Files

Mike Swanson b79c47acb9 sync: Auto-sync from ACG-M-L5090 at 2026-01-26 16:45:54

Synced files:
- Complete claude-projects import (5 catalog files)
- Client directory with 12 clients
- Project directory with 12 projects
- Credentials updated (100+ sets)
- Session logs consolidated
- Agent coordination rules updated
- Task management integration

Major work completed:
- Exhaustive cataloging of claude-projects
- All session logs analyzed (38 files)
- All credentials extracted and organized
- Client infrastructure documented
- Problem solutions cataloged (70+)

Machine: ACG-M-L5090
Timestamp: 2026-01-26 16:45:54

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-01 16:23:47 -07:00

31 KiB

Raw Blame History

Shared Data Credential Catalog

Source: C:\Users\MikeSwanson\claude-projects\shared-data
Extracted: 2026-01-26 Purpose: Complete credential inventory from shared-data directory

File Inventory

Main Credential File

File: credentials.md (22,136 bytes)
Last Updated: 2025-12-16
Purpose: Centralized credentials for Claude Code context recovery across all machines

Supporting Files

.encryption-key (156 bytes) - ClaudeTools database encryption key
context-recall-config.env (535 bytes) - API and context recall settings
ssh-config (1,419 bytes) - SSH host configurations
multi-tenant-security-app.md (8,682 bytes) - Multi-tenant Entra app guide
permissions/ - File/registry permission exclusion lists (3 files)

Infrastructure - SSH Access

Jupiter (Unraid Primary)

Service: Primary container host
Host: 172.16.3.20
SSH User: root
SSH Port: 22
SSH Password: Th1nk3r^99##
WebUI Password: Th1nk3r^99##
Role: Primary container host (Gitea, NPM, GuruRMM, media)
iDRAC IP: 172.16.1.73 (DHCP)
iDRAC User: root
iDRAC Password: Window123!@#-idrac
iDRAC SSH: Enabled (port 22)
IPMI Key: All zeros
Access Methods: SSH, WebUI, iDRAC

Saturn (Unraid Secondary)

Service: Unraid Secondary Server
Host: 172.16.3.21
SSH User: root
SSH Port: 22
SSH Password: r3tr0gradE99
Role: Migration source, being consolidated to Jupiter
Access Methods: SSH

pfSense (Firewall)

Service: Network Firewall/Gateway
Host: 172.16.0.1
SSH User: admin
SSH Port: 2248
SSH Password: r3tr0gradE99!!
Role: Firewall, Tailscale gateway
Tailscale IP: 100.79.69.82 (pfsense-1)
Access Methods: SSH, Web, Tailscale

OwnCloud VM (on Jupiter)

Service: OwnCloud file sync server
Host: 172.16.3.22
Hostname: cloud.acghosting.com
SSH User: root
SSH Port: 22
SSH Password: Paper123!@#-unifi!
OS: Rocky Linux 9.6
Services: Apache, MariaDB, PHP-FPM, Redis, Datto RMM agents
Storage: SMB mount from Jupiter (/mnt/user/OwnCloud)
Notes: Jupiter has SSH key auth configured
Access Methods: SSH, HTTPS

GuruRMM Build Server

Service: GuruRMM/GuruConnect dedicated server
Host: 172.16.3.30
Hostname: gururmm
SSH User: guru
SSH Port: 22
SSH Password: Gptf*77ttb123!@#-rmm
Sudo Password: Gptf*77ttb123!@#-rmm (special chars cause issues with sudo -S)
OS: Ubuntu 22.04
Services: nginx, PostgreSQL, gururmm-server, gururmm-agent, guruconnect-server
SSH Key Auth: Working from Windows/WSL (ssh guru@172.16.3.30)
Service Restart Method: Services run as guru user, pkill works without sudo
Deploy Pattern:
1. Build: cargo build --release --target x86_64-unknown-linux-gnu -p <package>
2. Rename old: mv target/release/binary target/release/binary.old
3. Copy new: cp target/x86_64.../release/binary target/release/binary
4. Kill old: pkill -f binary.old (systemd auto-restarts)
GuruConnect Static Files: /home/guru/guru-connect/server/static/
GuruConnect Binary: /home/guru/guru-connect/target/release/guruconnect-server
Access Methods: SSH (key auth)

Services - Web Applications

Gitea (Git Server)

Service: Self-hosted Git server
External URL: https://git.azcomputerguru.com/
Internal URL: http://172.16.3.20:3000
SSH URL: ssh://git@172.16.3.20:2222
Web User: mike@azcomputerguru.com
Web Password: Window123!@#-git
API Token: 9b1da4b79a38ef782268341d25a4b6880572063f
SSH User: git
SSH Port: 2222
Access Methods: HTTPS, SSH, API

