logoalt Hacker News

luckman212today at 4:32 PM3 repliesview on HN

Fair, but what about names that are specific enough to give an attacker a clue to a potential attack surface, like "authelia.example.com" - now they know you've likely got an Authelia setup, and can start digging for exploitable CVEs etc. I'm in the process of removing all my individual certs and replacing with a wildcard cert served by Traefik. Is that a bad idea?


Replies

bbkanetoday at 4:33 PM

Can they dig for exploitable CVEs if they're not on the Wireguard network? It is a clue to your infrastructure, but I personally think the simplicity is worth it.

icedchaitoday at 5:46 PM

Do the names resolve to publicly routeable IPs? If not, I wouldn't worry about it.

nijavetoday at 5:01 PM

My IaC is on public GitHub. They could do a network scan to find software then fingerprint to find version anyway.

Removing attack surface is better than trying to hide it.