johan
/
clawd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clawd/memory/security-scans/2026-03-22.md

216 lines
8.0 KiB
Markdown
Raw Blame History

# Security Posture Scan — 2026-03-22
Scan time: 09:00 AM ET (13:00 UTC)
Conducted by: James (weekly cron job)
## Summary
| Host | Status | Issues |
|------|--------|--------|
| forge (192.168.1.16) | ⚠️ WARNING | 3 findings (1 cleaned up live) |
| james-old (192.168.1.17) | ⚠️ WARNING | RDP still open (known), xrdp running |
| staging (192.168.1.253) | ✅ CLEAN | Matches baseline |
| prod (192.168.100.2) | ❌ UNREACHABLE | SSH key not installed |
| caddy (192.168.0.2) | ⚠️ WARNING | New user `hans:1002` — needs confirmation |
| zurich (82.22.36.202) | ✅ CLEAN | High brute force volume (normal for VPS) |
---
## Forge (192.168.1.16) — ⚠️ WARNING
### Findings
**[FIXED] Zombie bash process (PID 3673859) consuming 99.9% CPU**
- Process running for 4d 21h: `/bin/bash -c openclaw logs --follow | head -30 ...`
- State: R (running), 3.6MB RSS — spinning loop on openclaw log follow
- Action taken: Killed. Process confirmed gone.
**[FIXED] Rogue python3 http.server on port 8000**
- `python3 -m http.server 8000 --bind 192.168.1.16` — bound to LAN interface
- No legitimate service expected on 8000
- Action taken: Killed. Port confirmed closed.
**[INFO] Go dev server running on port 8888 (all interfaces)**
- Binary: `/tmp/go-build830895623/b001/exe/server` (built 07:12 today)
- Source: `/home/johan/dev/clavitor/design-system/server.go` — a no-cache file server for UI dev
- Owner: johan, no suspicious behavior, likely left running after dev session
- Recommendation: Kill when not in active dev use. Port 8888 not in baseline — add or clean up.
**[INFO] VNC (x11vnc) on port 5900 — all interfaces**
- PID 3936577: `x11vnc -display :99 -rfbport 5900 -forever -bg`
- Running since Mar 18. Port 5900 not in baseline but may be needed for headed Chrome/GUI.
- No authentication flags visible in cmdline — recommend verifying VNC has a password set.
**[INFO] Port 8098 (vault1984-accounts) — not in baseline**
- `vault1984-accou` process on all interfaces. vault1984 project is known.
- Baseline has port 1984 for vault1984, not 8098. Baseline needs update.
### Users
✅ Matches baseline: `johan:1000`, `scanner:1001`
⚠️ `hans@vault1984-hq` key still in authorized_keys — baseline notes "pending confirmation" (added 2026-03-08)
### Login History
✅ All logins from 192.168.1.14 (Johan's Mac) or 100.114.238.41 (Tailscale). No unknown sources.
### Failed Logins
✅ Clean (no lastb entries — no brute force on this LAN host)
### SSH Hardening
⚠️ Could not verify (`sshd -T` requires root — ran as johan)
### UFW
❌ NOT installed (known deficiency from baseline — relying on router)
### fail2ban
✅ Active (service running)
---
## James-Old (192.168.1.17) — ⚠️ WARNING
### Findings
**[KNOWN] Port 3389 (RDP) still open**
- `xrdp` process running. Origin flagged at baseline 2026-03-01, still unresolved.
- No new logins since Mar 2 (last: `192.168.1.14` — Johan's Mac). Clean.
- Recommendation: If RDP is not needed, disable xrdp.
### Users
✅ Matches baseline: `johan:1000`, `scanner:1001`
### Login History
✅ All from 192.168.1.14. Last login Mar 2 (system rarely accessed).
### SSH Keys
✅ Matches baseline exactly.
### Listening Ports
✅ Within baseline. Docker: spacebot (healthy, up 11 days).
### SSH Hardening / UFW
⚠️ Could not verify with user-level access (known limitation)
---
## Staging (192.168.1.253) — ✅ CLEAN
### Users
`johan:1000` only
### SSH Keys
Matches expected keys. One new key vs last baseline: `johan@inou` — legitimate dev device.
(Baseline note: keys not captured at baseline — this is informational)
### Listening Ports
✅ Matches baseline. Docker: clickhouse, immich, signal-cli, jellyfin — all healthy.
### Login History
✅ All logins from 192.168.1.14. Last login Mar 1.
---
## Prod (192.168.100.2) — ❌ UNREACHABLE
SSH returned: `Permission denied (publickey,password)`
SSH key not installed for james@forge on prod host. Cannot audit.