NPM (Nginx Proxy Manager)

Service: Reverse proxy manager
Admin URL: http://172.16.3.20:7818
HTTP Port: 1880
HTTPS Port: 18443
User: mike@azcomputerguru.com
Password: Paper123!@#-unifi
Access Methods: HTTP (internal)

Cloudflare

Service: DNS and CDN
API Token (Full DNS): DRRGkHS33pxAUjQfRDzDeVPtt6wwUU6FwtXqOzNj
API Token (Legacy/Limited): U1UTbBOWA4a69eWEBiqIbYh0etCGzrpTU4XaKp7w
Permissions: Zone:Read, Zone:Edit, DNS:Read, DNS:Edit
Used for: DNS management, WHM plugin, cf-dns CLI
Domain: azcomputerguru.com
Notes: New full-access token added 2025-12-19
Access Methods: API

Projects - GuruRMM

Service: GuruRMM dashboard login
Email: admin@azcomputerguru.com
Password: GuruRMM2025
Role: admin
Access Methods: Web

Database (PostgreSQL)

Service: GuruRMM database
Host: gururmm-db container (172.16.3.20)
Port: 5432 (default)
Database: gururmm
User: gururmm
Password: 43617ebf7eb242e814ca9988cc4df5ad
Access Methods: PostgreSQL protocol

API Server

External URL: https://rmm-api.azcomputerguru.com
Internal URL: http://172.16.3.20:3001
JWT Secret: ZNzGxghru2XUdBVlaf2G2L1YUBVcl5xH0lr/Gpf/QmE=
Access Methods: HTTPS, HTTP (internal)

Microsoft Entra ID (SSO)

Service: GuruRMM SSO via Entra
App Name: GuruRMM Dashboard
App ID (Client ID): 18a15f5d-7ab8-46f4-8566-d7b5436b84b6
Object ID: 34c80aa8-385a-4bea-af85-f8bf67decc8f
Client Secret: gOz8Q~J.oz7KnUIEpzmHOyJ6GEzYNecGRl-Pbc9w
Secret Expires: 2026-12-21
Sign-in Audience: Multi-tenant (any Azure AD org)
Redirect URIs: https://rmm.azcomputerguru.com/auth/callback, http://localhost:5173/auth/callback
API Permissions: openid, email, profile
Created: 2025-12-21
Access Methods: OAuth 2.0

CI/CD (Build Automation)

Webhook URL: http://172.16.3.30/webhook/build
Webhook Secret: gururmm-build-secret
Build Script: /opt/gururmm/build-agents.sh
Build Log: /var/log/gururmm-build.log
Gitea Webhook ID: 1
Trigger: Push to main branch
Builds: Linux (x86_64) and Windows (x86_64) agents
Deploy Path: /var/www/gururmm/downloads/
Access Methods: Webhook

Build Server SSH Key (for Gitea)

Key Name: gururmm-build-server
Key Type: ssh-ed25519
Public Key: AAAAC3NzaC1lZDI1NTE5AAAAIKSqf2/phEXUK8vd5GhMIDTEGSk0LvYk92sRdNiRrjKi guru@gururmm-build
Added to: Gitea (azcomputerguru account)
Access Methods: SSH key authentication

Clients & Sites

Glaztech Industries (GLAZ)

Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9
Site: SLC - Salt Lake City
Site ID: 290bd2ea-4af5-49c6-8863-c6d58c5a55de
Site Code: DARK-GROVE-7839
API Key: grmm_Qw64eawPBjnMdwN5UmDGWoPlqwvjM7lI
Created: 2025-12-18
Access Methods: API

Projects - GuruConnect

Database (PostgreSQL on build server)

Service: GuruConnect database
Host: localhost (172.16.3.30)
Port: 5432
Database: guruconnect
User: guruconnect
Password: gc_a7f82d1e4b9c3f60
DATABASE_URL: postgres://guruconnect:gc_a7f82d1e4b9c3f60@localhost:5432/guruconnect
Created: 2025-12-28
Access Methods: PostgreSQL protocol

Projects - ClaudeTools

Database (MariaDB on Jupiter)

Service: ClaudeTools MSP tracking database
Host: 172.16.3.20
Port: 3306
Database: claudetools
User: claudetools
Password: CT_e8fcd5a3952030a79ed6debae6c954ed
Notes: Created 2026-01-15, MSP tracking database with 36 tables
Access Methods: MySQL/MariaDB protocol

Encryption Key

File Location: C:\Users\MikeSwanson\claude-projects\shared-data.encryption-key
Key: 319134ddb79fa44a6751b383cb0a7940da0de0818bd6bbb1a9c20a6a87d2d30c
Generated: 2026-01-15
Usage: AES-256-GCM encryption for credentials in database
Warning: DO NOT COMMIT TO GIT

