Editing
Ov.430.ch Host Reconnaissance Report
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
__TOC__ <!-- Generated from /root/OV430_REPORT.md by Codex on 2026-07-09 UTC. --> = ov.430.ch Host Reconnaissance Report = Report date: 2026-07-09 UTC Target: <code>ov.430.ch</code> Authorization status: owner-authorized and locally verified Local verification file: <code>/root/OV430_SCAN_AUTHORIZATION.txt</code> Primary artifact directory: <code>/root/recon-ov430</code> == Scope == This report covers the VPS behind <code>ov.430.ch</code>, not the entire <code>430.ch</code> domain. Unlike the earlier third-party-limited <code>marcotrix.xyz</code> pass, this run used owner authorization and local host access. Performed: * Full TCP scans of the public IPv4 and IPv6 addresses. * Targeted UDP scans of locally listening UDP services. * Local socket/process inspection. * Caddy, systemd, Docker, and iptables inspection. * Public MediaWiki API inventory. * Direct backend reachability checks. Not performed: * Password guessing. * Exploit attempts. * Destructive changes. * Broad/full UDP sweep. == Executive Summary == <code>ov.430.ch</code> is a Debian 13 VPS hosted at: <pre> IPv4: 83.228.241.25 IPv6: 2001:1600:18:102::26f hostname: ov-9520b2 </pre> The host exposes: * SSH on <code>22/tcp</code>. * Caddy on <code>80/tcp</code>, <code>443/tcp</code>, and QUIC <code>443/udp</code>. * <code>systemd-resolved</code> LLMNR on <code>5355/tcp</code> and <code>5355/udp</code> for IPv4 and IPv6. * Mindustry Java service on <code>6567/tcp</code>, <code>6567/udp</code>, and <code>20151/udp</code>. * Docker-published MediaWiki backend on host <code>8080/tcp</code>, clearly open on IPv6 and locally reachable on IPv4. The current application stack: <pre> Caddy 2.6.2 -> Docker-published MediaWiki container -> Apache 2.4.67 -> PHP 8.3.32 -> MediaWiki 1.46.0 -> MariaDB 12.3.2 </pre> Highest-value fixes: # Disable or firewall public LLMNR on <code>5355/tcp</code> and <code>5355/udp</code>. # Stop publishing MediaWiki container port <code>8080</code> to public interfaces; bind it to <code>127.0.0.1</code> or put Caddy on the Docker network. # If Mindustry is intended public, document and intentionally allow <code>6567/tcp</code>, <code>6567/udp</code>, and <code>20151/udp</code>; otherwise close them. # Add HSTS to Caddy. # Add firewall policy in <code>DOCKER-USER</code> or host firewall rules, because Docker currently exposes port mappings without an explicit deny layer. # Review whether public account creation/editing on <code>ov.430.ch</code> is intentional. == Local Host Identity == Local OS: <pre> PRETTY_NAME="Debian GNU/Linux 13 (trixie)" VERSION_ID="13" VERSION="13 (trixie)" DEBIAN_VERSION_FULL=13.5 </pre> Hostname: <pre> ov-9520b2 </pre> Interfaces: <pre> lo UNKNOWN 127.0.0.1/8 ::1/128 ens3 UP 83.228.241.25/24 metric 100 2001:1600:18:102::26f/128 fe80::f816:3eff:fe50:7b7d/64 docker0 DOWN 172.17.0.1/16 br-d9bdd4e01ff5 UP 172.25.0.1/16 fe80::42:85ff:fe66:7f43/64 </pre> == Public TCP Scan Results == === IPv4 Full TCP === Command: <pre> nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-full.txt </pre> Result: <pre> PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 5355/tcp open llmnr 6567/tcp open esp 8080/tcp filtered http-proxy </pre> Notes: * Nmap SYN scan saw <code>8080/tcp</code> as <code>filtered</code> on IPv4. * Local Docker and curl checks show host port <code>8080</code> is published on <code>0.0.0.0</code> and locally reachable via the public IPv4. Treat external IPv4 exposure as ambiguous until checked from a true off-host network. === IPv6 Full TCP === Command: <pre> nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-full.txt </pre> Result: <pre> PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 5355/tcp open llmnr 6567/tcp open esp 8080/tcp open http-proxy </pre> IPv6 <code>8080/tcp</code> is clearly open. === Service Detection === IPv4 service detection: <pre> 22/tcp open ssh OpenSSH 10.0p2 Debian 7+deb13u4 80/tcp open http Caddy httpd 443/tcp open ssl/https? 