Cleanup & Hardening
Why: The 2026-05 audit found openvpn enabled but inert, NPM's admin port 81 exposed to any IP, and the obsolete plexupdate binary still present.
During the 2026-05 server audit, we identified several security and hygiene issues that needed addressing. We disabled an inert VPN service, restricted proxy manager admin access to the local network, and removed an outdated Plex update script.
1. Disabling OpenVPN
The openvpn.service was enabled at boot, but its configuration directories (/etc/openvpn/server and /etc/openvpn/client) were empty and no OpenVPN process was actively running.
- Action: Disabled and stopped the service using
sudo systemctl disable --now openvpnto reduce the boot footprint.
2. Restricting NPM Admin Port 81
The Nginx Proxy Manager (NPM) admin interface on port 81 was exposed globally via UFW (Anywhere). For security, management interfaces should not be publicly accessible.
- Action: Removed the broad
allow 81/tcpUFW rule and replaced it with a LAN-only restriction (sudo ufw allow from 192.168.1.0/24 to any port 81 proto tcp).
3. Archiving Obsolete plexupdate Binary
The legacy mrworf/plexupdate script located at /usr/local/bin/plexupdate was replaced by plex-update and plex-check per previous updates, but the old binary was still present.
- Action: Moved the obsolete binary to
/home/plex/archive/2026-05-cleanup/to keep the system path clean.