Editing
Marcotrix.xyz Reconnaissance Report
(section)
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Security Observations and Remediation Ideas == These are defensive observations based on public data only. === High Priority === ==== Review <code>5201/tcp</code> iperf3 exposure ==== Finding: <pre> 5201/tcp open iperf3 </pre> Why it matters: * <code>iperf3</code> is normally for bandwidth testing, not a public application surface. * If left public, it can be abused for unwanted traffic generation or resource consumption. Recommendation: * Close it if not in active use. * Restrict it to trusted source IPs if needed. ==== Confirm inbound mail behavior ==== Finding: * MX points to <code>mail.marcotrix.xyz</code>. * <code>mail.marcotrix.xyz</code> resolves to <code>57.131.38.220</code>. * <code>25/tcp</code> was filtered from this vantage point. * IMAP/submission ports were closed. * <code>https://mail.marcotrix.xyz/</code> returned <code>502</code>. Why it matters: * The domain advertises mail service but may not accept inbound mail. * DMARC report address is <code>mail@marcotrix.xyz</code>; if mail is broken, aggregate reports may not be received. Recommendation: * Confirm intended mail architecture. * If self-hosting, ensure SMTP and mailbox services are intentionally reachable and hardened. * If not self-hosting, update MX/SPF/DMARC to match the actual provider. ==== Review Jellyfin public exposure ==== Finding: <pre> { "ServerName": "marcoserver", "Version": "10.11.6", "LocalAddress": "http://172.20.0.3:8096", "Id": "5b94a56e8601405d8a399c3960d5c546" } </pre> Why it matters: * Jellyfin version and instance metadata are publicly visible. * Media servers are common targets for credential attacks and known-version vulnerability checks. Recommendation: * Keep Jellyfin current. * Require strong authentication. * Disable public signups if enabled. * Consider restricting access through VPN, SSO, or source allowlists. * Monitor authentication logs. === Medium Priority === ==== Add HSTS ==== Finding: * HSTS was not configured on tested HTTPS names. Recommendation: Start conservatively: <pre> Strict-Transport-Security: max-age=86400 </pre> Move to a long-lived policy after confirming all subdomains are HTTPS-ready: <pre> Strict-Transport-Security: max-age=31536000; includeSubDomains </pre> Only use <code>preload</code> if all subdomains are intended to be permanently HTTPS-only. ==== Fix <code>money.marcotrix.xyz</code> TLS/backend configuration ==== Finding: * HTTP redirects to HTTPS. * HTTPS fails with a TLS internal error. Recommendation: * Check Caddy site block and certificate state for <code>money.marcotrix.xyz</code>. * Confirm backend availability. * Remove DNS/cert automation for the hostname if unused. ==== Harden email DNS ==== Current: <pre> SPF: v=spf1 mx ~all DMARC: v=DMARC1; p=none; rua=mailto:mail@marcotrix.xyz </pre> Recommendations: * Move SPF from softfail to hardfail once valid senders are known: <pre> v=spf1 mx -all </pre> * Move DMARC from monitoring to enforcement after reports are clean: <pre> v=DMARC1; p=quarantine; rua=mailto:... v=DMARC1; p=reject; rua=mailto:... </pre> * Add MTA-STS and TLS-RPT if receiving mail: <pre> _mta-sts.marcotrix.xyz TXT "v=STSv1; id=YYYYMMDD01" _smtp._tls.marcotrix.xyz TXT "v=TLSRPTv1; rua=mailto:tlsrpt@marcotrix.xyz" </pre> ==== Add CAA ==== Finding: * No CAA record was observed. Recommendation: If Let's Encrypt is the only intended CA: <pre> marcotrix.xyz. CAA 0 issue "letsencrypt.org" marcotrix.xyz. CAA 0 issuewild ";" </pre> Adjust this if other CAs are intentionally used. ==== Consider DNSSEC ==== Finding: * RDAP reports DNSSEC unsigned. Recommendation: * Enable DNSSEC at the DNS provider if operationally comfortable. === Low Priority / Hygiene === ==== Add <code>security.txt</code> ==== Finding: * <code>/.well-known/security.txt</code> returned <code>404</code>. Recommendation: Add a basic security contact if the owner wants coordinated reports: <pre> Contact: mailto:mail@marcotrix.xyz Preferred-Languages: en Canonical: https://marcotrix.xyz/.well-known/security.txt </pre> ==== Add or intentionally omit <code>robots.txt</code> and <code>sitemap.xml</code> ==== Finding: * Both returned <code>404</code>. This is not inherently a vulnerability. Add them only if useful for indexing control. ==== Strip unnecessary image metadata ==== No GPS metadata was observed, but stripping metadata from public images is still a reasonable default publishing step.
Summary:
Please note that all contributions to Marcopedia may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
Marcopedia:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Personal tools
Not logged in
Talk
Contributions
Create account
Log in
associated-pages
Page
Discussion
English
Views
Read
Edit
View history
More
Search
Navigation
Main page
Recent changes
Random page
Help about MediaWiki
Special pages
Tools
What links here
Related changes
Page information
Online users in chat