How could we tell you about an IP inside your own network? Look at the host using that IP and see what’s running on it.
this post was submitted on 19 Oct 2025
29 points (87.2% liked)
Selfhosted
52506 readers
2079 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Well it is definitely specific to Lemmy, I selfhost over 20 services and only Lemmy gets pinged on midnight. The only other service I saw doing this was Nextcloud, Nextcloud instance needs to reach itself, but for Lemmy it is a different IP, which is puzzling me
Sounds like either federation working as intended, or some client app trying to cache info about your instance. Might be https://fedidb.com/ or https://fediverse.observer/ or some other service.
Got the log?
Nothing in Lemmy's logs, in Pangolin's logs it's only the lines about attempted access each midnight
An ICMP ping or a web request?
If it's a web request the first thing that comes to mind is do you have BitWarden?
Yes, I do. It is probably a web request
There was a post a few days ago about someone using it and it pulled a tonne of data. I wonder if it also does polls to check if the link is still valid.
Bitwarden uses the favicon from the first link in the password entry.
For my selfhosted web pages I use the public info page of the selfhosted page (e.g. openMediaVault) and set detection to [none].
This way it won't match against the 3rd party page but I get the icon :)
BUUUT it should only poll if you activate the program/extension.
Don't know why it should poll at midnight
I do not have my Lemmy's link in the Bitwarden
Is your server running on UTC? Depending on your location midnight UTC could also be 8 AM and it could be a user with a very regular morning schedule.
Only you can find out which machine is sending this request...
My timezone is CET, so I get the ping on 2AM. The Lemmy container should be on UTC as I did not specify the timezone when launching the container. It is definitely not human, as the ping comes exactly on midnight UTC, or seconds away from midnight. I will turn off the Pangolin auth and investigate further this midnight. Again sorry for not providing more information, I was certain that it is a thing internal to Lemmy and I was just curious what it is
Update: So it turns out I was perhaps correct with my hunch. The local IP turns out to be the proxy I set for ports 80 and 443 (it was internal Wireguard IP). Unfortunately my current setup did not allow me to catch which IP the request came from (which is a problem I have to solve later) but the lemmy-proxy container got requests for GET /.well-known/nodeinfo and GET /nodeinfo/2.1. So it is probably something checking my server, likely from the Lemmy network.
And when you ping that IP address back, what happens?
Can you trace it?
Maybe setup wireshark and record what happens at that time of night...
I will definitely do that, right now I can't work with anything because the traffic gets stopped at Pangolin's level, but I will turn off Pangolin's auth for one night