# Security Scan — 2026-03-22 Afternoon

**Performed:** 2026-03-22 ~14:40 EDT
**Scope:** forge (192.168.1.16), caddy (192.168.0.2), zurich (82.22.36.202), staging (192.168.1.253)
**Note:** james-old (192.168.1.17) decommissioned — removed from scope

---

## Summary of Findings

| Host | Status | Critical | High | Medium | Actions Taken |
|------|--------|----------|------|--------|---------------|
| forge | ⚠️ Issues | 0 | 2 | 2 | 2 processes killed |
| caddy | ⚠️ Issues | 0 | 2 | 1 | None (needs follow-up) |
| zurich | ⚠️ Watch | 0 | 1 | 1 | None |
| staging | ✅ OK | 0 | 0 | 1 | None |

---

## FORGE (192.168.1.16)

### Listening Ports vs Baseline

All baseline ports confirmed running. Additional ports found:

| Port | Process | Status |
|------|---------|--------|
| 8888 | `server` (clavitor design-system) | ⚠️ **KILLED** — was running, now gone |
| 8000 | `python3 -m http.server --bind 0.0.0.0` | 🔴 **UNEXPECTED + KILLED** — unauthorized HTTP server on all interfaces |
| 8098 | `vault1984-account` | ⚠️ Not in baseline — vault1984 project component, needs baseline update |
| 18484 | `fireworks-proxy` (localhost) | OK — known tool |
| 19933 | SSH tunnel `→ zurich:143` (localhost) | OK — transient IMAP tunnel (sleep 30 TTL) |

### Actions Taken

- **Port 8888 killed** (pid 1409487 — clavitor dev server)
- **Port 8000 killed** (pid 1434991 — python3 http.server 0.0.0.0) — SECURITY INCIDENT per AGENTS.md policy; this was an exposed HTTP server with no auth on all interfaces. Unknown how long it had been running.

### VNC / x11vnc (Port 5900) — HIGH RISK

- **Status:** RUNNING — `x11vnc -display :99 -rfbport 5900 -forever -bg`
- **Password:** ❌ **NOT SET** — no `-passwd` or `-rfbauth` flag, no `.vnc/passwd`, no `.x11vncrc`
- **Exposure:** Listening on `0.0.0.0` and `[::]` — all interfaces
- **Risk:** Anyone on LAN (or any interface) can connect to display :99 without authentication
- **Recommendation:** Either kill x11vnc if not needed, or restart with `-rfbauth ~/.vnc/passwd` after setting a password with `x11vnc -storepasswd`

### SSH Authorized Keys

All 6 keys match baseline exactly:

- `james@server` ✅
- `johan@ubuntu2404` ✅
- `claude@macbook` ✅
- `johanjongsma@Johans-MacBook-Pro.local` ✅
- `johan@thinkpad-x1` ✅
- `hans@vault1984-hq` ✅

`hans@vault1984-hq` **CONFIRMED LEGITIMATE** — the same key (`AAAAIDUxlVDVtTA3gw4psRs/OeFSW6ExczzgFy2otLS4NVzn`) appears consistently on both forge and caddy's `hans` user. Hans is the Zurich agent for the vault1984 project. Key absent from zurich (expected — no Zurich access needed). Baseline "pending confirmation" status resolved: **legitimate**.

### Failed Systemd Units

None ✅

### Security Updates

None pending ✅

### Disk Usage

`/` → 237G / 469G (54%) — healthy ✅

### Processes

- fail2ban running (root) — ✅ improvement over baseline, which showed it inactive
- Multiple `claude` CLI instances, chrome/playwright instances — all normal
- `opencode` — known dev tool
- No unexpected root processes

---

## CADDY (192.168.0.2)

### Listening Ports vs Baseline

New ports since baseline (both via Caddy reverse proxy, UFW rules added):

| Port | Process | Status |
|------|---------|--------|
| 1984 | caddy (reverse proxy) | ⚠️ New — vault1984 proxied, UFW rule added |
| 2283 | caddy (reverse proxy) | ⚠️ New — Immich proxied |

All other baseline ports confirmed ✅

### SSH Authorized Keys (root)

🔴 **DISCREPANCY vs baseline:**

- Baseline had 3 keys: `james@forge`, `claude@macbook`, `johan@ubuntu2404`
- Current: only `james@forge` present
- `claude@macbook` and `johan@ubuntu2404` **missing from root's authorized_keys**
- Needs investigation — intentional removal or accidental?

