- Zero-Day Wire
- Posts
- Defend the Web (Week 1): Attack Surface Reduction & Recon Detection
Defend the Web (Week 1): Attack Surface Reduction & Recon Detection
How to Minimize Your Attack Surface & Detect Reconnaissance Attempts
π‘οΈ Week 1: Attack Surface Reduction & Recon Detection
Defend the Web: Part 1 of 8
Welcome to Defensive Wednesday.
Hey π
Yesterday we showed you how attackers map your infrastructure through reconnaissance.
If you missed the Week 1 Offensive edition, you can read it here π link
Today we flip the script.
You're going to learn how to shrink your attack surface and detect when someone's poking around.
Here's the reality β you can't defend what you don't know exists. And attackers are already looking for what you've forgotten about.
Let's lock it down.
π§ What is Attack Surface Reduction?
Attack surface reduction means minimizing what's exposed to the internet.
Every open port, every subdomain, every service is a potential entry point.
The defender's job: Expose only what's necessary. Secure everything else.
Simple math: If you have 50 doors, you need to monitor and lock all 50. But if you only keep 5 open, your job just got 10x easier.
π― The Defensive Mindset
Attackers have time. They can probe, wait, and try again.
You need to:
Know your entire attack surface (before attackers do)
Reduce unnecessary exposure
Monitor for reconnaissance activity
Respond before exploitation happens
Defense is proactive, not reactive.
π§ The Defense Process (Step by Step)
Step 1: Map Your Own Attack Surface
Run the same tools attackers use to see what's exposed.
Subdomain Discovery
Subfinder (github.com/projectdiscovery/subfinder)
subfinder -d yourcompany.com -o your-subdomains.txt
Amass (github.com/owasp-amass/amass)
amass enum -d yourcompany.com -o amass-audit.txt
What you'll find: Forgotten subdomains, old staging servers, dev environments, shadow IT assets.
Fix it: Audit everything, decommission what's not needed, move internal tools behind VPN.
DNS Record Audit
dig yourcompany.com ANY
dig yourcompany.com TXT
Look for: Outdated A records, TXT records exposing internal info, MX records revealing mail infrastructure, CNAMEs pointing to unused services.
Fix it: Remove stale DNS records, use generic naming, implement DNSSEC, limit zone transfers.
Step 2: Port & Service Hardening
Scan yourself before attackers do with Nmap (nmap.org):
nmap -p- yourserver.com
nmap -sV -A yourserver.com
You're looking for: Unnecessary open ports, outdated service versions, services that shouldn't be internet-facing.
Port Hardening:
Close unnecessary ports β only expose 80/443. Block everything else at firewall level.
Disable unused services:
# Check running services (Linux)
systemctl list-units --type=service --state=running
# Disable unused service
sudo systemctl disable servicename
sudo systemctl stop servicename
Update service versions:
sudo apt update && sudo apt upgrade -y
Change default ports β Move SSH from port 22 to reduce automated scanning:
sudo nano /etc/ssh/sshd_config
# Change: Port 22 β Port 2299
sudo systemctl restart sshd
Firewall setup with UFW (help.ubuntu.com/community/UFW):
sudo ufw default deny incoming
sudo ufw allow 443/tcp
sudo ufw allow 80/tcp
sudo ufw enable
Step 3: Detect Reconnaissance Activity
Attackers leave traces. You need to see them.
Monitor for Port Scanning
Fail2Ban (fail2ban.org) β Auto-blocks suspicious IPs
sudo apt install fail2ban
Configure for port scan detection:
sudo nano /etc/fail2ban/jail.local
Add:
[port-scan]
enabled = true
filter = port-scan
logpath = /var/log/syslog
maxretry = 3
bantime = 86400
PSAD (cipherdyne.org/psad) β Port Scan Attack Detector
sudo apt install psad
sudo psad --fw-analyze
PSAD monitors iptables logs and detects port scans, fingerprinting, and unusual patterns.
Suricata (suricata.io) β IDS/IPS
sudo apt install suricata
sudo systemctl enable suricata
Configure rules to detect Nmap scans and recon tools.
