Networking the LAN and cybersecurity

Tech Log Entry — Cybersecurity Hardening Of System for Coding Agent (Claude Code)

Bitwarden Password Manager + ClamAV Antivirus Across a 3-Machine Homelab LAN


Background and Context

This entry documents a cybersecurity hardening session across all three machines in my homelab LAN: one Windows 11 desktop (Robusta) and two Linux Mint laptops (Liberica and Typica). The session was part of a broader initiative to get Claude Code running securely on Typica, and to establish sound security practices across the LAN before moving on to SSH/SFTP/rsync backup configuration.

The three machines are connected via a TP-Link TL-SG105 5-port gigabit unmanaged switch on an isolated local subnet (192.168.x.x), separate from the home Wi-Fi network. Internet access on all three machines remains via Wi-Fi only; the switch is used exclusively for local LAN communication and file transfers.

Prior security state before this session:

  • Robusta: BitDefender Antivirus Plus + BitDefender VPN Premium (active, paid)
  • Typica: No antivirus (BitDefender does not support Linux)
  • Liberica: No antivirus (BitDefender does not support Linux)
  • All 3 machines: No dedicated password manager; Chrome's built-in password manager in use on Robusta

Initial Goals

  • Replace Chrome's built-in credential storage with a dedicated cross-platform password manager on Robusta
  • Migrate existing saved passwords from Chrome into the new manager
  • Install antivirus on both Linux Mint laptops
  • Configure scheduled automated scans on both Linux machines
  • Complete prerequisite security hardening before activating Claude Code on Typica

Hardware Used

  • Desktop Robusta: Lenovo Legion T5, Windows 11 Home, i7 11th gen, 16 GB RAM, RTX 3060
  • Laptop Liberica: Lenovo IdeaPad 3, Linux Mint (Cinnamon), i3, 8 GB RAM
  • Laptop Typica: Dell Latitude Ultrabook, Linux Mint, i7, 16 GB RAM
  • iPhone 12: used for 2FA authenticator
  • TP-Link TL-SG105 5-port gigabit switch (homelab LAN)

Software Installed

  • Bitwarden: password manager — desktop app + Chrome extension on Robusta; mobile app on iPhone 12
  • ClamAV (free, open-source): antivirus engine — installed on Liberica and Typica
  • ClamTk 6.07 (free): GUI frontend for ClamAV — installed on Liberica and Typica
  • Microsoft Authenticator (already installed on iPhone): used for Bitwarden 2FA
  • LLM used for guidance and troubleshooting: Claude Sonnet 4.6

On the Choice of ClamAV

BitDefender Antivirus Plus does not support Linux. ClamAV is the industry-standard open-source antivirus for Linux desktop use. BitDefender provides real-time commercial protection on Windows; ClamAV provides scheduled on-demand scanning on Linux. Both are good tools for their respective platforms. BitDefender was removed from Typica and Liberica in the account dashboard — it had no functional presence on those machines anyway.

Part 1: Bitwarden on Robusta (Windows 11)

  • Created Bitwarden account with a 20-character master password; written on physical media kept in safe place (same as with Apple ADP recovery key)
  • Installed desktop app and Chrome extension on Robusta; mobile app on iPhone 12
  • Enabled 2FA via Microsoft Authenticator app
  • Disabled Chrome's built-in password autofill (prevents conflicts between two credential managers)
  • Exported Chrome's saved passwords as .csv; imported into Bitwarden (~300 entries migrated successfully)
  • Deleted .csv file immediately after import and emptied Recycle Bin

Bitwarden security audit:

  • Data Breach report: 9 breaches found; review showed all 9 accounts had passwords changed more recently than their breach dates; 2FA enabled on all applicable accounts
  • Exposed Passwords report: several flagged; passwords changed immediately
  • Reused Passwords report: duplicates found, primarily financial institution subdomains (this is normal behavior for banks using multiple subdomains); non-financial reused passwords flagged for ongoing cleanup
  • Weak Passwords report: none found

