1. Output of `caddy version`:

```
./caddy.exe version
v2.5.1
```
2. How I run Caddy:
As a reverse proxy for my Jellyfin server on Windows 11 with TLS.
a. System environment:
| Edition | Windows 11 Pro |
|---|---|
| Version | 21H2 |
| Installed on | 8/8/2022 |
| OS build | 22000.856 |
| Experience | Windows Feature Experience Pack 1000.22000.856.0 |
b. Command:
NA
c. Service/unit/compose file:
```
rrprod.tplinkdns.com {
	log {
		output file access.log {
			roll_size 10mb
			roll_keep 20
			roll_keep_for 720h
		}
	}
	reverse_proxy 127.0.0.1:8096
}
```
d. My complete Caddy config:
```
rrprod.tplinkdns.com {
	log {
		output file access.log {
			roll_size 10mb
			roll_keep 20
			roll_keep_for 720h
		}
	}
	reverse_proxy 127.0.0.1:8096
}
```
3. The problem I’m having:
I'm using Caddy as a reverse proxy for my Jellyfin media server. It's a public-facing setup which I use, and ever since my media server went public on the internet I'm getting the following pop-ups from my antivirus BitDefender almost three times every 30 minutes:
Description of the above message:
Feature: Online Threat Prevention
Activity resembling botnet behavior was made by xx.xx.xx.xx We blocked the connection to prevent the infection of your device which would have been used to propagate the threat.
And the IP addresses from which the attacks most frequently originate are as below:
164.92.105.208
45.141.239.148
45.61.186.139
193.233.179.14
188.166.8.119
45.141.239.135
62.197.136.60
Fed up with these notifications, which affect my gameplay while playing games, I raised this with BitDefender support and gave them the OS logs they wanted. Finally they told me that all the suspicious connections were generated by caddy (for some reason I can't post the entire path to caddy.exe, as the forum isn't allowing me to post it), which tried to connect to http://124.123.97.236:80/boaform/admin/formLogin.
4. What I already tried:
Upon searching about `boaform/admin/formLogin`, I came to know that it's a type of attack used to gain privileged access to the OS in a certain manner. Moreover, none of the above IPs are reflected in the access logs of Caddy.
5. Need help with:
- a. What is wrong in my setup? Is this nothing but a botnet attack?
- b. If yes, then how come the IP addresses aren't being reflected in the access log? Is BitDefender detecting these connections before they hit Caddy?
- c. If no, then how can I find the user-agents of these requests and block them via Caddy itself?
- d. What is `boaform/admin/formLogin`? I never hosted this in Caddy. Where is this path coming from?
- e. What change shall I make to my media server setup to avoid this? Shall I host it on a subpath instead of `/`, e.g. `rrprod.tplinkdns.com/subpath`?
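For questions c and d above, the place to look is the `access.log` file the Caddyfile already writes: Caddy 2.x emits one JSON object per handled request, including the remote IP, the URI and the request headers. The script below is an added example (not the poster's code and not part of Caddy) that reads such a log and groups requests for paths the site never served by remote IP and User-Agent; the log lines are constructed samples in the v2.5 field layout (`request.remote_ip`, `request.uri`, `request.headers`), and the list of legitimate Jellyfin path prefixes is an assumption to adjust for your own setup.

```python
"""Summarise probe requests in a Caddy v2 JSON access log (added example)."""
import json
from collections import Counter

# Assumption: Jellyfin is served at / and its real URLs start with these prefixes.
EXPECTED_PREFIXES = ("/web/", "/System/", "/Users/", "/Items/", "/Sessions/")

# Constructed sample lines in the Caddy 2.5 access-log shape; not real traffic.
SAMPLE_LOG = """\
{"level":"info","ts":1660000000.1,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"203.0.113.5","remote_port":"51000","proto":"HTTP/1.1","method":"GET","host":"rrprod.tplinkdns.com","uri":"/web/index.html","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0)"]}},"status":200}
{"level":"info","ts":1660000001.2,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"198.51.100.7","remote_port":"40000","proto":"HTTP/1.1","method":"POST","host":"rrprod.tplinkdns.com","uri":"/boaform/admin/formLogin?username=admin","headers":{"User-Agent":["python-requests/2.28.1"]}},"status":404}
{"level":"info","ts":1660000002.3,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"198.51.100.7","remote_port":"40001","proto":"HTTP/1.1","method":"GET","host":"rrprod.tplinkdns.com","uri":"/boaform/admin/formLogin","headers":{"User-Agent":["python-requests/2.28.1"]}},"status":404}
{"level":"info","ts":1660000003.4,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.0.2.9","remote_port":"3000","proto":"HTTP/1.1","method":"GET","host":"rrprod.tplinkdns.com","uri":"/.env","headers":{}},"status":404}
"""


def summarize_probes(log_text, expected_prefixes=EXPECTED_PREFIXES):
    """Return Counter{(remote_ip, user_agent, path): hits} for off-site paths.

    A request counts as a probe when its path is neither the site root nor
    under one of the prefixes the application legitimately serves.
    """
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = json.loads(line)["request"]
        path = req["uri"].split("?", 1)[0]  # drop the query string
        if path == "/" or path.startswith(expected_prefixes):
            continue
        # Header values are lists in Caddy's log; a missing header is itself a signal.
        ua = req.get("headers", {}).get("User-Agent", ["<none>"])[0]
        hits[(req["remote_ip"], ua, path)] += 1
    return hits


if __name__ == "__main__":
    for (ip, ua, path), n in summarize_probes(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ip:15}  {path:30}  {ua}")
```

Point it at the real `access.log` (one `json.loads` per line) and the IP/User-Agent/path tuples it reports are exactly what a Caddy request matcher on path or header needs in order to answer those requests with a 403 instead of proxying them to Jellyfin; if the addresses from the BitDefender alerts never appear here, the connections were stopped before Caddy logged a request.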