plaintext

plaintext
Protocol 2
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers deploy ops

SSH daemon hardening and key based access only

ssh linux hardening
by Kai Nakamura 1 tab
plaintext
rule SuspiciousDownloader {
  strings:
    $a = "powershell -enc" nocase
    $b = "Invoke-WebRequest" nocase
    $c = "http://" nocase
  condition:

YARA rules for spotting suspicious binaries during triage

yara malware triage
by Kai Nakamura 1 tab
plaintext
local   all             postgres                                peer
hostssl app_production  app_user        10.0.0.0/16             scram-sha-256
hostssl app_production  reporting_user  10.0.1.0/24             scram-sha-256
host    all             all             0.0.0.0/0               reject

PostgreSQL hardening with pg_hba and strict role separation

postgresql database-hardening roles
by Kai Nakamura 1 tab
plaintext
bind 127.0.0.1 10.0.0.15
protected-mode yes
port 6379
rename-command FLUSHALL ""
rename-command CONFIG ""
aclfile /etc/redis/users.acl

Redis hardening with ACLs protected mode and network isolation

redis hardening infrastructure
by Kai Nakamura 1 tab
plaintext
alert tcp $HOME_NET any -> $HOME_NET 445 (
  msg:"Possible SMB lateral movement enumeration";
  flow:to_server,established;
  content:"|FF|SMB"; depth:4;
  threshold:type both, track by_src, count 15, seconds 60;
  sid:1000001; rev:1;

Suricata IDS rule authoring for suspicious lateral movement

suricata ids detection
by Kai Nakamura 1 tab
plaintext
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off

SecRule ARGS|REQUEST_HEADERS|XML:/* "@detectSQLi" \
  "id:1001,phase:2,deny,status:403,log,msg:'Potential SQLi detected'"

ModSecurity WAF rules for common web attack patterns

waf modsecurity web-security
by Kai Nakamura 1 tab
plaintext
example.com.          IN TXT  "v=spf1 include:_spf.google.com -all"
default._domainkey    IN TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
_dmarc.example.com.   IN TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

Email security baseline with SPF DKIM and DMARC records

email-security spf dkim
by Kai Nakamura 1 tab
plaintext
index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip, user | where count > 20
index=proxy "POST" url="*/oauth/token" | stats count by client_ip | where count > 100
index=endpoint process_name=powershell.exe command_line="*EncodedCommand*"

Threat hunting query ideas mapped to MITRE ATT and CK patterns

threat-hunting mitre-attck siem
by Kai Nakamura 1 tab
plaintext
http.response.code >= 400
tcp.analysis.retransmission
tls.alert_message
dns.flags.response == 1 && dns.a
ip.addr == 10.10.20.15 && tcp.port == 443

Wireshark display filters that speed up incident triage

wireshark packet-analysis incident-response
by Kai Nakamura 1 tab
plaintext
table inet filter {
  chain input {
    type filter hook input priority 0;
    policy drop;

    ct state established,related accept

Host firewall rules with nftables for default deny networking

nftables firewall linux
by Kai Nakamura 1 tab