I have a few servers exposed on IP addresses, but they are not meant for public access. You have no authorization for 'messing' with this site: what you deem playing around, might be hacking.
You may also hit a government or military IP address, known or unknown. If you mess around with them, you may receive some unfriendly visits from men in black.
I specifically purchased my internet connection with the intention of browsing the available content of all other connected hosts.
You DO NOT have my authorization to block or restrict my ability to mess with other hosts. Doing so may be a violation of my terms of service, and interference in interstate commerce.
You have unprotected servers public facing on the internet? Cool. That's definitely not something you should be concerned about and addressing immediately.
If it's on the public internet with no security, how can someone tell if their access is unauthorised? It's not really that different from connecting to facebook.com or the various publicly accessible ssh servers.
I mean, your IP is being crawled by random bots dozens of times per day, what's the difference between that website and the traffic your IP gets already?
Seriously, this is a laughable concern – if you have a "public facing server" you're already listed in Google, Shodan, being probed by dozens of IPs across the world...
[21/Jun/2021:19:07:19 +0000] "GET / HTTP/1.1" 301 169 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"
I remember thinking that ads in server logs was a new one to me.
Let me explain: I am not running any services on standard ports. You'd have to do a port scan and find one of the ports running a web service. But they're HTTPS (with unsigned personal certificate keys, mind you) and are password protected.
I still get so. many. random people entering passwords and trying to break in. They don't look like a wordlist or automated bots; they're literally people guessing.
Just because you see a username and password screen after you nmap this public IP doesn't give you the right to start trying to hack it.
You're making a normative argument; I'm making a positive one.
You ought not try random usernames/passwords on someone's public server, I agree. But if you expose a public server that lets someone type a username/password, you had best be ready for someone to guess values.
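The scanner entry quoted upthread and the password-guessing traffic the server owner describes are the two things a web access log lets a defender tell apart. The following is an added example, not code from anyone in this thread: a small Python script that parses combined-format access-log lines, tags requests carrying the Expanse scanner user-agent string quoted above, flags source IPs that fail a login endpoint repeatedly inside a short window, and separately flags IPs that succeed at login right after failing. The log lines, IP addresses, the `/login` path, the five-failures-in-sixty-seconds threshold and the `SCANNER_MARKERS` list are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (Apache/nginx "combined" format). The Expanse user-agent
# string is the one quoted in the thread; IPs, paths and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2021:19:07:19 +0000] "GET / HTTP/1.1" 301 169 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"
198.51.100.23 - - [21/Jun/2021:19:08:01 +0000] "GET /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Jun/2021:19:08:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Jun/2021:19:08:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Jun/2021:19:08:14 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Jun/2021:19:08:20 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Jun/2021:19:08:27 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Jun/2021:19:09:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Jun/2021:19:09:30 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings identifying self-declared internet-wide scanners. Only the Expanse
# string comes from the thread; extending this list is an operator decision.
SCANNER_MARKERS = ("Expanse, a Palo Alto Networks company",)

# Assumption: the application's authentication endpoint(s).
LOGIN_PATHS = ("/login",)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def is_login_attempt(e):
    """A credential submission is a POST to a login path; GETs that render the form are ignored."""
    return e["method"] == "POST" and any(e["path"].startswith(p) for p in LOGIN_PATHS)


def analyze(entries, threshold=5, window_seconds=60):
    """Return scanner IPs, IPs with `threshold` login failures inside `window_seconds`,
    and IPs whose login succeeded after at least one failure."""
    scanners = set()
    failures = defaultdict(list)      # ip -> sorted timestamps of 401s on login
    success_after_failure = set()
    for e in sorted(entries, key=lambda x: x["ts"]):
        if any(marker in e["ua"] for marker in SCANNER_MARKERS):
            scanners.add(e["ip"])
        if not is_login_attempt(e):
            continue
        if e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
        elif e["status"] == 200 and failures[e["ip"]]:
            success_after_failure.add(e["ip"])
    brute_force = set()
    for ip, times in failures.items():
        # Sliding window: any `threshold` consecutive failures within the window.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                brute_force.add(ip)
                break
    return {
        "scanners": sorted(scanners),
        "brute_force": sorted(brute_force),
        "success_after_failure": sorted(success_after_failure),
    }


if __name__ == "__main__":
    for category, ips in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{category}: {', '.join(ips) or '-'}")
```

On a real host, `parse_log(open(path).read())` replaces the constructed sample. The three lists answer different questions: a self-declared scanner hitting `/` with a 301 is background noise that the "being probed by dozens of IPs" comment describes, a run of failures on the login endpoint is the guessing the server owner is seeing and is what a fail2ban-style block keys on, and a success following failures is the case that warrants checking whether the credential is still trustworthy.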