Ov.430.ch Host Reconnaissance Report
ov.430.ch Host Reconnaissance Report
[edit]Report date: 2026-07-09 UTC
Target: ov.430.ch
Authorization status: owner-authorized and locally verified
Local verification file: /root/OV430_SCAN_AUTHORIZATION.txt
Primary artifact directory: /root/recon-ov430
Scope
[edit]This report covers the VPS behind ov.430.ch, not the entire 430.ch domain. Unlike the earlier third-party-limited marcotrix.xyz pass, this run used owner authorization and local host access.
Performed:
- Full TCP scans of the public IPv4 and IPv6 addresses.
- Targeted UDP scans of locally listening UDP services.
- Local socket/process inspection.
- Caddy, systemd, Docker, and iptables inspection.
- Public MediaWiki API inventory.
- Direct backend reachability checks.
Not performed:
- Password guessing.
- Exploit attempts.
- Destructive changes.
- Broad/full UDP sweep.
Executive Summary
[edit]ov.430.ch is a Debian 13 VPS hosted at:
IPv4: 83.228.241.25 IPv6: 2001:1600:18:102::26f hostname: ov-9520b2
The host exposes:
- SSH on
22/tcp. - Caddy on
80/tcp,443/tcp, and QUIC443/udp. systemd-resolvedLLMNR on5355/tcpand5355/udpfor IPv4 and IPv6.- Mindustry Java service on
6567/tcp,6567/udp, and20151/udp. - Docker-published MediaWiki backend on host
8080/tcp, clearly open on IPv6 and locally reachable on IPv4.
The current application stack:
Caddy 2.6.2 -> Docker-published MediaWiki container -> Apache 2.4.67 -> PHP 8.3.32 -> MediaWiki 1.46.0 -> MariaDB 12.3.2
Highest-value fixes:
- Disable or firewall public LLMNR on
5355/tcpand5355/udp. - Stop publishing MediaWiki container port
8080to public interfaces; bind it to127.0.0.1or put Caddy on the Docker network. - If Mindustry is intended public, document and intentionally allow
6567/tcp,6567/udp, and20151/udp; otherwise close them. - Add HSTS to Caddy.
- Add firewall policy in
DOCKER-USERor host firewall rules, because Docker currently exposes port mappings without an explicit deny layer. - Review whether public account creation/editing on
ov.430.chis intentional.
Local Host Identity
[edit]Local OS:
PRETTY_NAME="Debian GNU/Linux 13 (trixie)" VERSION_ID="13" VERSION="13 (trixie)" DEBIAN_VERSION_FULL=13.5
Hostname:
ov-9520b2
Interfaces:
lo UNKNOWN 127.0.0.1/8 ::1/128 ens3 UP 83.228.241.25/24 metric 100 2001:1600:18:102::26f/128 fe80::f816:3eff:fe50:7b7d/64 docker0 DOWN 172.17.0.1/16 br-d9bdd4e01ff5 UP 172.25.0.1/16 fe80::42:85ff:fe66:7f43/64
Public TCP Scan Results
[edit]IPv4 Full TCP
[edit]Command:
nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-full.txt
Result:
PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 5355/tcp open llmnr 6567/tcp open esp 8080/tcp filtered http-proxy
Notes:
- Nmap SYN scan saw
8080/tcpasfilteredon IPv4. - Local Docker and curl checks show host port
8080is published on0.0.0.0and locally reachable via the public IPv4. Treat external IPv4 exposure as ambiguous until checked from a true off-host network.
IPv6 Full TCP
[edit]Command:
nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-full.txt
Result:
PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 5355/tcp open llmnr 6567/tcp open esp 8080/tcp open http-proxy
IPv6 8080/tcp is clearly open.
Service Detection
[edit]IPv4 service detection:
22/tcp open ssh OpenSSH 10.0p2 Debian 7+deb13u4 80/tcp open http Caddy httpd 443/tcp open ssl/https? 5355/tcp open llmnr? 6567/tcp open esp? 8080/tcp filtered http-proxy
IPv6 service detection:
22/tcp open ssh OpenSSH 10.0p2 Debian 7+deb13u4 80/tcp open http Caddy httpd 443/tcp open ssl/https? 5355/tcp open llmnr? 6567/tcp open esp? 8080/tcp open http Apache httpd 2.4.67 ((Debian))
Nmap did not recognize the Java service on 6567/tcp, but the local process mapping identifies it as Mindustry.
Targeted UDP Scan Results
[edit]Command:
nmap -Pn -sU -sV --version-light -p443,5355,6567,20151 83.228.241.25 -oN /root/recon-ov430/nmap-udp-targeted.txt
Result:
443/udp open|filtered https 5355/udp open|filtered llmnr 6567/udp open|filtered esp 20151/udp open unknown
20151/udp returned a Mindustry-looking service response:
Server Tendrils official
Local sockets confirm 20151/udp is owned by the Java/Mindustry process.
