Weekly Security Posture Scan — 2026-02-22
Scan time: Sunday, February 22nd, 2026 — ~09:01 AM EST
FIRST RUN — Baselines established in memory/security-baselines/
Summary
| Host | Firewall | SSH Hardened | fail2ban | Intrusion Indicators | Overall |
|---|---|---|---|---|---|
| forge (localhost) | ❌ None | ✅ | ❌ | None | ⚠️ WARN |
| james-old (192.168.1.17) | ❌ UFW inactive | ⚠️ Unknown | ❌ | None | ⚠️ WARN |
| staging (192.168.1.253) | ❌ UFW inactive | ⚠️ Unknown | ❌ | None | ⚠️ WARN |
| caddy (192.168.0.2) | ✅ UFW active | ✅ | ❌ | None | ⚠️ WARN |
| prod (192.168.100.2) | ❓ No access | ❓ | ❓ | ❓ | ❌ UNREACHABLE |
| zurich.inou.com | ✅ UFW active | ✅ | ✅ | Brute force (expected) | ✅ OK |
FORGE (192.168.1.16 — localhost)
Firewall
- ❌ UFW NOT INSTALLED — no host-level firewall
- Relying entirely on network-level controls (router/UDM-Pro)
SSH Hardening
- ✅ PasswordAuthentication no
- PermitRootLogin: not explicitly set (Ubuntu default = prohibit-password ≈ key-only)
- PubkeyAuthentication: yes (default)
fail2ban
- ❌ Not installed/active
Listening Ports
Expected ports for this host. Notable:
- ⚠️ Port 21 (vsftpd) — FTP running as root, enabled at boot, all interfaces
- Ports 22, 139/445 (Samba), 8030, 8080, 8090, 9200-9202, 9300, 9877-9878, 9900, 18789 — all expected
Users
- nobody (65534), johan (1000) — clean
SSH Authorized Keys
- 5 keys: james@server, johan@ubuntu2404, claude@macbook, johanjongsma@MacBook, johan@thinkpad-x1
- All expected — no unknown keys
Login History
- All sessions from 192.168.1.14 (LAN) and 100.114.238.41 (Tailscale)
- Most recent: Sat Feb 21 — clean
- No failed logins
Outbound Connections
All legitimate:
- IMAP to zurich:993 (message-center)
- SSH tunnels to zurich:22
- OpenClaw API connections
- Signal/WhatsApp bridge
- 192.200.0.103:443 (unknown — Anthropic CDN likely)
Cron
- /home/johan/clawd/scripts/claude-usage-check.sh (hourly) — expected
- /home/johan/scripts/health-push.sh (every minute) — expected
Shadow / Sudoers Perms
- /etc/shadow: rw-r----- root:shadow ✅
- /etc/sudoers: r--r----- root:root ✅
Security Patches
- 0 pending security patches (apt list --upgradable | grep security returned empty)
Findings
| Severity | Finding |
|---|---|
| ⚠️ MEDIUM | UFW not installed — no host firewall |
| ⚠️ MEDIUM | fail2ban not active |
| ⚠️ LOW | vsftpd (FTP) running on port 21, all interfaces, root-owned process |
JAMES-OLD (192.168.1.17)
Firewall
- ❌ UFW inactive (installed but disabled)
SSH Hardening
- sshd -T returned empty (no sudo) — hardening status unknown
- Need root access to verify
fail2ban
- ❌ Not active
Listening Ports
Notable:
- ⚠️ Port 3389 (RDP/xrdp) — all interfaces (0.0.0.0)
- ⚠️ Port 21 (FTP) — all interfaces
- Port 8030 (message-bridge) — all interfaces
- Ports 22, 139/445, 1143/1025 (Proton Bridge — localhost), 8025 (MC — localhost), 9200 — expected
Users
- nobody, johan, snapd-range-524288-root, snap_daemon (all snap-related — system), scanner
- scanner user: uid=1001, shell=/usr/sbin/nologin, home=/home/scanner — SANE scanner service, expected
SSH Authorized Keys
- 3 keys: johan@ubuntu2404, claude@macbook, james@forge — clean
Login History
- Last login: Wed Feb 4 from LAN
- Machine is mostly idle (retired)
Pending Updates
- 53 pending apt updates — needs attention
Findings
| Severity | Finding |
|---|---|
| ⚠️ MEDIUM | UFW inactive on a machine with exposed ports |
| ⚠️ MEDIUM | fail2ban not active |
| ⚠️ LOW | RDP (port 3389) exposed on all interfaces |
| ⚠️ LOW | FTP (port 21) exposed |
| ⚠️ LOW | 53 pending apt updates — should patch or decommission |
STAGING (192.168.1.253)
Firewall
- ❌ UFW inactive
SSH Hardening
- Could not verify (no sudo for sshd -T) — TODO: verify next scan
fail2ban
- ❌ Not active
Listening Ports
LAN-accessible services (home lab — tolerated):
- 2283 (Immich), 8080 (signal-cli), 8096 (Jellyfin), 8123/9000 (ClickHouse)
- 18789 (OpenClaw gateway), 8082/8765/1080 (inou app)
- 22, 139/445 (Samba)
Docker Containers
- Immich (server, ML, postgres, redis) — ✅ Up 11+ days (healthy)
- ClickHouse — ✅ Up 6 hours (healthy)
- Jellyfin — ✅ Up 11 days (healthy)
- signal-cli-rest-api — ✅ Up 11 days (healthy)
Users
- nobody (65534), johan (1000) — clean
SSH Authorized Keys
- 4 keys: claude@macbook, johanjongsma@MacBook, james@server, james@forge — clean
Login History
- Most recent: Fri Feb 20 from LAN — clean
Findings
| Severity | Finding |
