by unexistential 1600 days ago
I built something similar for my girlfriend's birthday a few months ago. A buzzer and a lightbulb connected through a relay to an RPi, which hosts a basic HTTP server. The server is exposed to the Internet through a reverse ssh tunnel to a VPS in the cloud.

What has taken me aback is how it regularly receives malicious traffic that I suspect is from bots scanning for vulnerable servers. The hostname is not shared anywhere public. The client app that knows the URL has only been shared to her as an APK. Made me realize there's no such thing as security through obscurity.

2 comments

You're saying the malicious requests are hitting the obscure path that only shows up in her apk?

Is it running https? Trying to think of how they would have gotten that, eavesdropping would be one way.

OTOH if they are hitting your host by randomly probed IP address but don't know the obscure path, that is not surprising at all. There are tons of exposed http ports unknown to their operators, and it makes total sense that bad actors are trying to discover them.

No, thankfully they're hitting paths like /phpmyadmin/index.html which do not exist on the server. Makes sense, it's probably random IP address based probes like you said.

I'm not running https but I should, to protect myself from someone MITMing the requests and possibly pwning my Pi.

I wonder if having only an IPv6 address would provide enough obscurity to be reasonably secure in this case? Or maybe those allocations are still too publicly guessable?