Daily Claude analysis · 7h ago

A small, friendly read of the network.

Every scan, Porchlight hands the freshly-rendered snapshot to Claude and asks for an honest, small report — at the environment, protocol, and host level. Nothing leaves the appliance besides the summarized state Home Assistant already publishes.

B
Claude · environment · 5/16/2026

The porch is lit. A few windows could be drawn.

Your network looks like a well-tended garden — most lights are on for a reason, and Porchlight can name every one of them. 55 of 62 hosts answered the call this scan, and nothing new wandered in since yesterday. The main thing worth a look is how widely SSH and unauthenticated HTTP are exposed across the LAN.

What's good
  • Tailnet identities are clean — 17 Tailscale devices line up neatly with their LAN counterparts (calliope, clio, euterpe, mainsail, Mnemosyne).
  • No new hosts and no changed services since the last sweep — the environment is steady.
  • Scanner is online, healthy, and the SQLite ledger matches the rendered dashboard snapshot.
Worth a look
  • 13 hosts expose SSH (tcp/22) on the LAN. That is normal for a homelab, but it's also the single largest attack surface here.
  • Two RTSP cameras (192.168.16.48, 192.168.19.24) speak plain rtsp:// with no product banner — likely default creds or no auth at all.
  • Mnemosyne is showing tcp/3389 (RDP) and tcp/445 (SMB) open at the same time — classic lateral-movement pair if it ever leaves the LAN.
What you could try
  • Tag the 13 SSH hosts in Porchlight with an 'expected' note so future scans can flag the unexpected ones loudly.
  • Put the two bare RTSP cameras behind a VLAN or a Frigate/go2rtc reverse proxy with auth.
  • Confirm RDP on Mnemosyne is intentional; if not, disable it and let SSH carry remote access.
Per protocol

How each protocol is doing

17 graded
B
ssh
Lots of doors, all (probably) locked.

SSH is the most-spoken protocol on this network — 13 hosts answer on tcp/22. Every one of them is a device you'd expect to administer (UniFi gear, Pis, Macs, NAS). None of them are advertising a vulnerable banner, but the sheer count means a single weak key would matter.

C
http
A lot of admin pages, mostly without TLS.

27 HTTP services are open across the LAN. Many are device admin panels (Mainsail, UniFi OS, hue, Awair, Kasa). The ones served on plain :80 with no redirect to https are the ones to watch — they happily accept credentials in the clear.

B
https
TLS is reaching the right surfaces.

The hosts that should be TLS are TLS — UniFi OS, Mainsail's Stalwart Management, and the Hue bridge. Two unknown :443 endpoints are cameras and should be reviewed.

B
http-proxy
Four hosts speak HTTP on :8080.

calliope, mainsail, ecb5fa843be9 (Hue), and the UniFi gateway expose :8080. For Mainsail and UniFi this is part of the normal control plane. For the Hue bridge it's the standard local API.

C
microsoft-ds
Three SMB surfaces — one is unusual.

SMB (tcp/445) is open on Mnemosyne (expected for a Windows workstation), the UniFi appliance (expected for backups), and MacBookPro. A Mac sharing SMB on a homelab is common but worth a glance.

A
domain
DNS lives where it should.

Only two hosts answer DNS — your UniFi gateway and one MacBookPro. The gateway is expected. The Mac is likely running a local resolver (mDNS, a Tailscale MagicDNS bridge, or dnsmasq for dev).

C
netbios-ssn
Legacy SMB chatter on two hosts.

Two hosts still answer NetBIOS (tcp/139). Modern Windows doesn't need it. UniFi probably exposes it for legacy compatibility.

C
rtsp
Cameras you can speak to, and you'd rather you couldn't.

Three RTSP endpoints are open. One (calliope:8554) is your go2rtc/Frigate aggregator and that's fine. The other two are the cameras at 192.168.16.48 and 192.168.19.24 speaking rtsp:// directly with no product banner — that's the classic 'cheap IP cam with default creds' signature.

