network-security

plaintext
local   all             postgres                                peer
hostssl app_production  app_user        10.0.0.0/16             scram-sha-256
hostssl app_production  reporting_user  10.0.1.0/24             scram-sha-256
host    all             all             0.0.0.0/0               reject

PostgreSQL hardening with pg_hba and strict role separation

postgresql database-hardening roles
by Kai Nakamura 1 tab
bash
#!/usr/bin/env bash
nmap -Pn -sV -O --top-ports 1000 10.10.20.15
nmap -Pn -sC -sV api.internal.example.com
nmap -Pn -sU --top-ports 50 dns.internal.example.com

Nmap reconnaissance profiles for safe internal assessments

nmap reconnaissance pentesting
by Kai Nakamura 1 tab
bash
#!/usr/bin/env bash
dnssec-keygen -a ECDSAP256SHA256 -b 2048 -n ZONE example.com
dnssec-signzone -A -3 $(head -c 32 /dev/urandom | sha256sum | cut -d' ' -f1) -N increment -o example.com db.example.com

DNSSEC zone signing basics for integrity of DNS answers

dnssec dns integrity
by Kai Nakamura 1 tab
plaintext
alert tcp $HOME_NET any -> $HOME_NET 445 (
  msg:"Possible SMB lateral movement enumeration";
  flow:to_server,established;
  content:"|FF|SMB"; depth:4;
  threshold:type both, track by_src, count 15, seconds 60;
  sid:1000001; rev:1;

Suricata IDS rule authoring for suspicious lateral movement

suricata ids detection
by Kai Nakamura 1 tab
ruby
require 'ipaddr'
require 'resolv'

uri = URI.parse(params[:url])
allowed_hosts = %w[images.example-cdn.com api.partner.com]

SSRF mitigation with URL allowlists and egress controls

ssrf network-security secure-coding
by Kai Nakamura 1 tab
plaintext
table inet filter {
  chain input {
    type filter hook input priority 0;
    policy drop;

    ct state established,related accept

Host firewall rules with nftables for default deny networking

nftables firewall linux
by Kai Nakamura 1 tab