johan
/
clawd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clawd/memory/security-scans/2026-02-22.md

9.4 KiB
Raw Blame History

Weekly Security Posture Scan — 2026-02-22

Scan time: Sunday, February 22nd, 2026 — ~09:01 AM EST FIRST RUN — Baselines established in memory/security-baselines/

Summary

Host Firewall SSH Hardened fail2ban Intrusion Indicators Overall
forge (localhost) None None ⚠️ WARN
james-old (192.168.1.17) UFW inactive ⚠️ Unknown None ⚠️ WARN
staging (192.168.1.253) UFW inactive ⚠️ Unknown None ⚠️ WARN
caddy (192.168.0.2) UFW active None ⚠️ WARN
prod (192.168.100.2) No access UNREACHABLE
zurich.inou.com UFW active Brute force (expected) OK

FORGE (192.168.1.16 — localhost)

Firewall

  • UFW NOT INSTALLED — no host-level firewall
  • Relying entirely on network-level controls (router/UDM-Pro)

SSH Hardening

  • PasswordAuthentication no
  • PermitRootLogin: not explicitly set (Ubuntu default = prohibit-password ≈ key-only)
  • PubkeyAuthentication: yes (default)

fail2ban

  • Not installed/active

Listening Ports

Expected ports for this host. Notable:

  • ⚠️ Port 21 (vsftpd) — FTP running as root, enabled at boot, all interfaces
  • Ports 22, 139/445 (Samba), 8030, 8080, 8090, 9200-9202, 9300, 9877-9878, 9900, 18789 — all expected

Users

  • nobody (65534), johan (1000) — clean

SSH Authorized Keys

  • 5 keys: james@server, johan@ubuntu2404, claude@macbook, johanjongsma@MacBook, johan@thinkpad-x1
  • All expected — no unknown keys

Login History

  • All sessions from 192.168.1.14 (LAN) and 100.114.238.41 (Tailscale)
  • Most recent: Sat Feb 21 — clean
  • No failed logins

Outbound Connections

All legitimate:

  • IMAP to zurich:993 (message-center)
  • SSH tunnels to zurich:22
  • OpenClaw API connections
  • Signal/WhatsApp bridge
  • 192.200.0.103:443 (unknown — Anthropic CDN likely)

Cron

  • /home/johan/clawd/scripts/claude-usage-check.sh (hourly) — expected
  • /home/johan/scripts/health-push.sh (every minute) — expected

Shadow / Sudoers Perms

  • /etc/shadow: rw-r----- root:shadow
  • /etc/sudoers: r--r----- root:root

Security Patches

  • 0 pending security patches (apt list --upgradable | grep security returned empty)

Findings

Severity Finding
⚠️ MEDIUM UFW not installed — no host firewall
⚠️ MEDIUM fail2ban not active
⚠️ LOW vsftpd (FTP) running on port 21, all interfaces, root-owned process

JAMES-OLD (192.168.1.17)

Firewall

  • UFW inactive (installed but disabled)

SSH Hardening

  • sshd -T returned empty (no sudo) — hardening status unknown
  • Need root access to verify

fail2ban

  • Not active

Listening Ports

Notable:

  • ⚠️ Port 3389 (RDP/xrdp) — all interfaces (0.0.0.0)
  • ⚠️ Port 21 (FTP) — all interfaces
  • Port 8030 (message-bridge) — all interfaces
  • Ports 22, 139/445, 1143/1025 (Proton Bridge — localhost), 8025 (MC — localhost), 9200 — expected

Users

  • nobody, johan, snapd-range-524288-root, snap_daemon (all snap-related — system), scanner
  • scanner user: uid=1001, shell=/usr/sbin/nologin, home=/home/scanner — SANE scanner service, expected

SSH Authorized Keys

  • 3 keys: johan@ubuntu2404, claude@macbook, james@forge — clean

Login History

  • Last login: Wed Feb 4 from LAN
  • Machine is mostly idle (retired)

Pending Updates

  • 53 pending apt updates — needs attention

Findings

Severity Finding
⚠️ MEDIUM UFW inactive on a machine with exposed ports
⚠️ MEDIUM fail2ban not active
⚠️ LOW RDP (port 3389) exposed on all interfaces
⚠️ LOW FTP (port 21) exposed
⚠️ LOW 53 pending apt updates — should patch or decommission

STAGING (192.168.1.253)

Firewall

  • UFW inactive

SSH Hardening

  • Could not verify (no sudo for sshd -T) — TODO: verify next scan

fail2ban

  • Not active

Listening Ports

LAN-accessible services (home lab — tolerated):

  • 2283 (Immich), 8080 (signal-cli), 8096 (Jellyfin), 8123/9000 (ClickHouse)
  • 18789 (OpenClaw gateway), 8082/8765/1080 (inou app)
  • 22, 139/445 (Samba)

Docker Containers

  • Immich (server, ML, postgres, redis) — Up 11+ days (healthy)
  • ClickHouse — Up 6 hours (healthy)
  • Jellyfin — Up 11 days (healthy)
  • signal-cli-rest-api — Up 11 days (healthy)