JWT Secret

Secret: NdwgH6jsGR1WfPdUwR3u9i1NwNx3QthhLHBsRCfFxcg=
Usage: JWT token signing for API authentication
Access Methods: N/A (internal use)

API Server

External URL: https://claudetools-api.azcomputerguru.com
Internal URL: http://172.16.3.20:8000
Status: Pending deployment
Docker Container: claudetools-api
Access Methods: HTTPS (pending), HTTP (internal)

Context Recall Configuration

Claude API URL: http://172.16.3.30:8001
API Base URL: http://172.16.3.30:8001
JWT Token: (empty - get from API via setup script)
Context Recall Enabled: true
Min Relevance Score: 5.0
Max Contexts: 10
Auto Save Context: true
Default Relevance Score: 7.0
Debug Context Recall: false

Client Sites - WHM/cPanel

IX Server (ix.azcomputerguru.com)

Service: cPanel/WHM hosting server
SSH Host: ix.azcomputerguru.com
Internal IP: 172.16.3.10 (VPN required)
SSH User: root
SSH Password: Gptf*77ttb!@#!@#
SSH Key: guru@wsl key added to authorized_keys
Role: cPanel/WHM server hosting client sites
Access Methods: SSH, cPanel/WHM web

WebSvr (websvr.acghosting.com)

Service: Legacy cPanel/WHM server
Host: websvr.acghosting.com
SSH User: root
SSH Password: r3tr0gradE99#
API Token: 8ZPYVM6R0RGOHII7EFF533MX6EQ17M7O
Access Level: Full access
Role: Legacy cPanel/WHM server (migration source to IX)
Access Methods: SSH, cPanel/WHM web, API

data.grabbanddurando.com

Service: Client website (Grabb & Durando Law)
Server: IX (ix.azcomputerguru.com)
cPanel Account: grabblaw
Site Path: /home/grabblaw/public_html/data_grabbanddurando
Site Admin User: admin
Site Admin Password: GND-Paper123!@#-datasite
Database: grabblaw_gdapp_data
DB User: grabblaw_gddata
DB Password: GrabbData2025
Config File: /home/grabblaw/public_html/data_grabbanddurando/connection.php
Backups: /home/grabblaw/public_html/data_grabbanddurando/backups_mariadb_fix/
Access Methods: Web (admin), MySQL, SSH (via IX root)

GoDaddy VPS (Legacy)

Service: Legacy hosting server
IP: 208.109.235.224
Hostname: 224.235.109.208.host.secureserver.net
Auth: SSH key
Database: grabblaw_gdapp
Note: Old server, data migrated to IX
Access Methods: SSH (key)

Seafile (on Jupiter - Migrated 2025-12-27)

Container

Service: Seafile file sync server
Host: Jupiter (172.16.3.20)
URL: https://sync.azcomputerguru.com
Internal Port: 8082
Proxied via: NPM
Containers: seafile, seafile-mysql, seafile-memcached, seafile-elasticsearch
Docker Compose: /mnt/user0/SeaFile/DockerCompose/docker-compose.yml
Data Path: /mnt/user0/SeaFile/seafile-data/
Access Methods: HTTPS

Seafile Admin

Service: Seafile admin interface
Email: mike@azcomputerguru.com
Password: r3tr0gradE99#
Access Methods: Web

Database (MariaDB)

Service: Seafile database
Container: seafile-mysql
Image: mariadb:10.6
Root Password: db_dev
Seafile User: seafile
Seafile Password: 64f2db5e-6831-48ed-a243-d4066fe428f9
Databases: ccnet_db (users), seafile_db (data), seahub_db (web)
Access Methods: MySQL protocol (container)

Elasticsearch

Service: Seafile search indexing
Container: seafile-elasticsearch
Image: elasticsearch:7.17.26
Notes: Upgraded from 7.16.2 for kernel 6.12 compatibility
Access Methods: HTTP (container)

Microsoft Graph API (Email)

Service: Seafile email notifications via Graph
Tenant ID: ce61461e-81a0-4c84-bb4a-7b354a9a356d
Client ID: 15b0fafb-ab51-4cc9-adc7-f6334c805c22
Client Secret: rRN8Q~FPfSL8O24iZthi_LVJTjGOCZG.DnxGHaSk
Sender Email: noreply@azcomputerguru.com
Usage: Seafile email notifications via Graph API
Access Methods: Graph API

Migration Notes

Migrated from: Saturn (172.16.3.21) on 2025-12-27
Saturn Status: Seafile stopped, data intact for rollback (keep 1 week)

