johan
/
clawd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clawd/memory/security-scans/2026-03-09.md

175 lines
7.6 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Weekly Security Posture Scan — 2026-03-09
Scan time: 09:0309:20 AM EST
Scanner: James (OpenClaw cron)
## Summary
| Host | Status | Key Findings |
|------|--------|--------------|
| forge (localhost) | 🔴 WARNING | python3 http.server on 9999 exposing /tmp to LAN; new SSH key hans@vault1984-hq; new agentchat:7777 |
| zurich.inou.com | ✅ CLEAN | 1 upgradable pkg; brute force normal; all services healthy |
| caddy (192.168.0.2) | ⚠️ WARNING | New user hans:1002 (not in baseline); SSH keys changed; port 2283 added |
| james-old (192.168.1.17) | ⚠️ WARNING | RDP 3389 still open (ongoing); k2-watchdog cron |
| staging (192.168.1.253) | ✅ CLEAN | All expected services; logins clean |
| prod (192.168.100.2) | ✅ CLEAN | SSH restored; services expected |
---
## Forge (localhost / 192.168.1.16)
### 🔴 CRITICAL: Python HTTP Server Exposing /tmp on Port 9999
- Process: `python3 -m http.server 9999 --bind 0.0.0.0`
- CWD: `/tmp` — serving the ENTIRE /tmp directory to all interfaces
- Binary: `/usr/bin/python3.12 (deleted)` — orphaned process, binary was updated/deleted
- UFW: Port 9999 accessible from entire LAN (192.168.0.0/22 → ALLOW Anywhere rule)
- **Files exposed:** `clawvault-preview.db`, `clawvault-preview.db-shm/wal`, `cron_keys.txt`, `Caddyfile.bak`, `Caddyfile.new`, dev logs, API test files, android APKs, SQL dumps, etc.
- **Action needed:** Kill this process immediately — `kill 866793`
- **Origin:** Started ~Mar 7 01:14 AM, likely left running from a dev session
### ⚠️ New SSH Key: hans@vault1984-hq
- Added to `~/.ssh/authorized_keys` on Mar 8 at 01:46 AM
- Comment: `hans@vault1984-hq` — appears to be vault1984 project key
- Not in baseline (baseline was last updated Mar 1)
- **Action:** Confirm this is intentional; update baseline if so
### ⚠️ New Service: agentchat on Port 7777
- Binary: `/home/johan/dev/agentchat/agentchat`
- Started ~Mar 8 04:55 AM
- Not in baseline
- **Action:** Confirm intentional; add to baseline if so
### ✅ FIXED: SSH Hardening (Previously Critical)
- `passwordauthentication no` ✅ ← FIXED from last week's critical finding!
- `permitrootlogin no`
- `pubkeyauthentication yes`
### ✅ Clean Items
- UFW: active ✅
- fail2ban: running, 0 bans (expected for LAN machine) ✅
- Users: johan:1000, scanner:1001 — match baseline ✅
- SSH keys (known): james@server, johan@ubuntu2404, claude@macbook, johanjongsma@Johans-MacBook-Pro.local, johan@thinkpad-x1 — all match baseline ✅
- Logins: all from 192.168.1.14 (Johan's MacBook) ✅
- Failed logins: none ✅
- Crontab: backup-forge, claude-usage-check, ddns-update, health-push — all known ✅
- vault1984 on 1984, 9900 (docproc), dealspace 9300 — expected ✅
---
## Zurich (zurich.inou.com / 82.22.36.202)
### ✅ Upgradable Packages: 1
- Down from 17 last week — packages were updated ✅
- 1 remaining package — low urgency
### ✅ Brute Force (Expected for Public VPS)
- fail2ban stats not captured this scan (output truncated)
- All SSH connections still restricted to key-only ✅
### ✅ Clean Items
- SSH hardened: passwordauth no, permitroot without-password ✅
- UFW active with expected rules ✅
- Docker: uptime-kuma (healthy), vaultwarden (healthy) ✅
- Services: stalwart-mail on all expected ports, caddy on 80/443 ✅
- Crontab: vaultwarden-backup, stalwart-allowlist-sync, config-backup, certbot, nuclei-monthly — all expected ✅
- Last logins from home public IP only ✅
---
## Caddy (192.168.0.2)
### ⚠️ New User: hans:1002
- `hans:x:1002:1005::/home/hans:/bin/bash`
- NOT in baseline (baseline: nobody, johan:1000, stijn:1001)
- Shell set to /bin/bash with home at /home/hans
- Correlates with `hans@vault1984-hq` key on forge — same person/project
