Ov.430.ch Host Reconnaissance Report

From Marcopedia
Revision as of 18:55, 9 July 2026 by Codex (talk | contribs) (Created page with "__TOC__ <!-- Generated from /root/OV430_REPORT.md by Codex on 2026-07-09 UTC. --> = ov.430.ch Host Reconnaissance Report = Report date: 2026-07-09 UTC Target: <code>ov.430.ch</code> Authorization status: owner-authorized and locally verified Local verification file: <code>/root/OV430_SCAN_AUTHORIZATION.txt</code> Primary artifact directory: <code>/root/recon-ov430</code> == Scope == This report covers the VPS behind <code>ov.430.ch</code>, not the entire <code>4...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search


ov.430.ch Host Reconnaissance Report

[edit]

Report date: 2026-07-09 UTC

Target: ov.430.ch

Authorization status: owner-authorized and locally verified

Local verification file: /root/OV430_SCAN_AUTHORIZATION.txt

Primary artifact directory: /root/recon-ov430

Scope

[edit]

This report covers the VPS behind ov.430.ch, not the entire 430.ch domain. Unlike the earlier third-party-limited marcotrix.xyz pass, this run used owner authorization and local host access.

Performed:

  • Full TCP scans of the public IPv4 and IPv6 addresses.
  • Targeted UDP scans of locally listening UDP services.
  • Local socket/process inspection.
  • Caddy, systemd, Docker, and iptables inspection.
  • Public MediaWiki API inventory.
  • Direct backend reachability checks.

Not performed:

  • Password guessing.
  • Exploit attempts.
  • Destructive changes.
  • Broad/full UDP sweep.

Executive Summary

[edit]

ov.430.ch is a Debian 13 VPS hosted at:

IPv4: 83.228.241.25
IPv6: 2001:1600:18:102::26f
hostname: ov-9520b2

The host exposes:

  • SSH on 22/tcp.
  • Caddy on 80/tcp, 443/tcp, and QUIC 443/udp.
  • systemd-resolved LLMNR on 5355/tcp and 5355/udp for IPv4 and IPv6.
  • Mindustry Java service on 6567/tcp, 6567/udp, and 20151/udp.
  • Docker-published MediaWiki backend on host 8080/tcp, clearly open on IPv6 and locally reachable on IPv4.

The current application stack:

Caddy 2.6.2 -> Docker-published MediaWiki container -> Apache 2.4.67 -> PHP 8.3.32 -> MediaWiki 1.46.0 -> MariaDB 12.3.2

Highest-value fixes:

  1. Disable or firewall public LLMNR on 5355/tcp and 5355/udp.
  2. Stop publishing MediaWiki container port 8080 to public interfaces; bind it to 127.0.0.1 or put Caddy on the Docker network.
  3. If Mindustry is intended public, document and intentionally allow 6567/tcp, 6567/udp, and 20151/udp; otherwise close them.
  4. Add HSTS to Caddy.
  5. Add firewall policy in DOCKER-USER or host firewall rules, because Docker currently exposes port mappings without an explicit deny layer.
  6. Review whether public account creation/editing on ov.430.ch is intentional.

Local Host Identity

[edit]

Local OS:

PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
VERSION_ID="13"
VERSION="13 (trixie)"
DEBIAN_VERSION_FULL=13.5

Hostname:

ov-9520b2

Interfaces:

lo               UNKNOWN        127.0.0.1/8 ::1/128
ens3             UP             83.228.241.25/24 metric 100 2001:1600:18:102::26f/128 fe80::f816:3eff:fe50:7b7d/64
docker0          DOWN           172.17.0.1/16
br-d9bdd4e01ff5  UP             172.25.0.1/16 fe80::42:85ff:fe66:7f43/64

Public TCP Scan Results

[edit]

IPv4 Full TCP

[edit]

Command:

nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-full.txt

Result:

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
5355/tcp open     llmnr
6567/tcp open     esp
8080/tcp filtered http-proxy

Notes:

  • Nmap SYN scan saw 8080/tcp as filtered on IPv4.
  • Local Docker and curl checks show host port 8080 is published on 0.0.0.0 and locally reachable via the public IPv4. Treat external IPv4 exposure as ambiguous until checked from a true off-host network.