5355/tcp open llmnr? 6567/tcp open esp? 8080/tcp filtered http-proxy </pre> IPv6 service detection: <pre> 22/tcp open ssh OpenSSH 10.0p2 Debian 7+deb13u4 80/tcp open http Caddy httpd 443/tcp open ssl/https? 5355/tcp open llmnr? 6567/tcp open esp? 8080/tcp open http Apache httpd 2.4.67 ((Debian)) </pre> Nmap did not recognize the Java service on <code>6567/tcp</code>, but the local process mapping identifies it as Mindustry. == Targeted UDP Scan Results == Command: <pre> nmap -Pn -sU -sV --version-light -p443,5355,6567,20151 83.228.241.25 -oN /root/recon-ov430/nmap-udp-targeted.txt </pre> Result: <pre> 443/udp open|filtered https 5355/udp open|filtered llmnr 6567/udp open|filtered esp 20151/udp open unknown </pre> <code>20151/udp</code> returned a Mindustry-looking service response: <pre> Server Tendrils official </pre> Local sockets confirm <code>20151/udp</code> is owned by the Java/Mindustry process. == Local Listening Sockets == <code>ss -ltnup</code> showed: <pre> udp 0.0.0.0:5355 systemd-resolve udp [::]:5355 systemd-resolve udp *:20151 java udp *:6567 java udp *:443 caddy tcp 0.0.0.0:22 sshd tcp 127.0.0.1:2019 caddy admin API tcp 127.0.0.1:36489 containerd tcp 127.0.0.53:53 systemd-resolve tcp 127.0.0.54:53 systemd-resolve tcp 0.0.0.0:5355 systemd-resolve tcp [::]:5355 systemd-resolve tcp 0.0.0.0:8080 docker-proxy tcp [::]:8080 docker-proxy tcp [::]:22 sshd tcp *:80 caddy tcp *:443 caddy tcp *:6567 java tcp [::ffff:127.0.0.1]:6859 java </pre> Interpretation: * <code>5355</code> exposure is from <code>systemd-resolved</code> LLMNR. * <code>6567</code> and <code>20151</code> are from the Java/Mindustry server. * <code>6859</code> is a Mindustry console bound to loopback only. * <code>8080</code> is Docker's published MediaWiki backend. * Caddy's admin API is loopback-only on <code>127.0.0.1:2019</code>. == Caddy Configuration == <code>/etc/caddy/Caddyfile</code>: <pre> { email aivaras@430.ch } (cors) { @cors_preflight method OPTIONS handle @cors_preflight { header Access-Control-Allow-Origin "{header.Origin}" header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" header Access-Control-Allow-Headers "{header.Access-Control-Request-Headers}" header Access-Control-Allow-Credentials "true" header Access-Control-Max-Age "3600" respond "" 204 } header { Access-Control-Allow-Origin "{header.Origin}" Access-Control-Allow-Credentials "true" Access-Control-Expose-Headers "*" Vary "Origin" defer } } ov.430.ch { reverse_proxy 127.0.0.1:8080 } </pre> Notes: * The <code>(cors)</code> snippet is defined but not imported into the <code>ov.430.ch</code> site block. * <code>ov.430.ch</code> is a simple reverse proxy to <code>127.0.0.1:8080</code>. * Caddy version: <code>2.6.2</code>. * Caddy serves public HTTP/HTTPS and QUIC. * HSTS is not configured. == Docker and MediaWiki == Running containers: <pre> mediawiki-mediawiki-1 mediawiki:latest 0.0.0.0:8080->80/tcp, :::8080->80/tcp mediawiki-database-1 mariadb:latest 3306/tcp, no host publish </pre> Docker images: <pre> mediawiki 1.46 f33141a834bf 1.1GB mediawiki latest f33141a834bf 1.1GB mariadb 11 0584f8a9edf6 336MB mariadb latest 73d2c069f75f 341MB </pre> Limited <code>docker inspect</code> output: <pre> /mediawiki-mediawiki-1 mediawiki:latest 80/tcp=[{0.0.0.0 8080} {:: 8080}] 172.25.0.3 /mediawiki-database-1 mariadb:latest 3306/tcp=[] 172.25.0.2 </pre> Inside MediaWiki container: <pre> PHP 8.3.32 (cli) Apache/2.4.67 (Debian) </pre> Public MediaWiki API reports: <pre> MediaWiki: 1.46.0 PHP: 8.3.32 phpsapi: