# Caddy (192.168.0.2) — Security Baseline
Established: 2026-02-22

## Root SSH Authorized Keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge

## Expected Users (uid>=1000)
nobody:65534 (system)
johan:1000
stijn:1001 (/var/www/flourishevents — web service account, nologin equivalent)

## Expected Listening Ports
- 22 (SSH)
- 80/443 (Caddy reverse proxy)
- 40021 (vsftpd passive FTP)
- 2019 (Caddy admin API — localhost)
- 53 (systemd-resolved — localhost)
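
A drift check for the listener baseline above, as an added example that is not part of the original baseline file: it parses `ss -H -tln` output and reports ports that are unexpected, missing, or bound beyond loopback where the baseline says localhost. The `SAMPLE` text is constructed, and the names `BASELINE`, `is_loopback` and `check_listeners` are this example's own.

```python
import ipaddress

# Expected TCP listeners from the baseline: port -> True if loopback-only.
BASELINE = {22: False, 80: False, 443: False, 40021: False, 2019: True, 53: True}

# Constructed sample of `ss -H -tln` output (not captured from the host).
SAMPLE = """\
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 *:80             *:*
LISTEN 0 4096 *:443            *:*
LISTEN 0 4096 0.0.0.0:2019     0.0.0.0:*
LISTEN 0 80   0.0.0.0:3306     0.0.0.0:*
"""

def is_loopback(addr):
    """True if the bind address is loopback (127.0.0.0/8 or ::1)."""
    host = addr.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" wildcard or anything unparsable
        return False

def check_listeners(ss_output, baseline=BASELINE):
    """Return (kind, port, addr) findings: exposed, unexpected, then missing."""
    findings, seen = [], set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # local address:port column
        if not port.isdigit():
            continue
        port = int(port)
        seen.add(port)
        if port not in baseline:
            findings.append(("unexpected", port, addr))
        elif baseline[port] and not is_loopback(addr):
            findings.append(("exposed", port, addr))
    findings += [("missing", p, None) for p in sorted(set(baseline) - seen)]
    return findings

if __name__ == "__main__":
    for kind, port, addr in check_listeners(SAMPLE):
        print(f"{kind:10} port={port} addr={addr}")
```

On the host, feed it the real output of `ss -H -tln` instead of `SAMPLE`; it covers TCP listeners only.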

## SSH Hardening
- PasswordAuthentication: no ✅
- PermitRootLogin: without-password ✅
- PubkeyAuthentication: yes ✅

## Known Firewall State
UFW: ACTIVE ✅
Rules: SSH (LIMIT from LAN), 80/443 (ALLOW), 40021 (ALLOW), 40000-40010 (ALLOW — FTP passive)

## Known Issues at Baseline
- fail2ban not active
- vsftpd running (FTP) — known for flourishevents site
- User `stijn` exists (/var/www/flourishevents) — web service account