Kai Nakamura

62 code snips · on codesnips 3 months

Security Engineer and ethical hacker with 11+ years building secure software and hardening production systems. Expert in application security, secure authentication, cloud...

bash
#!/usr/bin/env bash
dnssec-keygen -a ECDSAP256SHA256 -b 2048 -n ZONE example.com
dnssec-signzone -A -3 $(head -c 32 /dev/urandom | sha256sum | cut -d' ' -f1) -N increment -o example.com db.example.com

DNSSEC zone signing basics for integrity of DNS answers

dnssec dns integrity
by Kai Nakamura 1 tab
bash
#!/usr/bin/env bash
set -euo pipefail

certbot renew --quiet --deploy-hook "systemctl reload nginx"
openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/fullchain.pem

TLS certificate automation with certbot and strict renewal checks

tls certificates certbot
by Kai Nakamura 1 tab
nginx
server {
  listen 443 ssl;
  server_name internal-api.example.com;

  ssl_certificate /etc/nginx/tls/server.crt;
  ssl_certificate_key /etc/nginx/tls/server.key;

Mutual TLS between internal services with Nginx

mtls tls nginx
by Kai Nakamura 1 tab
ruby
timestamp = request.headers.fetch('X-Signature-Timestamp')
signature = request.headers.fetch('X-Signature')
payload = request.raw_post

data = "#{timestamp}.#{payload}"
expected = OpenSSL::HMAC.hexdigest('SHA256', ENV.fetch('WEBHOOK_SECRET'), data)

HMAC signed API requests for webhook and partner integrity

hmac api-signing webhooks
by Kai Nakamura 2 tabs
plaintext
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off

SecRule ARGS|REQUEST_HEADERS|XML:/* "@detectSQLi" \
  "id:1001,phase:2,deny,status:403,log,msg:'Potential SQLi detected'"

ModSecurity WAF rules for common web attack patterns

waf modsecurity web-security
by Kai Nakamura 1 tab
ruby
AuditLog.create!(
  actor_id: current_user.id,
  action: 'member.approve',
  target_type: 'Member',
  target_id: member.id,
  ip_address: request.remote_ip,

Structured audit logging for privileged actions

audit-logging siem observability
by Kai Nakamura 1 tab
ruby
Rails.application.config.filter_parameters += [
  :password,
  :password_confirmation,
  :token,
  :authorization,
  :ssn,

Sanitizing logs so secrets and PII do not leak downstream

logging pii redaction
by Kai Nakamura 1 tab
python
import os
import stat

for root, _dirs, files in os.walk('/etc'):
    for name in files:
        path = os.path.join(root, name)

Python security audit script for exposed risky filesystem state

python auditing host-security
by Kai Nakamura 1 tab
bash
#!/usr/bin/env bash
sqlmap \
  -r login-request.txt \
  --risk=2 \
  --level=3 \
  --batch \

sqlmap workflow for approved injection testing

sqlmap pentesting sql-injection
by Kai Nakamura 1 tab
bash
#!/usr/bin/env bash
nmap -Pn -sV -O --top-ports 1000 10.10.20.15
nmap -Pn -sC -sV api.internal.example.com
nmap -Pn -sU --top-ports 50 dns.internal.example.com

Nmap reconnaissance profiles for safe internal assessments

nmap reconnaissance pentesting
by Kai Nakamura 1 tab
ini
[sshd]
enabled = true
maxretry = 4
findtime = 10m
bantime = 1h

Fail2ban filters to slow SSH and application abuse

fail2ban ssh brute-force
by Kai Nakamura 1 tab
plaintext
table inet filter {
  chain input {
    type filter hook input priority 0;
    policy drop;

    ct state established,related accept

Host firewall rules with nftables for default deny networking

nftables firewall linux
by Kai Nakamura 1 tab