network-security

PostgreSQL hardening with pg_hba and strict role separation

Database hardening starts with connection control and role hygiene. I separate app, migration, reporting, and admin roles so compromise impact is constrained. The default question is not what permissions are convenient, but which ones are actually nec
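
One way to keep that role separation honest at the connection layer is to lint pg_hba.conf against the policy you intended. The script below is an added example, not tooling from this post: it parses pg_hba lines and flags `trust`, the weak `md5`/`password` methods, `all` users reachable over the network, ranges wider than a /24, and an admin role allowed from anywhere but an admin subnet over `hostssl`. The role names (`db_admin`, `app_rw`, `app_migrate`, `reporting_ro`), the subnets, and both pg_hba fragments are constructed for illustration.

```python
"""Lint a pg_hba.conf against a role-separation policy (added example, not the
post's own tooling). Role names, subnets and the /24 width limit below are
assumptions for illustration; the two pg_hba fragments are constructed.
"""
import ipaddress

ADMIN_ROLES = {"db_admin"}                             # assumed admin role name
ADMIN_NETS = [ipaddress.ip_network("10.0.100.0/24")]   # assumed admin subnet
WEAK_METHODS = {"password", "md5"}                     # prefer scram-sha-256 or cert
MAX_IPV4_WIDTH = 24                                    # flag anything wider than a /24

# Constructed "before": one shared access path, password auth, wide ranges.
WEAK_HBA = """
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       all                      trust
host    all       all       0.0.0.0/0      md5
host    all       db_admin  10.0.0.0/8     md5
"""

# Constructed "after": one line per role, each pinned to its own subnet.
HARDENED_HBA = """
# TYPE    DATABASE  USER          ADDRESS         METHOD
local     all       db_admin                      peer
host      appdb     app_rw        10.0.10.0/24    scram-sha-256
host      appdb     app_migrate   10.0.20.0/24    scram-sha-256
host      appdb     reporting_ro  10.0.30.0/24    scram-sha-256
hostssl   appdb     db_admin      10.0.100.0/24   cert clientcert=verify-full
"""


def parse_hba(text):
    """Return one dict per active line. Handles CIDR addresses only, not the
    older 'address netmask' two-column form."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) < 4:
                raise ValueError(f"line {lineno}: too few fields")
            db, user, address, method, opts = f[1], f[2], None, f[3], f[4:]
        else:
            if len(f) < 5:
                raise ValueError(f"line {lineno}: too few fields")
            db, user, address, method, opts = f[1], f[2], f[3], f[4], f[5:]
        entries.append({"line": lineno, "type": f[0], "db": db, "user": user,
                        "address": address, "method": method, "options": opts})
    return entries


def lint_hba(text):
    """Return (line_number, reason) findings; an empty list means the file
    passes this policy."""
    findings = []
    for e in parse_hba(text):
        n, method = e["line"], e["method"]
        if method == "trust":
            findings.append((n, "trust: anyone matching this line connects without authenticating"))
        elif method in WEAK_METHODS:
            findings.append((n, f"{method}: weak password method, use scram-sha-256 (cert for admins)"))
        if e["type"] == "local":
            continue  # Unix-socket lines have no network scope to check
        try:
            net = ipaddress.ip_network(e["address"], strict=False)
        except ValueError:
            findings.append((n, f"address {e['address']!r} is not a CIDR; review by hand"))
            continue
        if e["user"] == "all":
            findings.append((n, "user 'all' over the network: every role shares one access path"))
        if net.version == 4 and net.prefixlen < MAX_IPV4_WIDTH:
            findings.append((n, f"{net} is wider than a /{MAX_IPV4_WIDTH}"))
        if e["user"] in ADMIN_ROLES:
            in_admin_net = any(a.version == net.version and net.subnet_of(a) for a in ADMIN_NETS)
            if e["type"] != "hostssl" or not in_admin_net:
                findings.append((n, f"admin role {e['user']} must use hostssl from an admin subnet only"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        print(f"== {label}: {len(lint_hba(text))} finding(s)")
        for n, reason in lint_hba(text):
            print(f"  line {n}: {reason}")
```

Run it against the real file with `lint_hba(open("/etc/postgresql/.../pg_hba.conf").read())` (path varies by distribution). Remember that pg_hba only gates who may connect from where; the per-role `GRANT`/`REVOKE` inside the database still has to match the same separation, and the migration role is the one that usually ends up with far more than it needs.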

Nmap reconnaissance profiles for safe internal assessments

I use nmap deliberately and with scope approval, not as a random curiosity tool against production assets. Version detection, default scripts, and targeted UDP checks usually provide enough visibility to prioritize hardening. The output becomes much m

DNSSEC zone signing basics for integrity of DNS answers

DNSSEC is not universal, but where it is available it closes an integrity gap that attackers still exploit. I keep the zone-signing workflow documented, monitor expiry on keys, and make sure operational ownership is clear. Security controls that nobod
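
The expiry that actually bites operationally is the RRSIG expiration: once the signatures on a zone lapse, validating resolvers return SERVFAIL for it. The checker below is an added example, not the post's own tooling; it parses RRSIG records in presentation format (the form `dig +dnssec` prints), reports days left per signature, and rolls everything up to one status you can alert on. The two records and their key tags, dates and signature data are constructed placeholders.

```python
"""Check RRSIG expiry for a signed zone (added example, not the post's own
tooling). The records below are constructed, with placeholder signature data;
in practice feed it the output of `dig +dnssec` or a walk of the signed zone file."""
from datetime import datetime, timezone, timedelta

# RRSIG timestamps are UTC YYYYMMDDHHMMSS (RFC 4034, section 3.2).
RRSIG_TIME = "%Y%m%d%H%M%S"

# Constructed sample: a zone whose DNSKEY signature expires before the SOA one.
SAMPLE_RRSIGS = """
example.com. 3600 IN RRSIG SOA 13 2 3600 20240615120000 20240516120000 12345 example.com. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240530000000 20240501000000 54321 example.com. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
"""


def parse_rrsig(line):
    """Split one RRSIG record in presentation format into its named fields."""
    f = line.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "expiration": datetime.strptime(f[8], RRSIG_TIME).replace(tzinfo=timezone.utc),
        "inception": datetime.strptime(f[9], RRSIG_TIME).replace(tzinfo=timezone.utc),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def signature_status(sig, now, warn_days):
    """ok / warning / expired / not-yet-valid for one signature at time `now`."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now < timedelta(days=warn_days):
        return "warning"
    return "ok"


def check_rrsigs(text, now=None, warn_days=7):
    """Return one summary dict per RRSIG. `now` may be a UTC datetime or an
    ISO string such as '2024-05-25T00:00:00'; None means the real clock."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sig = parse_rrsig(line)
        results.append({
            "owner": sig["owner"],
            "type": sig["type_covered"],
            "key_tag": sig["key_tag"],
            "days_left": (sig["expiration"] - now).days,   # negative once expired
            "status": signature_status(sig, now, warn_days),
        })
    return results


def worst_status(results):
    """Collapse per-signature results into the single state to alert on."""
    order = ["ok", "warning", "not-yet-valid", "expired"]
    return max((r["status"] for r in results), key=order.index, default="ok")


if __name__ == "__main__":
    for r in check_rrsigs(SAMPLE_RRSIGS, now="2024-05-25T00:00:00"):
        print(f"{r['owner']} {r['type']:<7} key {r['key_tag']:>5}: {r['days_left']:>3}d left, {r['status']}")
```

Set `warn_days` to comfortably more than your re-signing interval, so a signer that silently stops (a cron job that died, a signing key whose file permissions changed) is noticed while the zone still validates. Checking the DNSKEY signature separately matters because it is produced by the KSK, which usually has a different lifetime and owner than the ZSK that signs everything else.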

Suricata IDS rule authoring for suspicious lateral movement

Detection engineering works best when the rule reflects a behavior you can explain, not just a string that looked scary once. I use Suricata for network patterns that are specific enough to matter operationally. Rule quality is a maintenance problem a
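
As an added example of a rule that states a behaviour rather than a string (not a rule from this post): workstations should never open RDP or WinRM to other workstations, only jump hosts should. The address group `$WORKSTATIONS` is assumed to be defined under `vars.address-groups` in suricata.yaml and assumed not to contain the jump hosts; the sids are in the local range.

```suricata
# Added example rules, not the post's own. Assumes $WORKSTATIONS is defined in
# suricata.yaml and that jump hosts (the only expected RDP/WinRM clients) are
# not part of that group.
#
# Behaviour: one workstation opening RDP to another. That is either lateral
# movement or a misconfiguration worth fixing, so the alert is explainable.
# flags:S fires once per connection attempt, even if the target refuses it;
# the threshold caps a noisy scanner at one alert per source per ten minutes.
alert tcp $WORKSTATIONS any -> $WORKSTATIONS 3389 (msg:"LATERAL workstation to workstation RDP"; flow:to_server; flags:S; threshold:type limit, track by_src, count 1, seconds 600; classtype:attempted-admin; sid:9000001; rev:1; metadata:behavior lateral_movement, confidence medium;)

# Same behaviour over WinRM (HTTP 5985 / HTTPS 5986).
alert tcp $WORKSTATIONS any -> $WORKSTATIONS [5985,5986] (msg:"LATERAL workstation to workstation WinRM"; flow:to_server; flags:S; threshold:type limit, track by_src, count 1, seconds 600; classtype:attempted-admin; sid:9000002; rev:1; metadata:behavior lateral_movement, confidence medium;)
```

The maintenance cost lives in the address group, not the rule text: when the workstation ranges or the jump-host list change, the rule keeps firing or goes silent without anyone touching it, so the variable definitions belong under the same review as the rules.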

SSRF mitigation with URL allowlists and egress controls

SSRF defense requires more than banning localhost. I parse URLs with a real library, enforce scheme and host allowlists, resolve and reject private IP ranges, and pair app-level checks with network egress rules. If an attacker can turn your server int
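
The checks in that sentence, carried through as an added example (not code from this post): parse with `urllib.parse.urlsplit`, reject anything but an allowlisted scheme, host and port, resolve the name and refuse it if any answer is non-public, then hand the vetted address back so the HTTP client connects to it rather than resolving again. The allowlist entries, the stub DNS table and its addresses are constructed; `hooks.example.net` is given one internal record on purpose to show the split-horizon / rebinding case.

```python
"""Outbound URL validation for an SSRF-prone feature such as webhooks (added
example, not the post's own code). The allowlist, the stub DNS table and the
host names in it are constructed for illustration."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
ALLOWED_HOSTS = {"api.partner.example", "hooks.example.net"}   # assumed allowlist

# Constructed stand-in for DNS so the example runs offline. hooks.example.net
# deliberately has one internal record, the split-horizon / rebinding case.
STUB_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "hooks.example.net": ["151.101.1.1", "10.0.0.5"],
}


class UnsafeURL(ValueError):
    """Raised for any URL the service must not fetch."""


def stub_resolver(host):
    return STUB_DNS.get(host, [])


def system_resolver(host):
    """Resolve with the OS resolver; return every A/AAAA answer, not just the first."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr):
    """True only for globally routable unicast. IPv4-mapped IPv6 is unwrapped
    first so ::ffff:10.0.0.5 is judged as 10.0.0.5. is_global already covers
    RFC 1918, loopback, link-local (169.254/16, including the cloud metadata
    address), CGNAT 100.64/10 and the reserved ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolver=system_resolver):
    """Return (host, pinned_ip, port) for a URL that passes every check.

    Raises UnsafeURL otherwise. urlsplit separates userinfo from the host, so
    https://api.partner.example@evil.example/ is seen for what it is."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL")
    host = parts.hostname          # lower-cased, IPv6 brackets stripped
    if not host:
        raise UnsafeURL("missing host")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host {host!r} not in allowlist")
    try:
        port = parts.port or 443
    except ValueError as exc:      # non-numeric or out-of-range port
        raise UnsafeURL(f"bad port: {exc}") from None
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port {port} not allowed")

    addresses = resolver(host)
    if not addresses:
        raise UnsafeURL(f"{host} did not resolve")
    for addr in addresses:         # one internal answer is enough to refuse
        if not is_public_address(addr):
            raise UnsafeURL(f"{host} resolves to non-public address {addr}")
    # Hand back the address we vetted: the client must connect to it (with the
    # Host header and SNI set to `host`) instead of resolving the name again.
    return host, addresses[0], port


def is_safe_url(url, resolver=system_resolver):
    try:
        validate_outbound_url(url, resolver)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/ping", "http://api.partner.example/",
              "https://api.partner.example@evil.example/", "https://hooks.example.net/"):
        print(f"{u:<45} {'ok' if is_safe_url(u, stub_resolver) else 'rejected'}")
```

Two caveats the code cannot solve on its own. Most HTTP clients resolve the hostname themselves, so pinning the vetted address needs a client that can connect to an IP while sending the original host for SNI and the Host header; where that is not available, the egress firewall is the control that actually holds. And redirects must either be disabled or re-validated per hop, because a 302 to `http://169.254.169.254/` from an allowlisted host is the classic bypass.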

Host firewall rules with nftables for default deny networking

I prefer a default-deny stance and then open only what the host actually serves. nftables is flexible enough to express that clearly without giant unreadable rule sets. A short explicit policy ages better than a sprawling inherited firewall script nob
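
A ruleset in that spirit, as an added example rather than the post's own configuration: default drop on input and forward, loopback and established traffic allowed, the ICMP types the host needs to behave correctly, and a named set holding the two services this hypothetical host serves (SSH and HTTPS). Drops are logged with a rate limit so the policy stays explainable when something stops working.

```nft
# Added example ruleset, not the post's own. Assumes a host that serves only
# SSH (22) and HTTPS (443); change the set, not the chain, when that changes.
flush ruleset

table inet filter {
    set tcp_services {
        type inet_service
        elements = { 22, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Keep path MTU discovery and IPv6 neighbour discovery working; a host
        # that drops all ICMP breaks in ways that look like network faults.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        tcp dport @tcp_services ct state new accept

        # Everything else falls through to the drop policy; log a sample first.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` after checking it with `nft -c -f`, and test from another host before persisting it: a default-deny ruleset applied over SSH without the established/related rule will cut the session you are typing in.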