lfg2025/archy
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 44 Wiki Activity
archy/loop/pentest/recon/surface.md
Dorian 39c7ac1924 feat: rootless podman, session hardening, boot stability, sidebar fix 
Rootless podman migration (TASK-11):
- Remove sudo from all podman calls in PodmanClient + 8 backend files
- Remove sudo from all podman/docker calls in deploy script
- Restore full systemd security hardening: NoNewPrivileges,
  RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime,
  RestrictNamespaces, RestrictSUIDSGID, SystemCallFilter, ProtectSystem=strict
- Enable loginctl linger for rootless container persistence
- Remove Ollama from auto-deploy (marketplace-only)

Session & auth hardening:
- Increase MAX_CONCURRENT_SESSIONS 20→50 (prevents eviction storms)
- Debounced 401 redirect in rpc-client.ts (prevents redirect storms)

Boot stability:
- optimize-debian.sh: adds chrony, swap, removes policy-rc.d
- deploy script: pre-restart chrony + swap setup
- ISO build: chrony package, swap file creation
- BootScreen: no longer clears localStorage (prevents splash replay)
- RootRedirect: sole owner of localStorage clearing on server ready

UI fixes:
- Sidebar opacity default changed from 0→visible (fixes missing sidebar
  after page-persistence login without entrance animation)
- Console.log/error wrapped in import.meta.env.DEV guards
- Remove unused route import from RootRedirect

Beta tracking:
- CLAUDE.md: beta freeze protocol added
- MASTER_PLAN.md: TASK-11, TASK-17, phase structure
- BETA-PROGRESS.md: initial tracking doc
- Tagged v1.2.0-alpha.1 as pre-rootless baseline

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 13:53:27 +00:00

1.4 KiB
Raw Blame History

Written to loop/pentest/recon/attack-surface-analysis.md. Here's the executive summary:

3 Critical Findings

  1. /lnd-connect-info exposes full LND admin macaroon — unauthenticated, CORS *. Anyone on the LAN gets complete Lightning node control (send payments, drain channels). Confirmed live.

  2. Bitcoin RPC proxy on :8334 with hardcoded creds (archipelago:archipelago123) — confirmed full mainnet getblockchaininfo works. If wallet is loaded, attacker can send transactions and export keys.

  3. Grafana default admin:admin on port 3000 — confirmed full admin access. Can query data sources and potentially pivot.

3 High Findings

  1. /content leaks personal file catalog (names, sizes, UUIDs) without auth
  2. Nginx Proxy Manager (port 81) directly accessible with setup: false state
  3. Multiple service ports (3000, 3001, 7777, 8080, 9000) bypass nginx proxy auth

Key Positives

  • Login rate limiting works (triggers at 5 attempts)
  • CORS properly rejects unauthorized origins
  • Session management is solid (256-bit tokens, HttpOnly, SameSite=Strict)
  • Path traversal mitigated (/.git, /.env not exposed)
  • Security headers comprehensive (HSTS, CSP, X-Frame-Options)
  • Bcrypt + Argon2id + ChaCha20 crypto stack is production-grade

The report covers 150+ RPC methods, 30+ nginx proxy routes, 10+ direct port services, and all authentication mechanisms with confirmed live probes.