/en
mpUrl: https://blog.giersig.eu/articles/schroedingers-honeypot-on-freebsd-and/ mpUrl: https://blog.giersig.eu/articles/schroedingers-honeypot-on-freebsd-and/
permalink: /articles/schroedingers-honeypot-on-freebsd-and/ permalink: /articles/schroedingers-honeypot-on-freebsd-and/
--- ---
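Review bot: the added `mpSyndicateTo` list names the blog, Bluesky and IndieNews, which the `syndication:` block in the first hunk already records with final URLs, and `webmentionSent: true` is already set in the context line just above. If the publishing pipeline reads `mpSyndicateTo` as targets still to be syndicated, committing it here could trigger duplicate posts on the next build; confirm it is stored only as metadata, or leave it out of the committed front matter.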
@@ -189,14 +193,47 @@ cat /var/log/nginx/*access.log | awk '{print $7}' | sort | uniq -c | sort -rn |
The honeypot log tells the other half: what is already being caught. Comparing the two reveals the gaps. From this servers logs: The honeypot log tells the other half: what is already being caught. Comparing the two reveals the gaps. From this servers logs:
| Pattern | Hits | Caught? | Pattern
| --------------------------------------------- | ---- | ------- |
| `info.php`, `phpinfo.php` | 64 | ❌ | Hits
| `etc/passwd` (path traversal) | 48 | ❌ |
| `test.php`, `debug.php`, `php.php` | 70 | ❌ | Caught?
| `wp_filemanager.php` (underscore, not hyphen) | 28 | ❌ |
| `_profiler/` (Symfony debug endpoint) | 18 | ❌ | `info.php`, `phpinfo.php`
| `.gitlab-ci.yml` | 15 | ❌ |
64
`etc/passwd` (path traversal)
48
`test.php`, `debug.php`, `php.php`
70
`wp_filemanager.php` (underscore, not hyphen)
28
`_profiler/` (Symfony debug endpoint)
18
`.gitlab-ci.yml`
15
PHP probe files are particularly common: scanners drop `phpinfo.php`, `test.php`, `info.php` to fingerprint the stack. `etc/passwd` probes arrive as both direct paths and Vite/Nuxt path traversal variants (`/@fs/etc/passwd`). The Symfony `_profiler/` endpoint is a favourite for Laravel and Symfony shops that leave debug mode on in production. PHP probe files are particularly common: scanners drop `phpinfo.php`, `test.php`, `info.php` to fingerprint the stack. `etc/passwd` probes arrive as both direct paths and Vite/Nuxt path traversal variants (`/@fs/etc/passwd`). The Symfony `_profiler/` endpoint is a favourite for Laravel and Symfony shops that leave debug mode on in production.
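Review bot: the probe table goes from a six-row pipe table to one cell per line (the hunk grows from 14 to 47 lines), and in the visible new lines each pattern is followed by its hit count but no `Caught?` value, so the ❌ column looks lost. Check that the new markup still renders as a three-column table and carries the third column for every row, since that column is what shows which probes the honeypot misses. While this block is being touched, "From this servers logs" in the context line above the table should read "From this server's logs".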