clawd/memory/security-baselines/zurich.md


Zurich (zurich.inou.com / 82.22.36.202) — Security Baseline

Established: 2026-02-22

Root SSH Authorized Keys

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4TEk5EWIwLM3+/pU/H5qxZQlNUvIcxj72bYhYOZeQZ james@server
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIhEtv7t3njNoG+mnKElR+rasMArdc8DnHON22lreT7 james@james
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5hDM45kOB8jxk+M4Kk9in9bpwZ90sSZsPBMbzJRkbF johan@thinkpad-x1

Expected Users (uid>=1000)

  • nobody:65534 (system)
  • harry:1000 (/var/www/harryhaasjes — web service, nologin)
  • harry-web:1001 (/home/harry-web — web service, nologin)

Expected Listening Ports

  • 22 (SSH — all interfaces)
  • 25/143/587/465/993/995/110/4190 (Stalwart mail server)
  • 80/443 (Caddy)
  • 2019 (Caddy admin — localhost)
  • 2586 (ntfy — localhost, behind Caddy)
  • 3001 (Uptime Kuma — all interfaces, UFW blocks external)
  • 8080 (Vaultwarden — localhost, behind Caddy)
  • 8880/8443 (Stalwart admin — localhost)
  • 41641 (Tailscale UDP)

SSH Hardening

  • PasswordAuthentication: no
  • PermitRootLogin: without-password
  • PubkeyAuthentication: yes

Known Firewall State

  • UFW: ACTIVE
  • Rules: 22, 80, 443, 41641 (Tailscale), tailscale0, 25, 587, 465, 993, 143, 4190

Known Issues at Baseline

  • High SSH brute force volume — expected for public VPS, mitigated by key-only auth + fail2ban
  • Port 3001 (Kuma) exposed on all interfaces — but UFW blocks it externally (no rule for 3001)
  • Port 110/995 (POP3) not in UFW rules — blocked externally even though Stalwart listens
  • Docker: uptime-kuma, vaultwarden
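
Added example, not part of the original baseline file: a drift check that compares `ss -tuln` output against the expected listening ports and UFW rules recorded above. The port sets are transcribed from this page; the function names, finding labels and sample `ss` output are constructed for illustration, and the check assumes UFW's default incoming policy is deny.

```python
# Added example: drift check against the baseline on this page (not the author's code).
# Port sets are transcribed from the page; SAMPLE_SS is constructed test input.

LOCAL_ONLY = {2019, 2586, 8080, 8880, 8443}   # baseline entries marked "localhost"
ALL_IFACES = {22, 25, 143, 587, 465, 993, 995, 110, 4190, 80, 443, 3001, 41641}
UFW_ALLOWED = {22, 80, 443, 41641, 25, 587, 465, 993, 143, 4190}

SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      4096         0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096            [::]:443           [::]:*
tcp   LISTEN 0      4096       127.0.0.1:2019       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      4096               *:3001             *:*
tcp   LISTEN 0      4096         0.0.0.0:5432       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:41641      0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (port, is_loopback) for each socket line of `ss -tuln` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue                      # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        addr = addr.split("%")[0]         # drop interface scope, e.g. 127.0.0.53%lo
        yield int(port), addr.startswith("127.") or addr == "[::1]"

def audit(ss_output):
    """Return sorted (finding, port) pairs describing drift from the baseline."""
    findings = set()
    for port, loopback in parse_listeners(ss_output):
        if port not in LOCAL_ONLY | ALL_IFACES:
            findings.add(("unexpected-listener", port))
        elif port in LOCAL_ONLY and not loopback:
            findings.add(("widened-from-localhost", port))
        elif not loopback and port not in UFW_ALLOWED:
            # Baseline state for 3001/110/995: no UFW rule, default deny only.
            findings.add(("relies-on-default-deny", port))
    return sorted(findings)

if __name__ == "__main__":
    for finding, port in audit(SAMPLE_SS):
        print(f"{finding:24} {port}")
```

Ports published by Docker are handled in iptables chains that UFW does not manage, so for the containerised services a `relies-on-default-deny` result is worth confirming with a connection test from outside the host rather than from the UFW rule list alone.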