local all postgres peer
hostssl app_production app_user 10.0.0.0/16 scram-sha-256
hostssl app_production reporting_user 10.0.1.0/24 scram-sha-256
host all all 0.0.0.0/0 reject
#!/usr/bin/env bash
nmap -Pn -sV -O --top-ports 1000 10.10.20.15
nmap -Pn -sC -sV api.internal.example.com
nmap -Pn -sU --top-ports 50 dns.internal.example.com
#!/usr/bin/env bash
dnssec-keygen -a ECDSAP256SHA256 -b 2048 -n ZONE example.com
dnssec-signzone -A -3 $(head -c 32 /dev/urandom | sha256sum | cut -d' ' -f1) -N increment -o example.com db.example.com
alert tcp $HOME_NET any -> $HOME_NET 445 (
msg:"Possible SMB lateral movement enumeration";
flow:to_server,established;
content:"|FF|SMB"; depth:4;
threshold:type both, track by_src, count 15, seconds 60;
sid:1000001; rev:1;
require 'ipaddr'
require 'resolv'
uri = URI.parse(params[:url])
allowed_hosts = %w[images.example-cdn.com api.partner.com]
table inet filter {
chain input {
type filter hook input priority 0;
policy drop;
ct state established,related accept