NPM Proxy Hosts Reference

ID	Domain	Backend	SSL Cert	Access Methods
1	emby.azcomputerguru.com	172.16.2.99:8096	npm-1	HTTPS
2	git.azcomputerguru.com	172.16.3.20:3000	npm-2	HTTPS
4	plexrequest.azcomputerguru.com	172.16.3.31:5055	npm-4	HTTPS
5	rmm-api.azcomputerguru.com	172.16.3.20:3001	npm-6	HTTPS
-	unifi.azcomputerguru.com	172.16.3.28:8443	npm-5	HTTPS
8	sync.azcomputerguru.com	172.16.3.20:8082	npm-8	HTTPS

Tailscale Network

Tailscale IP	Hostname	Owner	OS	Notes
100.79.69.82	pfsense-1	mike@	freebsd	Gateway
100.125.36.6	acg-m-l5090	mike@	windows	Workstation
100.92.230.111	acg-tech-01l	mike@	windows	Tech laptop
100.96.135.117	acg-tech-02l	mike@	windows	Tech laptop
100.113.45.7	acg-tech03l	howard@	windows	Tech laptop
100.77.166.22	desktop-hjfjtep	mike@	windows	Desktop
100.101.145.100	guru-legion9	mike@	windows	Laptop
100.119.194.51	guru-surface8	howard@	windows	Surface
100.66.103.110	magus-desktop	rob@	windows	Desktop
100.66.167.120	magus-pc	rob@	windows	Workstation

SSH Public Keys

guru@wsl (Windows/WSL)

User: guru
Sudo Password: Window123!@#-wsl
Key Type: ssh-ed25519
Public Key: AAAAC3NzaC1lZDI1NTE5AAAAIAWY+SdqMHJP5JOe3qpWENQZhXJA4tzI2d7ZVNAwA/1u guru@wsl
Usage: WSL SSH authentication
Authorized on: GuruRMM build server, IX server

azcomputerguru@local (Mac)

User: azcomputerguru
Key Type: ssh-ed25519
Public Key: AAAAC3NzaC1lZDI1NTE5AAAAIDrGbr4EwvQ4P3ZtyZW3ZKkuDQOMbqyAQUul2+JE4K4S azcomputerguru@local
Usage: Mac SSH authentication
Authorized on: GuruRMM build server, IX server

MSP Tools

Syncro (PSA/RMM) - AZ Computer Guru

Service: PSA/RMM platform
API Key: T259810e5c9917386b-52c2aeea7cdb5ff41c6685a73cebbeb3
Subdomain: computerguru
API Base URL: https://computerguru.syncromsp.com/api/v1
API Docs: https://api-docs.syncromsp.com/
Account: AZ Computer Guru MSP
Added: 2025-12-18
Access Methods: API

Autotask (PSA) - AZ Computer Guru

Service: PSA platform
API Username: dguyqap2nucge6r@azcomputerguru.com
API Password: z*6G4fT#oM~8@9Hxy$2Y7K$ma
API Integration Code: HYTYYZ6LA5HB5XK7IGNA7OAHQLH
Integration Name: ClaudeAPI
API Zone: webservices5.autotask.net
API Docs: https://autotask.net/help/developerhelp/Content/APIs/REST/REST_API_Home.htm
Account: AZ Computer Guru MSP
Added: 2025-12-18
Notes: New API user "Claude API"
Access Methods: REST API

CIPP (CyberDrain Improved Partner Portal)

Service: M365 management portal
URL: https://cippcanvb.azurewebsites.net
Tenant ID: ce61461e-81a0-4c84-bb4a-7b354a9a356d
API Client Name: ClaudeCipp2 (working)
App ID (Client ID): 420cb849-542d-4374-9cb2-3d8ae0e1835b
Client Secret: MOn8Q~~otmxJPLvmL~~_aCVTV8Va4t4~SrYrukGbJT
Scope: api://420cb849-542d-4374-9cb2-3d8ae0e1835b/.default
CIPP-SAM App ID: 91b9102d-bafd-43f8-b17a-f99479149b07
IP Range: 0.0.0.0/0 (all IPs allowed)
Auth Method: OAuth 2.0 Client Credentials
Updated: 2025-12-23
Notes: Working API client
Access Methods: REST API (OAuth 2.0)

CIPP API Usage (Bash)

# Get token
ACCESS_TOKEN=$(curl -s -X POST "https://login.microsoftonline.com/ce61461e-81a0-4c84-bb4a-7b354a9a356d/oauth2/v2.0/token" \
  -d "client_id=420cb849-542d-4374-9cb2-3d8ae0e1835b" \
  -d "client_secret=MOn8Q~otmxJPLvmL~_aCVTV8Va4t4~SrYrukGbJT" \
  -d "scope=api://420cb849-542d-4374-9cb2-3d8ae0e1835b/.default" \
  -d "grant_type=client_credentials" | python3 -c "import sys, json; print(json.load(sys.stdin).get('access_token', ''))")

