johan
/
clawd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clawd/memory/security-scans/2026-03-22-afternoon.md

7.2 KiB
Raw Permalink Blame History

Security Scan — 2026-03-22 Afternoon

Performed: 2026-03-22 ~14:40 EDT
Scope: forge (192.168.1.16), caddy (192.168.0.2), zurich (82.22.36.202), staging (192.168.1.253)
Note: james-old (192.168.1.17) decommissioned — removed from scope

Summary of Findings

Host Status Critical High Medium Actions Taken
forge ⚠️ Issues 0 2 2 2 processes killed
caddy ⚠️ Issues 0 2 1 None (needs follow-up)
zurich ⚠️ Watch 0 1 1 None
staging OK 0 0 1 None

FORGE (192.168.1.16)

Listening Ports vs Baseline

All baseline ports confirmed running. Additional ports found:

Port Process Status
8888 server (clavitor design-system) ⚠️ KILLED — was running, now gone
8000 python3 -m http.server --bind 0.0.0.0 🔴 UNEXPECTED + KILLED — unauthorized HTTP server on all interfaces
8098 vault1984-account ⚠️ Not in baseline — vault1984 project component, needs baseline update
18484 fireworks-proxy (localhost) OK — known tool
19933 SSH tunnel → zurich:143 (localhost) OK — transient IMAP tunnel (sleep 30 TTL)

Actions Taken

  • Port 8888 killed (pid 1409487 — clavitor dev server)
  • Port 8000 killed (pid 1434991 — python3 http.server 0.0.0.0) — SECURITY INCIDENT per AGENTS.md policy; this was an exposed HTTP server with no auth on all interfaces. Unknown how long it had been running.

VNC / x11vnc (Port 5900) — HIGH RISK

  • Status: RUNNING — x11vnc -display :99 -rfbport 5900 -forever -bg
  • Password: NOT SET — no -passwd or -rfbauth flag, no .vnc/passwd, no .x11vncrc
  • Exposure: Listening on 0.0.0.0 and [::] — all interfaces
  • Risk: Anyone on LAN (or any interface) can connect to display :99 without authentication
  • Recommendation: Either kill x11vnc if not needed, or restart with -rfbauth ~/.vnc/passwd after setting a password with x11vnc -storepasswd

SSH Authorized Keys

All 6 keys match baseline exactly:

  • james@server
  • johan@ubuntu2404
  • claude@macbook
  • johanjongsma@Johans-MacBook-Pro.local
  • johan@thinkpad-x1
  • hans@vault1984-hq CONFIRMED LEGITIMATE — same key (AAAAIDUxlVDVtTA3gw4psRs/OeFSW6ExczzgFy2otLS4NVzn) appears consistently on both forge and caddy's hans user. Hans is Zurich agent, vault1984 project. Key absent from zurich (expected — no Zurich access needed). Baseline "pending confirmation" status resolved: legitimate.

Failed Systemd Units

None

Security Updates

None pending

Disk Usage

/ → 237G / 469G (54%) — healthy

Processes

  • fail2ban running (root) — improvement over baseline which showed it inactive
  • Multiple claude CLI instances, chrome/playwright instances — all normal
  • opencode — known dev tool
  • No unexpected root processes

CADDY (192.168.0.2)

Listening Ports vs Baseline

New ports since baseline (both via Caddy reverse proxy + UFW rules added):

Port Process Status
1984 caddy (reverse proxy) ⚠️ New — vault1984 proxied, UFW rule added
2283 caddy (reverse proxy) ⚠️ New — Immich proxied

All other baseline ports confirmed

SSH Authorized Keys (root)

🔴 DISCREPANCY vs baseline:

  • Baseline had 3 keys: james@forge, claude@macbook, johan@ubuntu2404
  • Current: only james@forge present
  • claude@macbook and johan@ubuntu2404 missing from root's authorized_keys
  • Needs investigation — intentional removal or accidental?

Hans User — NEW USER

  • Status: User hans (uid=1002) exists with /bin/bash shell — NOT in baseline
  • SSH key: hans@vault1984-hq — same key as on forge (confirmed legitimate vault1984 agent key)
  • This user was likely created as part of vault1984 integration — but wasn't in the Feb 2026 baseline
  • Action needed: Confirm hans user creation was intentional; update baseline

Failed Systemd Units

  • fail2ban.service FAILED since 2026-03-01 (3 weeks!) — needs fix

Pending Security Updates

  • linux-image-raspi 6.8.0-1048.52 — kernel security update pending

UFW

Active — Port 1984 rule added since baseline (vault1984 project)

Disk Usage

3.2G / 29G (12%) — healthy

ZURICH (82.22.36.202)

Listening Ports vs Baseline

All expected ports confirmed. No unexpected ports

UFW

Active BUT: Port 3001 (Uptime Kuma) now has explicit ALLOW Anywhere rule in UFW.
Baseline noted: "Port 3001 (Kuma) exposed on all interfaces — but UFW blocks it externally (no rule for 3001)"
Current state: Kuma is now publicly accessible on the internet (no auth beyond Kuma's own login)

  • Kuma is password-protected (user: james), but the intent was to block it externally
  • Consider restricting to Tailscale only: ufw delete allow 3001/tcp + allow on tailscale0 only

SSH Authorized Keys (root)

All 5 keys match baseline exactly :

  • claude@macbook, james@server, james@james, james@forge, johan@thinkpad-x1
  • No hans@vault1984-hq key (consistent — not expected)

Failed Systemd Units

None

Security Updates

None pending

Disk Usage

77G / 118G (69%) — getting high, worth monitoring. Budget ~36G free.

Users

harry:1000, harry-web:1001 — match baseline

STAGING (192.168.1.253)

Listening Ports vs Baseline

All match baseline :

  • 22 (SSH), 139/445 (Samba), 2283 (Immich), 8080, 8096 (Jellyfin), 8123 (HA), 9000
  • 1080 (portal), 8082 (inou api), 8765 (inou viewer), 9124 (dbquery)

SSH Authorized Keys

  • claude@macbook
  • johanjongsma@Johans-MacBook-Pro.local
  • james@server
  • james@forge
  • johan@inou ⚠️ — not captured in baseline (baseline was incomplete for staging)

Failed Systemd Units

None

Pending Security Updates

None

Disk Usage

74G / 229G (35%) — healthy

UFW

Could not check (user-level access, no sudo) — unchanged from baseline limitation

Action Items

Priority Host Item
HIGH forge Kill or password-protect x11vnc on port 5900 (currently NO PASSWORD)
HIGH caddy Investigate missing root SSH keys (claude@macbook + johan@ubuntu2404 gone)
MEDIUM caddy Fix fail2ban.service (failed since 2026-03-01)
MEDIUM caddy Install kernel security update (linux-image-raspi 6.8.0-1048.52)
MEDIUM zurich Restrict port 3001 (Kuma) — currently world-accessible via UFW
LOW forge Add port 8098 (vault1984-account) to baseline if intentional
LOW caddy Add hans user to baseline if intentional
LOW staging Capture johan@inou key in baseline
LOW zurich Monitor disk usage (69%)

Completed Actions

  • forge port 8888 killed — clavitor design-system dev server (pid 1409487)
  • forge port 8000 killed — unauthorized python3 http.server on 0.0.0.0 (pid 1434991)
  • hans@vault1984-hq key confirmed legitimate — consistent across forge + caddy, vault1984 agent

Previous Scan Reference

See /home/johan/clawd/memory/security-scans/2026-03-22.md for morning scan.