Local Listening Sockets
[edit]ss -ltnup showed:
udp 0.0.0.0:5355 systemd-resolve udp [::]:5355 systemd-resolve udp *:20151 java udp *:6567 java udp *:443 caddy tcp 0.0.0.0:22 sshd tcp 127.0.0.1:2019 caddy admin API tcp 127.0.0.1:36489 containerd tcp 127.0.0.53:53 systemd-resolve tcp 127.0.0.54:53 systemd-resolve tcp 0.0.0.0:5355 systemd-resolve tcp [::]:5355 systemd-resolve tcp 0.0.0.0:8080 docker-proxy tcp [::]:8080 docker-proxy tcp [::]:22 sshd tcp *:80 caddy tcp *:443 caddy tcp *:6567 java tcp [::ffff:127.0.0.1]:6859 java
Interpretation:
5355exposure is fromsystemd-resolvedLLMNR.6567and20151are from the Java/Mindustry server.6859is a Mindustry console bound to loopback only.8080is Docker's published MediaWiki backend.- Caddy's admin API is loopback-only on
127.0.0.1:2019.
Caddy Configuration
[edit]/etc/caddy/Caddyfile:
{
email aivaras@430.ch
}
(cors) {
@cors_preflight method OPTIONS
handle @cors_preflight {
header Access-Control-Allow-Origin "{header.Origin}"
header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
header Access-Control-Allow-Headers "{header.Access-Control-Request-Headers}"
header Access-Control-Allow-Credentials "true"
header Access-Control-Max-Age "3600"
respond "" 204
}
header {
Access-Control-Allow-Origin "{header.Origin}"
Access-Control-Allow-Credentials "true"
Access-Control-Expose-Headers "*"
Vary "Origin"
defer
}
}
ov.430.ch {
reverse_proxy 127.0.0.1:8080
}
Notes:
- The
(cors)snippet is defined but not imported into theov.430.chsite block. ov.430.chis a simple reverse proxy to127.0.0.1:8080.- Caddy version:
2.6.2. - Caddy serves public HTTP/HTTPS and QUIC.
- HSTS is not configured.
Docker and MediaWiki
[edit]Running containers:
mediawiki-mediawiki-1 mediawiki:latest 0.0.0.0:8080->80/tcp, :::8080->80/tcp mediawiki-database-1 mariadb:latest 3306/tcp, no host publish
Docker images:
mediawiki 1.46 f33141a834bf 1.1GB mediawiki latest f33141a834bf 1.1GB mariadb 11 0584f8a9edf6 336MB mariadb latest 73d2c069f75f 341MB
Limited docker inspect output:
/mediawiki-mediawiki-1 mediawiki:latest 80/tcp=[{0.0.0.0 8080} {:: 8080}] 172.25.0.3
/mediawiki-database-1 mariadb:latest 3306/tcp=[] 172.25.0.2
Inside MediaWiki container:
PHP 8.3.32 (cli) Apache/2.4.67 (Debian)
Public MediaWiki API reports:
MediaWiki: 1.46.0 PHP: 8.3.32 phpsapi: apache2handler dbtype: mysql dbversion: 12.3.2-MariaDB-ubu2404 site name: Marcopedia server: https://ov.430.ch maxuploadsize: 104857600
Extensions/skins:
MinervaNeue MonoBook Timeless 0.9.1 Vector 1.0.0 MediaWikiChat 2.25.0
Current public statistics:
pages: 3 articles: 0 edits: 3 images: 0 users: 3 activeusers: 2 admins: 2 jobs: 0
Public users visible through API:
Aivaras groups: user, autoconfirmed, bot, bureaucrat, interface-admin, suppress, sysop registered: 2026-07-03T22:32:35Z Marco groups: user, autoconfirmed, bureaucrat, interface-admin, sysop registered: 2026-07-03T21:39:57Z Codex groups: user, autoconfirmed registered: 2026-07-09T18:08:07Z MediaWiki default groups: user, autoconfirmed registered: 2026-07-03T21:39:57Z
Current notable pages visible from recent changes:
430.ch Reconnaissance Report Marcotrix.xyz Reconnaissance Report Marco Main Page
The Marcotrix.xyz Reconnaissance Report page was observed in the wiki state during this scan. This report records it as current state; it was not created as part of the ov-specific scan.
Direct Backend Reachability
[edit]Outside the sandbox, direct requests to the MediaWiki backend succeeded:
http://127.0.0.1:8080/ http://83.228.241.25:8080/ http://[2001:1600:18:102::26f]:8080/
Each returned:
HTTP/1.1 301 Moved Permanently Server: Apache/2.4.67 (Debian) X-Powered-By: PHP/8.3.32 Location: https://ov.430.ch/index.php/Main_Page
Interpretation:
- The backend is reachable directly on loopback and from local public addresses.
