Editing
Ov.430.ch Host Reconnaissance Report
(section)
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Findings and Recommendations == === High Priority === ==== Disable or firewall public LLMNR ==== Finding: <pre> 5355/tcp open on IPv4 and IPv6 5355/udp open|filtered process: systemd-resolve </pre> Why it matters: * LLMNR is local-link name resolution. It is not useful on a public VPS interface. * Public exposure adds noise and unnecessary attack surface. Recommended fix: Create a drop-in: <pre> /etc/systemd/resolved.conf.d/no-llmnr.conf </pre> With: <pre> [Resolve] LLMNR=no MulticastDNS=no </pre> Then: <pre> systemctl restart systemd-resolved ss -ltnup | grep 5355 </pre> No <code>5355</code> listeners should remain. ==== Stop publishing MediaWiki backend to public interfaces ==== Finding: <pre> mediawiki-mediawiki-1 mediawiki:latest 80/tcp=[{0.0.0.0 8080} {:: 8080}] </pre> Why it matters: * Caddy is meant to be the public entry point. * Direct backend exposure bypasses Caddy-layer controls and creates two public paths to the same app. * IPv6 <code>8080</code> is confirmed open externally from this host's scan perspective. Recommended fixes: Option A, bind host port to loopback only: <pre> ports: - "127.0.0.1:8080:80" </pre> Option B, better: put Caddy on the Docker network and remove host port publication entirely. Option C, add firewall rules in <code>DOCKER-USER</code> to reject public <code>8080</code>. ==== Decide and document Mindustry exposure ==== Finding: <pre> 6567/tcp open 6567/udp open|filtered 20151/udp open and responding with server info process: java /srv/mindustry/server-release.jar </pre> Why it matters: * If this is intentional, it is fine as a public game service, but it should be explicit. * If it is not intentional, it is a public service with a game-specific protocol and server information leakage. Recommended action: * Keep if intentional. * Otherwise stop/disable <code>mindustry.service</code> and close the ports. * If kept public, consider basic firewall/rate-limit protections and log review. === Medium Priority === ==== Add HSTS ==== Finding: * HSTS is not configured. Recommended Caddy header: <pre> header Strict-Transport-Security "max-age=31536000; includeSubDomains" </pre> Use a shorter rollout first if desired: <pre> header Strict-Transport-Security "max-age=86400" </pre> ==== Reduce version disclosure ==== Finding: Headers expose: <pre> Server: Caddy Server: Apache/2.4.67 (Debian) X-Powered-By: PHP/8.3.32 </pre> Recommendation: * Remove <code>X-Powered-By</code> in PHP/Apache configuration. * Do not rely on header hiding for security, but reduce unnecessary precise version hints. ==== Review MediaWiki anonymous permissions ==== Finding: * Public API exposes users, groups, recent changes, siteinfo, versions, and extensions. * The page config has indicated anonymous editability in previous HTML checks. Recommendation: If <code>ov.430.ch</code> should be public-editable, leave this alone but monitor abuse. If not: <pre> $wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['writeapi'] = false; </pre> Also review upload settings, because <code>maxuploadsize</code> is <code>104857600</code>. ==== Add firewall policy ==== Finding: <pre> INPUT ACCEPT DOCKER-USER -j RETURN </pre> Recommendation: * Define an explicit host firewall policy. * Use <code>DOCKER-USER</code> for Docker-published ports, since Docker inserts NAT/filter rules. * Permit only intended public services: ** <code>22/tcp</code> if SSH must be public ** <code>80/tcp</code> ** <code>443/tcp</code> ** <code>443/udp</code> if HTTP/3 is desired ** Mindustry ports if desired === Low Priority === ==== Consider whether Caddy CORS snippet is needed ==== Finding: * A credentialed permissive CORS snippet exists in the Caddyfile but is not imported. Recommendation: * Remove it if unused to prevent accidental future import. * If used later, do not reflect arbitrary origins with credentials unless there is a clear requirement. ==== Keep image tags pinned ==== Finding: Containers are running <code>mediawiki:latest</code> and <code>mariadb:latest</code>. Recommendation: * Prefer explicit stable tags or image digests. * You already have <code>mediawiki:1.46</code> locally; use explicit tags in deployment config.
Summary:
Please note that all contributions to Marcopedia may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
Marcopedia:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Personal tools
Not logged in
Talk
Contributions
Create account
Log in
associated-pages
Page
Discussion
English
Views
Read
Edit
View history
More
Search
Navigation
Main page
Recent changes
Random page
Help about MediaWiki
Special pages
Tools
What links here
Related changes
Page information
Online users in chat