If a back-end is merely accessible that way though, even just seeing a login page, that's a case of already having ignored the basics and created said hole oneself, deliberately and massively.
Go-to solution is setting up VPN to the server (such as OpenVPN profiles using signed keys), then configuring anything back-end-like to reject connections unless it's from that tunnel interface. Bare minimum solution, the HTTP service should require a signed client TLS certificate imported into the browser before it shows that page at all!
SithEmpire 0 points 2 weeks ago
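The two controls described in the comment above (back-end reachable only over the VPN tunnel, and a client TLS certificate required before the login page is served), as an added example that is not part of the original comment. It assumes nginx is the HTTP service and that the OpenVPN tunnel uses 10.8.0.0/24 with the server at 10.8.0.1; the host name, file paths and upstream port are placeholders.

```nginx
# Added example. Addresses, names and paths are placeholders/assumptions.

# Before: the admin back-end listens on every interface and serves its
# login page to anyone who can reach port 443.
#
# server {
#     listen 443 ssl;
#     server_name admin.example.internal;
#     location / { proxy_pass http://127.0.0.1:8080; }
# }

# After: tunnel-only listener plus mandatory client certificate.
server {
    # Control 1: bind only to the VPN tunnel address (assumed tun0 = 10.8.0.1),
    # so the listener does not exist on the public interface at all.
    listen 10.8.0.1:443 ssl;
    server_name admin.example.internal;

    ssl_certificate     /etc/nginx/tls/admin.crt;
    ssl_certificate_key /etc/nginx/tls/admin.key;

    # Control 2: mutual TLS. Only certificates signed by this CA are accepted;
    # a request without a valid client certificate gets an HTTP 400 error
    # from nginx and never reaches the login page.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    # Defence in depth: refuse any source address outside the tunnel subnet,
    # in case the listen address is later widened by mistake.
    allow 10.8.0.0/24;
    deny  all;

    location / {
        # The application itself stays bound to loopback only.
        proxy_pass http://127.0.0.1:8080;
        # Pass the verified certificate subject on for audit logging.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

nginx fails to start if 10.8.0.1 is not yet assigned when it binds, so the tunnel interface has to be up before the web server is started.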