- Docker publishes it to IPv4 and IPv6.
- Nmap's public IPv6 scan clearly sees it as open.
- Nmap's IPv4 SYN scan labels it filtered, so off-host IPv4 exposure should be verified separately if precision matters. From a local configuration standpoint, it is not intentionally restricted to loopback.
Firewall and Docker NAT
[edit]iptables-save showed no restrictive host INPUT policy:
*filter :INPUT ACCEPT :FORWARD DROP :OUTPUT ACCEPT ... :DOCKER-USER - -A DOCKER-USER -j RETURN
Docker NAT publishes 8080 to the MediaWiki container:
-A DOCKER ! -i br-d9bdd4e01ff5 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.25.0.3:80
Interpretation:
- There is no custom
DOCKER-USERdeny/allow policy. - Docker controls the published backend port.
- Binding the MediaWiki container to loopback, or using an internal Docker network with Caddy attached, would reduce accidental exposure.
Systemd Services
[edit]Running services of interest:
caddy.service containerd.service docker.service mindustry.service mindustry-stutter.service ssh.service systemd-resolved.service systemd-timesyncd.service unattended-upgrades.service
Mindustry service:
[Service] User=mindustry Group=mindustry WorkingDirectory=/srv/mindustry ExecStart=/bin/sh -c 'tail -f /dev/null | /usr/bin/java -Xms128M -Xmx1024M -jar /srv/mindustry/server-release.jar' Restart=on-failure RestartSec=10 NoNewPrivileges=true PrivateTmp=true ProtectHome=true ProtectSystem=full ReadWritePaths=/srv/mindustry
Mindustry runtime:
openjdk version "21.0.11" 2026-04-21 Mindustry user: uid=995(mindustry) gid=1000(mindustry) server jar: /srv/mindustry/server-release.jar
Mindustry files observed:
/srv/mindustry/server-release.jar /srv/mindustry/config/rules.hjson /srv/mindustry/config/settings.bin /srv/mindustry/config/logs/log-0.txt /srv/mindustry/HOW-TO-CONNECT.txt /srv/mindustry/MODERATION-LOG.md
Mindustry rules snippet:
reactorExplosions: false logicUnitBuild: false logicUnitDeconstruct: false
Loopback console:
[::ffff:127.0.0.1]:6859
HTTP Headers
[edit]HTTP/2 301 location: https://ov.430.ch/index.php/Main_Page server: Caddy server: Apache/2.4.67 (Debian) x-content-type-options: nosniff x-powered-by: PHP/8.3.32 cache-control: private, must-revalidate, max-age=0 expires: Thu, 01 Jan 1970 00:00:00 GMT
https://ov.430.ch/index.php/430.ch_Reconnaissance_Report:
HTTP/2 200 server: Caddy server: Apache/2.4.67 (Debian) x-content-type-options: nosniff x-powered-by: PHP/8.3.32 content-length: 97428
https://ov.430.ch/index.php/Marcotrix.xyz_Reconnaissance_Report:
HTTP/2 200 server: Caddy server: Apache/2.4.67 (Debian) x-content-type-options: nosniff x-powered-by: PHP/8.3.32 content-length: 69206
Security header notes:
X-Content-Type-Options: nosniffis present.- HSTS is not present.
X-Powered-By: PHP/8.3.32exposes PHP version.Serverexposes Caddy and Apache.
Findings and Recommendations
[edit]High Priority
[edit]Disable or firewall public LLMNR
[edit]Finding:
5355/tcp open on IPv4 and IPv6 5355/udp open|filtered process: systemd-resolve
Why it matters:
- LLMNR is local-link name resolution. It is not useful on a public VPS interface.
- Public exposure adds noise and unnecessary attack surface.
Recommended fix:
Create a drop-in:
/etc/systemd/resolved.conf.d/no-llmnr.conf
With:
[Resolve] LLMNR=no MulticastDNS=no
Then:
systemctl restart systemd-resolved ss -ltnup | grep 5355
No 5355 listeners should remain.
Stop publishing MediaWiki backend to public interfaces
[edit]Finding:
mediawiki-mediawiki-1 mediawiki:latest 80/tcp=[{0.0.0.0 8080} {:: 8080}]
Why it matters:
- Caddy is meant to be the public entry point.
- Direct backend exposure bypasses Caddy-layer controls and creates two public paths to the same app.
- IPv6
8080is confirmed open externally from this host's scan perspective.
Recommended fixes:
Option A, bind host port to loopback only:
ports: - "127.0.0.1:8080:80"
Option B, better: put Caddy on the Docker network and remove host port publication entirely.