apache2handler dbtype: mysql dbversion: 12.3.2-MariaDB-ubu2404 site name: Marcopedia server: https://ov.430.ch maxuploadsize: 104857600 </pre> Extensions/skins: <pre> MinervaNeue MonoBook Timeless 0.9.1 Vector 1.0.0 MediaWikiChat 2.25.0 </pre> Current public statistics: <pre> pages: 3 articles: 0 edits: 3 images: 0 users: 3 activeusers: 2 admins: 2 jobs: 0 </pre> Public users visible through API: <pre> Aivaras groups: user, autoconfirmed, bot, bureaucrat, interface-admin, suppress, sysop registered: 2026-07-03T22:32:35Z Marco groups: user, autoconfirmed, bureaucrat, interface-admin, sysop registered: 2026-07-03T21:39:57Z Codex groups: user, autoconfirmed registered: 2026-07-09T18:08:07Z MediaWiki default groups: user, autoconfirmed registered: 2026-07-03T21:39:57Z </pre> Current notable pages visible from recent changes: <pre> 430.ch Reconnaissance Report Marcotrix.xyz Reconnaissance Report Marco Main Page </pre> The <code>Marcotrix.xyz Reconnaissance Report</code> page was observed in the wiki state during this scan. This report records it as current state; it was not created as part of the ov-specific scan. == Direct Backend Reachability == Outside the sandbox, direct requests to the MediaWiki backend succeeded: <pre> http://127.0.0.1:8080/ http://83.228.241.25:8080/ http://[2001:1600:18:102::26f]:8080/ </pre> Each returned: <pre> HTTP/1.1 301 Moved Permanently Server: Apache/2.4.67 (Debian) X-Powered-By: PHP/8.3.32 Location: https://ov.430.ch/index.php/Main_Page </pre> Interpretation: * The backend is reachable directly on loopback and from local public addresses. * Docker publishes it to IPv4 and IPv6. * Nmap's public IPv6 scan clearly sees it as open. * Nmap's IPv4 SYN scan labels it filtered, so off-host IPv4 exposure should be verified separately if precision matters. From a local configuration standpoint, it is not intentionally restricted to loopback. == Firewall and Docker NAT == <code>iptables-save</code> showed no restrictive host <code>INPUT</code> policy: <pre> *filter :INPUT ACCEPT :FORWARD DROP :OUTPUT ACCEPT ... :DOCKER-USER - -A DOCKER-USER -j RETURN </pre> Docker NAT publishes <code>8080</code> to the MediaWiki container: <pre> -A DOCKER ! -i br-d9bdd4e01ff5 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.25.0.3:80 </pre> Interpretation: * There is no custom <code>DOCKER-USER</code> deny/allow policy. * Docker controls the published backend port. * Binding the MediaWiki container to loopback, or using an internal Docker network with Caddy attached, would reduce accidental exposure. == Systemd Services == Running services of interest: <pre> caddy.service containerd.service docker.service mindustry.service mindustry-stutter.service ssh.service systemd-resolved.service systemd-timesyncd.service unattended-upgrades.service </pre> Mindustry service: <pre> [Service] User=mindustry Group=mindustry WorkingDirectory=/srv/mindustry ExecStart=/bin/sh -c 'tail -f /dev/null | /usr/bin/java -Xms128M -Xmx1024M -jar /srv/mindustry/server-release.jar' Restart=on-failure RestartSec=10 NoNewPrivileges=true PrivateTmp=true ProtectHome=true ProtectSystem=full ReadWritePaths=/srv/mindustry </pre> Mindustry runtime: <pre> openjdk version "21.0.11" 2026-04-21 Mindustry user: uid=995(mindustry) gid=1000(mindustry) server jar: /srv/mindustry/server-release.jar </pre> Mindustry files observed: <pre> /srv/mindustry/server-release.jar /srv/mindustry/config/rules.hjson /srv/mindustry/config/settings.bin /srv/mindustry/config/logs/log-0.txt /srv/mindustry/HOW-TO-CONNECT.txt /srv/mindustry/MODERATION-LOG.md </pre> Mindustry rules snippet: <pre> reactorExplosions: false logicUnitBuild: false logicUnitDeconstruct: false </pre> Loopback console: <pre> [::ffff:127.0.0.1]:6859 </pre> == HTTP Headers == <code>https://ov.430.ch/</code>: <pre> HTTP/2 301 location: https://ov.430.ch/index.php/Main_Page server: Caddy server: Apache/2.4.67 (Debian) x-content-type-options: nosniff x-powered-by: PHP/8.3.32 cache-control: private, must-revalidate, max-age=0 expires: Thu, 01 Jan 1970 00:00:00 GMT </pre> <code>https://ov.430.ch/index.php/430.ch_Reconnaissance_Report</code>: <pre> HTTP/2 200 server: Caddy server: Apache/2.4.67 (Debian) x-content-type-options: nosniff x-powered-by: PHP/8.3.32 content-length: 97428 </pre> <code>https://ov.430.ch/index.php/Marcotrix.xyz_Reconnaissance_Report</code>: <pre> HTTP/2 200 server: Caddy server: Apache/2.4.67 (Debian) x-content-type-options: nosniff x-powered-by: PHP/8.3.32 content-length: 69206 </pre> Security header notes: * <code>X-Content-Type-Options: nosniff</code> is present. * HSTS is not present. * <code>X-Powered-By: PHP/8.3.32</code> exposes PHP version. * <code>Server</code> exposes Caddy and Apache. == Findings and Recommendations == === High Priority === ==== Disable or firewall public LLMNR ==== Finding: <pre> 5355/tcp open on IPv4 and IPv6 5355/udp open|filtered process: systemd-resolve </pre> Why it matters: * LLMNR is local-link name resolution. It is not useful on a public VPS interface. * Public exposure adds noise and unnecessary attack surface. Recommended fix: Create a drop-in: <pre> /etc/systemd/resolved.conf.d/no-llmnr.conf </pre> With: <pre> [Resolve] LLMNR=no MulticastDNS=no </pre> Then: <pre> systemctl restart systemd-resolved ss -ltnup | grep 5355 </pre> No <code>5355</code> listeners should remain. ==== Stop publishing MediaWiki backend to public interfaces ==== Finding: <pre> mediawiki-mediawiki-1 mediawiki:latest 80/tcp=[{0.0.0.0 8080} {:: 8080}] </pre> Why it matters: * Caddy is meant to be the public entry point. * Direct backend exposure bypasses Caddy-layer controls and creates two public paths to the same app. * IPv6 <code>8080</code> is confirmed open externally from this host's scan perspective. Recommended fixes: Option A, bind host port to loopback only: <pre> ports: - "127.0.0.1:8080:80" </pre> Option B, better: put Caddy on the Docker network and remove host port publication entirely. Option C, add firewall rules in <code>DOCKER-USER</code> to reject public <code>8080</code>. ==== Decide and document Mindustry exposure ==== Finding: <pre> 6567/tcp open 6567/udp open|filtered 20151/udp open and responding with server info process: java /srv/mindustry/server-release.jar </pre> Why it matters: * If this is intentional, it is fine as a public game service, but it should be explicit. * If it is not intentional, it is a public service with a game-specific protocol and server information leakage. Recommended action: * Keep if intentional. * Otherwise stop/disable <code>mindustry.service</code> and close the ports. * If kept public, consider basic firewall/rate-limit protections and log review. === Medium Priority === ==== Add HSTS ==== Finding: * HSTS is not configured. Recommended Caddy header: <pre> header Strict-Transport-Security "max-age=31536000; includeSubDomains" </pre> Use a shorter rollout first if desired: <pre> header Strict-Transport-Security "max-age=86400" </pre> ==== Reduce version disclosure ==== Finding: Headers expose: <pre> Server: Caddy Server: Apache/2.4.67 (Debian) X-Powered-By: PHP/8.3.32 </pre> Recommendation: * Remove <code>X-Powered-By</code> in PHP/Apache configuration. * Do not rely on header hiding for security, but reduce unnecessary precise version hints. ==== Review MediaWiki anonymous permissions ==== Finding: * Public API exposes users, groups, recent changes, siteinfo, versions, and extensions. * The page config has indicated anonymous editability in previous HTML checks. Recommendation: If <code>ov.430.ch</code> should