Monitor DNS Queries
Watch for: Spikes in DNS queries, zone transfer attempts, queries for non-existent subdomains.
Monitor DNS queries:
sudo tcpdump -i any -n port 53
Disable DNS zone transfers:
In BIND config (/etc/bind/named.conf):
zone "yourcompany.com" {
type master;
file "/etc/bind/zones/yourcompany.com";
allow-transfer { none; };
};
Step 4: OSINT Defense
Remember theHarvester (github.com/laramies/theHarvester) and Google Dorking? Here's how to defend against it.
Email Exposure Mitigation
Problem: Public emails create phishing targets.
Fix: Remove emails from public docs, use contact forms, use generic emails (info@, support@).
Check exposure:
theHarvester -d yourcompany.com -b all
Metadata Scrubbing
Clean metadata with ExifTool (exiftool.org):
exiftool -all= document.pdf
Google Dork Defense
Test yourself:
site:yourcompany.com filetype:pdf
site:yourcompany.com inurl:admin
site:yourcompany.com intitle:"index of"
Fix exposures: Use robots.txt, add authentication, remove directory listings, use Google Search Console to remove indexed pages.
Step 5: Monitor Internet-Wide Scans
You can't stop Shodan (shodan.io) and Censys (search.censys.io) from scanning you, but you can monitor what they see.
Check exposure on Shodan:
hostname:yourcompany.com
Check Censys:
services.tls.certificates.leaf.names: yourcompany.com
Look for: Exposed services, old servers, misconfigured instances, exposed databases.
Set up alerts: Create Shodan alerts, monitor Censys for changes.
Step 6: Cloud Asset Management
AWS:
aws ec2 describe-instances
aws s3 ls
Azure:
az resource list --output table
π οΈ Complete Tool List
Recon Detection
Tool | Purpose | Link |
|---|---|---|
Fail2Ban | Auto-block suspicious IPs | |
PSAD | Port scan detection | |
Suricata | IDS/IPS | |
Snort | Intrusion detection | |
Zeek | Network security monitor |
Hardening
Tool | Purpose | Link |
|---|---|---|
UFW | Firewall management | |
Lynis | Security auditing | |
OpenSCAP | Compliance scanning |
π Learning Resources
Guides:
CIS Benchmarks β cisecurity.org/cis-benchmarks
NIST Cybersecurity Framework β nist.gov/cyberframework
OWASP Attack Surface Analysis β owasp.org
SANS Reading Room β sans.org/white-papers
Practice:
TryHackMe: "Cyber Defense" path
Hack The Box: Blue Team labs
Set up a honeypot to see recon in action
Books:
"Blue Team Handbook" by Don Murdoch
"Defensive Security Handbook" by Lee Brotherston & Amanda Berlin
"Network Security Assessment" by Chris McNab
β Week 1 Defense Checklist
[ ] Mapped complete attack surface (subdomains, IPs, services)
[ ] Closed unnecessary ports and disabled unused services
[ ] Implemented firewall rules (default deny)
[ ] Set up recon detection (Fail2Ban or IDS)
[ ] Audited DNS records and removed stale entries
[ ] Tested yourself with Google Dorks and fixed exposures
[ ] Checked Shodan/Censys for your assets
[ ] Cleaned metadata from public documents
π― Key Takeaways
You can't defend what you don't know exists. Map your attack surface regularly.
Reduce exposure. Every service is a potential entry point. Minimize ruthlessly.
Think like an attacker. Use the same recon tools on yourself.
Detection matters. You can't stop all recon, but you can see it happening.
Automate monitoring. Set up alerts for new assets and scan attempts.
Defense is continuous. Your attack surface changes constantly. Audit regularly.
That's Week 1 Defense π‘οΈ
You now know how to shrink your attack surface and spot reconnaissance before it turns into an attack.
Next Tuesday: We're attacking Authentication & Session Management.
Next Wednesday: We'll show you how to build authentication systems attackers can't break.
Stay sharp.
Your Feedback MattersDid You Enjoy This Weekβs Defensive Tutorial? |
β ZwireβοΈ
P.S. Got questions? Reply to this email. I read everything.
Reply