Commit graph

4 commits

Author SHA1 Message Date
db078caa93 docs: add P0 auth spoofing mitigation findings (§10.2.1)
Applied iptables firewall on VM 1130 to restrict ports 8420/8440
to CT 101 (Caddy) and localhost only. Documents Tailscale ts-input
chain ordering requirement for future firewall work.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-04-26 02:02:38 +00:00

5afbbdcf4a Add CT 101 Caddy security audit findings
CRITICAL: RECON backends (8420, 8440) accept direct LAN/Tailscale
connections and trust X-Authentik-Username header unconditionally.
Verified exploitation: contacts read, API keys added via spoofed header.

Root cause: No firewall on RECON VM, services bind 0.0.0.0.
Caddy forward_auth is NOT bypassed - direct backend access is the vector.

P0 remediation: Firewall RECON to accept only from CT 101.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-04-26 01:40:45 +00:00

95fdac5ce3 Add Appendix C: actual Caddy config for navi/recon
SSH access fixed via cortex jump host to CT 101.
Key finding: navi.echo6.co uses port 8440, not 8420.
/tiles/* already public - same pattern for API routes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-04-26 01:21:59 +00:00

3777a5ba22 Add design doc: public Navi frontend with selective backend auth
Comprehensive endpoint inventory and auth classification for opening
navi.echo6.co frontend to public while protecting:
- Paid API calls (Google Places, TomTom)
- Per-user data (contacts)
- Admin functions (key management, service control)

Implementation deferred to Phase 3 session.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-04-26 01:11:02 +00:00