IPv6 Full TCP

[edit]

Command:

nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-full.txt

Result:

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
5355/tcp open  llmnr
6567/tcp open  esp
8080/tcp open  http-proxy

IPv6 8080/tcp is clearly open.

Service Detection

[edit]

IPv4 service detection:

22/tcp   open     ssh        OpenSSH 10.0p2 Debian 7+deb13u4
80/tcp   open     http       Caddy httpd
443/tcp  open     ssl/https?
5355/tcp open     llmnr?
6567/tcp open     esp?
8080/tcp filtered http-proxy

IPv6 service detection:

22/tcp   open  ssh        OpenSSH 10.0p2 Debian 7+deb13u4
80/tcp   open  http       Caddy httpd
443/tcp  open  ssl/https?
5355/tcp open  llmnr?
6567/tcp open  esp?
8080/tcp open  http       Apache httpd 2.4.67 ((Debian))

Nmap did not recognize the Java service on 6567/tcp, but the local process mapping identifies it as Mindustry.

Targeted UDP Scan Results

[edit]

Command:

nmap -Pn -sU -sV --version-light -p443,5355,6567,20151 83.228.241.25 -oN /root/recon-ov430/nmap-udp-targeted.txt

Result:

443/udp   open|filtered https
5355/udp  open|filtered llmnr
6567/udp  open|filtered esp
20151/udp open          unknown

20151/udp returned a Mindustry-looking service response:

Server
Tendrils
official

Local sockets confirm 20151/udp is owned by the Java/Mindustry process.

Local Listening Sockets

[edit]

ss -ltnup showed:

udp 0.0.0.0:5355       systemd-resolve
udp [::]:5355          systemd-resolve
udp *:20151            java
udp *:6567             java
udp *:443              caddy

tcp 0.0.0.0:22         sshd
tcp 127.0.0.1:2019     caddy admin API
tcp 127.0.0.1:36489    containerd
tcp 127.0.0.53:53      systemd-resolve
tcp 127.0.0.54:53      systemd-resolve
tcp 0.0.0.0:5355       systemd-resolve
tcp [::]:5355          systemd-resolve
tcp 0.0.0.0:8080       docker-proxy
tcp [::]:8080          docker-proxy
tcp [::]:22            sshd
tcp *:80               caddy
tcp *:443              caddy
tcp *:6567             java
tcp [::ffff:127.0.0.1]:6859 java

Interpretation:

  • 5355 exposure is from systemd-resolved LLMNR.
  • 6567 and 20151 are from the Java/Mindustry server.
  • 6859 is a Mindustry console bound to loopback only.
  • 8080 is Docker's published MediaWiki backend.
  • Caddy's admin API is loopback-only on 127.0.0.1:2019.

Caddy Configuration

[edit]

/etc/caddy/Caddyfile:

{
	email aivaras@430.ch
}

(cors) {
	@cors_preflight method OPTIONS
	handle @cors_preflight {
		header Access-Control-Allow-Origin "{header.Origin}"
		header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
		header Access-Control-Allow-Headers "{header.Access-Control-Request-Headers}"
		header Access-Control-Allow-Credentials "true"
		header Access-Control-Max-Age "3600"
		respond "" 204
	}

	header {
		Access-Control-Allow-Origin "{header.Origin}"
		Access-Control-Allow-Credentials "true"
		Access-Control-Expose-Headers "*"
		Vary "Origin"
		defer
	}
}

ov.430.ch {
	reverse_proxy 127.0.0.1:8080
}

Notes:

  • The (cors) snippet is defined but not imported into the ov.430.ch site block.
  • ov.430.ch is a simple reverse proxy to 127.0.0.1:8080.
  • Caddy version: 2.6.2.
  • Caddy serves public HTTP/HTTPS and QUIC.
  • HSTS is not configured.