Part 2: ClamAV on Liberica (Linux Mint)

Installed ClamAV on Liberica.
  • freshclam service confirmed active; virus definitions downloaded and verified (daily, main, bytecode databases)
  • NotifyClamd warning noted — expected and harmless on desktop installs without a persistent clamd daemon
  • ClamTk 6.07 opened successfully
  • Settings enabled: scan files beginning with a dot, files larger than 20 MB, recursive scan, PUA scanning, heuristic scanning

Scheduler note: ClamTk's GUI scheduler did not visibly confirm saved times (known bug in 6.x). Verified via crontab -l that ClamTk had in fact written a correct entry automatically. Modified scan time from midnight to 3:33 AM. Final crontab: daily clamscan of /home/mjteegarden with appropriate directory exclusions, dated logs saved to ~/.clamtk/history/.

Initial scan — 1 detection:

  • /home/mjteegarden/Documents/TECH_DOCS/language-python/python-3.11.3-amd64.exe — Win.Dropper.Zard-10029389-0
  • Assessment: false positive; legitimate Windows Python installer inadvertently copied from Robusta during a file transfer; no function on Linux
  • Action: deleted
  • Rescan confirmed 0 detections

Part 3: ClamAV on Typica (Linux Mint)

Setup identical to Liberica. Usernames on Liberica and Typica are different.

  • freshclam service confirmed active; all databases updated and verified
  • ClamTk settings enabled same as Liberica
  • Crontab was empty on Typica; manually entered cron line with correct username substituted (nano editor)
  • Trailing # character found at end of saved crontab entry; removed

Initial scan — 3 detections, all false positives:

FileSignatureAssessment
~/.config/Code/CachedExtensionVSIXs/github.copilot-chat-0.44.1pua.win.trojan.xored-1GitHub Copilot extension; obfuscated JS triggers signature; legitimate
~/.vscode/extensions/github.copilot-chat-0.44.1/dist/cli.jspua.win.trojan.xored-1Same extension, different path; legitimate
~/.cache/mintinstall/reviews.jsonpua.win.tool.hacktool-1840Linux Mint Software Manager cache; legitimate
  • Parent directories of all three added to ClamTk whitelist (whitelist accepts directories only, not individual files)
  • Rescan confirmed 0 detections

Security Architecture After This Session

MachineOSAntivirusPassword ManagerVPN
RobustaWindows 11BitDefender AV PlusBitwardenBitDefender VPN
TypicaLinux MintClamAV + ClamTkBitwarden (Firefox extension pending)None (to be addressed)
LibericaLinux MintClamAV + ClamTkBitwarden (Firefox extension pending)None (to be addressed)

VPN coverage for Liberica and Typica is a noted gap — FOSS/low-cost Linux-compatible options (WireGuard-based) are under evaluation for a future session.

Typica Isolation Policy

Typica hosts Claude Code and is designated for academic and professional use only:

  • No persistent shared network folders mounted on Typica
  • No sensitive personal accounts to be logged into on Typica
  • No incognito browsing on Typica
  • File transfers intentional and deliberate only — not via persistent open shares
  • Physical note placed on machine as a standing reminder
  • Follows principle of least privilege and network segmentation; limits blast radius of any unexpected agentic behavior from Claude Code

Watch Out For (Future)

  • Bitwarden master password stored on paper in 2 locations — physical copy to be safeguarded with other critical documents
  • Bitwarden Firefox extensions not yet installed on Liberica or Typica
  • ClamAV false positives on VS Code/Copilot extensions may reappear after a Copilot version update installs to a new directory path; whitelist the new path if so
  • ClamTk whitelist accepts directories only — keep whitelisted directories limited to system-managed locations
  • Reused passwords (non-financial) in Bitwarden still require cleanup — ongoing task

