Fix Noxen findings

Every finding ships with a one-line remediation hint. This page goes deeper: distro-specific commands for CVE patches, lock-down patterns for exposed admin surfaces, and header configuration snippets for nginx / Apache / Caddy.

CVE findings

RemediationGenerator emits the right command for the host's distro automatically. The remediation field on each CVE finding is populated with the exact upgrade string:

Distro                         Generated remediation
Ubuntu / Debian                apt-get update && apt-get install --only-upgrade <package>
Rocky / RHEL / CentOS Stream   dnf upgrade <package>
AlmaLinux                      dnf upgrade <package>
openSUSE / SLES                zypper update <package>
Alpine                         apk upgrade <package>

For the common cases:

Exposed admin surfaces

Different services need different lock-down patterns. The common goal: the service should not be reachable from the open internet without authentication.

Bind to localhost

The simplest fix when the service is only meant for the host's own use. For most daemons that have a "bind address" config: change 0.0.0.0 to 127.0.0.1. Examples:
  • Redis: bind 127.0.0.1 in /etc/redis/redis.conf.
  • MongoDB: net.bindIp: 127.0.0.1 in /etc/mongod.conf.
  • Docker daemon: ensure /etc/docker/daemon.json has no "hosts" key, or set "hosts": ["unix:///var/run/docker.sock"].

Reverse proxy + auth

The right pattern for services that do need to be web-accessible (Grafana, Plex, Jellyfin) but shouldn't be directly internet-facing. Put nginx / Caddy / Traefik in front, terminate TLS there, and require auth at the proxy layer (basic auth, OAuth proxy, Cloudflare Access, Tailscale Funnel with ACL).

Enable the service's own auth

Many tools ship with auth disabled by default for "easy first run" — turning it on is a config flag.
  • Grafana: [auth.anonymous] enabled = false in grafana.ini.
  • Elasticsearch: enable Security (xpack.security.enabled: true) and configure built-in users.
  • Pi-hole: set WEBPASSWORD in /etc/pihole/setupVars.conf.

Move to a Tailscale / WireGuard VPN

For services with no good auth story (or where you don't want to maintain one), put them entirely on a private mesh network. The service is unreachable from the public internet — only members of your VPN see it. This is the standard pattern for homelab Plex / Jellyfin / Sonarr-Radarr setups.

Missing HTTP security headers

Add these to your reverse proxy (or to the application itself if it serves directly). Examples:

# nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'" always;

# Caddy (Caddyfile)
header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains"
    X-Frame-Options "DENY"
    X-Content-Type-Options "nosniff"
    Referrer-Policy "strict-origin-when-cross-origin"
    Content-Security-Policy "default-src 'self'"
}

# Apache (.htaccess or vhost)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Content-Security-Policy "default-src 'self'"

Caveat on CSP: default-src 'self' is a strict starting point but will break sites that use inline scripts, third-party fonts, analytics, or CDN-hosted assets. Tune the directives based on what your app actually needs — start strict, loosen as you find legitimate breakage.

Weak TLS

Disable deprecated protocols and weak ciphers in your TLS terminator:

# nginx — modern profile per Mozilla SSL Configuration Generator
ssl_protocols       TLSv1.2 TLSv1.3;
ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache   shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling        on;
ssl_stapling_verify on;

For the Mozilla Intermediate profile (broader compatibility), add TLSv1.0/1.1 back and a few extra ciphers. The Mozilla Configurator generates configs for nginx / Apache / HAProxy automatically; the canonical reference is at ssl-config.mozilla.org.

Compliance evidence

Every finding's remediation is also captured in the compliance mapping export — see compliance exports for how individual fixes feed into CIS / SOC 2 / ISO 27001 evidence supplements.