2023-12-11
Seeing how fast people will probe you after you get a new TLS certificate
For reasons outside the scope of this entry I spent some time today setting up a new Apache-based web server. More specifically, I spent some time setting up a new virtual host on a web server I'd set up last Friday. Of course this virtual host had a TLS certificate, or at least was going to once I had Let's Encrypt issue me one. Some of the time I'm a little ad hoc with the process of setting up an HTTPS site; I'll start out by writing the HTTP site configuration, get a TLS certificate issued, edit the configuration to add in the HTTPS version, and so on. This can make it take a visible amount of time between the TLS certificate being issued, and thus appearing in Certificate Transparency logs, and there being any HTTPS website that will respond if you ask for it.
This time around I decided to follow a new approach and pre-write the HTTPS configuration, guarding it behind an Apache <IfFile> check for the TLS certificate private key. This meant that I could activate the HTTPS site pretty much moments after Let's Encrypt issued my TLS certificate. I also gave this new virtual host its own set of logs, in fact two sets, one for the HTTP version and one for the HTTPS version. Part of why I did this is because I was curious how long after I got a TLS certificate it would be before people showed up to probe my new HTTPS site.
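As an added illustration of this approach (this is example configuration written for this entry, not the actual configuration of the server described above), here is what a pre-written vhost pair guarded by <IfFile> looks like. The hostname, document root, the certbot-style paths under /etc/letsencrypt/live/, and the Debian-style ${APACHE_LOG_DIR} variable are all assumptions for the example. <IfFile> needs Apache 2.4.34 or later, and it is evaluated when the configuration is loaded, so the HTTPS side appears only after a (graceful) reload once the key file exists.

```apache
# Example configuration written for this entry; all names and paths are assumed.

# Plain HTTP vhost: exists from the start, gets its own log pair so that
# probes against it can be told apart from probes against the HTTPS side.
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
    ErrorLog  ${APACHE_LOG_DIR}/example.org-http-error.log
    CustomLog ${APACHE_LOG_DIR}/example.org-http-access.log combined
    # If you use certbot's webroot plugin, the HTTP-01 challenge directory
    # must stay reachable over plain HTTP.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
</VirtualHost>

# HTTPS vhost: the whole block is skipped at configuration load time until
# the private key exists, so this file can be deployed before the certificate
# is issued. Apache does not re-check the file on its own; reload once the
# key appears (for example from certbot's --deploy-hook) to activate it.
<IfFile "/etc/letsencrypt/live/www.example.org/privkey.pem">
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.org/privkey.pem
    ErrorLog  ${APACHE_LOG_DIR}/example.org-https-error.log
    CustomLog ${APACHE_LOG_DIR}/example.org-https-access.log combined
</VirtualHost>
</IfFile>
```

Before the key exists, `apachectl configtest` passes and only the port 80 vhost is served; after issuance, a `certbot --deploy-hook "apachectl graceful"` (or an equivalent reload) brings the 443 vhost up without any further editing, which is what closes the window between the certificate landing in CT logs and there being an HTTPS site to answer.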
(It's well known by now that all sorts of people monitor Certificate Transparency logs for new names to probe. These days CT logs also make new entries visible quite fast; it's easily possible to monitor the logs in near real time. My own monitoring, which is nowhere near state of the art, was mailing me less than five minutes after the certificate was issued.)
If you've ever looked at this yourself, you probably know the answer. It took roughly a minute before the first outside probes showed up (from a 'leakix.org' IP address). Interestingly, this also provoked some re-scans of the machine's first HTTPS website, which had been set up Friday (and whose name was visible in, for example, the IP address's reverse mapping). These scans were actually more thorough than the scans against the new HTTPS virtual host. The HTTP versions of both the base name and the new virtual host were also scanned at the same time (again, the base version more thoroughly than the new virtual host).
Our firewall logs suggest that the machine was getting hit with a higher rate of random connections than before the TLS certificate was issued, along with at least one clear port scan against assorted TCP ports. This clear port scan took a while to show up, only starting about twenty minutes after the TLS certificate was issued (an eternity if you're trying to be the one who compromises a newly exposed machine before it's fixed up).
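If you want a number rather than an eyeball reading of the logs, the per-vhost access log makes the measurement easy: the first line in the HTTPS log is by definition the first probe. The following is an added example written for this entry, not the author's own tooling; it parses Apache 'combined' format lines and reports how long after issuance the first request arrived and which clients were busiest in the first hour. The log lines, the issuance time and the client addresses (from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) are constructed sample data.

```python
"""Added example (not from the post): how fast was a new HTTPS vhost probed
after its certificate was issued?  Assumes Apache 'combined' log format and a
per-vhost access log, as in the entry above.  All sample data is constructed."""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime

# Apache 'combined' format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line; return None for lines that do not
    match (Apache occasionally logs malformed requests that break the shape)."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], APACHE_TIME)
    return entry


def first_probe(issued_at: datetime, lines) -> tuple[float, dict] | None:
    """Return (seconds after issuance, entry) for the earliest request at or
    after issued_at, ignoring anything earlier (your own pre-issuance tests
    on the HTTP side, say).  None if nothing arrived after issuance."""
    after = [e for e in map(parse_line, lines) if e and e["time"] >= issued_at]
    if not after:
        return None
    first = min(after, key=lambda e: e["time"])
    return (first["time"] - issued_at).total_seconds(), first


def probes_by_client(issued_at: datetime, lines, window_seconds: int = 3600) -> Counter:
    """Requests per client address within window_seconds after issuance."""
    counts: Counter = Counter()
    for e in map(parse_line, lines):
        if e is None:
            continue
        delta = (e["time"] - issued_at).total_seconds()
        if 0 <= delta <= window_seconds:
            counts[e["ip"]] += 1
    return counts


# Constructed sample data: a certificate issued at 15:01:00, one request of
# our own before that, a scanner arriving about a minute later, and a later
# single hit.  Addresses are from the documentation ranges, not real scanners.
ISSUED_AT = datetime.strptime("11/Dec/2023:15:01:00 -0500", APACHE_TIME)
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Dec/2023:14:58:41 -0500] "GET / HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.7 - - [11/Dec/2023:15:02:03 -0500] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; scanner)"',
    '198.51.100.7 - - [11/Dec/2023:15:02:04 -0500] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner)"',
    '198.51.100.7 - - [11/Dec/2023:15:02:04 -0500] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner)"',
    '198.51.100.22 - - [11/Dec/2023:15:20:55 -0500] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    delay, entry = first_probe(ISSUED_AT, SAMPLE_LOG)
    print(f"first probe {delay:.0f}s after issuance from {entry['ip']}: {entry['request']}")
    for ip, n in probes_by_client(ISSUED_AT, SAMPLE_LOG).most_common():
        print(f"{ip}: {n} request(s) in the first hour")
```

The issuance time is the one input you need from outside the log; the certificate's notBefore is not it, since Let's Encrypt backdates notBefore by an hour, so take the time from your ACME client's output or from the CT log entry instead.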
At one level none of this is really surprising to me; I knew this sort of stuff happened and I knew it could happen rapidly. At another level there's a difference between knowing it and watching your logs as it happens live in front of you.