Action needed: Johan to install SSH key on prod or provide access.
---
## Caddy (192.168.0.2) — ⚠️ WARNING
### Findings
**[ALERT] New user `hans:1002` — not in baseline**
- User exists: `uid=1002(hans) gid=1005(hans) groups=1005(hans)`, shell: `/bin/bash`
- Has SSH authorized_keys: `hans@vault1984-hq` (same key as in forge's authorized_keys)
- Login shell is bash — full interactive access
- Not in baseline (baseline only lists `johan:1000`, `stijn:1001`)
- This is likely related to vault1984 project (same key fingerprint as forge's hans key)
- **Needs confirmation from Johan** — when was this added and why?
**[INFO] Port 1984 exposed publicly via UFW**
- UFW rule `1984/tcp ALLOW IN Anywhere` — vault1984 service on caddy
- Caddy listening on port 1984 (via caddy process, not a rogue service)
- Likely intentional (vault1984 public site) but confirm this is desired public exposure
**[INFO] UFW note: `1984/tcp` in public rules**
- Baseline established before this rule existed — needs baseline update
### Users
`stijn:1001` present (expected for flourishevents)
⚠️ `hans:1002` — new, unconfirmed
### SSH Keys
- root: only `james@forge` ✅ (matches baseline)
- johan: `claude@macbook` + `johan@ubuntu2404` ✅ (matches baseline — macbook key not in baseline but expected)
### Login History
System boot since Aug 5, 2025 — no interactive logins since (clean Raspberry Pi)
### SSH Hardening
`passwordauthentication no`, `permitrootlogin without-password`, `pubkeyauthentication yes`
### UFW
✅ Active. Rules consistent with baseline + port 1984 addition.
### fail2ban
❌ Not running (known from baseline)
### TLS Certificate (inou.com)
✅ Valid: expires Jun 3, 2026 (73 days remaining — fine)
### Security Patches
⚠️ `linux-image-raspi` kernel update available: 6.8.0-1043 → 6.8.0-1048 (security)
---
## Zurich (82.22.36.202) — ✅ CLEAN
### SSH Brute Force (fail2ban)
- Total failed logins: **11,710** (expected for public VPS)
- Total banned IPs: **2,709**
- Currently banned: 5 active bans
- Jail status: 5 jails active (caddy-kuma, caddy-scanner, sshd, stalwart, vaultwarden) ✅
### Users
✅ Matches baseline: `harry:1000`, `harry-web:1001`
### SSH Keys (root)
✅ All 5 keys match baseline exactly. No additions.
### Listening Ports
✅ All ports match baseline. No unexpected services.
### SSH Hardening
`passwordauthentication no`, `permitrootlogin without-password`, `pubkeyauthentication yes`
### UFW
✅ Active. 24 rules — all consistent with baseline (mail ports, web, SSH, Tailscale, Kuma).
Note: Port 3001 (Kuma) has UFW allow rule — this IS accessible externally. Baseline flagged this.
### Docker
✅ uptime-kuma (healthy, 13 days), vaultwarden (healthy, 11 hours — recent restart, normal)
### Outbound Connections
✅ Known connections: SSH from forge (47.197.93.62), Tailscale, caddy HTTPS request from home.
### Security Patches
✅ No pending security upgrades.
---
## Actions Taken This Scan
1. **Killed** zombie bash process (PID 3673859) — was spinning at 99.9% CPU for 5 days
2. **Killed** rogue `python3 -m http.server 8000` — unexpected listener on LAN interface
## Open Items for Johan
1. **Caddy: `hans:1002` user** — Confirm this was intentional (vault1984 related?). Update baseline if so.
2. **Forge: `hans@vault1984-hq` SSH key** — Still "pending confirmation" since 2026-03-08. Confirm or remove.
3. **Forge: Port 8888 dev server** — Kill when not actively developing clavitor design system.
4. **Forge: VNC port 5900 (x11vnc)** — Verify password authentication is configured. Consider restricting to LAN.
5. **Forge: Port 8098 (vault1984-accounts)** — Not in baseline. Add to baseline or investigate.
6. **Prod (192.168.100.2)** — SSH access needed to audit. Install james@forge key.
7. **Caddy: Kernel update**`linux-image-raspi` 6.8.0-1048 security patch available.
8. **Caddy: fail2ban** — Still not running (known from baseline). Consider installing.
9. **james-old: xrdp/RDP** — Still flagged from baseline. If not needed, disable.
10. **Zurich: Port 3001 (Kuma)** — Externally accessible. Consider closing UFW rule if Caddy proxy is sufficient.
Reference in New Issue View Git Blame Copy Permalink