# Caddy (192.168.0.2) — Security Baseline

Established: 2026-02-22

## Root SSH Authorized Keys

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge

## Expected Users (uid>=1000)

- nobody:65534 (system)
- johan:1000
- stijn:1001 (/var/www/flourishevents — web service account, nologin equivalent)

## Expected Listening Ports

- 22 (SSH)
- 80/443 (Caddy reverse proxy)
- 40021 (vsftpd passive FTP)
- 2019 (Caddy admin API — localhost)
- 53 (systemd-resolved — localhost)

## SSH Hardening

- PasswordAuthentication: no ✅
- PermitRootLogin: without-password ✅
- PubkeyAuthentication: yes ✅

## Known Firewall State

UFW: ACTIVE ✅

Rules: SSH (LIMIT from LAN), 80/443 (ALLOW), 40021 (ALLOW), 40000-40010 (ALLOW — FTP passive)

## Known Issues at Baseline

- fail2ban not active
- vsftpd running (FTP) — known for flourishevents site
- User `stijn` exists (/var/www/flourishevents) — web service account
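
A drift check against the Expected Listening Ports list, as an added example that is not part of the original baseline: it reports listeners that are not in the list, baseline ports that are no longer listening, and the localhost-only ports (2019, 53) when bound to a non-loopback address. The `ss` output below is a constructed sample, and the function names `sample_ss` and `check_ports` are hypothetical.

```shell
#!/bin/sh
# Added example: compare TCP listeners with the baseline port list on this page.
BASELINE_PUBLIC="22 80 443 40021"   # reachable from the network per the baseline
BASELINE_LOCAL="2019 53"            # baseline says localhost only

# Constructed sample of `ss -Htln` output (not captured from the host):
# 40021 is absent, 2019 is bound to all interfaces, 8080 is new.
sample_ss() {
cat <<'EOF'
LISTEN 0 128  0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:80 *:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 4096 0.0.0.0:2019 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128  [::]:8080 [::]:*
EOF
}

# Reads `ss -Htln` lines on stdin and prints one finding per line:
#   UNEXPECTED <port> <addr>  listener not in the baseline
#   EXPOSED <port> <addr>     localhost-only port on a non-loopback address
#   MISSING <port>            baseline port with no listener
check_ports() {
  awk -v pub="$BASELINE_PUBLIC" -v loc="$BASELINE_LOCAL" '
    BEGIN {
      n = split(pub, a, " "); for (i = 1; i <= n; i++) kind[a[i]] = "public"
      n = split(loc, a, " "); for (i = 1; i <= n; i++) kind[a[i]] = "local"
    }
    $1 == "LISTEN" {
      addr = $4; port = $4
      sub(/.*:/, "", port)        # keep the text after the last colon
      sub(/:[^:]*$/, "", addr)    # keep the text before the last colon
      loop = (addr ~ /^127\./ || addr == "[::1]")
      seen[port] = 1
      if (!(port in kind)) print "UNEXPECTED " port " " addr
      else if (kind[port] == "local" && !loop) print "EXPOSED " port " " addr
    }
    END { for (p in kind) if (!(p in seen)) print "MISSING " p }
  ' | LC_ALL=C sort -u
}

# Demonstration on the constructed sample.
# On the host itself, run: ss -Htln | check_ports
sample_ss | check_ports
```

An empty result means the TCP listeners match the baseline; UDP listeners are not examined.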