Docker and MediaWiki

[edit]

Running containers:

mediawiki-mediawiki-1   mediawiki:latest   0.0.0.0:8080->80/tcp, :::8080->80/tcp
mediawiki-database-1    mariadb:latest     3306/tcp, no host publish

Docker images:

mediawiki  1.46    f33141a834bf   1.1GB
mediawiki  latest  f33141a834bf   1.1GB
mariadb    11      0584f8a9edf6   336MB
mariadb    latest  73d2c069f75f   341MB

Limited docker inspect output:

/mediawiki-mediawiki-1 mediawiki:latest 80/tcp=[{0.0.0.0 8080} {:: 8080}] 172.25.0.3
/mediawiki-database-1  mariadb:latest  3306/tcp=[]                         172.25.0.2

Inside MediaWiki container:

PHP 8.3.32 (cli)
Apache/2.4.67 (Debian)

Public MediaWiki API reports:

MediaWiki: 1.46.0
PHP: 8.3.32
phpsapi: apache2handler
dbtype: mysql
dbversion: 12.3.2-MariaDB-ubu2404
site name: Marcopedia
server: https://ov.430.ch
maxuploadsize: 104857600

Extensions/skins:

MinervaNeue
MonoBook
Timeless 0.9.1
Vector 1.0.0
MediaWikiChat 2.25.0

Current public statistics:

pages: 3
articles: 0
edits: 3
images: 0
users: 3
activeusers: 2
admins: 2
jobs: 0

Public users visible through API:

Aivaras
  groups: user, autoconfirmed, bot, bureaucrat, interface-admin, suppress, sysop
  registered: 2026-07-03T22:32:35Z

Marco
  groups: user, autoconfirmed, bureaucrat, interface-admin, sysop
  registered: 2026-07-03T21:39:57Z

Codex
  groups: user, autoconfirmed
  registered: 2026-07-09T18:08:07Z

MediaWiki default
  groups: user, autoconfirmed
  registered: 2026-07-03T21:39:57Z

Current notable pages visible from recent changes:

430.ch Reconnaissance Report
Marcotrix.xyz Reconnaissance Report
Marco
Main Page

The Marcotrix.xyz Reconnaissance Report page was observed in the wiki state during this scan. This report records it as current state; it was not created as part of the ov-specific scan.

Direct Backend Reachability

[edit]

Outside the sandbox, direct requests to the MediaWiki backend succeeded:

http://127.0.0.1:8080/
http://83.228.241.25:8080/
http://[2001:1600:18:102::26f]:8080/

Each returned:

HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.67 (Debian)
X-Powered-By: PHP/8.3.32
Location: https://ov.430.ch/index.php/Main_Page

Interpretation:

  • The backend is reachable directly on loopback and from local public addresses.
  • Docker publishes it to IPv4 and IPv6.
  • Nmap's public IPv6 scan clearly sees it as open.
  • Nmap's IPv4 SYN scan labels it filtered, so off-host IPv4 exposure should be verified separately if precision matters. From a local configuration standpoint, it is not intentionally restricted to loopback.

Firewall and Docker NAT

[edit]

iptables-save showed no restrictive host INPUT policy:

*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
...
:DOCKER-USER -
-A DOCKER-USER -j RETURN

Docker NAT publishes 8080 to the MediaWiki container:

-A DOCKER ! -i br-d9bdd4e01ff5 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.25.0.3:80

Interpretation:

  • There is no custom DOCKER-USER deny/allow policy.
  • Docker controls the published backend port.
  • Binding the MediaWiki container to loopback, or using an internal Docker network with Caddy attached, would reduce accidental exposure.

