@@ -1,16 +1,16 @@
|
||||
---
|
||||
date: 2026-04-21T06:28:40.000Z
|
||||
date: 2026-04-21T06:32:52.000Z
|
||||
title: Schrödinger's Honeypot on FreeBSD and nginx
|
||||
summary: Every day, bots scan my site for WordPress paths that do not exist. With a small nginx trick, those probes become self-inflicted bans. Here is how I adapted Schrödinger's Honeypot for a FreeBSD, nginx, jail setup.
|
||||
category: bsd/pf
|
||||
gardenStage: cultivate
|
||||
category: bsd
|
||||
gardenStage: evergreen
|
||||
visibility: Public
|
||||
aiTextLevel: "1"
|
||||
syndication:
|
||||
- https://bsky.app/profile/did:plc:g4utqyolpyb5zpwwodmm3hht/post/3mjyebefxei2c
|
||||
- https://blog.giersig.eu/articles/schroedingers-honeypot-on-freebsd-and/
|
||||
- https://news.indieweb.org/en/blog.giersig.eu/articles/schroedingers-honeypot-on-freebsd-and/
|
||||
updated: 2026-04-21T07:36:00.799Z
|
||||
updated: 2026-04-27T06:32:53.150Z
|
||||
webmentionResults:
|
||||
sent: 0
|
||||
failed: 0
|
||||
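Review bot: the front matter's `date:` appears to move from `2026-04-21T06:28:40.000Z` to `2026-04-21T06:32:52.000Z` in the same edit that bumps `updated:` to 2026-04-27. If this is a content revision, keep the original publication timestamp and let only `updated:` change, since the post is already syndicated to the URLs under `syndication:` and anything that sorts or deduplicates on the publication date will see a different entry. The `category: bsd/pf` to `category: bsd` and `gardenStage: cultivate` to `gardenStage: evergreen` changes are not explained anywhere in the visible lines; a one-line reason in the commit message would help, and it is worth checking that no category listing still links to `bsd/pf`.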
@@ -23,6 +23,10 @@ webmentionResults:
|
||||
reason: No webmention endpoint found
|
||||
timestamp: 2026-04-21T06:33:30.743Z
|
||||
webmentionSent: true
|
||||
mpSyndicateTo:
|
||||
- https://blog.giersig.eu/
|
||||
- https://bsky.app/profile/svemagie.bsky.social
|
||||
- https://news.indieweb.org/en
|
||||
mpUrl: https://blog.giersig.eu/articles/schroedingers-honeypot-on-freebsd-and/
|
||||
permalink: /articles/schroedingers-honeypot-on-freebsd-and/
|
||||
---
|
||||
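Review bot: the new `mpSyndicateTo:` list names Bluesky and IndieNews as targets, but the `syndication:` block earlier in the same front matter already records finished posts on both (`bsky.app/.../post/3mjyebefxei2c` and `news.indieweb.org/en/blog.giersig.eu/...`). Confirm that the syndicator skips targets that already have a `syndication` entry before persisting this property, otherwise the next run may post duplicates; if the list is only a leftover of the original Micropub request, drop it from the stored file. The first target, `https://blog.giersig.eu/`, is the site itself, which deserves a comment or removal.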
@@ -189,14 +193,47 @@ cat /var/log/nginx/*access.log | awk '{print $7}' | sort | uniq -c | sort -rn |
|
||||
|
||||
The honeypot log tells the other half: what is already being caught. Comparing the two reveals the gaps. From this server’s logs:
|
||||
|
||||
| Pattern | Hits | Caught? |
|
||||
| --------------------------------------------- | ---- | ------- |
|
||||
| `info.php`, `phpinfo.php` | 64 | ❌ |
|
||||
| `etc/passwd` (path traversal) | 48 | ❌ |
|
||||
| `test.php`, `debug.php`, `php.php` | 70 | ❌ |
|
||||
| `wp_filemanager.php` (underscore, not hyphen) | 28 | ❌ |
|
||||
| `_profiler/` (Symfony debug endpoint) | 18 | ❌ |
|
||||
| `.gitlab-ci.yml` | 15 | ❌ |
|
||||
Pattern
|
||||
|
||||
Hits
|
||||
|
||||
Caught?
|
||||
|
||||
`info.php`, `phpinfo.php`
|
||||
|
||||
64
|
||||
|
||||
❌
|
||||
|
||||
`etc/passwd` (path traversal)
|
||||
|
||||
48
|
||||
|
||||
❌
|
||||
|
||||
`test.php`, `debug.php`, `php.php`
|
||||
|
||||
70
|
||||
|
||||
❌
|
||||
|
||||
`wp_filemanager.php` (underscore, not hyphen)
|
||||
|
||||
28
|
||||
|
||||
❌
|
||||
|
||||
`_profiler/` (Symfony debug endpoint)
|
||||
|
||||
18
|
||||
|
||||
❌
|
||||
|
||||
`.gitlab-ci.yml`
|
||||
|
||||
15
|
||||
|
||||
❌
|
||||
|
||||
PHP probe files are particularly common: scanners drop `phpinfo.php`, `test.php`, `info.php` to fingerprint the stack. `etc/passwd` probes arrive as both direct paths and Vite/Nuxt path traversal variants (`/@fs/etc/passwd`). The Symfony `_profiler/` endpoint is a favourite for Laravel and Symfony shops that leave debug mode on in production.
|
||||
|
||||
|
||||
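Review bot: the eight-line pipe table (`| Pattern | Hits | Caught? |` and its six rows) is replaced by a one-cell-per-line form carrying the same patterns and hit counts, which accounts for most of the growth from 14 to 47 lines without changing any content. If the goal is to work around a rendering problem, say so in the commit message; otherwise keep the compact table, which is much easier to diff when rows are added. Two content points while this block is being touched: the rows are not ordered by hit count (64, 48, 70, 28, 18, 15) although the command in the hunk header sorts with `sort -rn`, and the closing sentence attributes `_profiler/` to "Laravel and Symfony shops" while the table itself labels it a Symfony debug endpoint, so the Laravel mention should be checked or dropped.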