← Back to homepage

Security Audit

Generated 2026-07-13 07:00 EDT ยท read-only, nothing was changed

I'll load the six audit tool schemas first, then run all of them (they're independent and read-only).
I'll run all six audit tools in parallel (all read-only, no dependencies).
Audit complete โ€” six read-only checks run. Nothing was changed. Prioritized report below.

---

## Security Audit โ€” jvrcode droplet (2026-07-13)

### ๐Ÿ”ด CRITICAL

- **`/var/www/wp/wp-config.php` is world-readable** โ€” WordPress DB credentials & auth salts exposed to every local user (and served if Nginx mis-serves .php). โ†’ `chmod 640` and set owner to `www-data`. (guarded: `fix_file_permissions`)
- **6 exposed `.git` directories in web roots** (`jvrcode.com`, `panini-wc2026`, `wp`, `app1`, `threadmarkusa`, `radio`) โ€” full source + history + any committed secrets are downloadable if served. โ†’ Add a global `location ~ /\.git { deny all; return 404; }` in Nginx. (guarded: `secure_nginx_dotfiles`)

### ๐ŸŸ  HIGH

- **Flask dev server public on port 5000 (`python` on 0.0.0.0)** โ€” dev server, not production-hardened, internet-reachable. โ†’ Bind to 127.0.0.1 and reverse-proxy via Nginx, or `ufw deny 5000`.
- **`panini-wc2026/.env` inside a web root** โ€” env/secret file under a served directory (not world-readable, but reachable if statically served). โ†’ Move outside web root or block `.env` in Nginx.
- **Node app (3400) and Icecast (8000) public** โ€” confirm both are meant to face the internet; if only proxied through Nginx, bind to loopback or firewall. โ†’ `ufw deny` or bind 127.0.0.1.

### ๐ŸŸก MEDIUM

- **Plaintext mail ports open: POP3/110 and IMAP/143 (dovecot)** โ€” allow unencrypted auth. โ†’ Disable plaintext listeners; keep only 993/995 (+587 STARTTLS).
- **32 pending package updates** (0 flagged security) โ€” patch drift. โ†’ `apt upgrade` during a maintenance window.

### ๐ŸŸข LOW / informational

- **8,662 failed SSH logins** (top: 141.11.250.228 = 1,627; probing `admin`/`user`/`ubuntu`). Mitigated โ€” key-only auth + fail2ban already active. No action required.
- **SSH hardening: good** โ€” `PermitRootLogin prohibit-password`, `PasswordAuthentication no`, X11 off. Optional: move off port 22 to cut log noise.
- **Firewall/AV: good** โ€” ufw active, fail2ban active.
- **TLS: all 9 certs healthy** โ€” soonest is `jvrcode.com` at 38 days; certbot auto-renew window is fine.
- **`cacert.pem` world-readable** โ€” public CA bundle, not sensitive. Ignore.
- **DBs correctly loopback-only** โ€” MySQL 3306/33060, Postgres 5432, gunicorn 8001 all bound to 127.0.0.1. 

---

**Top 2 to fix now:** world-readable `wp-config.php` and the exposed `.git` dirs. I can remediate either with the guarded tools (`fix_file_permissions`, `secure_nginx_dotfiles`) โ€” they back up, validate, and roll back, and will prompt before applying. Want me to proceed on any of these, or save this report to a file?

--- done: Audit complete โ€” six read-only checks run. Nothing was changed. Prioritized report below.

---

## Security Audit โ€” jvrcode droplet (2026-07-13)

### ๐Ÿ”ด CRITICAL

- **`/var/www/wp/wp-config.php` is world-readable** โ€” WordPress DB credentials & auth salts exposed to every local user (and served if Nginx mis-serves .php). โ†’ `chmod 640` and set owner to `www-data`. (guarded: `fix_file_permissions`)
- **6 exposed `.git` directories in web roots** (`jvrcode.com`, `panini-wc2026`, `wp`, `app1`, `threadmarkusa`, `radio`) โ€” full source + history + any committed secrets are downloadable if served. โ†’ Add a global `location ~ /\.git { deny all; return 404; }` in Nginx. (guarded: `secure_nginx_dotfiles`)

### ๐ŸŸ  HIGH

- **Flask dev server public on port 5000 (`python` on 0.0.0.0)** โ€” dev server, not production-hardened, internet-reachable. โ†’ Bind to 127.0.0.1 and reverse-proxy via Nginx, or `ufw deny 5000`.
- **`panini-wc2026/.env` inside a web root** โ€” env/secret file under a served directory (not world-readable, but reachable if statically served). โ†’ Move outside web root or block `.env` in Nginx.
- **Node app (3400) and Icecast (8000) public** โ€” confirm both are meant to face the internet; if only proxied through Nginx, bind to loopback or firewall. โ†’ `ufw deny` or bind 127.0.0.1.

### ๐ŸŸก MEDIUM

- **Plaintext mail ports open: POP3/110 and IMAP/143 (dovecot)** โ€” allow unencrypted auth. โ†’ Disable plaintext listeners; keep only 993/995 (+587 STARTTLS).
- **32 pending package updates** (0 flagged security) โ€” patch drift. โ†’ `apt upgrade` during a maintenance window.

### ๐ŸŸข LOW / informational

- **8,662 failed SSH logins** (top: 141.11.250.228 = 1,627; probing `admin`/`user`/`ubuntu`). Mitigated โ€” key-only auth + fail2ban already active. No action required.
- **SSH hardening: good** โ€” `PermitRootLogin prohibit-password`, `PasswordAuthentication no`, X11 off. Optional: move off port 22 to cut log noise.
- **Firewall/AV: good** โ€” ufw active, fail2ban active.
- **TLS: all 9 certs healthy** โ€” soonest is `jvrcode.com` at 38 days; certbot auto-renew window is fine.
- **`cacert.pem` world-readable** โ€” public CA bundle, not sensitive. Ignore.
- **DBs correctly loopback-only** โ€” MySQL 3306/33060, Postgres 5432, gunicorn 8001 all bound to 127.0.0.1. 

---

**Top 2 to fix now:** world-readable `wp-config.php` and the exposed `.git` dirs. I can remediate either with the guarded tools (`fix_file_permissions`, `secure_nginx_dotfiles`) โ€” they back up, validate, and roll back, and will prompt before applying. Want me to proceed on any of these, or save this report to a file?