# Query endpoints (use tenant domain or tenant ID as TenantFilter)
curl -s "https://cippcanvb.azurewebsites.net/api/ListLicenses?TenantFilter=sonorangreenllc.com" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}"

Old CIPP API Client (DO NOT USE)

App ID: d545a836-7118-44f6-8852-d9dd64fb7bb9
Status: Authenticated but all endpoints returned 403

Claude-MSP-Access (Multi-Tenant Graph API)

Service: Direct Graph API access for M365 investigations
Tenant ID: ce61461e-81a0-4c84-bb4a-7b354a9a356d
App ID (Client ID): fabb3421-8b34-484b-bc17-e46de9703418
Client Secret: ~~QJ8Q~~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO
Secret Expires: 2026-12 (24 months)
Sign-in Audience: Multi-tenant (any Entra ID org)
Purpose: Direct Graph API access for M365 investigations and remediation
Admin Consent URL: https://login.microsoftonline.com/common/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
Permissions: User.ReadWrite.All, Directory.ReadWrite.All, Mail.ReadWrite, MailboxSettings.ReadWrite, AuditLog.Read.All, Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, Group.ReadWrite.All, SecurityEvents.ReadWrite.All, AppRoleAssignment.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All
Created: 2025-12-29
Access Methods: Graph API (OAuth 2.0)

Usage (Python)

import requests

tenant_id = "CUSTOMER_TENANT_ID"  # or use 'common' after consent
client_id = "fabb3421-8b34-484b-bc17-e46de9703418"
client_secret = "~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO"

# Get token
token_resp = requests.post(
    f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
    data={
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials"
    }
)
access_token = token_resp.json()["access_token"]

# Query Graph API
headers = {"Authorization": f"Bearer {access_token}"}
users = requests.get("https://graph.microsoft.com/v1.0/users", headers=headers)

Client - MVAN Inc

Microsoft 365 Tenant 1

Service: M365 tenant
Tenant: mvan.onmicrosoft.com
Admin User: sysadmin@mvaninc.com
Password: r3tr0gradE99#
Notes: Global admin, project to merge/trust with T2
Access Methods: Web (M365 portal)

Client - BG Builders LLC

Microsoft 365 Tenant

Service: M365 tenant
Tenant: bgbuildersllc.com
CIPP Name: sonorangreenllc.com
Tenant ID: ededa4fb-f6eb-4398-851d-5eb3e11fab27
Admin User: sysadmin@bgbuildersllc.com
Password: Window123!@#-bgb
Added: 2025-12-19
Access Methods: Web (M365 portal)

Security Investigation (2025-12-22) - RESOLVED

Compromised User: Shelly@bgbuildersllc.com (Shelly Dooley)
Symptoms: Suspicious sent items reported by user
Findings:
- Gmail OAuth app with EAS.AccessAsUser.All (REMOVED)
- "P2P Server" app registration backdoor (DELETED by admin)
- No malicious mailbox rules or forwarding
- Sign-in logs unavailable (no Entra P1 license)
Remediation:
- Password reset: 5ecwyHv6&dP7 (must change on login)
- All sessions revoked
- Gmail OAuth consent removed
- P2P Server backdoor deleted
Status: RESOLVED

Client - Dataforth

Network

Subnet: 192.168.0.0/24
Domain: INTRANET (intranet.dataforth.com)

UDM (Unifi Dream Machine)

Service: Gateway/firewall
IP: 192.168.0.254
SSH User: root
SSH Password: Paper123!@#-unifi
Web User: azcomputerguru
Web Password: Paper123!@#-unifi
2FA: Push notification enabled
Role: Gateway/firewall, OpenVPN server
Access Methods: SSH, Web (2FA)

AD1 (Domain Controller)

Service: Primary domain controller
IP: 192.168.0.27
Hostname: AD1.intranet.dataforth.com
User: INTRANET\sysadmin
Password: Paper123!@#
Role: Primary DC, NPS/RADIUS server
NPS Ports: 1812/1813 (auth/accounting)
Access Methods: RDP, WinRM

AD2 (Domain Controller)

Service: Secondary domain controller
IP: 192.168.0.6
Hostname: AD2.intranet.dataforth.com
User: INTRANET\sysadmin
Password: Paper123!@#
Role: Secondary DC, file server
Access Methods: RDP, WinRM

NPS RADIUS Configuration

Client Name: unifi
Client IP: 192.168.0.254
Shared Secret: Gptf*77ttb!@#!@#
Policy: "Unifi" - allows Domain Users
Access Methods: RADIUS protocol

