# Weekly Security Posture Scan — 2026-03-01

Scan time: 09:01–09:15 AM EST
Scanner: James (OpenClaw cron)

## Summary

| Host | Status | Findings |
|------|--------|----------|
| forge (localhost) | ⚠️ WARNING | passwordauth YES, new port 1984, new user scanner |
| zurich.inou.com | ⚠️ WARNING | 17 upgradable packages |
| caddy (192.168.0.2) | ⚠️ WARNING | SSH daemon not responding, extra SSH keys |
| james-old (192.168.1.17) | ⚠️ WARNING | Port 3389 (RDP) open, no baseline (first scan) |
| staging (192.168.1.253) | ℹ️ INFO | First scan, no baseline |
| prod (192.168.100.2) | ❌ ERROR | Access denied — could not scan |

---

## Forge (localhost / 192.168.1.16)

### 🔴 CRITICAL: SSH Password Auth Enabled

- `passwordauthentication yes` — differs from baseline expectation
- Baseline expected: `no`
- **Action needed:** Set `PasswordAuthentication no` in `/etc/ssh/sshd_config`

### ⚠️ New Service: vault1984 on Port 1984

- Process: `./vault1984` (pid 3020492, started ~06:01)
- Binary: `/home/johan/dev/vault1984/vault1984`
- Not in baseline port list
- Appears to be Johan's dev project — confirm and add to baseline if intentional

### ℹ️ New User: scanner:1001

- Added since Feb 22 baseline
- Per TOOLS.md: dedicated scanner user for SMB share (`\\...\docsys`)
- **Legitimate** — update baseline

### ✅ Clean Items

- SSH keys: match baseline exactly (5 keys, all known)
- Logins: all from 192.168.1.14 (Johan's MacBook) — no suspicious IPs
- No failed logins (empty lastb)
- fail2ban running (root process active)
- Crontab: only known jobs (usage-check, health-push, ddns-update)
- Docker: not installed (expected)
- permitrootlogin: no ✅

### ℹ️ OCR Service

- Port 8090 was offline at scan time — restarted by systemd at 09:03 AM during scan
- Now active — monitor for stability

---

## Zurich (zurich.inou.com / 82.22.36.202)

### ⚠️ Upgradable Packages: 17

- `apt list --upgradable` returns 17 packages
- May include security patches — run `apt upgrade` soon

### ⚠️ Brute Force Volume (Normal for Public VPS)

- fail2ban: 904 total banned, 11 currently banned
- Recent attempts: nvidia, ubnt, user, debian, config usernames
- `harryhaa` username attempt from 172.94.9.65 — targeting the harry web user by name (not alarming, common scraping)
- All blocked by fail2ban ✅

### ✅ Clean Items

- SSH hardened: `passwordauthentication no`, `permitrootlogin without-password` ✅
- UFW active with expected rules ✅
- Users: harry:1000, harry-web:1001 — match baseline ✅
- SSH keys: all 5 match baseline ✅
- Docker: uptime-kuma (up 10d), vaultwarden (up 12h) — expected ✅
- Last successful logins: only from 47.197.93.62 (home public IP) ✅

---

## Caddy (192.168.0.2)

### ⚠️ SSH Daemon Not Responding on Port 22

- `Connection refused` from 192.168.1.16 (forge)
- UFW rules should allow 192.168.0.0/22 → 22
- Possible: SSH service down, port changed, or firewall misconfiguration
- Connected via Tailscale instead (required re-auth — not completed in scan)
- **Action needed:** Verify SSH service is running on caddy

### ⚠️ Extra SSH Keys Not in Baseline

- Baseline (Feb 22): only `james@forge`
- Current: also has `claude@macbook` and `johan@ubuntu2404`
- These are known keys, likely added intentionally — confirm and update baseline

### ✅ Clean Items

- UFW: active with expected rules ✅
- Users: nobody, johan:1000, stijn:1001 — match baseline ✅
- No failed or suspicious logins
- Caddy/FTP services presumably running (UFW rules in place)

---

## James-Old (192.168.1.17) — First Scan

### ⚠️ Port 3389 (RDP) Open — Investigate

- RDP listener detected on all interfaces
- This machine is on LAN, not public — but still unexplained
- No baseline exists — adding this as known but flagged for review

### ℹ️ Port 21 (FTP) Open

- Same as forge — known from Spacebot/Andrew context
- LAN only — low risk

### Users

- nobody, johan:1000, snapd-range-524288-root:524288, snap_daemon:584788, scanner:1001
- Snap-related users expected if snap packages installed
- scanner:1001 — parallel with forge scanner user (SMB)

### Ports

- 18789 (OpenClaw), 19898 (Spacebot/Andrew), 8030 (message-bridge), 8080 (signal-cli), 9200 (dashboard), 22, 139/445 (Samba), 21 (FTP), 3389 (RDP)

### Logins

- All from 192.168.1.14 (Johan's Mac) — clean

### SSH Hardening

- Could not check (insufficient privilege as `johan` user — `sshd -T` returned nothing)

---

## Staging (192.168.1.253) — First Scan

### ℹ️ Services Running (All LAN-only, expected for dev)

- Port 2283: likely Immich
- Port 8096: Jellyfin
- Port 8123: Home Assistant
- Port 8080: various
- Port 1080/8082/8765/9124: inou portal, api, viewer, dbquery
- Port 18789: OpenClaw
- Port 22/139/445: SSH/Samba

### Users

- nobody, johan:1000 — clean

### Logins

- All from 192.168.1.14 (Johan's Mac) — clean

### SSH Hardening

- Could not check (insufficient privilege as `johan` user)

---

## Prod (192.168.100.2) — ERROR

- Access denied — `Too many authentication failures`
- SSH key not installed or key rotation occurred
- Could not scan
- **Action needed:** Re-establish SSH access to prod

---

## Action Items

1. 🔴 **FORGE: Fix SSH password auth** — `sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && sudo systemctl restart sshd`
2. ⚠️ **CADDY: Verify SSH daemon** — check if sshd is running
3. ⚠️ **ZURICH: Run apt upgrade** — 17 pending packages
4. ⚠️ **JAMES-OLD: Investigate RDP port 3389** — who opened it?
5. ⚠️ **PROD: Restore SSH access** — key auth failing
6. ℹ️ **Update baselines**: add scanner user (forge/james-old), vault1984 port, caddy extra keys