be public-editable, leave this alone but monitor abuse. If not: <pre> $wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['writeapi'] = false; </pre> Also review upload settings, because <code>maxuploadsize</code> is <code>104857600</code>. ==== Add firewall policy ==== Finding: <pre> INPUT ACCEPT DOCKER-USER -j RETURN </pre> Recommendation: * Define an explicit host firewall policy. * Use <code>DOCKER-USER</code> for Docker-published ports, since Docker inserts NAT/filter rules. * Permit only intended public services: ** <code>22/tcp</code> if SSH must be public ** <code>80/tcp</code> ** <code>443/tcp</code> ** <code>443/udp</code> if HTTP/3 is desired ** Mindustry ports if desired === Low Priority === ==== Consider whether Caddy CORS snippet is needed ==== Finding: * A credentialed permissive CORS snippet exists in the Caddyfile but is not imported. Recommendation: * Remove it if unused to prevent accidental future import. * If used later, do not reflect arbitrary origins with credentials unless there is a clear requirement. ==== Keep image tags pinned ==== Finding: Containers are running <code>mediawiki:latest</code> and <code>mariadb:latest</code>. Recommendation: * Prefer explicit stable tags or image digests. * You already have <code>mediawiki:1.46</code> locally; use explicit tags in deployment config. == Artifact Inventory == <pre> /root/recon-ov430/nmap-ipv4-full.txt /root/recon-ov430/nmap-ipv4-service.txt /root/recon-ov430/nmap-ipv6-full.txt /root/recon-ov430/nmap-ipv6-service.txt /root/recon-ov430/nmap-udp-targeted.txt /root/recon-ov430/root-https.html </pre> Directory size: <pre> 24K /root/recon-ov430 </pre> == Representative Commands == <pre> ss -ltnup systemctl list-units --type=service --state=running --no-pager systemctl cat mindustry.service mindustry-stutter.service caddy.service docker.service --no-pager docker ps --format 'table {{.ID}}\t{{.Image}}\t{{.Names}}\t{{.Ports}}\t{{.Status}}' docker port mediawiki-mediawiki-1 docker image ls docker inspect --format '{{.Name}} {{.Config.Image}} {{range $p, $v := .NetworkSettings.Ports}}{{$p}}={{$v}} {{end}} {{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}' mediawiki-mediawiki-1 mediawiki-database-1 iptables-save nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-full.txt nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-full.txt nmap -Pn -sV --version-light -p22,80,443,5355,6567,8080 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-service.txt nmap -Pn -6 -sT -sV --version-light -p22,80,443,5355,6567,8080 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-service.txt nmap -Pn -sU -sV --version-light -p443,5355,6567,20151 83.228.241.25 -oN /root/recon-ov430/nmap-udp-targeted.txt curl -sS -D - -o /dev/null http://127.0.0.1:8080/ curl -sS -D - -o /dev/null http://83.228.241.25:8080/ curl -g -sS -D - -o /dev/null 'http://[2001:1600:18:102::26f]:8080/' curl -sS 'https://ov.430.ch/api.php?action=query&meta=siteinfo&siprop=general%7Cstatistics%7Cextensions%7Cskins&format=json' curl -sS 'https://ov.430.ch/api.php?action=query&list=allusers&auprop=groups%7Ceditcount%7Cregistration&format=json' curl -sS 'https://ov.430.ch/api.php?action=query&list=recentchanges&rcprop=title%7Cids%7Ctimestamp%7Cuser%7Ccomment%7Cflags&rclimit=20&format=json' </pre>
Summary:
Please note that all contributions to Marcopedia may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
Marcopedia:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Personal tools
Not logged in
Talk
Contributions
Create account
Log in
associated-pages
Page
Discussion
English
Views
Read
Edit
View history
More
Search
Navigation
Main page
Recent changes
Random page
Help about MediaWiki
Special pages
Tools
What links here
Related changes
Page information
Online users in chat