D2TESTNAS (SMB1 Proxy)

Service: DOS machine SMB1 proxy
IP: 192.168.0.9
Web/SSH User: admin
Web/SSH Password: Paper123!@#-nas
Role: DOS machine SMB1 proxy
Added: 2025-12-14
Access Methods: Web, SSH

Dataforth - Entra App Registration (Claude-Code-M365)

Service: Silent Graph API access to Dataforth tenant
Tenant ID: 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
App ID (Client ID): 7a8c0b2e-57fb-4d79-9b5a-4b88d21b1f29
Client Secret: tXo8Q~ZNG9zoBpbK9HwJTkzx.YEigZ9AynoSrca3
Permissions: Calendars.ReadWrite, Contacts.ReadWrite, User.ReadWrite.All, Mail.ReadWrite, Directory.ReadWrite.All, Group.ReadWrite.All
Created: 2025-12-22
Access Methods: Graph API

Client - CW Concrete LLC

Microsoft 365 Tenant

Service: M365 tenant
Tenant: cwconcretellc.com
CIPP Name: cwconcretellc.com
Tenant ID: dfee2224-93cd-4291-9b09-6c6ce9bb8711
Default Domain: NETORGFT11452752.onmicrosoft.com
Notes: De-federated from GoDaddy 2025-12, domain needs re-verification
Access Methods: Web (M365 portal)

Security Investigation (2025-12-22) - RESOLVED

Findings:
- Graph Command Line Tools OAuth consent with high privileges (REMOVED)
- "test" backdoor app registration with multi-tenant access (DELETED)
- Apple Internet Accounts OAuth (left - likely iOS device)
- No malicious mailbox rules or forwarding
Remediation:
- All sessions revoked for all 4 users
- Backdoor apps removed
Status: RESOLVED

Client - Valley Wide Plastering

Network

Subnet: 172.16.9.0/24

UDM (UniFi Dream Machine)

Service: Gateway/firewall
IP: 172.16.9.1
SSH User: root
SSH Password: Gptf*77ttb123!@#-vwp
Role: Gateway/firewall, VPN server, RADIUS client
Access Methods: SSH, Web

VWP-DC1 (Domain Controller)

Service: Primary domain controller
IP: 172.16.9.2
Hostname: VWP-DC1
User: sysadmin
Password: r3tr0gradE99#
Role: Primary DC, NPS/RADIUS server
Added: 2025-12-22
Access Methods: RDP, WinRM

NPS RADIUS Configuration

RADIUS Server: 172.16.9.2
RADIUS Ports: 1812 (auth), 1813 (accounting)
Clients: UDM (172.16.9.1), VWP-Subnet (172.16.9.0/24)
Shared Secret: Gptf*77ttb123!@#-radius
Policy: "VPN-Access" - allows all authenticated users (24/7)
Auth Methods: All (PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP)
User Dial-in: All VWP_Users set to Allow
AuthAttributeRequired: Disabled on clients
Tested: 2025-12-22, user cguerrero authenticated successfully
Access Methods: RADIUS protocol

Client - Khalsa

Network

Subnet: 172.16.50.0/24

UCG (UniFi Cloud Gateway)

Service: Gateway/firewall
IP: 172.16.50.1
SSH User: azcomputerguru
SSH Password: Paper123!@#-camden (reset 2025-12-22)
Notes: Gateway/firewall, VPN server, SSH key added but not working
Access Methods: SSH, Web

Switch

User: 8WfY8
Password: tI3evTNBZMlnngtBc
Access Methods: Web

Accountant Machine

IP: 172.16.50.168
User: accountant
Password: Paper123!@#-accountant
Added: 2025-12-22
Notes: VPN routing issue
Access Methods: RDP

Client - Scileppi Law Firm

DS214se (Source NAS - Migration Source)

Service: Legacy NAS (source)
IP: 172.16.1.54
SSH User: admin
Password: Th1nk3r^99
Storage: 1.8TB (1.6TB used)
Data: User home folders (admin, Andrew Ross, Chris Scileppi, Samantha Nunez, etc.)
Access Methods: SSH, Web

Unraid (Source - Migration)

Service: Legacy Unraid (source)
IP: 172.16.1.21
SSH User: root
Password: Th1nk3r^99
Role: Data source for migration to RS2212+
Access Methods: SSH, Web

RS2212+ (Destination NAS)

Service: Primary NAS (destination)
IP: 172.16.1.59
Hostname: SL-SERVER
SSH User: sysadmin
Password: Gptf*77ttb123!@#-sl-server
SSH Key: claude-code@localadmin added to authorized_keys
Storage: 25TB total, 6.9TB used (28%)
Data Share: /volume1/Data (7.9TB - Active, Closed, Archived, Billing, MOTIONS BANK)
Notes: Migration and consolidation complete 2025-12-29
Access Methods: SSH (key + password), Web, SMB