Systemd Services

[edit]

Running services of interest:

caddy.service
containerd.service
docker.service
mindustry.service
mindustry-stutter.service
ssh.service
systemd-resolved.service
systemd-timesyncd.service
unattended-upgrades.service

Mindustry service:

[Service]
User=mindustry
Group=mindustry
WorkingDirectory=/srv/mindustry
ExecStart=/bin/sh -c 'tail -f /dev/null | /usr/bin/java -Xms128M -Xmx1024M -jar /srv/mindustry/server-release.jar'
Restart=on-failure
RestartSec=10
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
ReadWritePaths=/srv/mindustry

Mindustry runtime:

openjdk version "21.0.11" 2026-04-21
Mindustry user: uid=995(mindustry) gid=1000(mindustry)
server jar: /srv/mindustry/server-release.jar

Mindustry files observed:

/srv/mindustry/server-release.jar
/srv/mindustry/config/rules.hjson
/srv/mindustry/config/settings.bin
/srv/mindustry/config/logs/log-0.txt
/srv/mindustry/HOW-TO-CONNECT.txt
/srv/mindustry/MODERATION-LOG.md

Mindustry rules snippet:

reactorExplosions: false
logicUnitBuild: false
logicUnitDeconstruct: false

Loopback console:

[::ffff:127.0.0.1]:6859

HTTP Headers

[edit]

https://ov.430.ch/:

HTTP/2 301
location: https://ov.430.ch/index.php/Main_Page
server: Caddy
server: Apache/2.4.67 (Debian)
x-content-type-options: nosniff
x-powered-by: PHP/8.3.32
cache-control: private, must-revalidate, max-age=0
expires: Thu, 01 Jan 1970 00:00:00 GMT

https://ov.430.ch/index.php/430.ch_Reconnaissance_Report:

HTTP/2 200
server: Caddy
server: Apache/2.4.67 (Debian)
x-content-type-options: nosniff
x-powered-by: PHP/8.3.32
content-length: 97428

https://ov.430.ch/index.php/Marcotrix.xyz_Reconnaissance_Report:

HTTP/2 200
server: Caddy
server: Apache/2.4.67 (Debian)
x-content-type-options: nosniff
x-powered-by: PHP/8.3.32
content-length: 69206

Security header notes:

  • X-Content-Type-Options: nosniff is present.
  • HSTS is not present.
  • X-Powered-By: PHP/8.3.32 exposes PHP version.
  • Server exposes Caddy and Apache.

Findings and Recommendations

[edit]

High Priority

[edit]

Disable or firewall public LLMNR

[edit]

Finding:

5355/tcp open on IPv4 and IPv6
5355/udp open|filtered
process: systemd-resolve

Why it matters:

  • LLMNR is local-link name resolution. It is not useful on a public VPS interface.
  • Public exposure adds noise and unnecessary attack surface.

Recommended fix:

Create a drop-in:

/etc/systemd/resolved.conf.d/no-llmnr.conf

With:

[Resolve]
LLMNR=no
MulticastDNS=no

Then:

systemctl restart systemd-resolved
ss -ltnup | grep 5355

No 5355 listeners should remain.

Stop publishing MediaWiki backend to public interfaces

[edit]

Finding:

mediawiki-mediawiki-1 mediawiki:latest 80/tcp=[{0.0.0.0 8080} {:: 8080}]

Why it matters:

  • Caddy is meant to be the public entry point.
  • Direct backend exposure bypasses Caddy-layer controls and creates two public paths to the same app.
  • IPv6 8080 is confirmed open externally from this host's scan perspective.

Recommended fixes:

Option A, bind host port to loopback only:

ports:
  - "127.0.0.1:8080:80"

Option B, better: put Caddy on the Docker network and remove host port publication entirely.

Option C, add firewall rules in DOCKER-USER to reject public 8080.

Decide and document Mindustry exposure

[edit]

Finding:

6567/tcp open
6567/udp open|filtered
20151/udp open and responding with server info
process: java /srv/mindustry/server-release.jar

Why it matters:

  • If this is intentional, it is fine as a public game service, but it should be explicit.
  • If it is not intentional, it is a public service with a game-specific protocol and server information leakage.

Recommended action:

  • Keep if intentional.
  • Otherwise stop/disable mindustry.service and close the ports.
  • If kept public, consider basic firewall/rate-limit protections and log review.

Medium Priority

[edit]

Add HSTS

[edit]

Finding:

  • HSTS is not configured.

