clawd/memory/security-baselines/caddy.md

Caddy (192.168.0.2) — Security Baseline

Established: 2026-02-22

Root SSH Authorized Keys

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge

Expected Users (uid>=1000)

nobody:65534 (system) johan:1000 stijn:1001 (/var/www/flourishevents — web service account, nologin equivalent)

Expected Listening Ports

• 22 (SSH)
• 80/443 (Caddy reverse proxy)
• 40021 (vsftpd passive FTP)
• 2019 (Caddy admin API — localhost)
• 53 (systemd-resolved — localhost)

SSH Hardening

• PasswordAuthentication: no ✅
• PermitRootLogin: without-password ✅
• PubkeyAuthentication: yes ✅

Known Firewall State

UFW: ACTIVE ✅ Rules: SSH (LIMIT from LAN), 80/443 (ALLOW), 40021 (ALLOW), 40000-40010 (ALLOW — FTP passive)

Known Issues at Baseline

• fail2ban not active
• vsftpd running (FTP) — known for flourishevents site
• User stijn exists (/var/www/flourishevents) — web service account