RS2212+ User Accounts (Created 2025-12-29)

Username	Full Name	Password	Notes
chris	Chris Scileppi	Scileppi2025!	Owner
andrew	Andrew Ross	Scileppi2025!	Staff
sylvia	Sylvia	Scileppi2025!	Staff
rose	Rose	Scileppi2025!	Staff
(TBD)	5th user	-	Name pending

Migration/Consolidation Status - COMPLETE

Completed: 2025-12-29
Final Structure:
- Active: 2.5TB (merged Unraid + DS214se Open Cases)
- Closed: 4.9TB (merged Unraid + DS214se Closed Cases)
- Archived: 451GB
- MOTIONS BANK: 21MB
- Billing: 17MB
Recycle Bin: Emptied (recovered 413GB)
Permissions: Group "users" with 775 on /volume1/Data

SSH Config File

File: ssh-config Generated from: credentials.md Last updated: 2025-12-16

Key Status

gururmm, ix: Mac + WSL keys authorized
jupiter, saturn: WSL key only (need to add Mac key)
pfsense, owncloud: May need key setup

Host Aliases

jupiter: 172.16.3.20:22 (root)
saturn: 172.16.3.21:22 (root)
pfsense: 172.16.0.1:2248 (admin)
owncloud / cloud: 172.16.3.22:22 (root)
gururmm / rmm: 172.16.3.30:22 (root)
ix / whm: ix.azcomputerguru.com:22 (root)
gitea / git.azcomputerguru.com: 172.16.3.20:2222 (git)

Default Settings

AddKeysToAgent: yes
IdentitiesOnly: yes
IdentityFile: ~/.ssh/id_ed25519

Multi-Tenant Security App Documentation

File: multi-tenant-security-app.md Purpose: Reusable Entra app for quick security investigations across client tenants

Purpose

Guide for creating a multi-tenant Entra ID app for MSP security investigations. This app provides:

Quick consent mechanism for client tenants
PowerShell investigation commands
BEC detection scripts
Mailbox forwarding rule checks
OAuth consent monitoring

Recommended Permissions

API	Permission	Purpose
Microsoft Graph	AuditLog.Read.All	Sign-in logs, risky sign-ins
Microsoft Graph	Directory.Read.All	User enumeration, directory info
Microsoft Graph	Mail.Read	Read mailboxes for phishing/BEC
Microsoft Graph	MailboxSettings.Read	Detect forwarding rules
Microsoft Graph	User.Read.All	User profiles
Microsoft Graph	SecurityEvents.Read.All	Security alerts
Microsoft Graph	Policy.Read.All	Conditional access policies
Microsoft Graph	RoleManagement.Read.All	Check admin role assignments
Microsoft Graph	Application.Read.All	Detect suspicious app consents

https://login.microsoftonline.com/{CLIENT-TENANT-ID}/adminconsent?client_id={YOUR-APP-ID}

Permission Exclusion Files

file_permissions_excludes.txt

Purpose: Exclude list for file permission repairs using ManageACL Filters:

$Recycle.Bin
System Volume Information
RECYCLER
documents and settings
Users
pagefile.sys
hiberfil.sys
swapfile.sys
WindowsApps

file_permissions_profiles_excludes.txt

Purpose: Exclude list for profiles folder in Windows (currently empty) Note: Main file permission repairs target all folders except profiles, then profiles repair runs separately with different permissions

reg_permissions_excludes.txt

Purpose: Exclude list for registry permission repairs using SetACL Filters:

bcd00000000
system\controlset001
system\controlset002
classes\appx
wow6432node\classes
classes\wow6432node\appid
classes\wow6432node\protocols
classes\wow6432node\typelib
components\canonicaldata\catalogs
components\canonicaldata\deployments
components\deriveddata\components
components\deriveddata\versionedindex
microsoft\windows nt\currentversion\perflib\009
microsoft\windows nt\currentversion\perflib\currentlanguage
tweakingtemp

Quick Reference Commands (from credentials.md)

NPM API Auth

curl -s -X POST http://172.16.3.20:7818/api/tokens \
  -H "Content-Type: application/json" \
  -d '{"identity":"mike@azcomputerguru.com","secret":"Paper123!@#-unifi"}'

Gitea API

curl -H "Authorization: token 9b1da4b79a38ef782268341d25a4b6880572063f" \
  https://git.azcomputerguru.com/api/v1/repos/search