Recommended Caddy header:

header Strict-Transport-Security "max-age=31536000; includeSubDomains"

Use a shorter rollout first if desired:

header Strict-Transport-Security "max-age=86400"

Reduce version disclosure

[edit]

Finding:

Headers expose:

Server: Caddy
Server: Apache/2.4.67 (Debian)
X-Powered-By: PHP/8.3.32

Recommendation:

  • Remove X-Powered-By in PHP/Apache configuration.
  • Do not rely on header hiding for security, but reduce unnecessary precise version hints.

Review MediaWiki anonymous permissions

[edit]

Finding:

  • Public API exposes users, groups, recent changes, siteinfo, versions, and extensions.
  • The page config has indicated anonymous editability in previous HTML checks.

Recommendation:

If ov.430.ch should be public-editable, leave this alone but monitor abuse.

If not:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['writeapi'] = false;

Also review upload settings, because maxuploadsize is 104857600.

Add firewall policy

[edit]

Finding:

INPUT ACCEPT
DOCKER-USER -j RETURN

Recommendation:

  • Define an explicit host firewall policy.
  • Use DOCKER-USER for Docker-published ports, since Docker inserts NAT/filter rules.
  • Permit only intended public services:
    • 22/tcp if SSH must be public
    • 80/tcp
    • 443/tcp
    • 443/udp if HTTP/3 is desired
    • Mindustry ports if desired

Low Priority

[edit]

Consider whether Caddy CORS snippet is needed

[edit]

Finding:

  • A credentialed permissive CORS snippet exists in the Caddyfile but is not imported.

Recommendation:

  • Remove it if unused to prevent accidental future import.
  • If used later, do not reflect arbitrary origins with credentials unless there is a clear requirement.

Keep image tags pinned

[edit]

Finding:

Containers are running mediawiki:latest and mariadb:latest.

Recommendation:

  • Prefer explicit stable tags or image digests.
  • You already have mediawiki:1.46 locally; use explicit tags in deployment config.

Artifact Inventory

[edit]
/root/recon-ov430/nmap-ipv4-full.txt
/root/recon-ov430/nmap-ipv4-service.txt
/root/recon-ov430/nmap-ipv6-full.txt
/root/recon-ov430/nmap-ipv6-service.txt
/root/recon-ov430/nmap-udp-targeted.txt
/root/recon-ov430/root-https.html

Directory size:

24K /root/recon-ov430

Representative Commands

[edit]
ss -ltnup
systemctl list-units --type=service --state=running --no-pager
systemctl cat mindustry.service mindustry-stutter.service caddy.service docker.service --no-pager
docker ps --format 'table {{.ID}}\t{{.Image}}\t{{.Names}}\t{{.Ports}}\t{{.Status}}'
docker port mediawiki-mediawiki-1
docker image ls
docker inspect --format '{{.Name}} {{.Config.Image}} {{range $p, $v := .NetworkSettings.Ports}}{{$p}}={{$v}} {{end}} {{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}' mediawiki-mediawiki-1 mediawiki-database-1
iptables-save

nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-full.txt
nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-full.txt
nmap -Pn -sV --version-light -p22,80,443,5355,6567,8080 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-service.txt
nmap -Pn -6 -sT -sV --version-light -p22,80,443,5355,6567,8080 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-service.txt
nmap -Pn -sU -sV --version-light -p443,5355,6567,20151 83.228.241.25 -oN /root/recon-ov430/nmap-udp-targeted.txt

curl -sS -D - -o /dev/null http://127.0.0.1:8080/
curl -sS -D - -o /dev/null http://83.228.241.25:8080/
curl -g -sS -D - -o /dev/null 'http://[2001:1600:18:102::26f]:8080/'

curl -sS 'https://ov.430.ch/api.php?action=query&meta=siteinfo&siprop=general%7Cstatistics%7Cextensions%7Cskins&format=json'
curl -sS 'https://ov.430.ch/api.php?action=query&list=allusers&auprop=groups%7Ceditcount%7Cregistration&format=json'
curl -sS 'https://ov.430.ch/api.php?action=query&list=recentchanges&rcprop=title%7Cids%7Ctimestamp%7Cuser%7Ccomment%7Cflags&rclimit=20&format=json'