Weekly Security Posture Scan — 2026-03-01

Scan time: 09:01 to 09:15 AM EST
Scanner: James (OpenClaw cron)

Summary

| Host | Status | Findings |
| --- | --- | --- |
| forge (localhost) | ⚠️ WARNING | passwordauth YES, new port 1984, new user scanner |
| zurich.inou.com | ⚠️ WARNING | 17 upgradable packages |
| caddy (192.168.0.2) | ⚠️ WARNING | SSH daemon not responding, extra SSH keys |
| james-old (192.168.1.17) | ⚠️ WARNING | Port 3389 (RDP) open, no baseline (first scan) |
| staging (192.168.1.253) | INFO | First scan, no baseline |
| prod (192.168.100.2) | ERROR | Access denied — could not scan |

Forge (localhost / 192.168.1.16)

🔴 CRITICAL: SSH Password Auth Enabled

  • passwordauthentication yes — differs from baseline expectation
  • Baseline expected: no
  • Action needed: Set PasswordAuthentication no in /etc/ssh/sshd_config, then confirm the effective value with sshd -T (a drop-in under /etc/ssh/sshd_config.d/ can override the main file)

⚠️ New Service: vault1984 on Port 1984

  • Process: ./vault1984 (pid 3020492, started ~06:01)
  • Binary: /home/johan/dev/vault1984/vault1984
  • Not in baseline port list
  • Appears to be Johan's dev project — confirm and add to baseline if intentional

New User: scanner:1001

  • Added since Feb 22 baseline
  • Per TOOLS.md: dedicated scanner user for SMB share (\\...\docsys)
  • Legitimate — update baseline

Clean Items

  • SSH keys: match baseline exactly (5 keys, all known)
  • Logins: all from 192.168.1.14 (Johan's MacBook) — no suspicious IPs
  • No failed logins (empty lastb)
  • fail2ban running (root process active)
  • Crontab: only known jobs (usage-check, health-push, ddns-update)
  • Docker: not installed (expected)
  • permitrootlogin: no

OCR Service

  • Port 8090 was offline at scan time — restarted by systemd at 09:03 AM during scan
  • Now active — monitor for stability

Zurich (zurich.inou.com / 82.22.36.202)

⚠️ Upgradable Packages: 17

  • apt list --upgradable returns 17 packages
  • May include security patches — run apt upgrade soon

⚠️ Brute Force Volume (Normal for Public VPS)

  • fail2ban: 904 total banned, 11 currently banned
  • Recent attempts: nvidia, ubnt, user, debian, config usernames
  • harryhaa username attempt from 172.94.9.65 — targeting the harry web user by name (not alarming, common scraping)
  • All blocked by fail2ban

Clean Items

  • SSH hardened: passwordauthentication no, permitrootlogin without-password
  • UFW active with expected rules
  • Users: harry:1000, harry-web:1001 — match baseline
  • SSH keys: all 5 match baseline
  • Docker: uptime-kuma (up 10d), vaultwarden (up 12h) — expected
  • Last successful logins: only from 47.197.93.62 (home public IP)

Caddy (192.168.0.2)

⚠️ SSH Daemon Not Responding on Port 22

  • Connection refused from 192.168.1.16 (forge)
  • UFW rules should allow 192.168.0.0/22 → 22
  • Possible: SSH service down, port changed, or firewall misconfiguration
  • Connected via Tailscale instead (required re-auth — not completed in scan)
  • Action needed: Verify SSH service is running on caddy

⚠️ Extra SSH Keys Not in Baseline

  • Baseline (Feb 22): only james@forge
  • Current: also has claude@macbook and johan@ubuntu2404
  • These are known keys, likely added intentionally — confirm and update baseline

Clean Items

  • UFW: active with expected rules
  • Users: nobody, johan:1000, stijn:1001 — match baseline
  • No failed or suspicious logins
  • Caddy/FTP services presumably running (UFW rules in place)

James-Old (192.168.1.17) — First Scan

⚠️ Port 3389 (RDP) Open — Investigate

  • RDP listener detected on all interfaces
  • This machine is on LAN, not public — but still unexplained
  • No baseline exists — adding this as known but flagged for review

Port 21 (FTP) Open

  • Same as forge — known from Spacebot/Andrew context
  • LAN only — low risk

Users

  • nobody, johan:1000, snapd-range-524288-root:524288, snap_daemon:584788, scanner:1001
  • Snap-related users expected if snap packages installed
  • scanner:1001 — parallel with forge scanner user (SMB)

Ports

  • 18789 (OpenClaw), 19898 (Spacebot/Andrew), 8030 (message-bridge), 8080 (signal-cli), 9200 (dashboard), 22, 139/445 (Samba), 21 (FTP), 3389 (RDP)

Logins

  • All from 192.168.1.14 (Johan's Mac) — clean

SSH Hardening

  • Could not check (insufficient privilege as johan user — sshd -T returned nothing)

Staging (192.168.1.253) — First Scan

Services Running (All LAN-only, expected for dev)

  • Port 2283: likely Immich
  • Port 8096: Jellyfin
  • Port 8123: Home Assistant
  • Port 8080: various
  • Port 1080/8082/8765/9124: inou portal, api, viewer, dbquery
  • Port 18789: OpenClaw
  • Port 22/139/445: SSH/Samba

Users

  • nobody, johan:1000 — clean

Logins

  • All from 192.168.1.14 (Johan's Mac) — clean

SSH Hardening

  • Could not check (insufficient privilege as johan user)

Prod (192.168.100.2) — ERROR

  • Access denied — Too many authentication failures
  • SSH key not installed or key rotation occurred
  • Could not scan
  • Action needed: Re-establish SSH access to prod

Action Items

  1. 🔴 FORGE: Fix SSH password auth: `sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl restart sshd` (sshd -t validates the config before the restart so a typo cannot lock out SSH)
  2. ⚠️ CADDY: Verify SSH daemon — check if sshd is running
  3. ⚠️ ZURICH: Run apt upgrade — 17 pending packages
  4. ⚠️ JAMES-OLD: Investigate RDP port 3389 — who opened it?
  5. ⚠️ PROD: Restore SSH access — key auth failing
  6. Update baselines: add scanner user (forge/james-old), vault1984 port, caddy extra keys