Option C, add firewall rules in DOCKER-USER to reject public 8080.
Decide and document Mindustry exposure
[edit]Finding:
6567/tcp open 6567/udp open|filtered 20151/udp open and responding with server info process: java /srv/mindustry/server-release.jar
Why it matters:
- If this is intentional, it is fine as a public game service, but it should be explicit.
- If it is not intentional, it is a public service with a game-specific protocol and server information leakage.
Recommended action:
- Keep if intentional.
- Otherwise stop/disable
mindustry.serviceand close the ports. - If kept public, consider basic firewall/rate-limit protections and log review.
Medium Priority
[edit]Add HSTS
[edit]Finding:
- HSTS is not configured.
Recommended Caddy header:
header Strict-Transport-Security "max-age=31536000; includeSubDomains"
Use a shorter rollout first if desired:
header Strict-Transport-Security "max-age=86400"
Reduce version disclosure
[edit]Finding:
Headers expose:
Server: Caddy Server: Apache/2.4.67 (Debian) X-Powered-By: PHP/8.3.32
Recommendation:
- Remove
X-Powered-Byin PHP/Apache configuration. - Do not rely on header hiding for security, but reduce unnecessary precise version hints.
Review MediaWiki anonymous permissions
[edit]Finding:
- Public API exposes users, groups, recent changes, siteinfo, versions, and extensions.
- The page config has indicated anonymous editability in previous HTML checks.
Recommendation:
If ov.430.ch should be public-editable, leave this alone but monitor abuse.
If not:
$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['writeapi'] = false;
Also review upload settings, because maxuploadsize is 104857600.
Add firewall policy
[edit]Finding:
INPUT ACCEPT DOCKER-USER -j RETURN
Recommendation:
- Define an explicit host firewall policy.
- Use
DOCKER-USERfor Docker-published ports, since Docker inserts NAT/filter rules. - Permit only intended public services:
22/tcpif SSH must be public80/tcp443/tcp443/udpif HTTP/3 is desired- Mindustry ports if desired
Low Priority
[edit]Consider whether Caddy CORS snippet is needed
[edit]Finding:
- A credentialed permissive CORS snippet exists in the Caddyfile but is not imported.
Recommendation:
- Remove it if unused to prevent accidental future import.
- If used later, do not reflect arbitrary origins with credentials unless there is a clear requirement.
Keep image tags pinned
[edit]Finding:
Containers are running mediawiki:latest and mariadb:latest.
Recommendation:
- Prefer explicit stable tags or image digests.
- You already have
mediawiki:1.46locally; use explicit tags in deployment config.
Artifact Inventory
[edit]/root/recon-ov430/nmap-ipv4-full.txt /root/recon-ov430/nmap-ipv4-service.txt /root/recon-ov430/nmap-ipv6-full.txt /root/recon-ov430/nmap-ipv6-service.txt /root/recon-ov430/nmap-udp-targeted.txt /root/recon-ov430/root-https.html
Directory size:
24K /root/recon-ov430
Representative Commands
[edit]ss -ltnup
systemctl list-units --type=service --state=running --no-pager
systemctl cat mindustry.service mindustry-stutter.service caddy.service docker.service --no-pager
docker ps --format 'table {{.ID}}\t{{.Image}}\t{{.Names}}\t{{.Ports}}\t{{.Status}}'
docker port mediawiki-mediawiki-1
docker image ls
docker inspect --format '{{.Name}} {{.Config.Image}} {{range $p, $v := .NetworkSettings.Ports}}{{$p}}={{$v}} {{end}} {{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}' mediawiki-mediawiki-1 mediawiki-database-1
iptables-save
nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-full.txt
nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-full.txt
nmap -Pn -sV --version-light -p22,80,443,5355,6567,8080 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-service.txt
nmap -Pn -6 -sT -sV --version-light -p22,80,443,5355,6567,8080 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-service.txt
nmap -Pn -sU -sV --version-light -p443,5355,6567,20151 83.228.241.25 -oN /root/recon-ov430/nmap-udp-targeted.txt
curl -sS -D - -o /dev/null http://127.0.0.1:8080/
curl -sS -D - -o /dev/null http://83.228.241.25:8080/
curl -g -sS -D - -o /dev/null 'http://[2001:1600:18:102::26f]:8080/'
curl -sS 'https://ov.430.ch/api.php?action=query&meta=siteinfo&siprop=general%7Cstatistics%7Cextensions%7Cskins&format=json'
curl -sS 'https://ov.430.ch/api.php?action=query&list=allusers&auprop=groups%7Ceditcount%7Cregistration&format=json'
curl -sS 'https://ov.430.ch/api.php?action=query&list=recentchanges&rcprop=title%7Cids%7Ctimestamp%7Cuser%7Ccomment%7Cflags&rclimit=20&format=json'