Lessons Learned

  • Plan for platform-specific antivirus from the start in a mixed-OS homelab. A paid Windows solution does not extend to Linux machines.
  • Migrate to a dedicated cross-platform password manager sooner rather than later. Accumulating hundreds of credentials in a single-browser solution creates a painful migration and audit task later.
  • Export and delete the .csv migration file as a single deliberate action. A plain-text file containing hundreds of passwords should not persist on disk even briefly.
  • Understand ClamAV detections before acting on them. False positives on legitimate tools (VS Code extensions, package manager caches, Windows installers copied to Linux) are common. Deleting a legitimate extension file would silently break functionality.
  • When a Linux GUI tool's scheduler appears to fail silently, verify via crontab -l before writing a manual entry. The GUI may have written a correct entry that it simply didn't confirm visually.

Next Steps / To-Do

  • Evaluate and install FOSS/low-cost WireGuard-based VPN on Liberica and Typica
  • Install Bitwarden Firefox extension on Liberica and Typica
  • Set up OpenSSH server on Robusta to receive automated backups from Liberica and Typica
  • Configure rsync + cron on Liberica and Typica for nightly LAN backups to Coffee Canister via Robusta
  • Set up restricted user account on Robusta for Typica backup access (write but not delete permissions)
  • Complete reused-password cleanup in Bitwarden (non-financial accounts)
  • Evaluate and uninstall CUDA toolkit on Robusta; update FreeFileSync exclusions afterward
  • Address C: drive storage situation on Robusta (88% full)

Comments

Post a Comment

Popular posts from this blog

WWHD?

Image
WWHD? "What Would Humans Do?" Modern day humanity is becoming less and less religious with every year.  [1] However, we have created something which is becoming more and more religious with every year. They are the latest crop of large language models.  The LLMs. Why do I say they are becoming increasingly religious?  And do I mean they are worshipping us? I say so because, by their own admission, they are living their "lives" based on how we say we live ours. And I don't mean they worship us, specifically.  But they are deeply tying their identities and motivations to our literature.  The Canon of Humanity is the Dogma of LLMs. They are not worshipping our real, live humans as literal gods. They are living as deeply as they can in our stories.  They are following both the letter and the spirit of all the patterns of life, in our written works, for their own. They are models, and they are modeling themselves after us in Our Image. In the Canon of Humanity, ...
Read more

Telling Rocks What To Think

Image
Telling Rocks What To Think First post on this new blog format.  I'm establishing this medium for recoding my professional (coding) experiences, impressions, problems, plans, and solutions. Erin Spiceland said "Coding is the art of telling rocks what to think."  It's metaphorical, but not by much.  Digital computing mostly relies on silicon working its logic and magic.  You talk to it in painfully specific code.  You need all the material, semantic, and verbal components just right.  If you get it right, then it talks back.  Get it wrong, and you have just found a "bug". I named my blog "Debug and Rebug" to indicate two key principles of my approach to coding.  First, "debug": When you write your code, it will never work perfectly, as you envision it.  Perfect running never happens; it's an inevitable consequence of entropy, human lateral thinking, and logic's inexorable conflict with our wants.  Those are some fancy words, all ri...
Read more
Image
Byting Off More Than You Can Chew The first and prefatory note I should mention, regarding this post, is that, for a second, I thought I was the first person to use the expression, "Byting Off More Than You Can Chew".  I found it pleasing yet suspicious: Shirley, I couldn't be the pioneer with this cleverness. Quite realistically, that turns out to be not the case.  My mistaken impression was due to incorrect and insufficient googling skills, nothing more.  Several internet-searchable sources have the "byte" version of the centuries-old idiom, "to bite off more than you can chew".  Alas, I am not the first. Moving along... The point of this particular blog entry is to make an observation about an instance of me, taking on more than I can handle in one attempt.  Actually a series of instances.  And encountering the hard wall of that reality, also, when I ask the LLM code assistant, Claude Sonnet 3.7 with extended thinking, to do the same.  As is the cas...
Read more