|---|---|
| ⚠️ MEDIUM | UFW inactive (LAN-only machine, tolerated) |
| ⚠️ MEDIUM | fail2ban not active |
| ℹ️ INFO | Many open ports — consistent with home lab role |
CADDY (192.168.0.2)
Firewall
- ✅ UFW active with rules:
  - SSH limited from LAN (/22)
  - 80/443 ALLOW any
  - 40021/tcp ALLOW (FTP passive)
  - 40000-40010/tcp ALLOW (FTP data)
SSH Hardening
- ✅ PasswordAuthentication no
- ✅ PermitRootLogin without-password
- ✅ PubkeyAuthentication yes
fail2ban
- ❌ Not active — public-facing host, this is a gap
Listening Ports
- 22, 80, 443, 2019 (Caddy admin — localhost), 40021 (vsftpd), 53 (systemd-resolved)
- All expected
Users
- nobody, johan, stijn (/var/www/flourishevents — web service account) — all expected
Root SSH Keys
- 1 key: james@forge — clean
Login History
- Last interactive login: Sat Jan 31 — long ago
- 1 failed login: james@192.168.1.16 (Mon Feb 9) — from forge, expected (James SSH auth attempt)
Findings
| Severity | Finding |
|---|---|
| ⚠️ MEDIUM | fail2ban not active on public-facing host |
| ℹ️ INFO | Only james@forge in root authorized_keys (minimal attack surface) |
PROD (192.168.100.2)
Status
- ❌ UNREACHABLE — SSH authentication failed (too many auth failures)
- May require specific SSH key or non-root user
- Action needed: Establish access method for security scans
Findings
| Severity | Finding |
|---|---|
| ❌ UNKNOWN | Cannot scan prod — access method needed |
ZURICH (zurich.inou.com / 82.22.36.202)
Firewall
- ✅ UFW active with comprehensive rules:
  - 22, 80, 443, Tailscale, 25/143/587/465/993/4190 (mail)
SSH Hardening
- ✅ PasswordAuthentication no
- ✅ PermitRootLogin without-password
- ✅ PubkeyAuthentication yes
fail2ban
- ✅ Active (systemctl reports active)
Brute Force Activity
- ⚠️ HIGH volume SSH brute force detected (20 failed attempts in ~15 min window today)
- Example IPs: 80.94.92.164, 89.155.5.35, 20.185.243.158, 2.57.121.25, 57.128.214.238, 20.88.55.220, 101.47.163.102, 34.78.29.97, 139.59.157.104, 23.227.147.163
- Usernames attempted: sol, opnsense, zookeeper, user, solana, listen, jfrog, polycom, rdp, serveradmin, borgbackup, blink, pound
- Risk: LOW — password auth disabled, key-only auth, fail2ban active
- This is expected/normal for a public VPS with port 22 open
Listening Ports
All expected:
- 22 (SSH), 80/443 (Caddy), 25/143/587/465/993/995/110/4190 (Stalwart mail)
- 2019 (Caddy admin — localhost), 2586 (ntfy — localhost), 8080/8880/8443 (localhost)
- 3001 (Uptime Kuma — all interfaces; UFW blocks external, no UFW rule for 3001)
Docker Containers
- uptime-kuma (louislam/uptime-kuma:1) — ✅ Up 3 days (healthy)
- vaultwarden (vaultwarden/server) — ✅ Up 12 hours (healthy)
Users
- nobody (65534), harry (1000 — /var/www/harryhaasjes, nologin), harry-web (1001 — nologin)
- All expected service accounts
Root SSH Keys
- 5 keys: claude@macbook, james@server, james@james, james@forge, johan@thinkpad-x1 — all expected
Login History
- Last interactive: root from 47.197.93.62 (Johan's home IP) — Jan 27 — clean
Findings
| Severity | Finding |
|---|---|
| ℹ️ INFO | High SSH brute force volume — mitigated (key-only + fail2ban) |
| ℹ️ INFO | Port 3001 (Kuma) binding 0.0.0.0 — UFW blocks externally, but should bind localhost |
| ℹ️ INFO | POP3 (110/995) listening but not in UFW rules — consider adding or disabling |
Action Items
| Priority | Host | Action |
|---|---|---|
| HIGH | forge | Install UFW or document why host firewall isn't needed |
| HIGH | forge | Install fail2ban |
| MEDIUM | forge | Review vsftpd — is FTP still needed? Disable if not |
| MEDIUM | james-old | Patch 53 pending updates, or decommission machine |
| MEDIUM | james-old | Enable UFW or document retirement status |
| MEDIUM | caddy | Install fail2ban (public-facing, should have brute-force protection) |
| MEDIUM | staging | Verify SSH hardening as root |
| MEDIUM | prod | Establish SSH access method for security scans |
| LOW | zurich | Change Kuma to bind localhost only (--listen 127.0.0.1) |
| LOW | zurich | Consider UFW rule for POP3 (995) if intentionally offered |
No Intrusion Indicators Found
- No unknown users on any accessible host
- No rogue SSH keys
- No suspicious processes
- All login history from known IPs (LAN, Tailscale, Johan's home IP)
- Zurich brute force — normal internet noise, all blocked
Next scan: 2026-03-01 | Baselines: memory/security-baselines/