### Hans User — NEW USER

- **Status:** User `hans` (uid=1002) exists with `/bin/bash` shell — **NOT in baseline**
- SSH key: `hans@vault1984-hq` — same key as on forge (confirmed legitimate vault1984 agent key)
- This user was likely created as part of the vault1984 integration, but it was not in the Feb 2026 baseline
- **Action needed:** Confirm hans user creation was intentional; update baseline

### Failed Systemd Units

- `fail2ban.service` — ❌ **FAILED** since 2026-03-01 (3 weeks!) — needs fix

### Pending Security Updates

- `linux-image-raspi` 6.8.0-1048.52 — kernel security update pending

### UFW

Active ✅ — Port 1984 rule added since baseline (vault1984 project)

### Disk Usage

3.2G / 29G (12%) — healthy ✅

---

## ZURICH (82.22.36.202)

### Listening Ports vs Baseline

All expected ports confirmed. No unexpected ports ✅

### UFW

Active ✅ — **BUT:** Port 3001 (Uptime Kuma) now has an explicit `ALLOW Anywhere` rule in UFW.

Baseline noted: "Port 3001 (Kuma) exposed on all interfaces — but UFW blocks it externally (no rule for 3001)"

**Current state: Kuma is now publicly accessible on the internet (no auth beyond Kuma's own login)**

- Kuma is password-protected (user: james), but the intent was to block it externally
- Consider restricting to Tailscale only: `ufw delete allow 3001/tcp` + allow on tailscale0 only

### SSH Authorized Keys (root)

All 5 keys match baseline exactly ✅:

- `claude@macbook`, `james@server`, `james@james`, `james@forge`, `johan@thinkpad-x1`
- No `hans@vault1984-hq` key (consistent — not expected)

### Failed Systemd Units

None ✅

### Security Updates

None pending ✅

### Disk Usage

77G / 118G (69%) — getting high, worth monitoring. Budget ~36G free.

### Users

harry:1000, harry-web:1001 — match baseline ✅

---

## STAGING (192.168.1.253)

### Listening Ports vs Baseline

All match baseline ✅:

- 22 (SSH), 139/445 (Samba), 2283 (Immich), 8080, 8096 (Jellyfin), 8123 (HA), 9000
- 1080 (portal), 8082 (inou api), 8765 (inou viewer), 9124 (dbquery)

### SSH Authorized Keys

- `claude@macbook` ✅
- `johanjongsma@Johans-MacBook-Pro.local` ✅
- `james@server` ✅
- `james@forge` ✅
- `johan@inou` ⚠️ — not captured in baseline (baseline was incomplete for staging)

### Failed Systemd Units

None ✅

### Pending Security Updates

None ✅

### Disk Usage

74G / 229G (35%) — healthy ✅

### UFW

Could not check (user-level access, no sudo) — unchanged from baseline limitation

---

## Action Items

| Priority | Host | Item |
|----------|------|------|
| HIGH | forge | Kill or password-protect x11vnc on port 5900 (currently NO PASSWORD) |
| HIGH | caddy | Investigate missing root SSH keys (claude@macbook + johan@ubuntu2404 gone) |
| MEDIUM | caddy | Fix fail2ban.service (failed since 2026-03-01) |
| MEDIUM | caddy | Install kernel security update (linux-image-raspi 6.8.0-1048.52) |
| MEDIUM | zurich | Restrict port 3001 (Kuma) — currently world-accessible via UFW |
| LOW | forge | Add port 8098 (vault1984-account) to baseline if intentional |
| LOW | caddy | Add hans user to baseline if intentional |
| LOW | staging | Capture johan@inou key in baseline |
| LOW | zurich | Monitor disk usage (69%) |

---

## Completed Actions

- ✅ **forge port 8888 killed** — clavitor design-system dev server (pid 1409487)
- ✅ **forge port 8000 killed** — unauthorized python3 http.server on 0.0.0.0 (pid 1434991)
- ✅ **hans@vault1984-hq key confirmed legitimate** — consistent across forge + caddy, vault1984 agent

---

## Previous Scan Reference

See `/home/johan/clawd/memory/security-scans/2026-03-22.md` for the morning scan.