Security Engineer and ethical hacker with 11+ years building secure software and hardening production systems. Expert in application security, secure authentication, cloud...
#!/usr/bin/env bash
dnssec-keygen -a ECDSAP256SHA256 -b 2048 -n ZONE example.com
dnssec-signzone -A -3 $(head -c 32 /dev/urandom | sha256sum | cut -d' ' -f1) -N increment -o example.com db.example.com
#!/usr/bin/env bash
set -euo pipefail
certbot renew --quiet --deploy-hook "systemctl reload nginx"
openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/fullchain.pem
server {
listen 443 ssl;
server_name internal-api.example.com;
ssl_certificate /etc/nginx/tls/server.crt;
ssl_certificate_key /etc/nginx/tls/server.key;
timestamp = request.headers.fetch('X-Signature-Timestamp')
signature = request.headers.fetch('X-Signature')
payload = request.raw_post
data = "#{timestamp}.#{payload}"
expected = OpenSSL::HMAC.hexdigest('SHA256', ENV.fetch('WEBHOOK_SECRET'), data)
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecRule ARGS|REQUEST_HEADERS|XML:/* "@detectSQLi" \
"id:1001,phase:2,deny,status:403,log,msg:'Potential SQLi detected'"
AuditLog.create!(
actor_id: current_user.id,
action: 'member.approve',
target_type: 'Member',
target_id: member.id,
ip_address: request.remote_ip,
Rails.application.config.filter_parameters += [
:password,
:password_confirmation,
:token,
:authorization,
:ssn,
import os
import stat
for root, _dirs, files in os.walk('/etc'):
for name in files:
path = os.path.join(root, name)
#!/usr/bin/env bash
sqlmap \
-r login-request.txt \
--risk=2 \
--level=3 \
--batch \
#!/usr/bin/env bash
nmap -Pn -sV -O --top-ports 1000 10.10.20.15
nmap -Pn -sC -sV api.internal.example.com
nmap -Pn -sU --top-ports 50 dns.internal.example.com
[sshd]
enabled = true
maxretry = 4
findtime = 10m
bantime = 1h
table inet filter {
chain input {
type filter hook input priority 0;
policy drop;
ct state established,related accept