I’m running an Apache webserver open on port 80 for experimental purposes.
As a current project, I’m using the server for one-way file sharing. For instance, if I’m playing a computer game and I clip something, I get the server to convert it to an MP4 file below 10MB (so Discord can generate a video thumbnail). After this, it generates a string of random X characters, renames the file, and then puts it on the webserver. E.g., an example link would look like “http://MYDDNS/JBVFIDSBGILSDEOIJNBADSIKD.MP4”
I know opening a server to the internet is a risk regardless. For this reason:
* I’m running Apache alone, no mods, no PHP, no scripts, nothing has been activated in the conf file.
* I’ve got directory listing turned off
* I’ve got fail2ban running (custom filter so multiple 404/403 attacks within 10 mins get banned)
* The files on the server are random names which are not possible to guess (by humans anyways)
There isn’t any sensitive material on the web server because at the end of the day, anyone can access it.
And now to the point of this post: I recently found a Google bot going through some random old MP4 videos. I’ve included an example of the logs:
* How else can I secure my webserver further?
* Do I have any major security issues here that I’m missing?
* How did that bot stumble upon this link?
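
For reviewing the access log against the setup described above, here is an added example (not part of the original post, and not the poster's fail2ban filter). It applies the same "repeated 404/403 within 10 minutes" rule and lists successful MP4 fetches by self-identified crawlers together with the Referer they sent. The threshold of 5, the combined log format, and all sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
WINDOW = timedelta(minutes=10)            # window stated in the post
MAX_ERRORS = 5                            # assumed threshold; the post only says "multiple"
CRAWLER = re.compile(r"bot|crawler|spider", re.I)  # User-Agent is client-supplied, so this is a hint only

def analyse(lines):
    """Return (ips_to_ban, crawler_hits) for an iterable of access-log lines."""
    recent = defaultdict(deque)           # ip -> timestamps of its recent 403/404 responses
    ban, hits = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        is_video = m["path"].lower().endswith(".mp4")
        if m["status"] in ("403", "404"):
            q = recent[m["ip"]]
            q.append(ts)
            while ts - q[0] > WINDOW:     # drop errors that fell out of the 10-minute window
                q.popleft()
            if len(q) >= MAX_ERRORS:
                ban.add(m["ip"])
        elif m["status"] in ("200", "206") and is_video and CRAWLER.search(m["ua"]):
            hits.append((m["ip"], m["path"], m["referer"]))
    return ban, hits

def _line(ip, hhmm, path, status, ua):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [01/Mar/2024:{hhmm}:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE = (
    [_line("203.0.113.7", f"10:0{i}", f"/guess{i}.php", 404, "curl/8.0") for i in range(5)]  # burst
    + [_line("198.51.100.9", f"1{i}:00", f"/old{i}", 404, "curl/8.0") for i in range(5)]      # hourly, slow
    + [_line("192.0.2.10", "12:30", "/JBVFIDSBGILSDEOIJNBADSIKD.MP4", 206, GOOGLEBOT),
       _line("192.0.2.44", "12:31", "/JBVFIDSBGILSDEOIJNBADSIKD.MP4", 200, "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0")]
)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The hourly 404s from the second sample address never reach the threshold inside one window, so a window-based ban rule does not catch slow probing.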