Users

  • nobody (65534), johan (1000) — clean

SSH Authorized Keys

  • 4 keys: claude@macbook, johanjongsma@MacBook, james@server, james@forge — clean

Login History

  • Most recent: Fri Feb 20 from LAN — clean

Findings

Severity Finding
⚠️ MEDIUM UFW inactive (LAN-only machine, tolerated)
⚠️ MEDIUM fail2ban not active
INFO Many open ports — consistent with home lab role

CADDY (192.168.0.2)

Firewall

  • UFW active with rules:
    • SSH limited from LAN (/22)
    • 80/443 ALLOW any
    • 40021/tcp ALLOW (FTP passive)
    • 40000-40010/tcp ALLOW (FTP data)

SSH Hardening

  • PasswordAuthentication no
  • PermitRootLogin without-password
  • PubkeyAuthentication yes

fail2ban

  • Not active — public-facing host, this is a gap

Listening Ports

  • 22, 80, 443, 2019 (Caddy admin — localhost), 40021 (vsftpd), 53 (systemd-resolved)
  • All expected

Users

  • nobody, johan, stijn (/var/www/flourishevents — web service account) — all expected

Root SSH Keys

  • 1 key: james@forge — clean

Login History

  • Last interactive login: Sat Jan 31 — long ago
  • 1 failed login: james@192.168.1.16 (Mon Feb 9) — from forge, expected (James SSH auth attempt)

Findings

Severity Finding
⚠️ MEDIUM fail2ban not active on public-facing host
INFO Only james@forge in root authorized_keys (minimal attack surface)

PROD (192.168.100.2)

Status

  • UNREACHABLE — SSH authentication failed (too many auth failures)
  • May require specific SSH key or non-root user
  • Action needed: Establish access method for security scans

Findings

Severity Finding
UNKNOWN Cannot scan prod — access method needed

ZURICH (zurich.inou.com / 82.22.36.202)

Firewall

  • UFW active with comprehensive rules:
    • 22, 80, 443, Tailscale, 25/143/587/465/993/4190 (mail)

SSH Hardening

  • PasswordAuthentication no
  • PermitRootLogin without-password
  • PubkeyAuthentication yes

fail2ban

  • Active (systemctl reports active)

Brute Force Activity

  • ⚠️ HIGH volume SSH brute force detected (20 failed attempts in ~15 min window today)
  • Example IPs: 80.94.92.164, 89.155.5.35, 20.185.243.158, 2.57.121.25, 57.128.214.238, 20.88.55.220, 101.47.163.102, 34.78.29.97, 139.59.157.104, 23.227.147.163
  • Usernames attempted: sol, opnsense, zookeeper, user, solana, listen, jfrog, polycom, rdp, serveradmin, borgbackup, blink, pound
  • Risk: LOW — password auth disabled, key-only auth, fail2ban active
  • This is expected/normal for a public VPS with port 22 open

Listening Ports

All expected:

  • 22 (SSH), 80/443 (Caddy), 25/143/587/465/993/995/110/4190 (Stalwart mail)
  • 2019 (Caddy admin — localhost), 2586 (ntfy — localhost), 8080/8880/8443 (localhost)
  • 3001 (Uptime Kuma — all interfaces; UFW blocks external, no UFW rule for 3001)

Docker Containers

  • uptime-kuma (louislam/uptime-kuma:1) — Up 3 days (healthy)
  • vaultwarden (vaultwarden/server) — Up 12 hours (healthy)

Users

  • nobody (65534), harry (1000 — /var/www/harryhaasjes, nologin), harry-web (1001 — nologin)
  • All expected service accounts

Root SSH Keys

  • 5 keys: claude@macbook, james@server, james@james, james@forge, johan@thinkpad-x1 — all expected

Login History

  • Last interactive: root from 47.197.93.62 (Johan's home IP) — Jan 27 — clean

Findings

Severity Finding
INFO High SSH brute force volume — mitigated (key-only + fail2ban)
INFO Port 3001 (Kuma) binding 0.0.0.0 — UFW blocks externally, but should bind localhost
INFO POP3 (110/995) listening but not in UFW rules — consider adding or disabling

Action Items

Priority Host Action
HIGH forge Install UFW or document why host firewall isn't needed
HIGH forge Install fail2ban
MEDIUM forge Review vsftpd — is FTP still needed? Disable if not
MEDIUM james-old Patch 53 pending updates, or decommission machine
MEDIUM james-old Enable UFW or document retirement status
MEDIUM caddy Install fail2ban (public-facing, should have brute-force protection)
MEDIUM staging Verify SSH hardening as root
MEDIUM prod Establish SSH access method for security scans
LOW zurich Change Kuma to bind localhost only (--listen 127.0.0.1)
LOW zurich Consider UFW rule for POP3 (995) if intentionally offered

No Intrusion Indicators Found

  • No unknown users on any accessible host
  • No rogue SSH keys
  • No suspicious processes
  • All login history from known IPs (LAN, Tailscale, Johan's home IP)
  • Zurich brute force — normal internet noise, all blocked

Next scan: 2026-03-01 | Baselines: memory/security-baselines/