# Zurich (zurich.inou.com / 82.22.36.202) — Security Baseline

Established: 2026-02-22

## Root SSH Authorized Keys

```
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4TEk5EWIwLM3+/pU/H5qxZQlNUvIcxj72bYhYOZeQZ james@server
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIhEtv7t3njNoG+mnKElR+rasMArdc8DnHON22lreT7 james@james
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5hDM45kOB8jxk+M4Kk9in9bpwZ90sSZsPBMbzJRkbF johan@thinkpad-x1
```

## Expected Users (uid>=1000)

- nobody:65534 (system)
- harry:1000 (/var/www/harryhaasjes — web service, nologin)
- harry-web:1001 (/home/harry-web — web service, nologin)

## Expected Listening Ports

- 22 (SSH — all interfaces)
- 25/143/587/465/993/995/110/4190 (Stalwart mail server)
- 80/443 (Caddy)
- 2019 (Caddy admin — localhost)
- 2586 (ntfy — localhost, behind Caddy)
- 3001 (Uptime Kuma — all interfaces, UFW blocks external)
- 8080 (Vaultwarden — localhost, behind Caddy)
- 8880/8443 (Stalwart admin — localhost)
- 41641 (Tailscale UDP)

## SSH Hardening

- PasswordAuthentication: no ✅
- PermitRootLogin: without-password ✅
- PubkeyAuthentication: yes ✅

## Known Firewall State

- UFW: ACTIVE ✅
- Rules: 22, 80, 443, 41641 (Tailscale), tailscale0, 25, 587, 465, 993, 143, 4190

## Known Issues at Baseline

- High SSH brute force volume — expected for public VPS, mitigated by key-only auth + fail2ban
- Port 3001 (Kuma) exposed on all interfaces — but UFW blocks it externally (no rule for 3001)
- Port 110/995 (POP3) not in UFW rules — blocked externally even though Stalwart listens
- Docker: uptime-kuma, vaultwarden
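
The following drift check is an added example, not part of the original baseline: it compares `ss -H -tuln` style output against the expected ports and UFW rules listed above and reports unexpected listeners, localhost-only services that have been rebound to a wider address, and services that only the firewall keeps private (the 3001 and 110/995 situation). The sample `ss` lines are constructed, and the check ignores TCP/UDP protocol and assumes every port not marked "localhost" above may bind to all interfaces.

```python
# Added example: port sets are copied from the baseline; SAMPLE_SS is constructed.
LOCAL_ONLY = {2019, 2586, 8080, 8880, 8443}  # baseline says "localhost"
EXPECTED = LOCAL_ONLY | {22, 25, 143, 587, 465, 993, 995, 110, 4190,
                         80, 443, 3001, 41641}
UFW_ALLOW = {22, 80, 443, 41641, 25, 587, 465, 993, 143, 4190}

# Constructed sample containing two deviations: 2586 rebound, 9090 new.
SAMPLE_SS = """\
tcp LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 4096 [::]:22 [::]:*
tcp LISTEN 0 4096 0.0.0.0:110 0.0.0.0:*
tcp LISTEN 0 4096 *:3001 *:*
tcp LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:2019 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:2586 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:9090 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:41641 0.0.0.0:*
"""

def is_loopback(addr):
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    return addr.startswith("127.") or addr == "::1"

def parse_listeners(ss_text):
    """Yield (port, bind_address) from the Local Address:Port column."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield int(port), addr

def audit(ss_text):
    findings = {"unexpected": set(), "bind_widened": set(), "firewall_only": set()}
    for port, addr in parse_listeners(ss_text):
        if port not in EXPECTED:
            findings["unexpected"].add(port)      # not in the baseline at all
        elif is_loopback(addr):
            continue                              # private by bind address
        elif port in LOCAL_ONLY:
            findings["bind_widened"].add(port)    # was localhost, now wider
        elif port not in UFW_ALLOW:
            findings["firewall_only"].add(port)   # private only because of UFW
    return {kind: sorted(ports) for kind, ports in findings.items()}

if __name__ == "__main__":
    for kind, ports in audit(SAMPLE_SS).items():
        print(f"{kind}: {ports}")
```

On a host matching this baseline, `firewall_only` should list exactly the known issues (3001, 110, 995) and the other two categories should be empty.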