This thread has two topics. One is about the constant bot scanning that occurs on domains, and the other is what to display for unauthorized users trying to access your admin page.
Bot scanning
I have separated my 404 errors from the other errors, so I can be more alert to the actual errors that I need to care about. With this I am noticing that differing IPs keep scanning my site for vulnerabilities, like old WordPress sites, login pages etc.
Is that something I should take notice of? Sure, I don’t actually have any of those sites, but do you guys block those IPs or anything else? Surely just banning IPs is useless as they keep changing. Is this just something one has to live with?
Unauthenticated users trying to access your admin pages
I have a website with a user interface and an admin interface, like many other sites. On this site, you have to be a logged in user to do anything on the site. Thus, you are faced with a login form from the get-go if you are not logged in.
I’m curious how you guys handle unauthorized requests to your admin interface. If they try to access a non-existent route in your admin prefix (admin/non-existing-controller/index), surely you give them a 404 error. What if it’s an actual route on your site, do you give them an “Access denied” kind of error page if they are logged in and a redirect if they are not, or do you just give them the same 404 error, as a way to conceal your actual admin routes? Or even conceal that you in fact have an admin interface at all. This links in with the other topic in this thread, about bots trying to find vulnerabilities on your site. If they see that /admin is an actual route, they have found “something”.
I am doing the latter. All unauthorized requests receive a 404 error. This gives me a dilemma when an admin receives an email with a link to a route in the admin interface, but is not logged in. The admin is then faced with a 404 error, making it appear as though the email is giving out a non-working link. If I redirect them to the login form, they will then log in and be redirected back to the link from the email. But then my admin routes are “visible” from the outside.
A workaround could be to append something in the query params in the link when sending an email, letting me know this is an actual admin trying to access the site, and have them redirected to the login form. I just want to hear from you guys what you do on your own projects.
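The workaround described in the post (a marker in emailed links so a real admin gets a login redirect while everyone else still sees a 404), as an added example that is not code from the original post. The route table, session shape, secret and one-week lifetime are assumptions; the one security detail added is that the marker is an HMAC over the path plus an expiry, so a scanner cannot simply append the same query parameter to find admin routes. Python is used here only because the poster's stack is not stated.

```python
"""Deciding what an unauthorized request under /admin gets back.

Added example, not from the original post. The route table, session
format, secret and marker lifetime below are hypothetical; the signed
"admin intent" marker is one way to make the poster's workaround
unguessable instead of a fixed query parameter anyone could copy.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical: the admin routes the application really serves.
ADMIN_ROUTES = {"/admin/users/index", "/admin/reports/index"}
# Hypothetical server-side secret; load from config in a real deployment.
SECRET = b"example-secret-do-not-use"
MARKER_TTL = 7 * 24 * 3600  # assumption: emailed links stay valid one week


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # set only for a 302


def _sign(path: str, expires: int) -> str:
    """HMAC-SHA256 over path and expiry, so the marker is bound to one route."""
    return hmac.new(SECRET, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()


def admin_link(path: str, now: Optional[int] = None) -> str:
    """Link to embed in an email: the admin path plus a signed, expiring marker."""
    if path not in ADMIN_ROUTES:
        raise ValueError("not an admin route")
    exp = int(now if now is not None else time.time()) + MARKER_TTL
    return f"{path}?{urlencode({'exp': exp, 'sig': _sign(path, exp)})}"


def parse_link(url: str) -> tuple:
    """Split a relative link into (path, query dict) the way a router would."""
    parts = urlsplit(url)
    return parts.path, dict(parse_qsl(parts.query))


def marker_valid(path: str, query: dict, now: Optional[int] = None) -> bool:
    """Constant-time check; a missing, forged or expired marker is treated as a bot."""
    try:
        exp = int(query.get("exp", ""))
    except ValueError:
        return False
    if exp < (now if now is not None else time.time()):
        return False
    return hmac.compare_digest(query.get("sig", ""), _sign(path, exp))


def handle_admin_request(path: str, query: dict, session: dict,
                         now: Optional[int] = None) -> Response:
    """The policy from the post: every unauthorized /admin request looks like
    a 404, except a real route carrying a valid marker from our own email,
    which gets a redirect to the login form with a return target."""
    is_real_route = path in ADMIN_ROUTES
    if session.get("role") == "admin":
        return Response(200) if is_real_route else Response(404)
    if is_real_route and marker_valid(path, query, now):
        # `next` comes from ADMIN_ROUTES, a fixed relative path, so the login
        # form can redirect to it without creating an open redirect.
        return Response(302, location="/login?" + urlencode({"next": path}))
    return Response(404)
```

Two things worth noting about this design: a forged or expired marker, and a marker copied from one admin route onto another, all fall through to the same 404 the scanner already gets, so the marker leaks nothing about which routes exist. And because the marker only buys a redirect to the login form rather than any access, its presence in mail logs or browser history costs little.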