clawd/memory/security-scans/2026-03-01.md

# Weekly Security Posture Scan — 2026-03-01
Scan time: 09:01 to 09:15 AM EST
Scanner: James (OpenClaw cron)
## Summary
| Host | Status | Findings |
|------|--------|----------|
| forge (localhost) | ⚠️ WARNING | SSH password auth enabled, new port 1984, new user scanner |
| zurich.inou.com | ⚠️ WARNING | 17 upgradable packages |
| caddy (192.168.0.2) | ⚠️ WARNING | SSH daemon not responding, extra SSH keys |
| james-old (192.168.1.17) | ⚠️ WARNING | Port 3389 (RDP) open, no baseline (first scan) |
| staging (192.168.1.253) | INFO | First scan, no baseline |
| prod (192.168.100.2) | ❌ ERROR | Access denied — could not scan |
---
## Forge (localhost / 192.168.1.16)
### 🔴 CRITICAL: SSH Password Auth Enabled
- Effective setting `passwordauthentication yes` (as reported by `sshd -T`) — differs from baseline expectation
- Baseline expected: `no`
- **Action needed:** Set `PasswordAuthentication no` and confirm the effective value afterwards with `sudo sshd -T | grep -i passwordauthentication`. Note that Debian/Ubuntu's `/etc/ssh/sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads, so a drop-in (cloud-init images ship `50-cloud-init.conf` with `PasswordAuthentication yes`) overrides anything written later in `sshd_config` itself. `grep -ri passwordauthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/` shows where the `yes` actually comes from.
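Why editing `sshd_config` alone can leave `sshd -T` still reporting `yes`: sshd keeps the first value it reads, and the distro's `Include` of `sshd_config.d/*.conf` sits at the top of the file. The resolver below walks the files in that order, reports which file and line won, and writes a `00-` drop-in that sorts ahead of the distro's own. This is an added example, not OpenClaw/clawd code; it uses simplified sshd semantics (first value wins, case-insensitive keywords, Include globs expanded in sorted order, anything after a `Match` line skipped, which is what `sshd -T` without `-C` reports) and builds a constructed config tree under a temp directory so it runs without root or a real sshd. Against a live host, `resolve("PasswordAuthentication")` with the default `root="/"` reads `/etc/ssh` directly.

```python
"""Resolve the value sshd will actually use for a directive, the way
`sshd -T` does, by walking sshd_config and every file it Includes.

Added example, not part of the OpenClaw scanner. Assumed (simplified)
sshd semantics: first value obtained for a keyword wins; keywords are
case-insensitive; Include globs expand in sorted order at the point of
the Include line; lines starting with '#' are comments; everything after
a Match line is conditional and skipped. The demo tree is constructed.
"""
import glob
import os
import re
import tempfile

# "Keyword value" or "Keyword=value"; sshd keywords are alphanumeric
DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def _locate(path, root):
    """Map a config path into `root`; relative Include paths are taken
    relative to /etc/ssh, as sshd does."""
    if os.path.isabs(path):
        return os.path.join(root, path.lstrip("/"))
    return os.path.join(root, "etc/ssh", path)


def _directives(path, root, seen):
    """Yield (keyword, value, file, lineno) in the order sshd reads them."""
    if path in seen:                       # guard against Include loops
        return
    seen.add(path)
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = DIRECTIVE_RE.match(line)
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "match":             # rest of this file is conditional
                return
            if key == "include":
                for pattern in value.split():
                    for inc in sorted(glob.glob(_locate(pattern, root))):
                        yield from _directives(inc, root, seen)
                continue
            yield key, value, path, lineno


def resolve(keyword, root="/", config="/etc/ssh/sshd_config"):
    """Return {"value", "file", "line"} for the winning occurrence of
    keyword, or None if no file sets it (then sshd's compiled-in default
    applies; for PasswordAuthentication that default is yes)."""
    wanted = keyword.lower()
    for key, value, path, lineno in _directives(_locate(config, root), root, set()):
        if key == wanted:
            return {"value": value.lower(), "file": path, "line": lineno}
    return None


def write_dropin(root="/", name="00-hardening.conf", settings=None):
    """Write a drop-in that sorts before the distro's own drop-ins. With the
    Include at the top of sshd_config and first-value-wins, this beats both
    50-cloud-init.conf and sshd_config itself."""
    settings = settings or {"PasswordAuthentication": "no"}
    dropin_dir = _locate("sshd_config.d", root)
    os.makedirs(dropin_dir, exist_ok=True)
    target = os.path.join(dropin_dir, name)
    with open(target, "w") as fh:
        for key, value in settings.items():
            fh.write(f"{key} {value}\n")
    return target


def build_demo_root():
    """Constructed tree reproducing the forge finding: sshd_config says no,
    but a cloud-init drop-in that is read first says yes."""
    root = tempfile.mkdtemp(prefix="sshdcfg-")
    etc = os.path.join(root, "etc/ssh")
    os.makedirs(os.path.join(etc, "sshd_config.d"))
    with open(os.path.join(etc, "sshd_config"), "w") as fh:
        fh.write("Include /etc/ssh/sshd_config.d/*.conf\n"
                 "#PasswordAuthentication yes\n"
                 "PasswordAuthentication no\n"
                 "PermitRootLogin no\n")
    with open(os.path.join(etc, "sshd_config.d", "50-cloud-init.conf"), "w") as fh:
        fh.write("PasswordAuthentication yes\n")
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print("before:", resolve("PasswordAuthentication", demo))
    write_dropin(demo)
    print("after: ", resolve("PasswordAuthentication", demo))
```

After writing the drop-in on a real host, still run `sudo sshd -t` before restarting and `sudo sshd -T | grep -i passwordauthentication` after, since the resolver is a model of sshd's parser, not sshd itself.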
### ⚠️ New Service: vault1984 on Port 1984
- Process: `./vault1984` (pid 3020492, started ~06:01)
- Binary: `/home/johan/dev/vault1984/vault1984`
- Not in baseline port list
- Appears to be Johan's dev project — confirm and add to baseline if intentional
### New User: scanner:1001
- Added since Feb 22 baseline
- Per TOOLS.md: dedicated scanner user for SMB share (`\\...\docsys`)
- **Legitimate** — update baseline
### ✅ Clean Items
- SSH keys: match baseline exactly (5 keys, all known)
- Logins: all from 192.168.1.14 (Johan's MacBook) — no suspicious IPs
- No failed logins (empty lastb)
- fail2ban running (root process active)
- Crontab: only known jobs (usage-check, health-push, ddns-update)
- Docker: not installed (expected)
- permitrootlogin: no ✅
### OCR Service
- Port 8090 was offline at scan time — restarted by systemd at 09:03 AM during scan
- Now active — monitor for stability
---
## Zurich (zurich.inou.com / 82.22.36.202)
### ⚠️ Upgradable Packages: 17
- `apt list --upgradable` returns 17 packages
- May include security patches — in the `apt list --upgradable` output, entries from the `-security` pocket (e.g. `pkg/jammy-security ...`) are the ones that matter; run `sudo apt update && sudo apt upgrade` soon. The Docker containers (vaultwarden, uptime-kuma) are not covered by apt and need their images pulled separately.
### ⚠️ Brute Force Volume (Normal for Public VPS)
- fail2ban: 904 total banned, 11 currently banned
- Recent attempts: nvidia, ubnt, user, debian, config usernames
- `harryhaa` username attempt from 172.94.9.65 — targeting the harry web user by name (not alarming, common scraping)
- All blocked by fail2ban ✅
### ✅ Clean Items
- SSH hardened: `passwordauthentication no`, `permitrootlogin without-password` (deprecated alias of `prohibit-password`: root only with a key)
- UFW active with expected rules ✅
- Users: harry:1000, harry-web:1001 — match baseline ✅
- SSH keys: all 5 match baseline ✅
- Docker: uptime-kuma (up 10d), vaultwarden (up 12h) — expected ✅
- Last successful logins: only from 47.197.93.62 (home public IP) ✅
---
## Caddy (192.168.0.2)
### ⚠️ SSH Daemon Not Responding on Port 22
- `Connection refused` from 192.168.1.16 (forge): caddy answered (TCP RST or ICMP port-unreachable), so packets do reach it; either nothing listens on 22 (sshd down, or moved to another port) or a rule explicitly rejects. A UFW `deny` rule drops silently and would show up as a timeout, not a refusal.
- UFW rules should allow 192.168.0.0/22 → 22
- Connected via Tailscale instead (required re-auth — not completed in scan)
- **Action needed:** On caddy, run `systemctl status ssh` and `sudo ss -tlnp 'sport = :22'`; if sshd is up, check `sudo ufw status numbered` for a reject rule and `sudo sshd -T | grep -iE '^(port|listenaddress)'` for a moved port
### ⚠️ Extra SSH Keys Not in Baseline
- Baseline (Feb 22): only `james@forge`
- Current: also has `claude@macbook` and `johan@ubuntu2404`
- These are known keys, likely added intentionally — confirm with Johan before updating the baseline, and record them by fingerprint (`ssh-keygen -lf ~/.ssh/authorized_keys`) rather than by comment, since the comment field is free text chosen by whoever wrote the line
### ✅ Clean Items
- UFW: active with expected rules ✅
- Users: nobody, johan:1000, stijn:1001 — match baseline ✅
- No failed or suspicious logins
- Caddy/FTP services not verified this scan (no SSH session); the UFW rules for them are still in place
---
## James-Old (192.168.1.17) — First Scan
### ⚠️ Port 3389 (RDP) Open — Investigate
- RDP listener detected on all interfaces
- This machine is on LAN, not public — but still unexplained
- No baseline exists — adding this as known but flagged for review
- **Check:** identify the owning process with `sudo ss -tlnp 'sport = :3389'` (without root, `ss -p` only names processes owned by the current user); an xrdp-type server someone installed on purpose would explain it, anything else needs a closer look
### Port 21 (FTP) Open
- Same as forge — known from Spacebot/Andrew context
- LAN only — low risk
### Users
- nobody, johan:1000, snapd-range-524288-root:524288, snap_daemon:584788, scanner:1001
- Snap-related users expected if snap packages installed
- scanner:1001 — parallel with forge scanner user (SMB)
### Ports
- 18789 (OpenClaw), 19898 (Spacebot/Andrew), 8030 (message-bridge), 8080 (signal-cli), 9200 (dashboard), 22, 139/445 (Samba), 21 (FTP), 3389 (RDP)
### Logins
- All from 192.168.1.14 (Johan's Mac) — clean
### SSH Hardening
- Could not check: `sshd -T` needs root to read the host keys, so it printed nothing as `johan`. The config files are normally world-readable, so `grep -riE '^\s*(PasswordAuthentication|PermitRootLogin)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/` gives a partial answer; run the scan with sudo next time to get the effective values
---
## Staging (192.168.1.253) — First Scan
### Services Running (All LAN-only, expected for dev)
- Port 2283: likely Immich
- Port 8096: Jellyfin
- Port 8123: Home Assistant
- Port 8080: various
- Port 1080/8082/8765/9124: inou portal, api, viewer, dbquery
- Port 18789: OpenClaw
- Port 22/139/445: SSH/Samba
### Users
- nobody, johan:1000 — clean
### Logins
- All from 192.168.1.14 (Johan's Mac) — clean
### SSH Hardening
- Could not check (insufficient privilege as `johan` user; same `sshd -T` limitation as james-old, needs sudo)
---
## Prod (192.168.100.2) — ERROR
- Access denied — `Too many authentication failures`
- This message means the server dropped the connection after `MaxAuthTries` (default 6) failed attempts; the usual cause is the client offering every key in ssh-agent before the right one, so it does not by itself prove the key was removed or rotated
- Could not scan
- **Action needed:** Retry with `ssh -o IdentitiesOnly=yes -i <prod key> 192.168.100.2`; if that still fails, the key was removed or rotated and needs to be reinstalled (prod's `/var/log/auth.log` will show which)
---
## Action Items
1. 🔴 **FORGE: Fix SSH password auth** — `sudo sed -i 's/^#\?PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config` (anchored so a commented `#PasswordAuthentication yes` is uncommented and set, instead of being rewritten to `#PasswordAuthentication no` and left ineffective), then `grep -ri passwordauthentication /etc/ssh/sshd_config.d/` for a drop-in that still says `yes` (it takes precedence), `sudo sshd -t`, `sudo systemctl restart sshd`, and confirm with `sudo sshd -T | grep -i passwordauthentication`. Keep the current session open until a fresh key-based login succeeds.
2. ⚠️ **CADDY: Verify SSH daemon** — check if sshd is running
3. ⚠️ **ZURICH: Run apt upgrade** — 17 pending packages
4. ⚠️ **JAMES-OLD: Investigate RDP port 3389** — who opened it?
5. ⚠️ **PROD: Restore SSH access** — key auth failing; retry with `-o IdentitiesOnly=yes -i <prod key>` before reinstalling the key
6. **Update baselines**: add scanner user (forge/james-old), vault1984 port, caddy extra keys
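The per-host sections above and action item 6 all come down to one operation: diff a snapshot against the stored baseline, rank the drift, then fold the reviewed-and-legitimate items back into the baseline. The block below is an added example of that logic, not the OpenClaw scanner's own code. Its snapshots are constructed from the forge, caddy and staging sections of this report (forge's baseline port list is an assumption), and it goes one step beyond the report by also flagging any non-root account with uid 0. SSH keys are identified by comment here for readability; a real baseline should key on fingerprints (`ssh-keygen -lf authorized_keys`), since the comment is free text.

```python
"""Diff a host snapshot against its stored baseline and emit findings of the
kind this report lists: new listening port, new user, extra SSH key, sshd
directive drifting from its expected value, and "first scan, no baseline".

Added example of the baseline-diff logic, not the OpenClaw scanner's code.
Snapshots are constructed from the report; the forge port list is assumed.
"""
SEVERITY = {"OK": 0, "INFO": 1, "WARNING": 2, "CRITICAL": 3}

# Baseline as recorded on 2026-02-22 (constructed).
BASELINE = {
    "forge": {
        "ports": {21, 22, 8090},
        "users": {"johan": 1000},
        "sshd": {"passwordauthentication": "no", "permitrootlogin": "no"},
    },
    "caddy": {
        "ssh_keys": {"james@forge"},
        "users": {"johan": 1000, "stijn": 1001},
    },
}

# What the 2026-03-01 scan observed (constructed from the report).
CURRENT = {
    "forge": {
        "ports": {21, 22, 1984, 8090},
        "users": {"johan": 1000, "scanner": 1001},
        "sshd": {"passwordauthentication": "yes", "permitrootlogin": "no"},
    },
    "caddy": {
        "ssh_keys": {"james@forge", "claude@macbook", "johan@ubuntu2404"},
        "users": {"johan": 1000, "stijn": 1001},
    },
    "staging": {"ports": {22, 139, 445, 8123}, "users": {"johan": 1000}},
}


def diff_host(host, baseline, current):
    """Return (severity, host, message) findings, highest severity first."""
    if baseline is None:
        return [("INFO", host, "first scan, no baseline; recording snapshot")]
    findings = []

    base_ports, cur_ports = baseline.get("ports", set()), current.get("ports", set())
    for port in sorted(cur_ports - base_ports):
        findings.append(("WARNING", host, f"new listening port {port}"))
    for port in sorted(base_ports - cur_ports):
        findings.append(("INFO", host, f"port {port} no longer listening"))

    base_users = baseline.get("users", {})
    for name, uid in sorted(current.get("users", {}).items()):
        if name not in base_users:
            findings.append(("WARNING", host, f"new user {name}:{uid}"))
        elif base_users[name] != uid:
            findings.append(("CRITICAL", host, f"uid of {name} changed to {uid}"))
        if uid == 0 and name != "root":          # classic backdoor account check
            findings.append(("CRITICAL", host, f"non-root account {name} has uid 0"))

    base_keys, cur_keys = baseline.get("ssh_keys", set()), current.get("ssh_keys", set())
    for key in sorted(cur_keys - base_keys):
        findings.append(("WARNING", host, f"authorized key not in baseline: {key}"))
    for key in sorted(base_keys - cur_keys):
        findings.append(("INFO", host, f"baseline key no longer present: {key}"))

    # sshd expectations are hard requirements, so any drift is critical
    for directive, expected in sorted(baseline.get("sshd", {}).items()):
        actual = current.get("sshd", {}).get(directive)
        if actual != expected:
            findings.append(("CRITICAL", host, f"{directive} {actual} (expected {expected})"))

    return sorted(findings, key=lambda f: (-SEVERITY[f[0]], f[2]))


def host_status(findings):
    """Highest severity among the findings, or OK when nothing drifted."""
    return max((f[0] for f in findings), key=SEVERITY.get, default="OK")


def scan(baseline, current):
    """Diff every scanned host; returns {host: (status, findings)}."""
    results = {}
    for host, snapshot in sorted(current.items()):
        findings = diff_host(host, baseline.get(host), snapshot)
        results[host] = (host_status(findings), findings)
    return results


def accept(baseline, current, host, *, ports=(), users=(), ssh_keys=()):
    """Fold reviewed, legitimate changes into the baseline (action item 6).
    sshd expectations are deliberately never copied from the live host."""
    base = baseline.setdefault(host, {})
    base.setdefault("ports", set()).update(ports)
    base.setdefault("users", {}).update({u: current[host]["users"][u] for u in users})
    base.setdefault("ssh_keys", set()).update(ssh_keys)
    return base


def record(baseline, current, host):
    """First scan: store a copy of the snapshot so the next run can diff."""
    baseline[host] = {k: (dict(v) if isinstance(v, dict) else set(v))
                      for k, v in current[host].items()}
    return baseline[host]


if __name__ == "__main__":
    for host, (status, findings) in scan(BASELINE, CURRENT).items():
        print(f"{host}: {status}")
        for severity, _, message in findings:
            print(f"  {severity}: {message}")
```

Hosts that could not be reached at all (prod in this report) never appear in the current snapshot and need their own ERROR row; a diff tool that silently skips them would hide exactly the case where access was lost.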