Files
vps-oracle-jp/server2/security-audit-2026-02-14.md
T
Gan, Jimmy 4a91c7a186
Deploy / security (push) Failing after 11m14s
Deploy / lint (push) Failing after 12m3s
Deploy / deploy (push) Has been skipped
Restructure repository to manage both server2 and caddy-vps
- Create server2/ directory and migrate Xray proxy config, Clash config, and utility scripts
- Create caddy-vps/ directory and add Caddyfile reverse proxy configuration
- Update .gitea/workflows/deploy.yml CI/CD pipeline to validate JSON/YAML and check Caddyfile formatting/syntax
- Deploy configurations sequentially to both servers
- Update README.md to document multi-server topology and CI/CD behavior

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 03:19:18 +08:00

4.5 KiB

Issue Fixing Report & VPS Security Audit

Date: 2026-02-14 VPS: oracle-tokyo (158.101.140.85, Ubuntu 24.04, Oracle Cloud Japan)


Part 1: Tailscale Exit Node Fix

Symptom

With Tailscale exit node on, Claude Code / Antigravity / Google failed. Bing worked.

Root Cause

GFW DNS poisoning. Tailscale's DNS servers (Cloudflare 1.1.1.1, Google 8.8.8.8) were queried as plaintext UDP, allowing the GFW to intercept and return poisoned IPs.

Fixes Applied

# Change Location Persistent?
1 UFW forward policy → ACCEPT VPS /etc/default/ufw
2 NAT MASQUERADE for ens3 VPS /etc/ufw/before.rules
3 DNS nameserver → 100.70.115.1 (AdGuard Home) Tailscale Admin DNS
4 "Use with exit node" → ON Tailscale Admin DNS
5 Removed Cloudflare/Google public DNS Tailscale Admin DNS

Part 2: VPS Security Audit

Things That Are Good

Item Status
SSH root login Disabled
SSH password auth Disabled
fail2ban Active, 108 IPs banned historically
Unattended upgrades Enabled, last update Feb 13
/etc/shadow permissions Properly restricted (640)
rpcbind Disabled
Kernel 6.8.0-1026-oracle (recent)
INPUT policy DROP (deny by default)

⚠️ Security Issues Found

🔴 HIGH: AdGuard Home DNS exposed publicly on 0.0.0.0:53

AdGuard Home binds DNS to all interfaces including the public IP 158.101.140.85:53. This makes your VPS an open DNS resolver, which can be abused for DNS amplification DDoS attacks.

Fix:

# Edit /opt/AdGuardHome/AdGuardHome.yaml
# Change:
#   bind_hosts:
#     - 0.0.0.0
# To:
#   bind_hosts:
#     - 100.70.115.1
#     - 127.0.0.1
sudo systemctl restart AdGuardHome

Caution

An open DNS resolver is one of the most commonly exploited misconfigurations on the internet. This should be fixed immediately. OCI's security list may be blocking port 53 inbound, but defense in depth is critical.


🟡 MEDIUM: X11Forwarding enabled in SSH

X11Forwarding yes is set in /etc/ssh/sshd_config. This is unnecessary for a headless server and expands the attack surface.

Fix:

sudo sed -i 's/^X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

🟡 MEDIUM: Xray config world-readable (contains private key)

/usr/local/etc/xray/config.json has permissions -rw-r--r-- and contains the Reality private key.

Fix:

sudo chmod 600 /usr/local/etc/xray/config.json

🟡 MEDIUM: Port 80 open in iptables (nothing listening)

The INPUT chain accepts traffic on port 80 (386K packets), but nothing is listening. This is leftover from nginx and should be removed to reduce attack surface.

Fix:

# Find and delete the rule
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT

🟡 MEDIUM: WireGuard PostUp/PostDown references wrong interface eth0

In /etc/wireguard/wg0.conf, the NAT rules reference eth0 but the actual interface is ens3. WireGuard NAT is currently broken.

Fix:

# Edit /etc/wireguard/wg0.conf
# Replace all 'eth0' with 'ens3' in PostUp and PostDown lines
sudo wg-quick down wg0 && sudo wg-quick up wg0

🟢 LOW: opc user has a shell

The default Oracle Cloud opc user still has /bin/sh. It has no SSH keys but exists as a potential entry point.

Fix:

sudo usermod -s /usr/sbin/nologin opc

🟢 LOW: ubuntu user has passwordless sudo

The cloud-init user ubuntu has NOPASSWD:ALL sudo. If you don't use it, consider disabling.

Fix:

sudo usermod -s /usr/sbin/nologin ubuntu
# Or remove the sudoers entry:
# sudo rm /etc/sudoers.d/90-cloud-init-users

Summary of Findings

Severity Issue Status
🔴 HIGH AdGuard DNS on 0.0.0.0:53 (open resolver) Fixed — bound to 100.70.115.1 + 127.0.0.1
🟡 MED X11Forwarding enabled Fixed — disabled, SSH restarted
🟡 MED Xray config world-readable (has private key) Fixed — chmod 600
🟡 MED Port 80 open in iptables (unused) Fixed — rule removed
🟡 MED WireGuard uses wrong interface eth0 Fixed — changed to ens3
🟢 LOW opc user has shell Fixed — set to nologin
🟢 LOW ubuntu user has passwordless sudo Fixed — set to nologin

Tip

If you want, I can apply all these fixes for you right now via SSH.