A
mqtt
Quiet, scoped, exactly where it should be.

Only two MQTT brokers answer — calliope and mainsail. Both are Mainsail/Klipper hosts, which is the expected pattern. No stray brokers, no public exposure, no unauthenticated brokers on phones or cameras.

B
wsdapi
Windows discovery doing Windows things.

tcp/5357 is Windows' WSDAPI for device discovery. Expected on Mnemosyne and on the UniFi-managed Windows host.

B
ppp
Grafana-or-similar on :3000.

tcp/3000 on Mnemosyne is almost certainly a local dev/Grafana/Node service tagged as 'ppp' by nmap's port table.

D
ms-wbt-server
RDP is open on the LAN.

Mnemosyne exposes tcp/3389 (RDP). On a trusted LAN behind Tailscale this is usually fine, but RDP has a long history of brute-force pain and should be NLA-enforced.

C
upnp
MacBookPro is shouting on :5000.

tcp/5000 on MacBookPro is the macOS AirPlay receiver / Control Center port. It's usually fine on a private LAN, but it's also the port that's been a CVE magnet on older macOS releases.

C
vnc
One VNC surface.

Laboratoryi5Air exposes tcp/5900 (VNC). Default macOS Screen Sharing speaks this. Make sure it requires a password.

A
polipo
Home Assistant, exactly where expected.

tcp/8123 on homeassistant is the Home Assistant frontend. The port-name guess ('polipo') is wrong; this is the real thing.

A
https-alt
UniFi controller TLS.

tcp/8443 on unifi is the UniFi controller's HTTPS port. Expected.

A
rtsp-alt
Aggregated RTSP, the right way.

calliope:8554 looks like a go2rtc/Frigate aggregator — that's the recommended pattern for camera streams.

Per host

Hosts with notes this scan

10 of 65 flagged
A
unifi
192.168.16.1
The gateway is doing gateway things.

UniFi is healthy and exposing the expected control-plane surfaces (SSH, DNS, HTTP, HTTPS, :8080, :8443).

C
Mnemosyne
192.168.17.6
Mnemosyne has the largest attack surface.

Windows workstation exposing SMB, NetBIOS, RDP, WSDAPI, and a service on :3000. None of this is wrong, but it's the broadest profile on the LAN.

D
192.168.16.48
192.168.16.48
Bare camera, bare RTSP.

Plain rtsp:// and an unidentified :443 with no product banner. Almost certainly a cheap IP cam with default credentials.

D
192.168.19.24
192.168.19.24
Twin of 16.48 — same posture, same fix.

Same RTSP+HTTPS fingerprint as the other unbranded camera. Treat them as a pair.

A
calliope
192.168.18.5
calliope is your control plane host.

SSH, Mainsail/Stalwart on :8080, MQTT broker, and the RTSP aggregator on :8554 — this is the most-trusted node on the LAN and it looks the part.

A
mainsail
192.168.18.110
mainsail mirrors calliope cleanly.

Same shape as calliope — SSH, Mainsail HTTP+HTTPS+:8080, MQTT broker. Looks like an intentional pair (printer + control host).

B
6c63f8102ad08e0abb10959f956067dadbd7.id.ui.direct
192.168.18.62
UniFi OS controller node.

SSH, UniFi OS on :80 and :443, NetBIOS, SMB, WSDAPI — that's the expected UDM/UCK profile.

C
Laboratoryi5Air
192.168.18.39
Laboratoryi5Air is sharing screen.

SSH + VNC (:5900). VNC is fine on the LAN if it has a strong password.

B
MacBookPro
192.168.19.214
MacBookPro with the usual mac services.

DNS, SMB, and AirPlay/UPnP on :5000. Normal for a macOS workstation, but the DNS responder is worth checking.

A
homeassistant
192.168.17.231
Home Assistant looks healthy.

Single service exposed — :8123 — exactly what you want. This is also the receiver of Porchlight's own MQTT publish.