clawd/memory/security-scans/2026-03-22.md


Security Posture Scan — 2026-03-22

Scan time: 09:00 AM ET (13:00 UTC) Conducted by: James (weekly cron job)

Summary

| Host | Status | Issues |
| --- | --- | --- |
| forge (192.168.1.16) | ⚠️ WARNING | 5 findings (2 cleaned up live, 3 informational) |
| james-old (192.168.1.17) | ⚠️ WARNING | RDP still open (known), xrdp running |
| staging (192.168.1.253) | CLEAN | Matches baseline |
| prod (192.168.100.2) | UNREACHABLE | SSH key not installed; not audited |
| caddy (192.168.0.2) | ⚠️ WARNING | New user hans:1002 needs confirmation; kernel security update pending |
| zurich (82.22.36.202) | CLEAN | High brute-force volume (normal for a public VPS) |

Forge (192.168.1.16) — ⚠️ WARNING

Findings

[FIXED] Runaway bash process (PID 3673859) consuming 99.9% CPU

  • Process running for 4d 21h: /bin/bash -c openclaw logs --follow | head -30 ...
  • State: R (running), 3.6MB RSS. A busy loop, not a true zombie (a zombie is state Z and uses no CPU): the bash -c wrapper was spinning on the openclaw log follow, most likely after head -30 exited and closed its end of the pipe.
  • Action taken: Killed. Process confirmed gone.

[FIXED] Rogue python3 http.server on port 8000

  • python3 -m http.server 8000 --bind 192.168.1.16 — bound to the LAN interface
  • No legitimate service expected on 8000
  • Action taken: Killed. Port confirmed closed.
  • Gap: the owning user and working directory were not recorded before the kill. http.server serves whatever directory it was started in, so what was exposed matters more than the port. Next time capture the owner and ls -l /proc/<pid>/cwd first.

[INFO] Go dev server running on port 8888 (all interfaces)

  • Binary: /tmp/go-build830895623/b001/exe/server (built 07:12 today)
  • Source: /home/johan/dev/clavitor/design-system/server.go — a no-cache file server for UI dev
  • Owner: johan, no suspicious behavior, likely left running after a dev session
  • Recommendation: Kill when not in active dev use, or bind it to 127.0.0.1 rather than all interfaces. Port 8888 not in baseline — add or clean up.

[INFO] VNC (x11vnc) on port 5900 — all interfaces

  • PID 3936577: x11vnc -display :99 -rfbport 5900 -forever -bg
  • Running since Mar 18. Port 5900 not in baseline but may be needed for headed Chrome/GUI.
  • x11vnc only requires a password when started with -rfbauth, -passwdfile, -passwd or -usepw (or when one of those is set in ~/.x11vncrc). None appear in the cmdline, so unless ~/.x11vncrc supplies one this listener accepts unauthenticated connections from anything that can reach port 5900.
  • Recommendation: check ~/.x11vncrc. If no password is configured, restart with -localhost and reach it over an SSH tunnel, or at minimum add -rfbauth.

[INFO] Port 8098 (vault1984-accounts) — not in baseline

  • Process shows as vault1984-accou (the 15-character kernel comm truncation of vault1984-accounts), listening on all interfaces. The vault1984 project is known.
  • Baseline has port 1984 for vault1984, not 8098. Confirm 8098 is the accounts service's intended port, then update the baseline.
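The "not in baseline" and "all interfaces" calls made in the findings above, as an added example rather than the weekly scan job's own code. It diffs ss -H -lntp output against a per-host baseline of "tcp <port>" lines (that file format is an assumption) and tags each listener with the scope of its bind address. The sample listener data is constructed; every PID except x11vnc's 3936577 is invented.

```shell
#!/usr/bin/env bash
# Added example, not the scan job's code: diff live listeners against a per-host
# baseline and report which interface each extra listener is bound to.
# Baseline format assumed here: one "tcp <port>" per line, '#' comments allowed.
# Live data is `ss -H -lntp` output; the sample below is constructed and every PID
# except x11vnc's 3936577 is invented.

baseline_forge_constructed() {
  cat <<'EOF'
# forge baseline (constructed for this example)
tcp 22
tcp 1984
EOF
}

ss_forge_constructed() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
LISTEN 0 4096 *:8888 *:* users:(("server",pid=41001,fd=3))
LISTEN 0 128 192.168.1.16:8000 0.0.0.0:* users:(("python3",pid=41002,fd=3))
LISTEN 0 5 *:5900 *:* users:(("x11vnc",pid=3936577,fd=8))
LISTEN 0 4096 *:8098 *:* users:(("vault1984-accou",pid=41003,fd=7))
EOF
}

# Turn ss output into "port bind process scope" rows sorted by port.
# scope: all = every interface, local = loopback only, iface = one specific address.
listeners() {
  printf '%s\n' "$1" | awk '
    NF >= 4 {
      n = split($4, a, ":"); port = a[n]
      bind = substr($4, 1, length($4) - length(port) - 1)
      proc = "?"
      if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
      scope = "iface"
      if (bind == "0.0.0.0" || bind == "*" || bind == "[::]") scope = "all"; else if (bind == "127.0.0.1" || bind == "[::1]") scope = "local"
      print port, bind, proc, scope
    }' | sort -n
}

# Rows from listeners() whose port does not appear in the baseline.
port_drift() {
  local baseline="$1" ss_out="$2" port bind proc scope
  listeners "$ss_out" | while read -r port bind proc scope; do
    if ! printf '%s\n' "$baseline" | grep -Eq "^tcp[[:space:]]+${port}$"; then
      printf '%s %s %s %s\n' "$port" "$bind" "$proc" "$scope"
    fi
  done
}

# Stand-alone run on the constructed data. On a real host pass the baseline file's
# contents as the first argument and "$(ss -H -lntp)" as the second.
port_drift "$(baseline_forge_constructed)" "$(ss_forge_constructed)"
```

Run against the constructed sample it reports 5900, 8000, 8098 and 8888, with 8000 tagged iface (the LAN-only python bind) and the other three tagged all, which is the distinction this report uses to prioritise listeners.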

Users

Matches baseline: johan:1000, scanner:1001.

⚠️ hans@vault1984-hq key still present in authorized_keys. Baseline notes it as "pending confirmation" (added 2026-03-08); two weeks later it is still neither confirmed nor removed.

Login History

All logins from 192.168.1.14 (Johan's Mac) or 100.114.238.41 (Tailscale). No unknown sources.

Failed Logins

No lastb entries. Caveat: lastb reads /var/log/btmp, which is normally mode 0660 root:utmp, and this scan ran as johan, so an empty result can mean "unreadable" rather than "no failures". Check that the command exited 0 (or that johan is in the utmp group) before treating this as clean. A LAN-only host with fail2ban active makes brute force unlikely in any case.

SSH Hardening

⚠️ Could not verify (sshd -T requires root — ran as johan). Partial fallback: /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/*.conf are normally world-readable, so PasswordAuthentication and PermitRootLogin can be read from the files. Remember that sshd takes the first occurrence of a keyword and that Ubuntu's Include line sits at the top, so a drop-in overrides the main file. Only sshd -T shows the effective configuration, including Match blocks.

UFW

NOT installed (known deficiency from baseline — relying on router)

fail2ban

Active (service running)


James-Old (192.168.1.17) — ⚠️ WARNING

Findings

[KNOWN] Port 3389 (RDP) still open

  • xrdp process running. Originally flagged at baseline 2026-03-01, still unresolved.
  • No new logins since Mar 2 (last: 192.168.1.14 — Johan's Mac). Clean.
  • Recommendation: If RDP is not needed, disable xrdp.

Users

Matches baseline: johan:1000, scanner:1001

Login History

All from 192.168.1.14. Last login Mar 2 (system rarely accessed).

SSH Keys

Matches baseline exactly.

Listening Ports

Within baseline. Docker: spacebot (healthy, up 11 days).

SSH Hardening / UFW

⚠️ Could not verify with user-level access (known limitation)
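For the two hosts above where sshd -T could not be run (forge and james-old, both scanned without root), the config files themselves are the fallback. The following is an added example, not the scan job's code: it reads the effective value of an sshd keyword from sshd_config plus its Include drop-ins using sshd's own rules (keywords case-insensitive, first occurrence wins, Include expanded where the line sits). It assumes a relative Include pattern resolves against the including file's directory (real sshd resolves against /etc/ssh), one pattern per Include line, and no Match blocks (everything from the first Match line on is ignored). The sample config tree is constructed and mirrors the Ubuntu layout.

```shell
#!/usr/bin/env bash
# Added example, not the scan job's code: read the effective value of an sshd keyword
# from the config files when `sshd -T` is unavailable (it needs root; the files are
# normally world-readable). sshd rules reproduced: keywords are case-insensitive, the
# FIRST occurrence wins, and Include files are read at the point of the Include line
# (Ubuntu puts the Include first, so drop-ins override the main file).
# Assumptions for this example: a relative Include pattern resolves against the
# including file's directory (real sshd uses /etc/ssh), one pattern per Include line,
# and everything from the first Match line on is ignored.

# Emit "keyword value" (keyword lowercased) for one file, expanding Include in place.
sshd_flatten() {
  local file="$1" dir line kw rest pat f
  dir="$(dirname "$file")"
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line#"${line%%[![:space:]]*}"}"          # strip leading whitespace
    case "$line" in ''|'#'*) continue ;; esac
    kw="${line%%[[:space:]]*}"
    rest="${line#"$kw"}"; rest="${rest#"${rest%%[![:space:]]*}"}"
    kw="$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')"
    case "$kw" in
      match) break ;;                                 # Match blocks not modelled
      include)
        case "$rest" in /*) pat="$rest" ;; *) pat="$dir/$rest" ;; esac
        for f in $pat; do                             # glob expands here
          if [ -f "$f" ]; then sshd_flatten "$f"; fi
        done ;;
      *) printf '%s %s\n' "$kw" "$rest" ;;
    esac
  done < "$file"
}

# First value set for a keyword, or "(default)" if the files never set it.
sshd_effective() {
  local key val
  key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
  val="$(sshd_flatten "$1" | awk -v k="$key" '$1 == k { sub(/^[^ ]+ */, ""); print; exit }')"
  printf '%s\n' "${val:-(default)}"
}

# Constructed sample tree in the Ubuntu layout; prints the directory it created.
# The main file says PasswordAuthentication no, but a cloud-init style drop-in says
# yes and is included first, so the effective value is yes.
sshd_sample_constructed() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/sshd_config.d"
  printf '%s\n' 'Include sshd_config.d/*.conf' \
                'PermitRootLogin prohibit-password' \
                'PasswordAuthentication no' > "$d/sshd_config"
  printf '%s\n' '# constructed drop-in' 'PasswordAuthentication yes' \
        > "$d/sshd_config.d/50-cloud-init.conf"
  printf '%s\n' "$d"
}

# Stand-alone run on the sample. On a real host:
#   sshd_effective /etc/ssh/sshd_config PasswordAuthentication
demo="$(sshd_sample_constructed)"
for k in PasswordAuthentication PermitRootLogin X11Forwarding; do
  printf '%s = %s\n' "$k" "$(sshd_effective "$demo/sshd_config" "$k")"
done
rm -rf "$demo"
```

The point the sample makes is the one that bites on Ubuntu images: a main sshd_config that reads "PasswordAuthentication no" proves nothing while a drop-in included above it says yes. Treat the file-based answer as a hint and confirm with sshd -T once root access is arranged.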


Staging (192.168.1.253) — CLEAN

Users

johan:1000 only

SSH Keys

Keys were not captured in the baseline, so this comparison is against the previous scan: one key not seen before, johan@inou, which is a known dev device. Informational only; record the current key set in the baseline so future diffs run against a fixed reference.

Listening Ports

Matches baseline. Docker: clickhouse, immich, signal-cli, jellyfin — all healthy.

Login History

All logins from 192.168.1.14. Last login Mar 1.


Prod (192.168.100.2) — UNREACHABLE

SSH returned: Permission denied (publickey,password). The james@forge key is not installed for the scanner account on prod, so the host could not be audited. Note that the server lists password among its accepted methods, which indicates PasswordAuthentication is enabled on prod; verify and tighten this once access exists. Action needed: Johan to install the james@forge key on prod or provide access.


Caddy (192.168.0.2) — ⚠️ WARNING

Findings

[ALERT] New user hans:1002 — not in baseline

  • User exists: uid=1002(hans) gid=1005(hans) groups=1005(hans), shell: /bin/bash
  • Has SSH authorized_keys: hans@vault1984-hq, the same key (same fingerprint) as the hans key in forge's authorized_keys
  • Login shell is bash — full interactive access
  • Not in baseline (baseline lists only johan:1000, stijn:1001)
  • The fingerprint match with forge's hans key makes this likely vault1984 project related; the comment field alone would not prove that, since it is free text
  • Needs confirmation from Johan — when was this added, by whom, and why?
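The cross-host question raised here and in the forge Users section (is the hans@vault1984-hq entry on caddy the same key as the one on forge, and is either in baseline?) as an added example, not the scan job's code. It matches on the base64 key blob rather than the comment, because the comment is free text. Host names, blobs and comments are constructed; the blobs are not real keys, and one of them is deliberately listed under two different comments to show why the blob is the thing to compare.

```shell
#!/usr/bin/env bash
# Added example, not the scan job's code: audit authorized_keys entries across hosts
# by key material rather than by comment. Host names, key blobs and comments are
# constructed; the blobs are not real keys.

# Baseline: "host keytype blob" per line (constructed).
keys_baseline_constructed() {
  cat <<'EOF'
forge ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOHANKEYconstructed0001
caddy ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAMESKEYconstructed0002
EOF
}

# Current authorized_keys lines, each prefixed with the host it was read from
# (constructed; one blob appears on two hosts under two different comments).
keys_current_constructed() {
  cat <<'EOF'
forge ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOHANKEYconstructed0001 johan@mac
forge ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHANSKEYconstructed0003 hans@vault1984-hq
caddy ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAMESKEYconstructed0002 james@forge
caddy ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHANSKEYconstructed0003 backup@laptop
EOF
}

# stdin: "host [options] keytype blob [comment]" -> "host blob comment" ("-" if none).
# Skips blank and '#' lines and tolerates leading options such as command="..."
# by locating the key-type field first.
key_rows() {
  awk 'NF > 0 && $1 !~ /^#/ {
    for (i = 2; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
    if (i >= NF) next
    c = ""
    for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
    print $1, $(i + 1), (c == "" ? "-" : c)
  }'
}

# Keys present now but absent from the baseline for that host: "host blob comment".
keys_not_in_baseline() {
  local base host blob comment
  base="$(printf '%s\n' "$1" | key_rows | awk '{ print $1, $2 }')"
  printf '%s\n' "$2" | key_rows | while read -r host blob comment; do
    if ! printf '%s\n' "$base" | grep -Fqx "$host $blob"; then
      printf '%s %s %s\n' "$host" "$blob" "$comment"
    fi
  done
}

# Blobs seen on more than one host: "blob host:comment,host:comment".
keys_shared_across_hosts() {
  printf '%s\n' "$1" | key_rows | awk '{
    c = $3; for (k = 4; k <= NF; k++) c = c " " $k
    seen[$2] = seen[$2] (seen[$2] == "" ? "" : ",") $1 ":" c
    n[$2]++
  } END { for (b in n) if (n[b] > 1) print b, seen[b] }'
}

# Stand-alone run on the constructed data. On real hosts, build the second input by
# prefixing each host's authorized_keys lines with the host name.
echo "not in baseline:"
keys_not_in_baseline "$(keys_baseline_constructed)" "$(keys_current_constructed)"
echo "shared across hosts:"
keys_shared_across_hosts "$(keys_current_constructed)"
```

On the sample the hans blob is reported as not in baseline on both hosts and as shared between forge and caddy even though its two comments differ, which is the check that should back a "same key" statement in a report like this one.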

[INFO] Port 1984 exposed publicly via UFW — not in baseline

  • UFW rule 1984/tcp ALLOW IN Anywhere — vault1984 service on caddy
  • Caddy itself is listening on port 1984 (the caddy process, not a rogue service)
  • Likely intentional (vault1984 public site), but confirm this is the desired public exposure
  • Baseline was established before this rule existed; add it once confirmed

Users

johan:1000 and stijn:1001 present as expected (stijn for flourishevents). ⚠️ hans:1002 is new and unconfirmed (see finding above).

SSH Keys

  • root: only james@forge (matches baseline)
  • johan: claude@macbook + johan@ubuntu2404. johan@ubuntu2404 matches baseline; claude@macbook is not in baseline but expected. Add it to the baseline.

Login History

System boot since Aug 5, 2025 — no interactive logins since (clean Raspberry Pi)

SSH Hardening

passwordauthentication no, permitrootlogin without-password, pubkeyauthentication yes

UFW

Active. Rules consistent with baseline + port 1984 addition.

fail2ban

Not running (known from baseline)

TLS Certificate (inou.com)

Valid: expires Jun 3, 2026 (73 days remaining — fine)

Security Patches

⚠️ linux-image-raspi kernel update available: 6.8.0-1043 → 6.8.0-1048 (security)


Zurich (82.22.36.202) — CLEAN

SSH Brute Force (fail2ban)

  • Total failed logins: 11,710 (expected for public VPS)
  • Total banned IPs: 2,709
  • Currently banned: 5 active bans
  • Jail status: 5 jails active (caddy-kuma, caddy-scanner, sshd, stalwart, vaultwarden)

Users

Matches baseline: harry:1000, harry-web:1001

SSH Keys (root)

All 5 keys match baseline exactly. No additions.

Listening Ports

All ports match baseline. No unexpected services.

SSH Hardening

passwordauthentication no, permitrootlogin without-password, pubkeyauthentication yes

UFW

Active. 24 rules, all consistent with baseline (mail ports, web, SSH, Tailscale, Kuma). Note: port 3001 (Kuma) has its own UFW allow rule, so it is reachable directly from the internet and not only through the Caddy proxy. Baseline flagged this.

Docker

uptime-kuma (healthy, 13 days), vaultwarden (healthy, 11 hours — recent restart, normal)

Outbound Connections

Only known peers: the scanner's SSH session from forge (source 47.197.93.62), Tailscale, and a caddy HTTPS request from home.

Security Patches

No pending security upgrades.


Actions Taken This Scan

  1. Killed runaway bash process (PID 3673859) — was spinning at 99.9% CPU for nearly 5 days (4d 21h)
  2. Killed rogue python3 -m http.server 8000 — unexpected listener on LAN interface

Open Items for Johan

  1. Caddy: hans:1002 user — Confirm this was intentional (vault1984 related?). Update baseline if so.
  2. Forge: hans@vault1984-hq SSH key — Still "pending confirmation" since 2026-03-08. Confirm or remove.
  3. Forge: Port 8888 dev server — Kill when not actively developing clavitor design system.
  4. Forge: VNC port 5900 (x11vnc) — No password option in the cmdline; verify ~/.x11vncrc sets one, otherwise restart with -localhost behind an SSH tunnel or add -rfbauth. Consider restricting to LAN either way.
  5. Forge: Port 8098 (vault1984-accounts) — Not in baseline. Add to baseline or investigate.
  6. Prod (192.168.100.2) — SSH access needed to audit. Install james@forge key.
  7. Caddy: Kernel update — linux-image-raspi 6.8.0-1043 → 6.8.0-1048 security patch available. Apply and reboot.
  8. Caddy: fail2ban — Still not running (known from baseline). Consider installing.
  9. james-old: xrdp/RDP — Still flagged from baseline. If not needed, disable.
  10. Zurich: Port 3001 (Kuma) — Externally accessible. Consider closing UFW rule if Caddy proxy is sufficient.