GuruRMM Health Check

curl http://172.16.3.20:3001/health

Summary Statistics

Credential Counts

SSH Servers: 17 (infrastructure + client sites)
Web Applications: 7 (Gitea, NPM, Cloudflare, CIPP, etc.)
Databases: 5 (PostgreSQL x2, MariaDB x2, MySQL x1)
API Keys/Tokens: 12 (Gitea, Cloudflare, WHM, Syncro, Autotask, CIPP, GuruRMM, etc.)
Microsoft Entra Apps: 5 (GuruRMM SSO, Seafile Graph, Claude-MSP-Access, Dataforth Claude-Code, CIPP)
SSH Keys: 3 (guru@wsl, azcomputerguru@local, gururmm-build-server)
Client Tenants: 5 (MVAN, BG Builders, Dataforth, CW Concrete, Valley Wide Plastering, Khalsa)
Client Networks: 4 (Dataforth, Valley Wide, Khalsa, Scileppi)
Tailscale Nodes: 10
NPM Proxy Hosts: 6

Infrastructure Components

Unraid Servers: 2 (Jupiter primary, Saturn secondary)
Domain Controllers: 3 (Dataforth AD1/AD2, VWP-DC1)
NAS Devices: 4 (Scileppi RS2212+, DS214se, Unraid, D2TESTNAS)
Network Gateways: 4 (pfSense, Dataforth UDM, VWP UDM, Khalsa UCG)
Build Servers: 1 (GuruRMM/GuruConnect)
Container Hosts: 1 (Jupiter)
VMs: 1 (OwnCloud)

Service Categories

Self-Hosted: Gitea, NPM, GuruRMM, GuruConnect, ClaudeTools, Seafile
MSP Tools: Syncro, Autotask, CIPP
Cloud Services: Cloudflare, Microsoft 365/Entra ID, Tailscale
Client Hosting: WHM/cPanel (IX, WebSvr)

Notes

All passwords are UNREDACTED for context recovery purposes
File locations are preserved for easy reference
Access methods documented for each service
Last updated dates included where available in source
Security incidents documented with resolution status
Migration statuses preserved for historical reference
SSH keys include full public key text for verification
API tokens include full values for immediate use
Database connection strings can be reconstructed from provided credentials

WARNING: This file contains sensitive credentials and should be protected accordingly. Do not commit to version control or share externally.

31 KiB Raw Blame History

Shared Data Credential Catalog

File Inventory

Main Credential File

Supporting Files

Infrastructure - SSH Access

Jupiter (Unraid Primary)

Saturn (Unraid Secondary)

pfSense (Firewall)

OwnCloud VM (on Jupiter)

GuruRMM Build Server

Services - Web Applications

Gitea (Git Server)

NPM (Nginx Proxy Manager)

Cloudflare

Projects - GuruRMM

Dashboard/API Login

Database (PostgreSQL)

API Server

Microsoft Entra ID (SSO)

CI/CD (Build Automation)

Build Server SSH Key (for Gitea)

Clients & Sites

Glaztech Industries (GLAZ)

Projects - GuruConnect

Database (PostgreSQL on build server)

Projects - ClaudeTools

Database (MariaDB on Jupiter)

Encryption Key

JWT Secret

API Server

Context Recall Configuration

Client Sites - WHM/cPanel

IX Server (ix.azcomputerguru.com)

WebSvr (websvr.acghosting.com)

data.grabbanddurando.com

GoDaddy VPS (Legacy)

Seafile (on Jupiter - Migrated 2025-12-27)

Container

Seafile Admin

Database (MariaDB)

Elasticsearch

Microsoft Graph API (Email)

Migration Notes

NPM Proxy Hosts Reference

Tailscale Network

SSH Public Keys

guru@wsl (Windows/WSL)

azcomputerguru@local (Mac)

MSP Tools

Syncro (PSA/RMM) - AZ Computer Guru

Autotask (PSA) - AZ Computer Guru

CIPP (CyberDrain Improved Partner Portal)

CIPP API Usage (Bash)

Old CIPP API Client (DO NOT USE)

Claude-MSP-Access (Multi-Tenant Graph API)

Usage (Python)

Client - MVAN Inc

Microsoft 365 Tenant 1

Client - BG Builders LLC

Microsoft 365 Tenant

Security Investigation (2025-12-22) - RESOLVED

Client - Dataforth

Network

UDM (Unifi Dream Machine)

AD1 (Domain Controller)

AD2 (Domain Controller)

NPS RADIUS Configuration

D2TESTNAS (SMB1 Proxy)

Dataforth - Entra App Registration (Claude-Code-M365)

Client - CW Concrete LLC

Microsoft 365 Tenant

Security Investigation (2025-12-22) - RESOLVED

Client - Valley Wide Plastering

Network

UDM (UniFi Dream Machine)

VWP-DC1 (Domain Controller)

NPS RADIUS Configuration

Client - Khalsa

Network

31 KiB

Raw Blame History