A practical security panel: what’s already enabled in this Console, common failure modes, and safe hardening commands.
Enabled here
- Auth gate: Basic auth + session cookie (once the cookie is set, fetch() calls work without extra headers)
- Uploads: served without directory index; no-store headers
- No secrets in UI: design rule — keep keys in env files
- Audit trail: transcript + worklog capture key actions
Note: some browsers block inline scripts; we keep critical app JS in /static.
Common trouble spots
- Inline JS blocked → UI appears but buttons don’t work (fix: move JS to /static)
- Auth cookie Secure on HTTP → session may not stick (prefer HTTPS reverse proxy)
- Open internet → brute force risk (add fail2ban / allowlist / VPN)
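A quick way to verify the "Enabled here" items and catch the cookie trouble spot above, as an added example that is not part of the Console: a POSIX sh function that audits the response headers of an unauthenticated probe. The 127.0.0.1:21337 origin is the one from the Caddy example on this page; the /uploads/ path and any hostname are assumptions.

```shell
# audit_headers SCHEME
#   SCHEME is "http" or "https": the scheme the unauthenticated probe used.
#   Reads a raw response-header dump on stdin (e.g. from curl -sI), prints one
#   finding per line and returns the number of problems found (0 = all good).
# Usage against a live instance (path is an assumption, adjust to your deployment):
#   curl -sI http://127.0.0.1:21337/uploads/ | audit_headers http
audit_headers() {
  scheme=$1
  hdrs=$(tr -d '\r')          # curl keeps CRLF line endings; drop the CR
  problems=0

  # 1) Auth gate: an unauthenticated request must get 401 plus a Basic challenge.
  status=$(printf '%s\n' "$hdrs" | sed -n '1s|^HTTP/[0-9.]* \([0-9][0-9]*\).*|\1|p')
  if [ "$status" = "401" ] && printf '%s\n' "$hdrs" | grep -qi '^www-authenticate: *basic'; then
    echo "ok   auth gate: 401 with Basic challenge"
  else
    echo "FAIL auth gate: unauthenticated request got status '${status:-none}'"
    problems=$((problems + 1))
  fi

  # 2) Uploads must carry no-store so browsers and proxies never cache them.
  if printf '%s\n' "$hdrs" | grep -i '^cache-control:' | grep -qi 'no-store'; then
    echo "ok   cache-control: no-store present"
  else
    echo "FAIL cache-control: no-store missing"
    problems=$((problems + 1))
  fi

  # 3) Session cookie: Secure is correct behind HTTPS, but over plain HTTP the
  #    browser drops the cookie and the session "does not stick".
  cookie=$(printf '%s\n' "$hdrs" | grep -i '^set-cookie:' || true)
  if [ -n "$cookie" ]; then
    if printf '%s\n' "$cookie" | grep -qi ';[[:space:]]*secure'; then
      if [ "$scheme" = "https" ]; then
        echo "ok   session cookie: Secure flag over HTTPS"
      else
        echo "FAIL session cookie: Secure flag over plain HTTP (put an HTTPS reverse proxy in front)"
        problems=$((problems + 1))
      fi
    elif [ "$scheme" = "https" ]; then
      echo "FAIL session cookie: Secure flag missing on an HTTPS deployment"
      problems=$((problems + 1))
    else
      echo "warn session cookie: no Secure flag (fine only until HTTPS is in place)"
    fi
  fi

  return "$problems"
}
```

A non-zero exit status is the count of failed checks, so the function drops straight into a cron job or a deploy script.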
Fail2ban (live)
Live SSH protection stats from fail2ban-client. Updates on load.
Security Recommendations (copy-safe)
Run only what you understand. These are suggestions, not auto-executed.
1) Put Console behind HTTPS (recommended)
# Example Caddyfile (site address is a placeholder; Caddy obtains the TLS certificate itself):
console.example.com {
    reverse_proxy 127.0.0.1:21337
}
# (terminate TLS at Caddy, then access the Console over https://)
2) Lock SSH down + basic firewall
ufw allow OpenSSH
ufw allow 80
ufw allow 443
ufw --force enable
ufw status verbose
3) fail2ban for sshd (quick hardening)
apt-get update
apt-get install -y fail2ban
systemctl enable --now fail2ban
fail2ban-client status
4) Change the Console password
nano /etc/clawdrey-console.env
# update AUTH_PASS=... then restart so the service picks up the new value
systemctl restart clawdrey-console.service