chore: auto-commit uncommitted changes

James 2026-02-22 12:02:06 -05:00
parent bd0465de1e
commit 3c644f2c44
9 changed files with 490 additions and 10 deletions

Binary file not shown.


@ -1,9 +1,9 @@
{ {
"last_updated": "2026-02-22T14:00:01.371829Z", "last_updated": "2026-02-22T17:00:02.424506Z",
"source": "api", "source": "api",
"session_percent": 0, "session_percent": 10,
"session_resets": null, "session_resets": "2026-02-22T19:00:00.358791+00:00",
"weekly_percent": 16, "weekly_percent": 17,
"weekly_resets": "2026-02-28T19:00:00.346050+00:00", "weekly_resets": "2026-02-28T19:00:00.358819+00:00",
"sonnet_percent": 20 "sonnet_percent": 22
} }
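Review bot: the timestamps in this object mix two UTC spellings: `last_updated` ends in `Z` while `session_resets` and `weekly_resets` end in `+00:00`. Normalize them at write time so every consumer parses the file with one format, and so the diffs of these hourly auto-commits stop churning on representation rather than on value.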


@ -7,13 +7,13 @@
"news": 1771597876, "news": 1771597876,
"claude_usage": 1771597876 "claude_usage": 1771597876
}, },
"lastBriefing": "2026-02-20T14:30:00.000Z", "lastBriefing": "2026-02-22T15:55:54.305561Z",
"lastWeeklyDocker": "2026-02-22T08:33:05.950745+00:00", "lastWeeklyDocker": "2026-02-22T08:33:05.950745+00:00",
"lastWeeklyHAOS": "2026-02-22T08:33:05.950745+00:00", "lastWeeklyHAOS": "2026-02-22T08:33:05.950745+00:00",
"lastWeeklyMemorySynthesis": "2026-02-22T10:05:38.031320Z", "lastWeeklyMemorySynthesis": "2026-02-22T10:05:38.031320Z",
"lastDocInbox": "2026-02-20T14:30:00.000Z", "lastDocInbox": "2026-02-20T14:30:00.000Z",
"lastTechScan": "2026-02-20T14:30:00.000Z", "lastTechScan": "2026-02-22T15:55:54.305561Z",
"lastMemoryReview": "2026-02-22T01:03:37.069142Z", "lastMemoryReview": "2026-02-22T01:03:37.069142Z",
"lastIntraDayXScan": "2026-02-22T04:32:16.162146Z", "lastIntraDayXScan": "2026-02-22T14:33:26.869606+00:00",
"lastInouSuggestion": "2026-02-22T02:18:11.508306Z" "lastInouSuggestion": "2026-02-22T14:30:55.694675+00:00"
} }
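Review bot: `lastIntraDayXScan` and `lastInouSuggestion` switch from the `...Z` form to `...+00:00` in this change while `lastBriefing` and `lastTechScan` keep `Z`, so two writers are serializing the same state file differently. Pick one serializer (or normalize on write) so the scheduler compares like with like and a future "is this stale" check does not depend on which job wrote the field last.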


@ -0,0 +1,31 @@
# Caddy (192.168.0.2) — Security Baseline
Established: 2026-02-22
## Root SSH Authorized Keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge
## Expected Users (uid>=1000)
nobody:65534 (system)
johan:1000
stijn:1001 (/var/www/flourishevents — web service account, nologin equivalent)
## Expected Listening Ports
- 22 (SSH)
- 80/443 (Caddy reverse proxy)
- 40021 (vsftpd passive FTP)
- 2019 (Caddy admin API — localhost)
- 53 (systemd-resolved — localhost)
## SSH Hardening
- PasswordAuthentication: no ✅
- PermitRootLogin: without-password ✅
- PubkeyAuthentication: yes ✅
## Known Firewall State
UFW: ACTIVE ✅
Rules: SSH (LIMIT from LAN), 80/443 (ALLOW), 40021 (ALLOW), 40000-40010 (ALLOW — FTP passive)
## Known Issues at Baseline
- fail2ban not active
- vsftpd running (FTP) — known for flourishevents site
- User `stijn` exists (/var/www/flourishevents) — web service account
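Review bot: the only root key on this public-facing host is `james@forge`, and the forge baseline in this same commit records that host as having no UFW and no fail2ban, so root on caddy is only as protected as forge's LAN exposure; record that dependency here and keep it on the action list. The `fail2ban not active` entry under Known Issues at Baseline will read as expected state on the next scan even though 80/443 and the FTP ports are `ALLOW` from anywhere; tie it to an action item with an owner and date rather than baselining it. Minor: `PermitRootLogin without-password` is the legacy spelling of `prohibit-password`; the behaviour is identical, but the canonical name is clearer for readers of the baseline.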


@ -0,0 +1,40 @@
# Forge (192.168.1.16) — Security Baseline
Established: 2026-02-22
## SSH Authorized Keys (johan)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4TEk5EWIwLM3+/pU/H5qxZQlNUvIcxj72bYhYOZeQZ james@server
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4vdTyAAgy6PTsTLy64zQ8HwB3n3N3HQ3VfpLnItN7f johan@ubuntu2404
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpdYKhUPal5p9oI6kN85PAB7oZ+j0P2+xCzvt1rord6 johanjongsma@Johans-MacBook-Pro.local
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5hDM45kOB8jxk+M4Kk9in9bpwZ90sSZsPBMbzJRkbF johan@thinkpad-x1
## Expected Users (uid>=1000)
nobody:65534 (system)
johan:1000
## Expected Listening Ports
- 22 (SSH)
- 21 (vsftpd — known, ⚠️ review if needed)
- 139/445 (Samba)
- 8030 (message-bridge — all interfaces)
- 8080 (signal-cli — all interfaces)
- 8090 (OCR service — all interfaces)
- 9200 (james-dashboard)
- 9201 (docsys)
- 9202 (Fully dashboard)
- 9300 (dealroom)
- 9877/9878 (node)
- 9900 (docproc)
- 18789 (openclaw-gateway — all interfaces)
- 18792 (openclaw browser — localhost)
- 11434 (ollama — localhost)
- 8025 (message-center — localhost)
- 13001 (SSH tunnel to zurich:3001 — localhost)
## Known Firewall State
UFW: NOT INSTALLED — ⚠️ no host firewall (relying on router/network controls)
## Known Issues at Baseline
- UFW not installed (known deficiency)
- fail2ban not active
- vsftpd running on port 21 — needs review
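Review bot: this baseline has no `## SSH Hardening` section even though the caddy and zurich baselines do and the scan report in this same commit records `PasswordAuthentication no` for forge; add the section, including that `PermitRootLogin` and `PubkeyAuthentication` are unset defaults, so the next run has explicit values to diff against. With UFW not installed, the ports marked `all interfaces` (21, 8030, 8080, 8090, 18789) are reachable by anything on the LAN or Tailscale; note for each whether the service authenticates, and for vsftpd either bind it to one interface or state why it must listen everywhere, so the ⚠️ review has a concrete criterion instead of "review if needed".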


@ -0,0 +1,35 @@
# James-Old (192.168.1.17) — Security Baseline
Established: 2026-02-22
## SSH Authorized Keys (johan)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4vdTyAAgy6PTsTLy64zQ8HwB3n3N3HQ3VfpLnItN7f johan@ubuntu2404
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge
## Expected Users (uid>=1000)
nobody:65534 (system)
johan:1000
snapd-range-524288-root:524288 (snap service — system)
snap_daemon:584788 (snap service — system)
scanner:1001 (SANE scanner service — system, nologin shell)
## Expected Listening Ports
- 22 (SSH)
- 21 (FTP — known)
- 139/445 (Samba)
- 3389 (RDP — xrdp, known)
- 3350 (xrdp-sesman — localhost)
- 8025 (message-center — localhost)
- 8030 (message-bridge — all interfaces)
- 9200 (dashboard)
- 1143 (Proton Bridge IMAP — localhost)
- 1025 (Proton Bridge SMTP — localhost)
## Known Firewall State
UFW: INACTIVE — ⚠️ no host firewall
## Known Issues at Baseline
- UFW inactive (known deficiency — retired machine)
- fail2ban not active
- RDP (3389) exposed — known, used for remote desktop
- 53 pending apt updates
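Review bot: `53 pending apt updates` under Known Issues at Baseline is a moving count, not a baseline property; recording it as known means next week's scan will treat an unpatched host as expected state. Move it to the action list and keep this section for stable facts (RDP on 3389, FTP on 21, UFW inactive). Since the machine is described as retired, the simplest fix for all three remaining issues is to power it off or take it off the LAN, and the baseline should say which of those is planned.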


@ -0,0 +1,43 @@
# Staging (192.168.1.253) — Security Baseline
Established: 2026-02-22
## SSH Authorized Keys (johan)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpdYKhUPal5p9oI6kN85PAB7oZ+j0P2+xCzvt1rord6 johanjongsma@Johans-MacBook-Pro.local
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4TEk5EWIwLM3+/pU/H5qxZQlNUvIcxj72bYhYOZeQZ james@server
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge
## Expected Users (uid>=1000)
nobody:65534 (system)
johan:1000
## Expected Listening Ports
- 22 (SSH)
- 139/445 (Samba)
- 2283 (Immich — all interfaces)
- 8080 (signal-cli-rest-api — all interfaces)
- 8096 (Jellyfin — all interfaces)
- 8123 (ClickHouse HTTP — all interfaces)
- 9000 (ClickHouse TCP — all interfaces)
- 18789 (openclaw-gateway — all interfaces)
- 18792 (openclaw browser — localhost)
- 1080 (portal)
- 8082 (inou api)
- 8765 (inou viewer)
## Docker Containers (Known)
- clickhouse (clickhouse/clickhouse-server)
- immich_server (ghcr.io/immich-app/immich-server)
- immich_machine_learning
- immich_postgres
- immich_redis
- jellyfin
- signal-cli-rest-api
## Known Firewall State
UFW: INACTIVE — ⚠️ no host firewall
## Known Issues at Baseline
- UFW inactive (LAN only, home lab — tolerated)
- fail2ban not active
- SSH hardening not verified (sshd -T requires root)
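Review bot: `SSH hardening not verified (sshd -T requires root)` can be closed without full sudo: `/etc/ssh/sshd_config` and `/etc/ssh/sshd_config.d/*.conf` are normally world-readable, so the scan can read the configured directives now, and a single sudoers entry limited to `/usr/sbin/sshd -T` gives the effective values later. ClickHouse (8123/9000), Immich (2283), Jellyfin (8096), signal-cli-rest-api (8080) and the openclaw gateway (18789) are listed on all interfaces with UFW inactive; add to this baseline whether each enforces authentication, since the LAN is the only boundary in front of them and "tolerated" should rest on that rather than on the home-lab label.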


@ -0,0 +1,40 @@
# Zurich (zurich.inou.com / 82.22.36.202) — Security Baseline
Established: 2026-02-22
## Root SSH Authorized Keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4TEk5EWIwLM3+/pU/H5qxZQlNUvIcxj72bYhYOZeQZ james@server
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIhEtv7t3njNoG+mnKElR+rasMArdc8DnHON22lreT7 james@james
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5hDM45kOB8jxk+M4Kk9in9bpwZ90sSZsPBMbzJRkbF johan@thinkpad-x1
## Expected Users (uid>=1000)
nobody:65534 (system)
harry:1000 (/var/www/harryhaasjes — web service, nologin)
harry-web:1001 (/home/harry-web — web service, nologin)
## Expected Listening Ports
- 22 (SSH — all interfaces)
- 25/143/587/465/993/995/110/4190 (Stalwart mail server)
- 80/443 (Caddy)
- 2019 (Caddy admin — localhost)
- 2586 (ntfy — localhost, behind Caddy)
- 3001 (Uptime Kuma — all interfaces, UFW blocks external)
- 8080 (Vaultwarden — localhost, behind Caddy)
- 8880/8443 (Stalwart admin — localhost)
- 41641 (Tailscale UDP)
## SSH Hardening
- PasswordAuthentication: no ✅
- PermitRootLogin: without-password ✅
- PubkeyAuthentication: yes ✅
## Known Firewall State
UFW: ACTIVE ✅
Rules: 22, 80, 443, 41641 (Tailscale), tailscale0, 25, 587, 465, 993, 143, 4190
## Known Issues at Baseline
- High SSH brute force volume — expected for public VPS, mitigated by key-only auth + fail2ban
- Port 3001 (Kuma) exposed on all interfaces — but UFW blocks it externally (no rule for 3001)
- Port 110/995 (POP3) not in UFW rules — blocked externally even though Stalwart listens
- Docker: uptime-kuma, vaultwarden
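Review bot: the statement that UFW blocks 3001 externally needs checking from an outside address rather than from the rule list, because `uptime-kuma` runs as a Docker container (listed on the last line) and Docker publishes ports through its own iptables chains (DNAT in PREROUTING, then FORWARD) that UFW's INPUT filtering does not cover, so a published port can be reachable with no UFW rule at all; the dependable fix is to publish the port on `127.0.0.1` in the container's port mapping, as vaultwarden on 8080 already is. Apply the same external test to 110/995: confirm POP3 is unreachable from outside, then either add an explicit deny or stop Stalwart listening on those ports, so the baseline records an intended state rather than an accident of the rule set.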


@ -0,0 +1,291 @@
# Weekly Security Posture Scan — 2026-02-22
Scan time: Sunday, February 22nd, 2026 — ~09:01 AM EST
**FIRST RUN** — Baselines established in `memory/security-baselines/`
## Summary
| Host | Firewall | SSH Hardened | fail2ban | Intrusion Indicators | Overall |
|------|----------|--------------|----------|----------------------|---------|
| forge (localhost) | ❌ None | ✅ | ❌ | None | ⚠️ WARN |
| james-old (192.168.1.17) | ❌ UFW inactive | ⚠️ Unknown | ❌ | None | ⚠️ WARN |
| staging (192.168.1.253) | ❌ UFW inactive | ⚠️ Unknown | ❌ | None | ⚠️ WARN |
| caddy (192.168.0.2) | ✅ UFW active | ✅ | ❌ | None | ⚠️ WARN |
| prod (192.168.100.2) | ❓ No access | ❓ | ❓ | ❓ | ❌ UNREACHABLE |
| zurich.inou.com | ✅ UFW active | ✅ | ✅ | Brute force (expected) | ✅ OK |
---
## FORGE (192.168.1.16 — localhost)
### Firewall
- ❌ **UFW NOT INSTALLED** — no host-level firewall
- Relying entirely on network-level controls (router/UDM-Pro)
### SSH Hardening
- ✅ `PasswordAuthentication no`
- PermitRootLogin: not explicitly set (Ubuntu default = prohibit-password ≈ key-only)
- PubkeyAuthentication: yes (default)
### fail2ban
- ❌ **Not installed/active**
### Listening Ports
Expected ports for this host. Notable:
- ⚠️ Port 21 (vsftpd) — FTP running as root, enabled at boot, all interfaces
- Ports 22, 139/445 (Samba), 8030, 8080, 8090, 9200-9202, 9300, 9877-9878, 9900, 18789 — all expected
### Users
- nobody (65534), johan (1000) — **clean**
### SSH Authorized Keys
- 5 keys: james@server, johan@ubuntu2404, claude@macbook, johanjongsma@MacBook, johan@thinkpad-x1
- **All expected** — no unknown keys
### Login History
- All sessions from 192.168.1.14 (LAN) and 100.114.238.41 (Tailscale)
- Most recent: Sat Feb 21 — clean
- **No failed logins**
### Outbound Connections
All legitimate:
- IMAP to zurich:993 (message-center)
- SSH tunnels to zurich:22
- OpenClaw API connections
- Signal/WhatsApp bridge
- 192.200.0.103:443 (unknown — Anthropic CDN likely)
### Cron
- `/home/johan/clawd/scripts/claude-usage-check.sh` (hourly) — expected
- `/home/johan/scripts/health-push.sh` (every minute) — expected
### Shadow / Sudoers Perms
- `/etc/shadow`: rw-r----- root:shadow ✅
- `/etc/sudoers`: r--r----- root:root ✅
### Security Patches
- 0 pending security patches (apt list --upgradable | grep security returned empty)
### Findings
| Severity | Finding |
|----------|---------|
| ⚠️ MEDIUM | UFW not installed — no host firewall |
| ⚠️ MEDIUM | fail2ban not active |
| ⚠️ LOW | vsftpd (FTP) running on port 21, all interfaces, root-owned process |
---
## JAMES-OLD (192.168.1.17)
### Firewall
- ❌ **UFW inactive** (installed but disabled)
### SSH Hardening
- sshd -T returned empty (no sudo) — hardening status unknown
- Need root access to verify
### fail2ban
- ❌ **Not active**
### Listening Ports
Notable:
- ⚠️ Port 3389 (RDP/xrdp) — all interfaces (0.0.0.0)
- ⚠️ Port 21 (FTP) — all interfaces
- Port 8030 (message-bridge) — all interfaces
- Ports 22, 139/445, 1143/1025 (Proton Bridge — localhost), 8025 (MC — localhost), 9200 — expected
### Users
- nobody, johan, snapd-range-524288-root, snap_daemon (all snap-related — system), scanner
- `scanner` user: uid=1001, shell=/usr/sbin/nologin, home=/home/scanner — **SANE scanner service, expected**
### SSH Authorized Keys
- 3 keys: johan@ubuntu2404, claude@macbook, james@forge — **clean**
### Login History
- Last login: Wed Feb 4 from LAN
- Machine is mostly idle (retired)
### Pending Updates
- **53 pending apt updates** — needs attention
### Findings
| Severity | Finding |
|----------|---------|
| ⚠️ MEDIUM | UFW inactive on a machine with exposed ports |
| ⚠️ MEDIUM | fail2ban not active |
| ⚠️ LOW | RDP (port 3389) exposed on all interfaces |
| ⚠️ LOW | FTP (port 21) exposed |
| ⚠️ LOW | 53 pending apt updates — should patch or decommission |
---
## STAGING (192.168.1.253)
### Firewall
- ❌ **UFW inactive**
### SSH Hardening
- Could not verify (no sudo for sshd -T) — **TODO: verify next scan**
### fail2ban
- ❌ **Not active**
### Listening Ports
LAN-accessible services (home lab — tolerated):
- 2283 (Immich), 8080 (signal-cli), 8096 (Jellyfin), 8123/9000 (ClickHouse)
- 18789 (OpenClaw gateway), 8082/8765/1080 (inou app)
- 22, 139/445 (Samba)
### Docker Containers
- Immich (server, ML, postgres, redis) — ✅ Up 11+ days (healthy)
- ClickHouse — ✅ Up 6 hours (healthy)
- Jellyfin — ✅ Up 11 days (healthy)
- signal-cli-rest-api — ✅ Up 11 days (healthy)
### Users
- nobody (65534), johan (1000) — **clean**
### SSH Authorized Keys
- 4 keys: claude@macbook, johanjongsma@MacBook, james@server, james@forge — **clean**
### Login History
- Most recent: Fri Feb 20 from LAN — clean
### Findings
| Severity | Finding |
|----------|---------|
| ⚠️ MEDIUM | UFW inactive (LAN-only machine, tolerated) |
| ⚠️ MEDIUM | fail2ban not active |
| INFO | Many open ports — consistent with home lab role |
---
## CADDY (192.168.0.2)
### Firewall
- ✅ **UFW active** with rules:
- SSH limited from LAN (/22)
- 80/443 ALLOW any
- 40021/tcp ALLOW (FTP passive)
- 40000-40010/tcp ALLOW (FTP data)
### SSH Hardening
- ✅ `PasswordAuthentication no`
- ✅ `PermitRootLogin without-password`
- ✅ `PubkeyAuthentication yes`
### fail2ban
- ❌ **Not active** — public-facing host, this is a gap
### Listening Ports
- 22, 80, 443, 2019 (Caddy admin — localhost), 40021 (vsftpd), 53 (systemd-resolved)
- All expected
### Users
- nobody, johan, stijn (/var/www/flourishevents — web service account) — **all expected**
### Root SSH Keys
- 1 key: james@forge — **clean**
### Login History
- Last interactive login: Sat Jan 31 — long ago
- 1 failed login: james@192.168.1.16 (Mon Feb 9) — from forge, expected (James SSH auth attempt)
### Findings
| Severity | Finding |
|----------|---------|
| ⚠️ MEDIUM | fail2ban not active on public-facing host |
| INFO | Only james@forge in root authorized_keys (minimal attack surface) |
---
## PROD (192.168.100.2)
### Status
- ❌ **UNREACHABLE** — SSH authentication failed (too many auth failures)
- May require specific SSH key or non-root user
- **Action needed:** Establish access method for security scans
### Findings
| Severity | Finding |
|----------|---------|
| ❌ UNKNOWN | Cannot scan prod — access method needed |
---
## ZURICH (zurich.inou.com / 82.22.36.202)
### Firewall
- ✅ **UFW active** with comprehensive rules:
- 22, 80, 443, Tailscale, 25/143/587/465/993/4190 (mail)
### SSH Hardening
- ✅ `PasswordAuthentication no`
- ✅ `PermitRootLogin without-password`
- ✅ `PubkeyAuthentication yes`
### fail2ban
- ✅ **Active** (systemctl reports active)
### Brute Force Activity
- **⚠️ HIGH volume SSH brute force detected** (20 failed attempts in ~15 min window today)
- Example IPs: 80.94.92.164, 89.155.5.35, 20.185.243.158, 2.57.121.25, 57.128.214.238, 20.88.55.220, 101.47.163.102, 34.78.29.97, 139.59.157.104, 23.227.147.163
- **Usernames attempted:** sol, opnsense, zookeeper, user, solana, listen, jfrog, polycom, rdp, serveradmin, borgbackup, blink, pound
- **Risk: LOW** — password auth disabled, key-only auth, fail2ban active
- This is expected/normal for a public VPS with port 22 open
### Listening Ports
All expected:
- 22 (SSH), 80/443 (Caddy), 25/143/587/465/993/995/110/4190 (Stalwart mail)
- 2019 (Caddy admin — localhost), 2586 (ntfy — localhost), 8080/8880/8443 (localhost)
- 3001 (Uptime Kuma — all interfaces; UFW blocks external, no UFW rule for 3001)
### Docker Containers
- uptime-kuma (louislam/uptime-kuma:1) — ✅ Up 3 days (healthy)
- vaultwarden (vaultwarden/server) — ✅ Up 12 hours (healthy)
### Users
- nobody (65534), harry (1000 — /var/www/harryhaasjes, nologin), harry-web (1001 — nologin)
- **All expected** service accounts
### Root SSH Keys
- 5 keys: claude@macbook, james@server, james@james, james@forge, johan@thinkpad-x1 — **all expected**
### Login History
- Last interactive: root from 47.197.93.62 (Johan's home IP) — Jan 27 — clean
### Findings
| Severity | Finding |
|----------|---------|
| INFO | High SSH brute force volume — mitigated (key-only + fail2ban) |
| INFO | Port 3001 (Kuma) binding 0.0.0.0 — UFW blocks externally, but should bind localhost |
| INFO | POP3 (110/995) listening but not in UFW rules — consider adding or disabling |
---
## Action Items
| Priority | Host | Action |
|----------|------|--------|
| HIGH | forge | Install UFW or document why host firewall isn't needed |
| HIGH | forge | Install fail2ban |
| MEDIUM | forge | Review vsftpd — is FTP still needed? Disable if not |
| MEDIUM | james-old | Patch 53 pending updates, or decommission machine |
| MEDIUM | james-old | Enable UFW or document retirement status |
| MEDIUM | caddy | Install fail2ban (public-facing, should have brute-force protection) |
| MEDIUM | staging | Verify SSH hardening as root |
| MEDIUM | prod | Establish SSH access method for security scans |
| LOW | zurich | Change Kuma to bind localhost only (`--listen 127.0.0.1`) |
| LOW | zurich | Consider UFW rule for POP3 (995) if intentionally offered |
---
## No Intrusion Indicators Found
- No unknown users on any accessible host
- No rogue SSH keys
- No suspicious processes
- All login history from known IPs (LAN, Tailscale, Johan's home IP)
- Zurich brute force — normal internet noise, all blocked
---
*Next scan: 2026-03-01 | Baselines: memory/security-baselines/*
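Review bot: the summary table marks forge `SSH Hardened ✅`, but the forge detail section says only `PasswordAuthentication no` is set explicitly and `PermitRootLogin`/`PubkeyAuthentication` are assumed defaults; either confirm with `sshd -T` and record the values, or mark the cell ⚠️ as for james-old and staging so the table does not overstate. Two further points: `192.200.0.103:443` is listed under `All legitimate` on the guess "Anthropic CDN likely"; attribute it (owning process via `ss -tnp`, reverse DNS and whois) and keep it as a finding until that is done. And the zurich action `Change Kuma to bind localhost only (--listen 127.0.0.1)` will not achieve the goal as written, because uptime-kuma runs as a Docker container per the Docker Containers section: the host-side bind is set by the port mapping (`127.0.0.1:3001:3001`), and Docker-published ports bypass UFW's INPUT rules, so the repeated `UFW blocks external` claim for 3001 should be verified from an outside address before it is relied on.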