Contabo VPS Security Audit — 2026-04-20

Contabo VPS Security Audit — 2026-04-20

Host: 173.249.30.224 (contabo, vmi3245237.contaboserver.net)
OS: Ubuntu 24.04 LTS, kernel 6.8.0-106
Purpose: Brian's second body — XFCE + TigerVNC + noVNC at https://vnc2.jonahtebaa.com/
Verdict: YELLOW (fixable items below are already applied; one medium left = SSH password auth)

1. Open ports

External (nmap from Hetzner)

22/tcp   open      ssh
80/tcp   open      http   (redirects to 443)
443/tcp  open      https  (vnc2.jonahtebaa.com)
5901/tcp filtered         (blocked by UFW — correct)
6080/tcp filtered         (blocked by UFW — correct)

Verdict: GREEN. VNC + websockify are bound to 127.0.0.1 and also UFW-blocked.

Internal (ss -tlnp)

• 5901 Xtigervnc -> 127.0.0.1 only. Good.
• 6080 websockify -> 127.0.0.1 only. Good.
• 22 sshd -> all interfaces.
• 80/443 nginx -> all interfaces.

UFW

22/tcp   ALLOW  Anywhere
80/tcp   ALLOW  Anywhere
443/tcp  ALLOW  Anywhere

Verdict: GREEN.

2. SSH

• root login with password is currently ENABLED.
• SSH key from Hetzner is installed in ~/.ssh/authorized_keys.
• A fresh ed25519 key was generated on Contabo and added to Hetzner for reverse sync.
• fail2ban sshd jail installed + enabled (maxretry=5, findtime=10m, bantime=1h).

Severity: MEDIUM. Recommend disabling PasswordAuthentication in /etc/ssh/sshd_config once Jonah has the key on his laptop too. Flag PermitRootLogin prohibit-password. Not auto-applied — needs confirmation Jonah has key-only access from his Mac.

3. TLS

• Cert: Let's Encrypt E7, notBefore=Apr 20 14:08:03 2026, notAfter=Jul 19 14:08:02 2026.
• certbot.timer active, next run Apr 21 05:39 CEST.
• options-ssl-nginx.conf managed by Certbot (TLS 1.2 + 1.3 only, strong ciphers).
• ssl_dhparam present.

Verdict: GREEN.

4. fail2ban

• Installed + enabled.
• /etc/fail2ban/jail.d/sshd.local:
• enabled=true, port=22, maxretry=5, findtime=10m, bantime=1h.
• fail2ban-client status sshd reports jail running.

Verdict: GREEN.

5. unattended-upgrades

• Installed + enabled (systemctl is-enabled unattended-upgrades = enabled).
• dpkg-reconfigure -f noninteractive unattended-upgrades re-applied defaults.

Verdict: GREEN.

6. noVNC / websockify

• Binds 127.0.0.1:6080 only.
• Exposed through nginx reverse proxy with WebSocket upgrade + rate limiting (30 r/s, burst 60).
• noVNC version in use: from the upstream Debian/Ubuntu package. Known CVEs in very old noVNC (<1.3) do not apply here (Ubuntu 24.04 ships 1.4+). No CVEs flagged at audit time.

Severity: LOW — consider adding HTTP basic auth in front of the websockify proxy for defense-in-depth. Not applied; would break current single-click flow Jonah prefers.

7. Claude Desktop + Claude Code

• Claude Code: v2.1.114 (official npm, @anthropic-ai/claude-code).
• Claude Desktop: 1.3109.0-9 (patrickjaja Linux build).
• Checksums: not independently verified against upstream; this is a known gap for the patrickjaja build. Acceptable until Anthropic ships an official Linux binary.

Severity: LOW.

8. Tailscale ACL

• Binary installed (v1.96.4), daemon enabled.
• NOT YET JOINED — awaiting tailnet auth key from Jonah.
• Once joined: Contabo should appear alongside ubuntu-8gb-hel1-1 (Hetzner, 100.99.129.102), jonahs-macbook-pro (100.79.172.24), xiaomi-2203121c (100.84.194.110).
• ACL should be scoped so only those four nodes can reach Contabo over the tailnet.

Severity: MEDIUM (blocker on step 3).

9. Nginx hardening (APPLIED)

Added to vnc2.jonahtebaa.com vhost:

Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: wss:; connect-src 'self' wss:;

Plus rate limit on /websockify: limit_req zone=vncws burst=60 nodelay (30 r/s).

Verdict: GREEN.

Final summary

Overall: YELLOW. No red items. Two follow-ups:
1. Disable SSH password auth after Jonah confirms key access from his Mac.
2. Complete Tailscale join once authkey provided, then restrict ACL to four known nodes.