logo
podcast Podcast
get help Get Unstuck

Your brand new server is already getting attacked

Don't let your guard down

Joel Clermont
Joel Clermont
2025-05-07

I recently set up a new server for a project, and when I looked at the access logs, I was surprised to see it was already being actively scanned for exploits.

And these were site-specific logs, meaning it wasn't just the server's IP address getting scanned, but the host name for this new staging domain I just set up.

How could this be? How would an attacker know about this new domain that I just created?

There's an interesting clue in the logs. Take a look and see if you can spot it:

Server logs

Notice that the very first two log entries mention acme-challenge. These two requests are challenges required for the issuance of a TLS certificate using Let's Encrypt.

Five seconds after the certificate was issued, the flood of probe requests began. What is the connection?

Certificate authorities, like Let's Encrypt, publish a list of newly-issued certificates in a public database called the Certificate Transparency log. This allows a domain owner to monitor for unauthorized issuance of certificates for their domain.

However, this also means that attackers can monitor this log to find domains they want to target, even domains used for "secret" staging environments with brand-new servers.

So never assume that no one will find your server just because it's new or not yet publicized. Always take the necessary precautions to secure your server from the start.

Here to help,

Joel

P.S. Security is an important consideration when building your Laravel app. Download our free book: 7 Steps to a Secure Laravel App.

Toss a coin in the jar if you found this helpful.
Want a tip like this in your inbox every weekday? Sign up below 👇🏼
email
No spam. Only real-world advice you can use.