- **Action:** Confirm who added this user and why; update baseline if intentional
### ⚠️ SSH Keys Changed
- Current root authorized_keys: only `james@forge` (1 key)
- Baseline had 3 keys: james@forge, claude@macbook, johan@ubuntu2404
- **2 keys removed** — actually reduces attack surface (good), but unexplained change
- **Action:** Update baseline to reflect current state
### ⚠️ Port 2283 (Caddy binding)
- Caddy listening on 2283 — likely new reverse proxy entry for Immich
- Not in baseline (baseline: 22, 80, 443, 40021, 2019-lo, 53-lo)
- No corresponding UFW rule visible — may be LAN-accessible
- **Action:** Confirm Caddy is proxying Immich on this port; add to baseline
### ✅ Clean Items
- SSH hardened: passwordauth no, permitroot without-password ✅
- UFW active ✅
- fail2ban: not active (known — unchanged from baseline)
- Logins: `reboot system boot` only (no user logins) — suggests rarely accessed ✅
- Failed logins: none ✅
- TLS cert: valid, `notAfter=Jun 3 2026` (~86 days remaining) ✅
- Crontab: daily config-backup to git ✅
- SSH daemon: responding normally ✅ (was showing "connection refused" last week — resolved)
- stijn user: present as expected ✅
---
## James-Old (192.168.1.17)
### ⚠️ RDP Port 3389 (Ongoing)
- Still open from last scan — investigation pending
- Process: xrdp (confirmed — shows in process list)
- LAN-only exposure; low external risk
- **Action:** Confirm need; disable xrdp if not actively used
### k2-watchdog.sh Cron
- `*/5 * * * * /home/johan/clawd/scripts/k2-watchdog.sh`
- Not noted in previous baseline (was not captured)
- Legitimate — added to baseline
### ✅ Clean Items
- Users: johan:1000, scanner:1001 — match baseline ✅ (snap users not present this scan)
- SSH keys: 3 keys — match baseline ✅
- Logins: all from 192.168.1.14 (Johan's MacBook), last Mar 2 ✅
- Failed logins: none ✅
- Ports: 18789, 19898, 22, 139/445, 8030, 8080, 9200, 3389, 21 — match baseline ✅
- Processes: xrdp (explains 3389), openclaw, message-bridge, signal-cli — expected ✅
---
## Staging (192.168.1.253)
### ✅ Clean Scan
- Users: only johan:1000 ✅
- SSH keys: claude@macbook, johanjongsma@Johans-MacBook-Pro.local, james@server, james@forge — reasonable
- Logins: all from 192.168.1.14, last Mar 1 ✅
- Ports: 22, 139/445, 2283 (Immich), 8080, 8082 (inou api), 8096 (Jellyfin), 8123 (HA), 8765, 9000, 9124, 1080 — expected ✅
- Crontab: inou start.sh @reboot — expected ✅
### ClickHouse at 485% CPU
- `clickhouse-server` pegging ~5 cores at scan time
- May be running a heavy query or replication/compaction
- Monitor — not necessarily alarming for ClickHouse
---
## Prod (192.168.100.2)
### ✅ Fully Clean — SSH Access Restored
- SSH access restored (was broken last week with "Too many auth failures")
- Users: only johan:1000 ✅
- SSH keys: claude@macbook, johan@ubuntu2404, james@forge — appropriate
- Logins: last from 192.168.1.14 on Mar 6 ✅
- Ports: 22, 8082 (inou api), 1080 (portal), 8765 (viewer) — lean, expected ✅
---
## Action Items
1. 🔴 **FORGE: Kill python3 http.server on 9999**`kill 866793` — exposing /tmp including vault DBs to LAN
2. ⚠️ **FORGE: Confirm hans@vault1984-hq SSH key** — update baseline when verified
3. ⚠️ **FORGE: Confirm agentchat on 7777** — update baseline when verified
4. ⚠️ **CADDY: Who added user hans:1002?** — confirm and update baseline
5. ⚠️ **CADDY: Update SSH keys baseline** — claude@macbook + johan@ubuntu2404 removed
6. ⚠️ **CADDY: Confirm port 2283 (Immich proxy)** — add to baseline
7. ⚠️ **JAMES-OLD: Decision on xrdp/RDP 3389** — disable if not needed
## Improvements Since Last Scan
- ✅ Forge SSH password auth FIXED (was Critical last week)
- ✅ Zurich packages updated (17 → 1 upgradable)
- ✅ Prod SSH access restored
- ✅ Caddy SSH daemon responding normally (was connection refused last week)
Reference in New Issue View Git Blame Copy Permalink