A very effective first step is to put it on a vhost with a domain you control, and drop traffic to the default vhost. 99.999% of scanners are just going through IPs looking for stuff, so don’t give them anything. Better yet, block any IP that scans you more than a dozen or so times.
Obviously some stuff will find you through cert issuance logs, but most of the bastards don’t bother with that level of sophistication.
A very effective first step is to put it on a vhost with a domain you control, and drop traffic to the default vhost. 99.999% of scanners are just going through IPs looking for stuff, so don’t give them anything. Better yet, block any IP that scans you more than a dozen or so times.
Obviously some stuff will find you through cert issuance logs, but most of the bastards don’t bother with that level of sophistication.