u/DatMemeKing

▲ 247 r/LocalLLM

I know we're all having fun with our locally deployed LLM instances, but I just wanted to take a moment to remind everyone that obscurity is not enough to protect you from scrapers and crawlers.

As a practice of my extremely basic OSINT skills, I decided to check how many publicly exposed devices (IPv4 only) had ports that matched the hash of LM Studio's Express.js server.

373 - That's not a small number :(

That's not just how many devices had a port serving LM Studio to the open internet; 373 is just the number of devices serving LM Studio instances that do not require an API key (as the hash would be different).
Again, this gives full unfettered access to your models and allows people to interact with your instances of LM Studio, or whatever platform decides it's a good idea to have no API key by default.

Unless you know what you're doing (you don't if you show up on this map), do not expose your LLM platforms to the wide internet.

Harden your installs, use Tailscale, reverse proxies with auth, etc.

u/DatMemeKing — 25 days ago
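
A local self-check for the advice in the post, as an added example that is not part of the original post: it parses `ss -ltn` output from your own machine and reports whether an LLM server port is bound to loopback, a Tailscale address, the LAN, or every interface. The port numbers in `LLM_PORTS` and the sample output are constructed assumptions; set the ports to whatever your server actually uses.

```python
import ipaddress
import subprocess

LLM_PORTS = {1234, 5000, 8080}  # assumption: replace with the port(s) your server uses
TAILNET = ipaddress.ip_network("100.64.0.0/10")  # CGNAT range Tailscale assigns IPv4 from
# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE = """\
State  Recv-Q Send-Q    Local Address:Port  Peer Address:Port
LISTEN 0      511             0.0.0.0:1234       0.0.0.0:*
LISTEN 0      511           127.0.0.1:5000       0.0.0.0:*
LISTEN 0      511     100.101.102.103:8080       0.0.0.0:*
LISTEN 0      128                [::]:22            [::]:*
"""

def split_local(field):
    """Split an ss 'Local Address:Port' field into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return addr, int(port)

def classify(addr):
    """Return how widely a listener bound to addr can be reached."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and ip in TAILNET:
        return "tailnet"
    return "lan" if (ip.is_private or ip.is_link_local) else "public"

def audit(ss_output, ports):
    """Return (port, address, scope) for every listener on one of the given ports."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            addr, port = split_local(cols[3])
            if port in ports:
                findings.append((port, addr, classify(addr)))
    return findings

if __name__ == "__main__":
    try:
        out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE  # ss not available: fall back to the constructed sample
    for port, addr, scope in audit(out, LLM_PORTS):
        print("OK     " if scope in ("loopback", "tailnet") else "EXPOSED", port, addr, scope)
```

A wildcard or LAN bind only becomes internet-reachable if a firewall or router forwards the port, so treat `EXPOSED` as a prompt to check those rules as well.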